by gwd 1348 days ago
I like how Matrix handles this: You can either download and store locally a key that you enter into a new device to decrypt the encrypted messages stored on the server; or you have one of your other active devices decrypt its locally stored messages and send them to the new device (using some form of verification to prove you control both devices).

Until very recently (weeks not months), Matrix servers controlled group membership, and could add arbitrary accounts to your group without permission, thus allowing them to decrypt messages to the group. Matrix servers could also silently add "devices" to your account.

https://nebuchadnezzar-megolm.github.io/

Matrix servers still control group membership, and probably will for a while (i.e., months).

The vulnerabilities that allowed such users and devices to steal keys have been fixed.

Control of group membership in Matrix is control of key distribution. That's generally how group secure messaging works. The vulnerabilities didn't allow unauthorized group messengers to "steal" keys; it added unauthorized members to groups, which causes authorized group members to negotiate key relationships with them.
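An added illustration of the point made in the thread above, not part of any comment and not Matrix's code: a simplified model in which the sender hands the room key to every device the server lists, next to a variant that shares only with a locally verified roster. The user IDs, device names, the `pinned` roster and the XOR "wrap" (a toy stand-in for a pairwise encrypted channel) are all constructed assumptions.

```python
import hashlib
import os

def wrap(room_key: bytes, device_secret: bytes, session_id: bytes) -> bytes:
    # Toy stand-in for a pairwise encrypted channel (NOT real Olm/Megolm):
    # XOR the 32-byte room key with a hash-derived pad. XOR is self-inverse.
    pad = hashlib.sha256(device_secret + session_id).digest()
    return bytes(a ^ b for a, b in zip(room_key, pad))

def share_room_key(room_key, session_id, server_members, device_secrets, pinned=None):
    """Return (shares, withheld).

    server_members: {user: [device, ...]} as reported by the server.
    pinned: set of (user, device) the sender verified out of band;
            None means the server's list is trusted as-is.
    """
    shares, withheld = {}, []
    for user, devices in sorted(server_members.items()):
        for dev in devices:
            if pinned is not None and (user, dev) not in pinned:
                withheld.append((user, dev))  # surface to the user, do not share
                continue
            shares[(user, dev)] = wrap(room_key, device_secrets[(user, dev)], session_id)
    return shares, withheld

def demo():
    # Constructed sample data: the third entry was added by the server only.
    alice, bob, extra = ("@alice:example.org", "A1"), ("@bob:example.org", "B1"), ("@added:example.org", "X1")
    secrets = {d: os.urandom(32) for d in (alice, bob, extra)}
    server_view = {u: [d] for u, d in (alice, bob, extra)}
    room_key, sid = os.urandom(32), b"session-1"

    # Membership taken from the server: the added device receives a usable key.
    trusting, _ = share_room_key(room_key, sid, server_view, secrets)
    leaked = wrap(trusting[extra], secrets[extra], sid) == room_key

    # Membership checked against a local roster: the key is withheld and flagged.
    checked, withheld = share_room_key(room_key, sid, server_view, secrets,
                                       pinned={alice, bob})
    return {"leaked": leaked, "checked": set(checked), "withheld": withheld}

if __name__ == "__main__":
    print(demo())
```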