
Alert user if sending encrypted messages when none/not all fingerprints are trusted

Open quite opened this issue 6 years ago • 6 comments

The original item in #1070 read "Alert user if sending encrypted messages with not all keys trusted".

Given that messages are only ever encrypted with keys that are trusted, I interpret this as: the user should be alerted if they try to send a message to a peer for which fewer than all fingerprints have been trusted (not counting any explicitly untrusted fingerprints!).

The message could include both the number of fingerprints trusted and non-trusted (excluding untrusted).

It would serve as a reminder to the user to remember to trust a fingerprint before sending a message. But also to explicitly untrust fingerprints that should not be encrypted for.

Now that I'm writing this, I realise that perhaps this is a bit harsh? Should the user perhaps only be alerted if there are no trusted fingerprints, and the dummy message "You received a..." is all that got through (to any device)?

quite avatar Sep 08 '19 13:09 quite

@paulfariello :-)

jubalh avatar Sep 09 '19 07:09 jubalh

I think on new, not decided keys, the user should get an alert inside the chat window, and the message should not be sent. This forces the user to do something about those keys. Then the message can be resent from the command history. This way the receiver will get the message on all trusted devices. Otherwise, maybe we won't send to the new mobile phone and the information is read much later on a desktop client. Yeah, there still is a dummy message, but do normal users always ask about that, or just wait and hope messaging might heal itself?

kaffeekanne avatar Sep 18 '19 13:09 kaffeekanne

@paulfariello could we also just make a check at the beginning when the OMEMO session is started, and then print a message like "fingerprint X is not trusted"? Or won't that catch all cases? For example, Profanity is running on a server. Someone gets a new phone, puts Conversations on it and gets a new OMEMO fingerprint. The session will still be initialized so no message?

jubalh avatar Jan 23 '20 23:01 jubalh

@DebXWoody you did this recently, right?

jubalh avatar Jun 09 '21 21:06 jubalh

On Wednesday, 09.06.2021 at 14:50:31 -0700, @.*** wrote:

@DebXWoody you did this recently, right?

No, this hasn't been implemented. I think @mwuttke97 has implemented a message, if we didn't find a key at all.

Personally, I also think we shouldn't print a message during sending. Maybe I have a buddy whose mobile phone I decided I wouldn't trust.

I saw that we get a headline message from users. I will try to implement this. It should be possible that we print a message, "User X has got a new device (device id): Fingerprint.", just once in the console.

We should also add a flag to the known devices:

  • unknown
  • trusted - has been trusted by user
  • tofu - has been added because of trust on first use
  • blindtrust - has been added because of blind trust
  • disabled - do not trust this device

If this has been done, each device has a flag. Just in case the flag is set to unknown, the user will get a message just after session start. The user should make this decision, without annoying him.

DebXWoody avatar Jun 10 '21 05:06 DebXWoody

I agree. If the flag feature is too complicated, we could print the message only once when the session starts and when a new fingerprint is added. That way it shouldn't be too annoying.

MarcoPolo-PasTonMolo avatar Dec 19 '22 18:12 MarcoPolo-PasTonMolo
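
The per-device flag proposed by DebXWoody, combined with the print-once behaviour the last two comments settle on, could look like the sketch below. This is an added example, not Profanity's code: the type names, function names and sample device entries are assumptions, and it assumes devices flagged trusted, tofu or blindtrust are the ones messages get encrypted for.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Flags listed in the thread; the C identifiers are assumptions. */
typedef enum { TRUST_UNKNOWN, TRUST_TRUSTED, TRUST_TOFU,
               TRUST_BLIND, TRUST_DISABLED } trust_flag_t;
typedef struct {
    unsigned device_id;
    const char *fingerprint;  /* constructed placeholder, not a real key */
    trust_flag_t flag;
    bool announced;           /* user has already been told about it */
} omemo_device_t;
typedef struct { size_t usable, undecided, disabled, announced_now; } trust_summary_t;

/* Call at session start and again whenever a device list changes.
 * Assumption: trusted, tofu and blindtrust devices are encrypted for. */
trust_summary_t review_devices(const char *jid, omemo_device_t *devs, size_t n)
{
    trust_summary_t s = {0, 0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        omemo_device_t *d = &devs[i];
        if (d->flag == TRUST_DISABLED) {
            s.disabled++;             /* explicit decision: never nag */
        } else if (d->flag == TRUST_UNKNOWN) {
            s.undecided++;
            if (!d->announced) {      /* print once per device, not per message */
                printf("%s has got a new device (%u): %s\n",
                       jid, d->device_id, d->fingerprint);
                d->announced = true;
                s.announced_now++;
            }
        } else {
            s.usable++;
        }
    }
    return s;
}

/* Narrower alert from the opening post: no device would get real content. */
bool only_dummy_would_arrive(trust_summary_t s) { return s.usable == 0; }

int main(void)
{
    omemo_device_t devs[] = { {1001, "FP-SAMPLE-A", TRUST_TRUSTED, false},
                              {1002, "FP-SAMPLE-B", TRUST_UNKNOWN, false} };
    trust_summary_t s = review_devices("buddy@example.org", devs, 2);
    return only_dummy_would_arrive(s) ? 1 : 0;  /* constructed sample run */
}
```

The summary counts give the "trusted and non-trusted, excluding untrusted" numbers from the opening post, while the `announced` field keeps the notice out of the send path.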