Second factor for re-registering with the server #3988

Closed
laurencebgood opened this issue Aug 27, 2015 · 8 comments

@laurencebgood

Currently, if someone gets the ability to get my SMSes, such as by stealing my SIM card or somehow intercepting them at the carrier, or number cloning, then the only thing standing in the way of that person impersonating me to a user I've already chatted to is the key mismatch warning. Some users will click through that without thinking. And someone who's never chatted to me before will not get any warning because of TOFU.

Since I don't think there's any intention to aggressively push users to manually verify key fingerprints, it would be nice if I could add a passphrase to my registration that would not let someone register a new device with my phone number without also having that passphrase. Since this adds some friction, it would be reasonable for it to be opt-in; that is to say, once I register my number for the first time, I should be able to go into the settings and enable the passphrase requirement.

The biggest drawback I can see is that if I give up my phone number and then it is reassigned, someone else will be stuck unable to use textsecure with that number. I can't really think of a perfect way to solve this, but expiring a registration that hasn't been used at all in some period of time, say 12 months, would probably be a reasonable approach. Alternatively, instead of just requiring use, the server could periodically send the client a liveness check of some sort (via push), and clear the registration if those don't succeed for some shorter period of time (3 months?) if the app isn't even responding at all.
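
The opt-in passphrase and idle-expiry scheme proposed in the post above, sketched as an added example (not part of the original post and not TextSecure's server code). The `Registry` class, its method names, the PBKDF2 parameters and the phone number used to exercise it are assumptions for illustration.

```python
import hashlib
import hmac
import os

IDLE_EXPIRY = 365 * 24 * 3600  # the post's suggested 12 months, in seconds


def _kdf(passphrase: str, salt: bytes) -> bytes:
    # Assumed parameters: store a slow salted hash, never the passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


class Registry:
    """Hypothetical server-side registration table, keyed by phone number."""

    def __init__(self):
        self.accounts = {}  # number -> {"device", "last_seen", "salt", "lock"}

    def register(self, number, device, now, passphrase=None):
        """Run only after the SMS code for `number` has been verified."""
        acct = self.accounts.get(number)
        locked = acct is not None and acct["lock"] is not None
        if locked and now - acct["last_seen"] < IDLE_EXPIRY:
            supplied = _kdf(passphrase or "", acct["salt"])
            if not hmac.compare_digest(supplied, acct["lock"]):
                return False  # control of the SMS channel alone is not enough
            acct.update(device=device, last_seen=now)
            return True
        # No lock set, or the lock lapsed through inactivity (reassigned number).
        self.accounts[number] = {"device": device, "last_seen": now,
                                 "salt": None, "lock": None}
        return True

    def enable_lock(self, number, device, passphrase):
        """Opt-in: only the currently registered device may set the lock."""
        acct = self.accounts.get(number)
        if acct is None or acct["device"] != device:
            return False
        acct["salt"] = os.urandom(16)
        acct["lock"] = _kdf(passphrase, acct["salt"])
        return True

    def seen(self, number, device, now):
        """Record activity (or a liveness-check reply) from the registered device."""
        acct = self.accounts.get(number)
        if acct and acct["device"] == device:
            acct["last_seen"] = now
```
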

@moxie0
Contributor

moxie0 commented Aug 27, 2015

Thanks but I don't think we're going to do this.

@moxie0 moxie0 closed this as completed Aug 27, 2015
@laurencebgood
Author

Might I ask why?

On Aug 27, 2015 8:58 AM, "Moxie Marlinspike" notifications@github.com wrote:

> Thanks but I don't think we're going to do this.



@laurencebgood
Author

Hey Moxie, just wondering if you're going to have a chance to reply at some point. Thanks.

@laurencebgood
Author

Ping?

@connorlanigan

"Some users will click through that without thinking." means that these users actively circumvent the security offered by TextSecure. That's like selling someone a high-security door and they leave it open all day.
Fingerprint verification is the one thing that has to be done by the human. If they don't do that or circumvent it, any technological "safety net" is not of much use.

While this approach would probably be possible, it is running away from the actual problem that you initially described: those people do not use fingerprints correctly.

@laurencebgood
Author

If nothing else, the passphrase I propose would prevent someone from denying me the ability to receive my textsecure messages... this isn't something that proper fingerprint verification would prevent.

On Sep 30, 2015 12:55 PM, "Connor Lanigan" notifications@github.com wrote:

> "Some users will click through that without thinking." means that these users actively circumvent the security offered by TextSecure. That's like selling someone a high-security door and they leave it open all day.
> Fingerprint verification is the one thing that has to be done by the human. If they don't do that or circumvent it, any technological "safety net" is of not much use.
>
> While this approach would probably be possible, it is running away from the actual problem that you initially described: those people do not use fingerprints correctly.



@connorlanigan

Yes, you're right about that. (However, there are a lot of other ways someone can prevent you from getting messages.)
The drawbacks you mentioned are quite big in my opinion compared to that gain of reliability — for one, the number will be reassigned at some time, and second, users could forget their registration password (they never use it!) in which case they can't switch to another phone without TextSecure breaking, and third, it adds to the complexity of the user experience. To quote the Development Ideology: "The answer is not more options."
I guess the situation you described will just not happen often enough that it's worth these problems (though I have no data on those occurrences).

@moxie0
Contributor

moxie0 commented Sep 30, 2015

Thanks everyone but this is an issue tracker rather than a discussion forum. If you'd like to continue discussing this, please move to the mailing list. Thanks!

@signalapp signalapp locked and limited conversation to collaborators Sep 30, 2015