-
-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add verified 1:1 chats #4188
Comments
I have a verified contact who sometimes uses another MUA which sends unencrypted unsigned messages. So, just dropping the verification always is not good even with appropriate warnings. But generally people don't use several keys to sign their messages, so i think we can drop the verification on a receipt of a message signed with another key. But if it's not signed at all, it's probably from another MUA and it's me who should decide whether to drop the verification (peer's key) or not. So, in the latter case i'd want to have a capability to "not accept" and continue to use the existing verification. EDIT: Better no dialogs at all. Just show a warning with a button "Downgrade encryption" and continue to use the existing verification until a user presses the button and enters the confirmation code (to be on the safe side). Intrusive dialogs/confirmations break the usual UX. EDIT: Smth like "It's not guaranteed that ur messages can be read by the peer anymore. Downgrade encryption?" EDIT: And also when forwarding messages, there are two buttons now -- CANCEL and OK -- the same message with a button "Downgrade encryption" should be added. EDIT: Btw, the solution we choose here also may (i think even should) be used for the encryption droppage in unverified groups. I'd prefer that the same warning with button to appear there if we can't encrypt for all peers anymore. |
On Mon, Mar 20, 2023 at 13:45 -0700, iequidoo wrote:
I have a verified contact that sometimes uses another MUA which sends unencrypted unsigned messages.
Am skeptical supporting this use case of mixing cleartext and verified 1:1 comms.
To begin with, an attacker can just send an unencrypted/unsigned message
and you would believe it as legit so the value of the original verification is limited.
In the issue summary's suggestion, your 1:1 chat would degrade to opportunistic
and i think you should keep it at this -- if there is a real need for verified encryption
(say for transfering credentials/logins/other things)
then better create a dedicated two-member verified group chat
and keep the 1:1 chat just opportunistic.
The key thing here is that 1:1 chats will be special wrt verification
in that they can downgrade to opportunistically-encrypted.
Verified group chats never downgrade.
|
@hpk42, thanks for the explanation, now i got the idea. But then maybe after a contact verification auto-create a verified two-member group and show a message explaining how it's better? Otherwise it will not be clear for users that 1:1 chat can downgrade. It wasn't clear even for me when i tried it the first time :) EDIT: Maybe not auto-create, but just suggest to create, and if a user presses "Move to the verified chat", create it and focus/select it for further messaging. EDIT: Considering that verification is a bg process, we can display this "Move to the verified chat?" suggestion message in the 1-1 chat upon the verification completion with two buttons "Move me" and "Dismiss". |
That's Alternative 2 when you click on "Alternatives" in the original message. Downsides:
That's why the "proposed solution" above makes it really obvious when the 1:1 chat downgrades |
Then not auto-create a verified 2-member group, but add a good explaining message with two choices: "Move to the verified chat" and "Dismiss". And i think "Alice & Bob" (in ab order) is ok for naming. Maybe even w/o a word "verified" because the verification mark is displayed at the end of chat name (at least on Android).
Yes, making that obvious is the must, but it's too late -- maybe a user would prefer to switch to a verified group in advance if they understand the difference. So, i suggest to show an explanation message after a contact verification. Better with the two choices described above, but even just a message would be good. |
On Tue, Mar 21, 2023 at 10:09 -0700, iequidoo wrote:
> It's going to be confusing that there are 2 chats, and not clear if people get suspicious just because an unsigned (evil) message appears in the wrong chat
Then not auto-create a verified 2-member group, but add a good explaining message with two choices: "Move to the verified chat" and "Dismiss". And i think "Alice & Bob" (in ab order) is ok for naming. Maybe even w/o a word "verified" because the verification mark is displayed at the end of chat name (at least on Android).
> That's why the "proposed solution" above makes it really obvious when the 1:1 chat downgrades
Yes, making that obvious is the must, but it's too late -- maybe a user would prefer to switch to a verified group in advance if they understand the difference. So, i suggest to show an explanation message after a contact verification. Better with the two choices described above, but even just a message would be good.
Let's see what makes sense text/recommendation wise
but up-front choices we generally avoid unless there is an overwhelming need.
In the current top issue description interaction/decision
from a user is only forced when/after the chat degrades
but not for the "happy path":
- show/scan qr
- get into a chat (with a verified sign which you can ignore)
- start chatting
It's fine to add an info "this chat is now end-to-end encrypted ..." message
a bit like WA does but there shouldn't be a user choice in this "happy path"
unless there is an overwhelming need. Later on, we could think about
offering something special when the chat degrades but please don't
forget that we want to be super-economical about causing extra UI work currently.
|
FTR, I added more info about "After scanning a QR code" to the issue description. |
Finally i think that just adding an explanation message after a successful verification is ok. Smth like "Now the chat is verified, but it can can downgrade if... If you want a chat that never downgrades, then...". But just in case -- there's also possible an Alternative 4 similar to
Instead, on a receipt of unverified message we can let a user to make a choice: "Downgrade to non-verified" and "Move new unverified messages to a new chat". Pros:
Cons: more work, UI-wise also (an extra button) |
I'll add this as an alternative, but I'm afraid it's really a lot of work, because currently all the UIs (that is, at least Android, but I assume also the others) rely on the fact that there is only one 1:1 chat. Of course, that's also a downside of the other alternatives that introduce a second chat.
I'm a bit sceptical because as the text becomes longer, fewer users will read it. We can defer this discussion to after I implemented the UI part, though. |
We can leave it as is -- if a user chooses "Move new unverified messages to a new chat", we can move new messages to an unverified 2-person group chat and name it using the Subject. Or, if messages have different Subjects, to multiple new chats. This will solve the problem with using another one MUA that doesn't encrypt. Also if we detect that unverified messages are sent using DC (but the peer's key was reset), we can reset the verification in the 1:1 chat. Maybe we even don't need to ask a user for the described choice then -- even if a peer lost access to DC and is now using another MUA, the conversation will be continued in a new unverified group chat. |
This would actually be one possible solution to hpk's first concern, I'll add this as "Solution 1.1". |
I think we/user shouldn't make the decision on our side, the user couldn't know if the contact uninstalled DC or not. Also if we downgrade the chat to unverified, the user will see the full message history while the peer -- only new messages in their non-DC MUA (minor for me, but not sure as for others). And we shouldn't drop the peer's Autocrypt key -- we just shouldn't encrypt in chats where our peer doesn't use it. Looks like it's somewhat a dark area of the Autocrypt standard -- how to deal with multiple MUAs that can be used for communication in different threads for whatever reasons. So, maybe better instead of dropping the verification drop the concept of the special 1:1 chat and make And i'd prefer for messages w/o the Chat-Group-Id header to come different per-thread (per-Subject) group chats. |
So, let me put what you said in different words to see if I understood it correctly: Email doesn't know the concept of "1:1 chats", it just knows threads, where every email that isn't a reply to an existing email starts a new thread. So, you propose to remove the concept of 1:1 chats, and instead whenever someone starts a new email thread, start a new group. The thread subject maps nicely to the group name. If the user clicks on a contact to start a chat, just give them the 2-member group chat where we sent the last message. Additionally, you propose to make it possible for verified groups to drop to unverified when someone's key changes. Independently of this, you propose to scope the peerstate encryption-preference per-chat-and-contact instead of per-contact as it's currently done. I.e. if we get a non-autocrypt message in one chat, continue encrypting in other chats. Did I understand you correctly? |
Not sure however that we should create a new 2-member ad-hoc group if there's no InReplyTo, because several groups with the same Subject and peer may be confusing. Maybe just use Subject. And only if there's no Chat-Group-Id.
Not sure also that we should mix it with the existing "verified groups". Afaiu, in this issue you suggest to just make it possible for 1:1 chats to be "opportunistically verified", but that doesn't make them "verified groups" in the current wording. Instead, i'd suggest to make it possible for the current unverified groups to be "opportunistically verified" and drop 1:1 chats. So, verification can be dropped for such a group if the peer's key has changed to not yet verified.
Yes, i personally sometimes experience a dropped encryption for some of my contacts sending me unencrypted/unsigned emails from other MUAs. Then the same will be for the verification. Maybe we can step away a little from Autocrypt here. And i don't suggest to do anything of this in the scope of the current issue -- just evaluate whether any ideas have sense and if yes, prevent implementing anything conflicting. |
User-Testing SetupThis evolved over time, so, esp. in the first user testings, I didn't follow it yet:
User-Testing 1Person:
Results - with a grain of salt, the setup wasn't good yet:
User-Testing 2Person:
Results:
User-Testing 3Person:
Results: Went good in general, but the downgrade message was 'too strong': "It's not e2e-encrypted anymore, and I need to meet them in person? But why can Signal do e2ee w/o meeting in person?" Onboarding: Works fine, no problems
I changed the "More info" alert dialog from User-Testing 4Person:
Results:
|
Implement #4188 BREAKING CHANGE: Remove unused DC_STR_PROTECTION_(EN)ABLED* strings BREAKING CHANGE: Remove unused dc_set_chat_protection()
Implement #4188 BREAKING CHANGE: Remove unused DC_STR_PROTECTION_(EN)ABLED* strings BREAKING CHANGE: Remove unused dc_set_chat_protection()
We did it!!!!! That was quite an effort, but verified 1:1 chats are finally release-ready, even though they aren't even called "Verified 1:1 Chats" in the UI anymore! I can still remember the day last winter/spring when @hpk42 and me stood in BB and talked about what my Bachelor Project could be and what we should propose to OTF, and decided for verified 1:1 chats. I already delivered what we had in Juli as my Bachelor Project Now, and afterwards went on my trip to Norway, and others jumped in. Now, after hundreds of hours of discussions, after multiple changes in how we call it in the UI, after many user testings, after looots of bugs, we're on the final meters to releasing it. I added the last open point to the end of https://gist.github.com/Hocuri/29839ad9c205a3fb89bf525dd1574e06 (because it's actually about verified chats in general, not verified 1:1 chats), and we don't need this issue anymore. Thanks @hpk42 for leading and coordinating with me, thanks @link2xt for tireless fixing of bugs that crept up on the last meters, thanks everyone involved for the constructive discussions, and thanks everyone involved for completing this together! |
Congratulations on this huge milestone @Hocuri |
yeah, congrats! 🥳🍾 i was just skimming over https://gist.github.com/Hocuri/29839ad9c205a3fb89bf525dd1574e06 again - and, indeed, what a history, i mean the posts from 2020 were not even the first ones :) |
The issue description here is a living document where I record all the ongoing discussion. Below we can have an "unordered" discussion.
User Testings
Core PR, Followups: #4538, #4539, #4542
Android preparation PR, Android main PR
FAQ PR
Motivation
Today only group chats can be verified.
This makes verified chats annoying to use in 1:1 communication, and almost nobody actually uses them. This is probably biggest reason for not using verified chats.
You also don't land in a verified chat after scanning the verification QR code, which can be surprising.
Proposed solution
After lots of discussions between various people, this seems to be the general consensus now:
After scanning a QR code (note that no user choice is required):
When an unverified message comes in:
Rationale
Alternatives
Wordings
Rationale
Alternatives
My original proposals:
What @hpk42, @r10s, @link2xt and me came up with after a long discussion on 2023-05-07:
In the user testings, "Messages may not be end-to-end encrypted anymore" turned out to sound way more dangerous than intended. Also, to one of the users "Accept" sounded as if they are going to actually change something with accepting (and should have the opportunity to not accept), as opposed to just dismissing the dialog.
The "tap to learn more" text when the verification was broken:
There is also going to be a link to the FAQ with even more information.
Concerns
Unresolved questions (in the rough order in which we should resolve them)
I checked all the checkmarks where we have some answer, of course we can still change the answer later.
~
before the name and so on, so it should be clear to the user.Just assign the message to the 1:1 chat with the actual sender instead
in the code.Prior art
Signal:
FAQ: https://support.signal.org/hc/en-us/articles/360007060632
WhatsApp:
Threema:
Mastodon:
"Protected chats" (#1968) would have introduced verified 1:1 chats (but they were abandoned deltachat/deltachat-android#2099).
Future
See also:
Implementing this in Core and Android is going to be my Bachelor's project, so, please nobody rush to implement it :)
The text was updated successfully, but these errors were encountered: