Join GitHub today
Warn user if an unverified device turns up #2143
When a new unverified device turns up in a room, and the user sends a message, we should warn them and let them check the device list.
This is going to be tricky to get right, without races: it would be easy for a malicious homeserver to engineer a race so that a new device turns up milliseconds before you press enter, so we must make sure we deal with that race robustly.
referenced this issue
Dec 7, 2016
I see the difference between a passive and an active attacker. If you don’t use E2E anyone who can one day get access to the homeserver logs (or break tls) can read the message. The active attacker scenario would actually require malicious code in the homeserver (today. without anyone noticing. which will be hard, if users who know, what they are doing, are actually verifying their keys). I totally understand that the security is lower, but E2E crypto is much more important than verified E2E crypto. Confusing users with misplaced warnings lowers security and does not raise it.
(I will not push this point any further, this has to be decided by the developers. We can discuss it on matrix, if you want.)
I think these warnings should pop up per room. Something like:
Presumably, whoever added the key would also message the room with an older verified key/device saying something to the effect of "Hey, just got a new phone" or something. This will also encourage users to have descriptive device names.