We could cross-sign devices to aid trust when new ones join a room #2714
Comments
|
This is a good solution! It also opens the possibility for a "web of trust" in the future, where other user(s) you trust verifying people give you some trust transitively (like PGP; and definitely useful for bigger rooms). |
|
This opens up an attack where someone with temporary access to a phone or laptop could silently enroll a new malicious device, which isn't a huge tragedy, but should be considered. I notice that my own devices in Riot aren't automatically verified, which is nice. Maybe when an old device sees that a new device has been enrolled, they should get a popup like
"Ignore" just does what today's default is. "remove" removes the key from the account, and "endorse" verifies the key for yourself, and emits a message to all the e2e rooms you're in that looks something like
Then, there could be an option, per user, called "Trust cross device endorsements", which is enabled by default, and if enabled, the endorsement message, and the warning message I propose in #2143, could silently disappear. |
|
Requiring people to verify each device separately seems a bit unrealistic IMHO. And since other people will happily encrypt for that new device regardless of whether it is verified, some validation is better than none. |
|
May consider signal's method of device linking from a UX standpoint. |
|
I agree that this would be useful. I have a friend with 2 devices, and I have 3. Each of our devices has to sign each other device, which is awkward and I also think a barrier to entry for non-technical users. Thanks |
|
One very useful UX fix would be not giving people an option to encrypt a
conversation if there are unverified devices present, rather than merely
issuing a stern warning.
…On Thu, Mar 9, 2017 at 3:17 PM, Edd Barrett ***@***.***> wrote:
I agree that this would be useful.
I have a friend with 2 devices, and I have 3. Each of our devices has to
sign each other device, which is awkward and I also think a barrier to
entry for non-technical users.
Thanks
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#2714 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AGLNG4FQnYF14_klRo0eEEa8CgLU4w4Bks5rkIh6gaJpZM4LG4xT>
.
--
Tess Gadwa
Chief Executive Officer
_______________________________
Yes Exactly, Inc. | yesexactly.com | 413.325.8251
|
|
You can configure your Riot instance, to only send messages to trusted devices in the settings. |
|
@erdii i used this option. Good from a security point of view but it adds even more confusion, when you start searching for the reason, why no more messages are send. I recently added some non geek friends to my HS and the first lesson has been:
Sooner or later they will complain about missing mesages. So they all even don't know there's a web client :) |
|
I think signal and keybase have some kind of key-tree magic going on, so the other users only trust one pubkey and you can have multiple device keys behind that pubkey. Something like this would be great IMO because it would shift the device-trust hustle to the user owning the devices. |
|
the problem is that sometimes you /do/ want to trust/distrust specific devices - hence the idea of cross-signing rather than having a formal hierarchy. But all options are still on the table here :) |
|
Is the requirement to be able to distrust other user's devices or is it enough to be able to distrust one of your own devices and your chatpartners stop encrypting for that device too? |
|
How is trusting devices based on other users any improvement from simply the user cross-verifying their other devices from their primary/verified deice? |
|
crosslinking to #2142 (general 'improve verification') |
|
One option would be to create a new intermediate permission level that corresponds to This could be exposed in the main Settings and Room Settings as, for example,
It could also be exposed the User Details sidebar USER OPTIONS section as, for example,
|
|
What's the current proposed solution for this? At the moment I've been using Matrix for about a year now and a huge advocate for it, I have my family, and a lot of my friends on it as well, however one thing that is a huge UX problem is that we basically have had to stop using verification completely since the most important thing for us is simply to encrypt our conversations, and it's a futile effort for us to do verification. If any on of us log into the web ui (Which we basically avoid as much as possible for the same reason - and just use our mobile devices), we get a new device id (as per design), after this happens if any of us contact each other we are displayed with the "Unverified device, verify, or use legacy verification" etc messages. At that point since it's a futile effort, we just click send anyway. Using only the mobile devices really limits the power of using Matrix and it has an extremely negative UX. Just thinking about logging out is problematic because it means that everyone will get an unverified message pop up which is really stressful for everyone involved. As what people said before, using a strategy similar to Signal or WhatsApp where people are alerted of a device change would definitely help. This would of course need to be added to |
|
This kills me too :( I hate it, my users hate it |
|
The proposed solution is matrix-org/matrix-spec-proposals#1756 and the implementation is currently being worked on. It has been implemented in matrix-js-sdk and synapse (pending review), but the UI part for riot-web still needs to be done, as well as implementation in riot-android and riot-ios. |
|
@uhoreg thanks for the reply! I'm looking forward to it :). |
|
Is there a place to follow the progression of the work on
|
|
The cross-signing project is tracked as a set of user stories. We use a custom dashboard to view the status of all issues in the project. (It requests approval to access your GitHub account because GitHub API request limits would not allow it to load otherwise.) |
|
Thanks a lot, it really shows the huge work for this. |
|
I think we can close this one now. |
At the moment we risk drowning users in unverified device warnings as per #2143, which is stupid given we can give some level of confidence that a new device should be trusted if it has been somehow cross-signed by a device that you already trust yourself.
The text was updated successfully, but these errors were encountered: