kriztan
/
blabber.im
12
34
Fork 12
Code Issues 96 Pull Requests 3 Releases 176 Wiki Activity
Labels Milestones
New Issue

Blind Trust Before Verification - Allow user to verify manually contact device fingerprint #640

Open
opened 3 months ago by andypl · 2 comments
andypl commented 3 months ago

General information

  • Version: 3.1.0 beta (2021-09-17)-playstore
  • Device: Pixel 5
  • Android Version: Android 12 (stock)
  • Server name: own domain on conversations.im
  • Pix-Art Messenger source: PlayStore Beta Channel,

Blabber has an Blind Trust Before Verification feature (BTBV).
How it works? Its described here https://gultsch.de/trust.html, TLDR version:

Automatically trust all new devices of contacts that haven’t been verified before, and prompt for manual confirmation each time a verified contact adds a new device.

This is working OK, but in my opinion verification of device fingerprints are not good implemented right now. Why?

Right now we have an only one option to verifing a contact device fingerprint - by scanning an QR Code. It works only in some cases and this create problems.

For example:

  1. If we text with a friend that is in another country, we are unable to meet him in place and scann qr code. We can send him in trusted channel (by email using openPGP - verified keys) screenshot of our qr code, but it genereate another problem. How he can scan it, if he have only one smartphone? QR Code scanner use back camera to scan it, so we must have a printed version of this code, or use another device to display it. Its stupid.
  2. If friend client can't generate this qrcode, we can't verify it.
  3. What if friend use an desktop client on a notebook or desktop computer? We must visit him, to veryfi this qrcode...it's stupid.
  4. Mix all of 1-3 scenario.

So how we can resolve this situations? I think that Blabber should be able to manually set device fingerprint status to veryfied.

My proposition is to replace button "Scan QR Code" with Verify contact fingerprint, when we touch this button a new view will appear and we have another two buttons: B1: Verify it by qrcode, B2: Verify it manually.
B1 will behave as existing Scan QR Code, and "Verify it manually" button will set Verified status on that device fingerprint.

#### General information * **Version:** 3.1.0 beta (2021-09-17)-playstore * **Device:** Pixel 5 * **Android Version:** Android 12 (stock) * **Server name:** own domain on conversations.im * **Pix-Art Messenger source:** PlayStore Beta Channel, Blabber has an Blind Trust Before Verification feature (BTBV). How it works? Its described here https://gultsch.de/trust.html, TLDR version: > Automatically trust all new devices of contacts that haven’t been verified before, and prompt for manual confirmation each time a verified contact adds a new device. This is working OK, but in my opinion verification of device fingerprints are not good implemented right now. Why? Right now we have an only one option to verifing a contact device fingerprint - by scanning an QR Code. It works only in some cases and this create problems. For example: 1. If we text with a friend that is in another country, we are unable to meet him in place and scann qr code. We can send him in trusted channel (by email using openPGP - verified keys) screenshot of our qr code, but it genereate another problem. How he can scan it, if he have only one smartphone? QR Code scanner use back camera to scan it, so we must have a printed version of this code, or use another device to display it. Its stupid. 2. If friend client can't generate this qrcode, we can't verify it. 3. What if friend use an desktop client on a notebook or desktop computer? We must visit him, to veryfi this qrcode...it's stupid. 4. Mix all of 1-3 scenario. So how we can resolve this situations? I think that Blabber should be able to manually set device fingerprint status to veryfied. My proposition is to replace button "Scan QR Code" with Verify contact fingerprint, when we touch this button a new view will appear and we have another two buttons: B1: Verify it by qrcode, B2: Verify it manually. B1 will behave as existing Scan QR Code, and "Verify it manually" button will set Verified status on that device fingerprint.
toxi commented 3 months ago

should be closed. this is no issue.

should be closed. this is no issue.
andypl commented 3 months ago
Poster

should be closed. this is no issue.

Of course it's an issue. Blabber user can't set device fingerprint status to verify in another way that scanning their qr code.

Dino or Gajm allow verifying fingerprint without scan qr code.

> should be closed. this is no issue. Of course it's an issue. Blabber user can't set device fingerprint status to verify in another way that scanning their qr code. Dino or Gajm allow verifying fingerprint without scan qr code.
Echolon added the
Enhancement
OMEMO/Encryption
 labels 2 months ago
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
old_master
Labels
Apply labels
Clear labels
Bug
Issues about bugs, error or stability Duplicate
This or a similar issue was already posted before Enhancement
Enhancement or feature request Git
Git version concerning Hardware
Issue is related to Hardware Help wanted
The developer asks everyone to help him out Invalid
The developer treats this issue as invalid or not being recognised in the development Low priority
Issue which is treated with less efforts that normal MUC
Related to MUC / group chat Need info
The developer ask for additional information. Please get back to it to help! OMEMO/Encryption
This issue is related to OMEMO or other encryptions Playstore
Playstore version concerning Priority
Issue which is treated with prioritised efforts Question
The developer or a user has raised a question UI
Related to visual appreance of the app (User Interface) Website
Issueas related to the website wontfix
This issue or request will not be fixed. Please respect XEP
This issue is related to a specific XEP
No Label Bug Duplicate Enhancement Git Hardware Help wanted Invalid Low priority MUC Need info OMEMO/Encryption Playstore Priority Question UI Website wontfix XEP
Milestone
Set milestone
Clear milestone
No items
No Milestone
Assignees
Assign users
Clear assignees
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Write Preview
Loading…
Cancel
Save
There is no content yet.
Delete Branch '%!s(MISSING)'

Deleting a branch is permanent. It CANNOT be undone. Continue?

No
Yes