Blind Trust Before Verification - Allow user to verify manually contact device fingerprint #640

Open
opened 3 months ago by andypl · 2 comments
andypl commented 3 months ago

General information

  • Version: 3.1.0 beta (2021-09-17)-playstore
  • Device: Pixel 5
  • Android Version: Android 12 (stock)
  • Server name: own domain on conversations.im
  • Pix-Art Messenger source: PlayStore Beta Channel

Blabber has a Blind Trust Before Verification (BTBV) feature.
How does it work? It's described here: https://gultsch.de/trust.html. TL;DR version:

> Automatically trust all new devices of contacts that haven’t been verified before, and prompt for manual confirmation each time a verified contact adds a new device.

This is working OK, but in my opinion verification of device fingerprints is not well implemented right now. Why?

Right now we have only one option for verifying a contact's device fingerprint: scanning a QR code. It works only in some cases, and this creates problems.

For example:

  1. If we text with a friend who is in another country, we are unable to meet him in person and scan the QR code. We can send him a screenshot of our QR code over a trusted channel (by email using OpenPGP with verified keys), but this generates another problem. How can he scan it if he has only one smartphone? The QR code scanner uses the back camera, so we must have a printed version of the code or use another device to display it. It's stupid.
  2. If the friend's client can't generate this QR code, we can't verify it.
  3. What if the friend uses a desktop client on a notebook or desktop computer? We must visit him to verify this QR code... it's stupid.
  4. A mix of scenarios 1-3.

So how can we resolve these situations? I think that Blabber should be able to manually set a device fingerprint's status to verified.

My proposal is to replace the "Scan QR Code" button with "Verify contact fingerprint". When we touch this button, a new view will appear with two more buttons: B1: "Verify it by QR code", B2: "Verify it manually".
B1 will behave like the existing "Scan QR Code", and the "Verify it manually" button will set the Verified status on that device fingerprint.


should be closed. this is no issue.

Poster

> should be closed. this is no issue.

Of course it's an issue. A Blabber user can't set a device fingerprint's status to verified in any way other than scanning its QR code.

Dino or Gajim allow verifying a fingerprint without scanning a QR code.

Echolon added the Enhancement and OMEMO/Encryption labels 2 months ago
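
The BTBV rule quoted in the issue and the requested manual path, modelled as an added example (not Blabber's code and not written by any participant in this thread). It goes one step beyond the proposed button by assuming the user enters the fingerprint received over the trusted channel, so the status changes only on a match; the class and method names are hypothetical, and the 64-hex-character fingerprint format is an assumption.

```python
import hmac
from enum import Enum

class Trust(Enum):
    BLIND = "trusted blindly"   # auto-trusted, nothing verified for this contact yet
    UNDECIDED = "undecided"     # new device of a verified contact: user must decide
    VERIFIED = "verified"

def normalize(fp: str) -> str:
    """Drop grouping characters and case so displayed and typed forms compare equal."""
    digits = "".join(c for c in fp if c not in " :-\t\n").lower()
    if len(digits) != 64 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("expected a 32-byte fingerprint as 64 hex characters")
    return digits

class Contact:
    def __init__(self):
        self.devices = {}  # normalized fingerprint -> Trust

    def add_device(self, fp: str) -> Trust:
        fp = normalize(fp)
        has_verified = Trust.VERIFIED in self.devices.values()
        # BTBV: blind trust only while no device of this contact has been verified.
        self.devices.setdefault(fp, Trust.UNDECIDED if has_verified else Trust.BLIND)
        return self.devices[fp]

    def verify_manually(self, fp_in_app: str, fp_out_of_band: str) -> bool:
        """Set VERIFIED only if the out-of-band value matches the device the app holds."""
        shown = normalize(fp_in_app)
        if shown not in self.devices:
            raise KeyError("unknown device")
        if not hmac.compare_digest(shown, normalize(fp_out_of_band)):
            return False  # mismatch: leave the trust state untouched
        self.devices[shown] = Trust.VERIFIED
        return True

    def may_encrypt_to(self, fp: str) -> bool:
        return self.devices.get(normalize(fp)) in (Trust.BLIND, Trust.VERIFIED)

if __name__ == "__main__":
    phone, laptop = "aa" * 32, "cc" * 32   # constructed sample fingerprints
    friend = Contact()
    print(friend.add_device(phone))        # first device: trusted blindly
    # Fingerprint received by OpenPGP mail, grouped and upper-cased by the sender.
    mailed = " ".join(phone[i:i + 8] for i in range(0, 64, 8)).upper()
    print(friend.verify_manually(phone, mailed))
    print(friend.add_device(laptop))       # contact is verified now: needs a decision
```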