corona-warn-app / cwa-wishlist

Central repository to collect community feature requests and improvements. CWA development ends on May 31, 2023. You can still warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Make validation status of vaccination certificate more obvious #586

Closed Ein-Tim closed 1 year ago

Ein-Tim commented 3 years ago

Current Implementation

Version 2.5 shows vaccination certificates with a blue background, regardless if 14 days since the last shot have passed or if all required doses were received.

Suggested Enhancement

Show a grey background for vaccination certificates, which are not valid yet because a) not all shots were received (only 1 out of 2 shots) b) 14 days have not yet passed.

A grey background was shown in version 2.3 & 2.4.

Expected Benefits

Users can easier see whether their certificate(s) are already valid or not.

Additional information

I'm doing this report based on feedback from Twitter users, but I personally also see room for improvement here.


Internal Tracking-ID: EXPOSUREAPP-8487
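The two conditions the issue uses to decide between the grey and the blue background (all required doses received, and 14 days since the last shot passed) written out as a small classifier. This is an added example, not code from the Corona-Warn-App: it assumes EU DCC-style vaccination fields dn/sd/dt as plain struct members, and it reads "14 days have passed" as at least 14 full calendar days since the date of the last dose; both are assumptions marked in the comments.

```go
package main

import (
	"fmt"
	"time"
)

// Status is the display state discussed in the issue: grey while the certificate
// is not valid yet, blue once vaccination protection is complete.
type Status string

const (
	StatusNotYetValid Status = "grey: not yet valid"
	StatusValid       Status = "blue: fully vaccinated"
)

// waitingPeriodDays is the 14-day period the issue refers to. "Passed" is read here
// as "at least 14 full calendar days since the date of the last shot"; that reading
// is an assumption of this example, not a rule taken from the app.
const waitingPeriodDays = 14

// Vaccination carries the three EU DCC vaccination fields the rule needs; the
// field names dn/sd/dt are assumed for this example and noted per member.
type Vaccination struct {
	DoseNumber  int    // dn: dose number this certificate documents
	SeriesDoses int    // sd: doses required for a complete series
	Date        string // dt: date of this dose, YYYY-MM-DD
}

// Classify returns the display status and a human-readable reason, or an error for
// data that cannot be classified. Both conditions from the issue are checked: all
// doses received, and the waiting period since the last shot elapsed. Days are
// counted on UTC calendar dates so the result does not flip with the time of day.
func Classify(v Vaccination, now time.Time) (Status, string, error) {
	if v.SeriesDoses <= 0 || v.DoseNumber <= 0 {
		return "", "", fmt.Errorf("invalid dose counts dn=%d sd=%d", v.DoseNumber, v.SeriesDoses)
	}
	shot, err := time.Parse("2006-01-02", v.Date)
	if err != nil {
		return "", "", fmt.Errorf("bad vaccination date %q: %w", v.Date, err)
	}
	// a) not all shots received yet (e.g. 1 of 2); a booster (dn > sd) counts as complete
	if v.DoseNumber < v.SeriesDoses {
		return StatusNotYetValid, fmt.Sprintf("only %d of %d doses received", v.DoseNumber, v.SeriesDoses), nil
	}
	// b) the waiting period since the last shot has not passed yet
	today := now.UTC().Truncate(24 * time.Hour)
	elapsed := int(today.Sub(shot).Hours() / 24)
	if elapsed < 0 {
		return "", "", fmt.Errorf("vaccination date %s lies in the future", v.Date)
	}
	if elapsed < waitingPeriodDays {
		return StatusNotYetValid, fmt.Sprintf("%d of %d days since the last shot", elapsed, waitingPeriodDays), nil
	}
	return StatusValid, fmt.Sprintf("%d/%d doses, %d days since the last shot", v.DoseNumber, v.SeriesDoses, elapsed), nil
}

func main() {
	now := time.Date(2021, 7, 20, 9, 0, 0, 0, time.UTC) // constructed "today"
	for _, v := range []Vaccination{
		{1, 2, "2021-07-01"}, // first of two shots
		{2, 2, "2021-07-10"}, // series complete, but only 10 days ago
		{2, 2, "2021-07-06"}, // series complete, exactly 14 days ago
		{1, 1, "2021-06-01"}, // single-dose vaccine, long complete
		{2, 2, "2021-08-01"}, // date in the future: rejected
	} {
		s, why, err := Classify(v, now)
		fmt.Printf("%+v -> %s (%s) err=%v\n", v, s, why, err)
	}
}
```

Returning the reason string alongside the status is what makes the "why is it grey" question answerable in the UI; the boundary cases (exactly 14 days, a booster beyond the series length, a future or malformed date) are the ones worth testing before shipping a colour rule like this.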

DirkBaumeister commented 3 years ago

In addition to this suggestion, I would recommend adding a string to the page where the QR code is shown, similar to what the German "CovPass" app does if you are fully vaccinated:

[Screenshot: CovPass-App_Handyansicht]

Here it shows "Vollständiger Impfschutz".

jucktnich commented 3 years ago

I think that if there's no way to tell whether a certificate is full, you may encourage users to scan the QR code.

DirkBaumeister commented 3 years ago

On the one hand I think you are right; on the other hand, it's also a security risk if everyone has to scan it and not only official authorities like airports etc., because anyone could simply duplicate your QR code. Therefore, in my opinion, the screen should show such visual information for "less critical" locations like restaurants etc. This is also the recommendation of the German government: "Let it only be scanned by official authorities".

jucktnich commented 3 years ago

@DirkBaumeister If the QR code doesn't get scanned, you have no problem faking it. I bet I could do this in under 5 min. Scanning the QR code to validate it is absolutely essential.

jucktnich commented 3 years ago

@DirkBaumeister Do you really think, there are so many other guys out there with exactly the same name and DoB?

DirkBaumeister commented 3 years ago

> @DirkBaumeister Do you really think, there are so many other guys out there with exactly the same name and DoB?

It's less my concern that anyone could use my certificate for himself. It's more that the certificate contains sensitive information like first name and surname paired with your birth date. This information is more than sufficient to gather more information about you and fake an identity. Therefore it's recommended that not everyone in any place has to scan the certificate.

Ein-Tim commented 3 years ago

@DirkBaumeister

Could you share the source where you found this recommendation?

DirkBaumeister commented 3 years ago

> @DirkBaumeister
>
> Could you share the source where you found this recommendation?

Okay, I can't find an official recommendation of the government at the moment, so I might be wrong on this one. But here is a German report which describes the "issue": https://www.t-online.de/digital/id_90225294/covpass-diesen-qr-code-sollten-sie-lieber-nicht-verbreiten.html

Quote from Holger Bleich of the German computer magazine c't: "Bleich's advice: use the certificate rather for official occasions such as travel or at border crossings. In everyday life, a sceptical question sometimes helps: 'If someone at the beer garden checks the vaccination status, I would have them show me that it really is the check app,' says Bleich."

Ein-Tim commented 3 years ago

@DirkBaumeister

I would also recommend always ensuring that CovPassCheck, and not another wallet app (which can store the certificate), is used. But it's definitely not recommended from the official side to not check the certificates with CovPassCheck. At the moment the Corona-Warn-App does not have signature checks, so I could import any certificate into the app and prove that I'm fully vaccinated although I'm not.

In fact, this is the way a vaccination certificate should be checked.

  1. Open your wallet app and take out your ID card.
  2. Show the QR code to the person who checks the vaccination status.
  3. Make sure they use CovPassCheck.
  4. Show your ID card so that they can see that you are the owner of the vaccination certificate.

This is the only way for the person who checks the certificates to be 100% sure that everything is OK, that the certificate has a valid signature & wasn't revoked, and that the certificate actually belongs to the person who showed it to them.

DirkBaumeister commented 3 years ago

> @DirkBaumeister
>
> I would also recommend always ensuring that CovPassCheck, and not another wallet app (which can store the certificate), is used. But it's definitely not recommended from the official side to not check the certificates with CovPassCheck. At the moment the Corona-Warn-App does not have signature checks, so I could import any certificate into the app and prove that I'm fully vaccinated although I'm not.
>
> In fact, this is the way a vaccination certificate should be checked.
>
>   1. Open your wallet app and take out your ID card.
>   2. Show the QR code to the person who checks the vaccination status.
>   3. Make sure they use CovPassCheck.
>   4. Show your ID card so that they can see that you are the owner of the vaccination certificate.
>
> This is the only way for the person who checks the certificates to be 100% sure that everything is OK, that the certificate has a valid signature & wasn't revoked, and that the certificate actually belongs to the person who showed it to them.

Yeah, I agree with you :) But do you think that a more obvious, visual display of the vaccination status would interfere with the correct way of checking the certificate?

Ein-Tim commented 3 years ago

> @DirkBaumeister
>
> But do you think that a more obvious, visual display of the vaccination status would interfere with the correct way of checking the certificate?

I think the correct way has to be found here. On the one hand, the user wants to know when their vaccination protection is full and they can use the certificate, but on the other hand, if everything is shown at first glance, it'll surely discourage people from using the CovPassCheck app.

But that's off topic here, what I definitely think is that there should be a visible difference between fully protected and not yet fully protected through a vaccination (Blue/Gray, as described in the OP).

jucktnich commented 3 years ago

People won't check that they have to scan the certificate until there's really no other possibility for them. Just see all the articles in the media about the "security flaws".

jucktnich commented 3 years ago

I'd suggest generating a new code, which contains a timestamp and is signed via a key in the certificate, every time you show the certificate. But this would be something for a new issue and would need a new version of the EU COVID certificate spec.
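Ein-Tim's four checking steps earlier in the thread (issuer signature, revocation, and matching name and date of birth against the ID card) and the timestamped, holder-signed per-display code proposed in this comment, modelled together in one added Go example. This is not code from CovPassCheck, the Corona-Warn-App or the EU DCC specification: the certificate is a constructed JSON stand-in for the real CBOR/COSE structure, the field names, the holder-key fields hx/hy and the revocation list are assumptions made for illustration, and the issuer and holder keys are generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Certificate is a constructed, simplified stand-in for a vaccination certificate
// payload (real ones are CBOR/COSE; the JSON field names are illustrative). hx/hy
// hold a hypothetical holder public key (P-256 coordinates, hex) for the proposal below.
type Certificate struct {
	ID      string `json:"ci"`
	Name    string `json:"nam"`
	DOB     string `json:"dob"`
	Doses   int    `json:"dn"`
	Series  int    `json:"sd"`
	HolderX string `json:"hx,omitempty"`
	HolderY string `json:"hy,omitempty"`
}

// NewKey generates a P-256 key; used here for both the issuer and the holder.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func digest(msg []byte) []byte            { h := sha256.Sum256(msg); return h[:] }
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(msg))
}
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(msg), sig)
}

// Issue is the signing authority's step: serialize the certificate and sign the exact bytes.
func Issue(issuer *ecdsa.PrivateKey, c Certificate) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	sig, err = sign(issuer, payload)
	return payload, sig, err
}

// Check does what a check app must do and a wallet display cannot: verify the issuer
// signature, consult the revocation list, compare name and date of birth with the ID shown.
func Check(payload, sig []byte, issuerPub *ecdsa.PublicKey, revoked map[string]bool, idName, idDOB string) (Certificate, error) {
	var c Certificate
	if !verify(issuerPub, payload, sig) {
		return c, errors.New("issuer signature invalid: certificate forged or altered")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if revoked[c.ID] {
		return c, errors.New("certificate revoked")
	}
	if c.Name != idName || c.DOB != idDOB {
		return c, errors.New("certificate does not belong to the person presenting it")
	}
	return c, nil
}

// Presentation is the per-display code proposed in the thread: the holder signs certificate
// id plus timestamp with a key bound into the certificate, so a copied static QR code fails.
type Presentation struct {
	CertID string
	Unix   int64
	Sig    []byte
}

func presentationBytes(certID string, unix int64) []byte {
	return []byte(fmt.Sprintf("%s|%d", certID, unix))
}

// Present is the wallet side: a fresh signed code each time the certificate is shown.
func Present(holder *ecdsa.PrivateKey, certID string, now time.Time) (Presentation, error) {
	sig, err := sign(holder, presentationBytes(certID, now.Unix()))
	return Presentation{CertID: certID, Unix: now.Unix(), Sig: sig}, err
}

// CheckPresentation is the check-app side, run after Check has accepted the certificate:
// verify the holder signature with the certificate's key and reject stale timestamps.
func CheckPresentation(p Presentation, c Certificate, now time.Time, maxAge time.Duration) error {
	x, okX := new(big.Int).SetString(c.HolderX, 16)
	y, okY := new(big.Int).SetString(c.HolderY, 16)
	if !okX || !okY {
		return errors.New("certificate carries no holder key")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	if p.CertID != c.ID || !verify(pub, presentationBytes(p.CertID, p.Unix), p.Sig) {
		return errors.New("presentation not signed by the certificate holder")
	}
	if age := now.Sub(time.Unix(p.Unix, 0)); age > maxAge || age < -maxAge {
		return errors.New("presentation timestamp outside the freshness window")
	}
	return nil
}
```

The split between Check and CheckPresentation mirrors the two weaknesses the thread discusses: a wallet that only renders the QR code never runs Check, so an imported forgery looks like any other certificate, and a static code that passes Check can still be a copy of someone else's, which is what the holder-signed, time-bounded presentation closes. The freshness window is a trade-off between clock skew between the two phones and how long a captured code stays replayable.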

DasEtwas commented 3 years ago

> @DirkBaumeister
>
> But do you think that a more obvious, visual display of the vaccination status would interfere with the correct way of checking the certificate?
>
> I think the correct way has to be found here. On the one hand, the user wants to know when their vaccination protection is full and they can use the certificate, but on the other hand, if everything is shown at first glance, it'll surely discourage people from using the CovPassCheck app.
>
> But that's off topic here, what I definitely think is that there should be a visible difference between fully protected and not yet fully protected through a vaccination (Blue/Gray, as described in the OP).

A visual emphasis (green colors, maybe a text label) stating that protection is full would be appreciated by me and several users I talked to. Just my 2p. Thank you.

soerface commented 3 years ago

I agree with @Ein-Tim - it happened only once to me that someone actually scanned the code. No one has yet compared the data with my identity card. They just touch my phone and scroll down to the blue checkmark and maybe read my name.

If people are not forced to scan the code, they won't do it. And with the new 2G instead of 3G rule coming up, there will be apps faking the vaccination status for sure.

Regarding making the vaccination state more obvious: how about not displaying the QR code at all when it is not valid? Replace it with a red "x" along with a message that you have to wait for a few more days / get your second shot.

AlexVonB commented 3 years ago

Hi all,

I got asked multiple times if my certificate is really valid. The general public seems to use the CovPass app, which displays "Vollständiger Impfschutz" above the QR code. The CWA does not have a similar text, so the people checking the 3Gs are confused. I had to click on the certificate, scroll down to "2/2" and show it. A friend was even denied entry into a university library because she used the CWA, not the CovPass app, and did not have the "Vollständiger Impfschutz" string. The gray/blue scheme does not seem to be hint enough or is not known.

I absolutely know the code should be scanned, but in daily use the checking people don't want to waste time and just want to see the magic words...

Best! Alex

dsarkar commented 3 years ago

Hi @AlexVonB, thanks for the feedback. In a future release there will be a text above the QR code, explaining how to verify the certificate.

See e.g. https://github.com/corona-warn-app/cwa-app-ios/pull/3556


Corona-Warn-App Open Source Team

Ein-Tim commented 1 year ago

As the CWA project went into ramp-down mode, I don't expect this feature to be implemented. I'm therefore closing this issue.