Open hpk42 opened 1 year ago
Probably makes sense. The "Saved Messages" chat does contain unencrypted emails sent to self by classical email clients, but since we allow protected verified chats to contain unencrypted outgoing emails, in general, the "Saved Messages" chat does satisfy the rules we set for verified chats.
Some things to decide here:
Do we want to show the "Messages are guaranteed to be end-to-end encrypted from now on." message at the top of the chat? I tend to say yes.
I would say no, this introduces a lot of questions, e.g. what to do if the user already has a chat and updates, what if there is currently no chat, when it appears if one device has this chat and the other does not.
Unlike 1:1 chats saved messages chat never becomes verified, it is verified from the start and can never become unverified, so there is no point in time where this message should appear.
Does WhatsApp add such message to the chat with self?
WhatsApp doesn't have a dedicated chat with self, you have to create a group with another member and then remove them if you want a chat with yourself. If you do, then yes, there is the "Messages are end-to-end encrypted..." message at the top, though not sure if that counts.
> I would say no, this introduces a lot of questions, e.g. what to do if the user already has a chat and updates, what if there is currently no chat, when it appears if one device has this chat and the other does not.
That's a point, not adding it would probably make our lives easier.
> WhatsApp doesn't have a dedicated chat with self, you have to create a group with another member and then remove them if you want a chat with yourself.
FAQ says you can just open a 1:1 chat with yourself: https://faq.whatsapp.com/1785465805163404/
Interesting, that wasn't possible when I checked last.
> Does WhatsApp add such message to the chat with self?
Yes:
This is some special message, I think it is different from what we say ("messages are guaranteed to be encrypted from now on", implying that they were somehow not guaranteed to be encrypted before which is not true for saved messages). We could add some info message like this when saved messages chat is first created, but not worth the effort IMO, easier to just add a blue checkmark and close this issue.
On Tue, Jul 25, 2023 at 01:16 -0700, link2xt wrote:
> This is some special message, I think it is different from what we say ("messages are guaranteed to be encrypted from now on", implying that they were somehow not guaranteed to be encrypted before which is not true for saved messages). We could add some info message like this when saved messages chat is first created, but not worth the effort IMO, easier to just add a blue checkmark and close this issue.
yes, i think it's sufficient to just mark it as verified and not add any message.
What about the case where someone uses webmail to send a message to DC (or vice versa)? It's a pretty rare case and maybe we could indeed just open a group then instead of degrading verification of "saved messages"? Or maybe we don't degrade and just show the typical "this message is not encrypted ..." message?
> What about the case where someone uses webmail to send a message to DC (or vice versa)?
If we just follow the same rules as in other chats, then they are allowed in the verified chat:
So, probably it's fine to just continue showing them in Saved Messages without degrading or showing any warning.
K, thanks for clarifying -- so nothing speaking against marking saved messages chat as verified then.
On Tue, Jul 25, 2023 at 06:07 -0700, Hocuri wrote:
> > What about the case where someone uses webmail to send a message to DC (or vice versa)?
> If we just follow the same rules as in other chats, then they are allowed in the verified chat:
> So, probably it's fine to just continue showing them in Saved Messages without degrading or showing any warning.
let's see if someone other than me really cares about "saved messages" and green checkmarks.
Closing the somewhat stale issue until then.
> // 1. They can't be an attack (they are outgoing, not incoming)
But actually they can if the server is hacked. I think, displaying an error like a red exclamation mark would be ok for unencrypted saved messages.
EDIT: A more realistic reason to add smth more noticeable than just absence of padlock is that if the user's account is stolen, the attacker can send unencrypted messages to Saved Messages.
Let's reopen this, actual users report that they did not know that messages were encrypted until looking into the info.
> > // 1. They can't be an attack (they are outgoing, not incoming)
> But actually they can if the server is hacked. I think, displaying an error like a red exclamation mark would be ok for unencrypted saved messages.
> EDIT: A more realistic reason to add smth more noticeable than just absence of padlock is that if the user's account is stolen, the attacker can send unencrypted messages to Saved Messages.
I fail to come up with a scenario where it would be beneficial for an attacker to add a message to Saved Messages.
What might be more of a problem is that an attacker could add an outgoing text to a 1:1 chat, e.g. "For the record, thanks that you gave me back the 200€ you owed me" (with a date of four months ago so that the user doesn't really remember). Then, ask the user to check the chat, in order to trick them into thinking that they received the 200€. But this problem is separate from whether we'll mark Saved Messages as verified.
> I fail to come up with a scenario where it would be beneficial for an attacker to add a message to Saved Messages.
E.g. i often save some URLs to Saved Messages (w/o any additional text), then if i don't notice absence of the padlock, i could be phished. I don't suggest to change the chat protection state to "broken", but displaying a red exclamation mark as we do for errors isn't difficult and may be helpful.
EDIT: The only problem if it's actually the user's message sent from another MUA. But if it doesn't have the "Chat-Version" header, maybe it's better to move it to a separate chat?
> maybe it's better to move it to a separate chat?
I don't think that would be good, the message will not have a padlock, so that would hint you that this was sent by you in a webmail/classic-client or can't be trusted/wasn't you, the red exclamation mark might make sense or if we switch from showing a padlock to showing some red sign when message is unencrypted, then it would be more obvious the message can't be trusted
since any message you sent there from delta chat will be encrypted, I think showing the banner for verified chats there is an improvement and better than the current behavior
Yes, the current "no padlock" approach is too unnoticeable, i see these padlocks so often so even i stopped to pay attention to them, so what we can say about ordinary users. Btw, currently outgoing messages are all green, for unencrypted messages in verified chats another color may be used, but only as an additional measure.
ftr, there are ideas around for switching the encryption signal to show "the flaw", not "the feature", that would also improve the situation where an attacker could add a message to the "saved messages" chat and user thinks it was themself. still, also today, this is not invisible, and we agreed that this is a pretty special case anyways
so, as this was requested for quite some time, the advantage of showing "Saved-Messages as verified" seems to be clearly the bigger advantage (btw, also you might be scared to "forward" things there from "guaranteed", thinking it is weaker)
let's move forward, add the icon and get real user feedback :) -- and add some test when creating/recreating the saved-messages-chat
if sth. happens, it happens out there :)
For consistency it makes sense to show saved-messages as verified. With @hocuri's recent work merged i'll see a lot of 1:1 verified chats, pretty nice ;) Am using a pre-release for android (gplay-test-release use with care: https://download.delta.chat/android/beta/deltachat-gplay-release-1.38.2-verifiedchats.apk ) and also core main on desktop.