Inconsistent E2EE iconography

[HarHarLinks]

Steps to reproduce

1. enable labs new room headers on develop.element.io
2. e.g. view a DM with someone you've xsigned but who has a new yet unverified device

Outcome

What did you expect?

What happened instead?

An issue is that

• verification use the shield iconography
• this circled ! icon is already used for something else: to show that a message couldn't be sent

Operating system

arch

Browser information

Firefox 117

URL for webapp

develop.element.io

Application version

Element version: 22f2b1f9e9df-react-54fa9a572e1c-js-02ca5c78cf4e Olm version: 3.2.14

Homeserver

matrix.org

Will you send logs?

Yes

[weeman1337]

Not sure if this is a bug or a feature :wink:

I would expect a shield there but designs also say circle/exclamation

Pinged design to have a look at it.

[americanrefugee]

@weeman1337 The "!" inside a circle is indeed the correct icon. Some context...

• We are trying to get rid of / replace the shield icons everywhere because they combine two separate concepts (encryption + verification) and are therefore confusing or misleading
• For verified status, we should use the new Verified icon
• For any critical errors that the user can or must take action on, always use the Error icon
  • In this case, the other user was previously verified. So, we display an Error icon to inform the user that the other user is no longer verified and must be verified again since the encryption keys changed
  • An Error icon may also be used in other contexts

@nadonomy and @janogarcia Do you have any objections?

[weeman1337]

Thanks @americanrefugee . Closing the issue because it is not a bug.

[germain-gg]

@weeman1337 Sorry, reopening as this raises a different question. We're changing some of the iconography related to E2E and this is probably a good issue to track this and ensure we do not have inconsistencies in the rolling out plan of this change.

We'll discuss this internally on Thursday

[HarHarLinks]

That explains things, thank you.

You've probably considered this, but

critical errors that the user can or must take action on

what action is the user supposed to take? Inform the other user that they've an unverified device?

I'm surprised it's using the generic icon and not a red version of the new verified icon, which makes it hard to distinguish between some error vs the trust state at a glance.

[americanrefugee]

@HarHarLinks

On the action that the user should take:

• They must verify the other user again (since we can no longer guarantee the other user's authenticity)

On using a generic icon vs. a red version of the verified icon:

• We can't rely on color alone to communicate something for accessibility reasons
• That's why it's important to use a distinct icon that signifies "something is wrong" in addition to the color

To clarify... You had difficulty distinguishing between a green checkmark in a multi-pointed star (verified) vs. an "!" inside a red circle (error)? Or rather you weren't expecting the change of icon altogether?

[HarHarLinks]

They must verify the other user again (since we can no longer guarantee the other user's authenticity)

Wait, what? That's not how this works!

I mean, I guess one could do that, but really the other user should cross-sign their new device/session! ....if that client supports cross-signing.... which leads me to the fact that this will just keep being red shields generic error icons for those of us who try different clients now and then.

To clarify...

With only a single generic error icon, I know have difficulty distinguishing between an "actual" error where something in this room is not working vs it "just" being that the other person has been trying out some client that can't cross-sign yet. (Partially, I've been trained by the last 6 years of using Element/Riot what the shield icon means, so I'm not sure how heavy to weigh this argument.)

[americanrefugee]

Some context @HarHarLinks ...

• The red critical error in this case would be very rare, and is the one special case @pmaier1 and I identified ages back. You're correct about how the other user should cross-sign their new devices. In the future I believe we even want to make this mandatory before being able to read/send messages. However, if the other user you previously verified signs out everywhere and looses access to / didn't save their recovery key, then they would have to reset their encryption keys. And since you cared enough to verified them in the first place, you would likely want to know about that as this could be an intruder.

• We will use a gray Info icon in pretty much all other cases to identify things like "unable to decrypt". So, you shouldn't see red Error icons everywhere :)

Does that make sense / help?