signalapp / Signal-Android

A private messenger for Android.
https://signal.org
GNU Affero General Public License v3.0

An alternative to the painful plaintext key comparison #1459

Closed SafwatHalaby closed 9 years ago

SafwatHalaby commented 10 years ago

Humans are better at comparing images than comparing a long string. Currently, the latter is used in TextSecure, and it's very inconvenient.

My proposal is to be inspired by Telegram, here is how Telegram users compare their shared key:

[Image: key_image]

Important: If we take that path, there is one problem which Telegram didn't resolve and we should - Users often compare their key visualizations over an insecure channel. The most common way is for them to take a screenshot of the key visualization and then send it via Telegram itself. This defeats the purpose of key visualizations, because Telegram should be considered an insecure channel until the keys are compared outside of it.

The solution is just a simple message like: "Please compare your key visualizations in real life / over a secure channel, never compare your key visualization via TextSecure itself"

tinloaf commented 10 years ago

What are the advantages of this approach over the (already existing) possibility of comparing QR codes? Both only work if you're in the same place, but I think comparing QR codes is a lot easier and more precise than this.

SafwatHalaby commented 10 years ago

Simplicity. It may not matter that much for you, but most people aren't tech guys and they have zero tolerance, you want the app as simple as possible. If a feature makes granny run away, that feature isn't simple enough. QR codes would make granny run away.

SafwatHalaby commented 10 years ago

Regarding precision, I think the human eye is precise enough for this.

SafwatHalaby commented 10 years ago

As a matter of fact, I've witnessed my friends comparing Telegram pics countless times. But when it came to TextSecure, everyone compares the strings and not once have I seen a usage of the barcodes.

I don't know what's the underlying psychological/technical/social reason here, but barcodes are too not mainstream and few use them. On the other hand, comparing an image is rather straightforward.

tinloaf commented 10 years ago

The reason why people compare the Telegram pictures, but not the TS QR-codes, may simply be the fact that people don't find them. In TS, they are hidden away in some menu, while Telegram displays them directly (just as Threema does with their QR codes). I think TS should display them in an easier way rather than hiding some more fingerprint-to-picture options in the same menu.

@corbett mentioned on the mailing list that they are working on an overhaul of the "contact view" in TS (or was that only related to iOS?), and if this gets somewhere near what Threema does, I would be very happy with it.

mcginty commented 10 years ago

There are a couple of ways people will actually verify identity fingerprints, but now we'll focus on the two most common that I know of: in person, or via voice on a side channel (phone call means you can recognize their voice and personality).

Like @tinloaf, I believe the reason QR codes aren't used is because they're not easy or obvious in TextSecure right now, but if we make it fast and convenient it's both more efficient and more accurate than telling people to take care of something essentially made for computer vision. The human eye is good at visuals, yes, but is much better at object detection and other things that are more biologically important than exact comparisons of square colors.

With @corbett, we've been putting together various prototypes for identity verification, and are currently leaning toward a poem in the style of madlibs (see https://github.com/mcginty/TextSecure/tree/mnemonic-poem for the prototype) along with a truncated hash of the full public key. Here's a hint for what that might look like:

[Image: screenshot]
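The idea described in the comment above, a madlibs-style phrase derived from the public key shown next to a truncated hash, as an added sketch. This is not code from the thread or from the linked prototype branch; the word lists, sentence template, SHA-256 choice and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed word lists: 16 entries each, so every word carries 4 bits.
ADJ = ["amber", "brave", "calm", "dusty", "eager", "faint", "gentle", "hollow",
       "icy", "jolly", "keen", "lively", "mellow", "noble", "odd", "proud"]
NOUN = ["anchor", "bridge", "candle", "dragon", "eagle", "forest", "garden",
        "harbor", "island", "jungle", "kettle", "lantern", "meadow", "needle",
        "orchard", "pebble"]
VERB = ["admires", "builds", "carries", "draws", "enters", "follows", "guards",
        "hides", "invites", "joins", "keeps", "lifts", "moves", "names",
        "opens", "paints"]
# One line reads "The {adj} {noun} {verb} the {adj} {noun}".
TEMPLATE = [ADJ, NOUN, VERB, ADJ, NOUN]

# Constructed stand-in for a 32-byte identity public key.
SAMPLE_KEY = bytes(range(32))


def fingerprint_digest(public_key: bytes) -> bytes:
    """Hash of the full public key; both renderings derive from it."""
    return hashlib.sha256(public_key).digest()


def mnemonic(public_key: bytes, lines: int = 4) -> list[str]:
    """Render the leading digest nibbles as fixed-template sentences."""
    digest = fingerprint_digest(public_key)
    nibbles = [n for b in digest for n in (b >> 4, b & 0x0F)]
    poem = []
    for i in range(lines):
        chunk = nibbles[i * len(TEMPLATE):(i + 1) * len(TEMPLATE)]
        a, n, v, a2, n2 = (words[x] for words, x in zip(TEMPLATE, chunk))
        poem.append(f"The {a} {n} {v} the {a2} {n2}")
    return poem


def short_hash(public_key: bytes, hex_chars: int = 16) -> str:
    """Truncated hex digest displayed alongside the phrase."""
    return fingerprint_digest(public_key).hex()[:hex_chars]


def entropy_bits(lines: int = 4) -> int:
    """Digest bits the phrase actually covers; what an attacker must match."""
    return lines * sum(len(words).bit_length() - 1 for words in TEMPLATE)


if __name__ == "__main__":
    print("\n".join(mnemonic(SAMPLE_KEY)))
    print(short_hash(SAMPLE_KEY), f"({entropy_bits()} bits in the phrase)")
```

With these toy lists, four lines cover only 80 bits of the digest; larger word lists or more lines raise that figure, at the cost of a longer phrase to read aloud.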

mcginty commented 10 years ago

This doesn't include any of the notes on moving toward a contact profile page or simplifying the QR path, and I also would like to see the word "fingerprint" go away since I don't think it carries well to people outside the security community.

corbett commented 10 years ago

I think simplifying the QR path would be good as well - that's a decent takeaway. We'll also be doing a pilot usability study of some of these ideas and potentially do an online one as well.

I'm not sure about alternatives, I have always thought of a fingerprint as a "cryptographic avatar" but that also is a bit creepy sounding.

c


tinloaf commented 10 years ago

How about just calling it an 'identity'? Because that's really what it is in a way, and "confirm identity" would pretty much tell the user what he's doing.

I like the mockup from @mcginty / @corbett - couldn't you just add a second "or" line and put the QR code beneath it? Sure, you would have to scroll then, but at least everyone would instantly see that it's there...

corbett commented 10 years ago

Yes, that is certainly an option.

I'm not so sure "confirm identity" conveys anything to the user if they don't know why they have to take this additional step, and whether they are "doing something completely wrong", which is a natural feel if they don't. It's not clear at all to someone who isn't familiar, IMHO. So this is really a non-trivial concept to convey why they might want to take this extra step, and how things work if they don't.


Bastelbursche commented 10 years ago

In the German translation, we have almost all terms of this kind reduced to the word "key". On the technical side, it is not right. Nevertheless, it works from the understanding (in German?) best.

Everyone knows or can guess at least that I need a key to encrypt (German: Schlüssel / Verschlüsselung). It seems almost as well be that the review of the key therefore makes communication more secure.

Maybe that is also an option for the English language.

mcginty commented 10 years ago

:+1: to @corbett's sentiment. To keep this conversation on the right path, let's start from the ultimate goal of confirming fingerprints match: to verify identity and confirm that the session is directly between yourself and that identity without any middlepeople. It's almost like confirming that the "line isn't bugged" to pull out some 60's spy movie terminology.

So far I've thought about using terminology like "double-check," "confirm," or even "guarantee" in order to stay away from suggesting that you're doing something wrong by not validating fingerprints. Even making it a bit of a game by calling it a "stamp of security" or something (with a full explanation in a help button of course) might be a decent direction.

jeremymasters commented 10 years ago

"verify"? "approve"? "cone of silence"?

SafwatHalaby commented 10 years ago

I actually like the Mnemonic method more than Telegram's method. It's more accurate and it works on a voice channel.

mcginty commented 9 years ago

dupe of #817