signalapp / Signal-Android

A private messenger for Android.
https://signal.org
GNU Affero General Public License v3.0
25.67k stars 6.16k forks source link

Choice of security presets during setup #838

Closed generalmanager closed 6 years ago

generalmanager commented 10 years ago

If we want TextSecure to compete with W**_sapp, F_book and other less privacy/security focused apps and plattforms, it has to be as user friendly as them. And it should be. Otherwise it'll never get a significant market share with the average users. But we also want to provide maximum security for people who depend on it with their lives, maybe because they live in an undemocratic country and have an unpopular opinion, maybe because they are protesting the regime in Syria, maybe they are gay and happen to live in Uganda or any of the other 82 coutries where that can get you in jail or even executed.

As TextSecure is supposed to be secure and user friendly there are going to be more and more cases where we will have to decide on a default behaviour, often between the safer and the more convenient option. Many of the convenient features, which many users want, because they know and love them from W**_sapp, F_book and other less privacy/security focused apps and plattforms leak data, which, in some really bad cases, could lead to people getting hurt or worse.

An example would be a notification popup with the message content like #798 requests. In some cases even mentioning the sender alone can be a threat (#308 and #366). It gets really bad if this can even happen on a locked phone (#198).

If we neither want to force the average user to go deep into the advanced settings to manually activate all the features they expect (really bad usability) nor want to endanger some users by choosing insecure but convenient defaults, we should ask the user at the setup level what their use case is:

Based on their choice we'll set default settings for the above mentioned features, as well as security features like #175, #226 and #328 and future convenience features.

It should also be possible to re-run this from the advanced settings.

One of the most important presets for the paranoid mode would be to turn off SMS messages entirely, because the metadata, which is the most important tool in modern surveillance, can't be hidden. The network providers can also easily scan the traffic and find out who uses TS, which will put people at risk.

With data that problem doesn't exist, because the relay (GCM) probably isn't controlled by the "enemy" and it works like an anonymizing proxy, because lots of normal apps use GCM. As long as HTTPS (TLS) isn't broken (again...), data should be safe.

phime42 commented 10 years ago

Wizards are a high bar for the average user to take. They are struggeling to accept to type in their phone number, why the heck they would like to adjust a thousand settings before start messaging? The average userhas to be considered to be dumb and lazy. That's the way Apple designs their products. They are pretty successfull with this concept.

generalmanager commented 10 years ago

@LotP you misunderstand the idea, I want to achieve the opposite - people should have to make as few choices as possible. There are going to be more and more convenience features most users want, but which may endanger very few users. We would have to disable those to protect the few, at the cost of convenience for many. The same is true for advanced security features like faking messages to thwart traffic analysis (#328): most users won't and shouldn't use it, but this means most of the endangered people won't be protected either. I propose a simple choice between three security presets: 1) Many convenience features, low security 2) Less convenience features, moderate security 3) No possibly dangerous features, paranoid security

This would be one click for every person installing TS, but we can hide as many advanced settings behind this, which 99% of the user base will never (have to) see.

phime42 commented 10 years ago

Well I think that everybody deserves paranoid security by default with the possibility to opt-out from certain elements. And what should the average user think if he has to choose between safe and convenient? Well, we have to think of a concept that on the one hand is championing security and are on the other hand easy to use, too.

For example, a random amount of maximum 25 messages to random accounts of friends via push could be a feature which the user can't opt-out. Furthermore, an implementation a la "We send a small number of dummy messages a day, you can set your maximum value to (100/200/300/1000) messages a day" in the advanced panel. But 25 as the absolute minimum. Always remember the spartacus principle: in order to protect the people who really need protection, we all have to look the same - that also means that everyone should use the maximum security settings available. Another thing that could be opt-in in the advanced menu: enabling a read confirmation, for example only for a selected group of contacts. That makes communication much more direct and lifelike.

To prevent timing attacks: Am I right that the receiver of the message can only be determined by the server? If true, the server could be configured to "pulse" out new messages only every 5 seconds. That would, in the worst case, be a disadvantage to users who sent their message at the beginning of a new cycle, because their message would have to wait 4,5s on the server cache, but the chance for an attacker with a privileged position to see which message is going where would be reduced dramatically.

phime42 commented 10 years ago

I think i mixed up my answer with issue #878. They are very similar context wise.

generalmanager commented 10 years ago

@LotP You can always edit your own comments. Where possible TextSecure already provides maximum security with great usability. But in many cases we will have to make a choice for one or the other and whatever choice we make for the user would either annoy the hell out of the typical W***sapp user (and loose a massive amount of possible users) or endanger the wellbeing of the few people that really need the best security possible.

That's why we will have to ask the user what he wants and if we explain it nicely with simple examples (aka lockscreen popup with picture of friend with beer in hand, asking when you'll be there, while you are explaining you'll have to leave early to support your sick child) nobody will bat an eye.

L3st3r commented 10 years ago

@lindworm: I really like your idea of asking the user to choose between these levels, so he doesn't have to go through all the settings and choose the right options. In my opinion, we should make it very clear that even the first level ("high convinience + medium security") results in a very good security level, at least way better than the security other apps like Wh_app offer and even better than what you get from Threema (they don't have perfect forward secrecy for example). So the average user who comes from easy-to-use messengers like Wh_app or F***book would choose the first option. Otherwise many users will probably choose the second option, although they don't really want to use security features like a passphrase.

Additionally, it would be a good idea to tell the user in a simple way what the levels mean. We could include a help function here with easy to understand use cases, maybe something like this:

We should of course be careful giving promises here we maybe cannot hold, but this should really just give an idea of my point that the average user should be able to choose the right option for him.

Just one last point: It should be possible to change these options later on in the settings and I would also introduce "extended settings" in the settings, where the user can en-/ disable all security functions himself if he really wants to. (Maybe someone likes the idea of sending dummy messages as suggested in #328 but doesn't want to use a passphrase for example.)

generalmanager commented 10 years ago

I agree, the TS transport is the safest one that's currently available and we should point that out. This is really important for acceptance. I remember that condom manufacturers in India wanted the people to wear the right sized condoms, but they didn't. So they switched from small, medium and large to large, extra large and extra extra large. It worked ;-)

How about we rephrase the cases like that:

I also really like the short descriptions (nice wording) right in the dialog and the extended settings too. Maybe we make those settings available by long clicking each option and tell the user about it?

The extended settings (of the app, not the conversation) should certainly also contain all the settings, as well as an option to re-run this dialog.

L3st3r commented 10 years ago

Yes, that sounds really good. Users hear from others that TextSecure offers very good security and they should know that even the first case is suitable for that. Your new descriptions of the cases should do that pretty good.

And yes, long clicking an option to get the description should be a good solution, because it also works on small devices. A short hint telling the user about it (maybe at the bottom) should also work well.

generalmanager commented 10 years ago

@L3st3r

And yes, long clicking an option to get the description should be a good solution, because it also works on small devices. A short hint telling the user about it (maybe at the bottom) should also work well.

Sorry, I phrased that ambiguously (fixed it now). I meant to make the settings available on long click. That way the user can instantly see which settings will be affected and modify them.

If it's not possible to display the descriptions on small devices (or would look bad), I'd like an obvious help button that shows the descriptions with one click.

lorenzhs commented 10 years ago

Guys guys guys. You're missing the point. Asking the user to choose between security levels is confusing and will hinder adoption. DON'T.

What might be OK: Asking the user something like "Does your personal security or life depend on keeping your messages out of reach of third parties who might be in possession of your phone?", maybe with a "what does this mean?" link. Your average WhatsApp or FB Messenger user will chuckle and go for "no", maybe thinking "wow, those guys are serius". Somebody who is truly dependant on the utmost secrecy that TextSecure can provide will have a different view and will go with stealth paranoia mode.

Everything else is way to confusing and not an option for a product to be used by the masses.

monreal commented 10 years ago

I tend to agree with @lorenzhs but it really depends on how this is implemented and what exactly the setting will do. Just from the "levels" you described here I am not sure how even a technical user would be able to chose what he really needs... how would a non technical user be able to make this convinience vs security tradeoff?

lorenzhs commented 10 years ago

@lindworm You're very active here at the moment, so please let me repeat this. Users don't have the same level of understanding that you might have. You MUST NOT face them with choices such as the one suggested above. Always think of your dumb teenage neighbour when thinking about changing something that affects user experience. Would they get it? If no, then the answer has to be "back to the drawing board!". Everything else will be a major obstacle on the path to wide-spread adoption, and that is a no-go.

generalmanager commented 10 years ago

Asking the user to choose between security levels is confusing

At least it's less confusing than dozens of technical options hidden away in the advanced settings ;-)

However your solution is certainly better. I still think we should stick with the three modes, but take a different approach to implement them:

Edit: damn, the close button is too close to the comment button ;-)

lorenzhs commented 10 years ago

At least it's less confusing than dozens of technical options hidden away in the advanced settings ;-)

@lindworm NO! It is way more confusing, because it's utterly vague. Hell, most people in this thread wouldn't know what to choose!

And I oppose that second step. There should not be a medium setting, that just gives a false sense of security. Simplicity is absolutely essential.

generalmanager commented 10 years ago

There should not be a medium setting, that just gives a false sense of security.

I think the medium setting is essential for all the privacy concious people that are not willing to give up on all the convenient features and don't want to do crazy things like sending dozens of paid SMS messages a day to thwart traffic analysis (#328), while a few data messages would be ok.

Several of the options the paranoid setting will enforce are crazy enough that not even the most privacy loving folks will want to activate them, if their life doesn't depend on it.

Your view of the average user as a thirteen year old is probably spot on. But they aren't brain dead. Every kid would know how to answer these two questions. ~95% of the users will only see the first question and won't be bothered. ~4% will want privacy, but not at a huge cost in usability ~1% really depend on it and will choose the maximum setting.

We can omit the second question by doing something like this:

We can preselect the paranoid setting, use a bold font, color it or highlight it otherwise, while using a smaller normal font for the expert setting.

lorenzhs commented 10 years ago

You have a lot of confidence in 13yolds. As I stated above, people in this thread are unable to answer this question because they don't understand the implications. So no, your suggestion is not an option. Face it, this community is a bubble and "normal people" have no idea what that stuff means that you're talking about.

And a biased choice UI must be just about the worst idea anyone's come up with so far.

If my previous suggestion hasn't led you to the conclusion that what you're suggesting won't work, ask yourself this instead: could this be an Apple product?, because user experience is the single most important thing in building and keeping a user base. If you're not designing your menus, dialogues, etc with that in mind, you won't reach mass adoption.

L3st3r commented 10 years ago

A problem I see here is that the thirteen year old could read the question whether his life might depend on the confidentiality of his messages and than think: "Oh, this is not the right app for me. This sounds like a complicated app and I just want to chat with my friends."

Maybe we should clear first which security functions we have that are optional. And than we can argue whether they justify adding new choices to the wizard.

generalmanager commented 10 years ago

@lorenzhs

user experience is the single most important thing in building and keeping a user base

So what's your solution? Only normal and maximum security? Have you the issues I linked to? The normal setting will be secure enough for most users and they'll use it.

I also think that you underestimate how high the security of the "medium" setting is supposed to be. This would activate things like a pop-up warning whenever you are about to start an unencrypted conversation via SMS, asking if you really want to do that. Other examples would be a 1-click shortcut to wipe the whole database and uninstall TS or making all messages editable so it can't be used as proof against you.

Even the lowest setting is far safer than any other messaging app.

The paranoid setting however would do some things that really mess up usability (no unencrypted at all, dozens of paid SMS, which aren't usually free in Europe or outside of the US. And the list will grow the more advanced security features become implemented.

How are the implications of something along the lines of "will you die if somebody reads your texts or knows who you text" unclear in any way?

Your average user will rightfully click no and that's it. -> Nothing hinders mass adoption.

But if you take away the expert options with reasonable privacy settings from those who know what they are doing, you just messed with the current core userbase. They are the ones who recommend it to their non-technical friends. Or they don't, because they just paid 15€ after two days of preventing traffic analysys or something that's similarily useless when you want privacy but aren't Edward Snowden (whose phone would be taken over anyway).

@L3st3r

A problem I see here is that the thirteen year old could read the question whether his life might depend on the confidentiality of his messages and than think: "Oh, this is not the right app for me. This sounds like a complicated app and I just want to chat with my friends."

I think most people would be rather amused instead of afraid. And if they think what you wrote, they won't stop the setup and uninstall it right away. They'll click "no" and won't be bothered with any complicated security related questions.

Maybe we should clear first which security functions we have that are optional. And than we can argue whether they justify adding new choices to the wizard.

I already linked and referenced many proposed privacy settings we may want to activate, as well as convenience settings we may want to turn off. The reality is that there are many more going to come in the next weeks and months, of which we can't possibly know yet.

But nearly every time when you are faced with two extremes, a compromise is usually the way to go.

donjoe0 commented 10 years ago

"There should not be a medium setting, that just gives a false sense of security."

Not if that setting and its alternatives are all explained accurately in terms of how much security they offer. Then it will be a correct and appropriate sense of security in each case. ;)

lorenzhs commented 10 years ago

@donjoe0 well but that's a big usability issue. You can't make the user read a ton of stuff before getting started. There must not be an extensive setup routine, otherwise nobody will use the app. Users get confused really easily, and you can hardly do any worse than confuse somebody before they've even started using the app.

Also, somebody concerned about prosecution for their opinions should not use SMS in the first place (network operator knows the recipient). Push is way better in that regard. So the argument for the smokescreen texts is maybe not the best. Additionaly, if you do stuff that's obviously designed to hide your tracks and leave false trails, that is rather likely to make whoever is after you have a closer look at you. Having settings like that is just a shit idea, as long as not everyone's install does that. And good luck telling the average western user that this app will send 100 texts a day to random people around the world because that may make some dude in some country more safe. To summarise: the idea isn't thought through. You could do that kind of stuff over push though, because nobody cares about an extra 2KB a day, and you don't even need a setting for it (just enable it for everyone).

L3st3r commented 10 years ago

@lorenzhs: I really don't get your point. We just want to ask the user to choose between three options. If we mark the first option in bold as recommended for most users the average user would just choose this option and then the set-up process would be complete. We don't have to ask him anymore if he wants to use a passphrase which is much more confusing for the average user in my opinion. This way, he also doesn't have to read too much text. He just sees the "recommended..."-hint and chooses this option.

At least I prefer to present a choice of security levels instead of asking if his life depends on the confidentiality of his messages. Otherwise we still don't know whether or not the user wants to use a passphrase and other features like delivery notifications.

Please don't discuss the sending of dummy messages here, because that's another issue: #328 and the choice makes also sense without this feature.

donjoe0 commented 10 years ago

A possible one-page wizard:

Select the general level of security and privacy protection you want before you start using TextSecure (you can tweak these options anytime from the Settings menu):

Encrypted transmission of messages (?) Off ( ) On (x) Paranoid ( ) [Clicking the question mark leads to an explanation page with this text: When transmission encryption is On, your mobile services provider as well as any governmental agecies working with them will be unable to read your messages even if they capture them during transmission. They will, however, be able to tell who sent the messages and to whom. When transmission encryption is set to "Paranoid", TextSecure will take additional steps to obfuscate the identities of the communicating parties. (Somebody else should write this, I don't really know everything TextSecure can and can't do.)]

Encrypted storage of conversations (?) Off (x) On ( ) [requires password] ["?" = When encrypted storage is On, your TextSecure app will be password-protected and your conversations database will be stored in an encrypted format based on this password, so that anyone gaining physical access to your phone will be unable to read any of your conversations unless they know your password.]

Online Presence (?) Off ( ) On (x) ["?" = If Online Presence is On, that means:

Save / Continue

The text might not be entirely accurate or some options may be missing because I myself don't know everything security-related that TextSecure can do (e.g. does it encrypt all push messages for transmission even if I don't set a password?), but this is the general idea: a one-screen wizard with 3(?) on/off options should be more than enough to cover the most important aspects and if anyone wants to know more they can just tap the little question mark icons next to each option (or go to the Settings menu later). Most users will probably just leave the preselected options as they are and proceed immediately.

lorenzhs commented 10 years ago

@L3st3r it's called the average user. If you go and talk to some about these things, you'll see what I mean. By the way, I don't mean your sciency friends, but normal people. They don't get all that technical stuff, as they only have a vague idea of what encryption is all about to begin with. Asking whether their life depends on the messages being secure is something they can answer, choosing security presets confuses them. It is of the utmost importance not to confuse users.

But I don't see the point of continuing this discussion, you guys obviously don't consider my points and I can do much more productive things with my time. I think Moxie and the other authors of TextSecure did an amazing job at creating an intuitive product, and I dare claim that they won't change their mind about simplicity and ease of use because of this.

donjoe0 commented 10 years ago

Well if this app is really intended as the next WhatsApp/Telegram/Threema, mainly aimed at Average Joe, then I guess the single-question solution has to be the right way to do it, so at the first run after installation you would have this:

TextSecure offers extra security and privacy functionalities you may not have seen in other messaging apps. Would you like to set up some of these options now? (You can always run this wizard later or tweak each option independently in the Settings menu.) [Set options now] [No, thanks]

And then [Set options now] takes you to a kind of wizard like I said above, with on/off/paranoid options and concise explanations in lay terms, while [No, thanks] proceeds with some default, maximum-usability options considered optimal for Average Joe.

In this case encrypted storage should be off by default, because Average Joe doesn't want to use a password for his text messages, and everything I called "Online Presence" should be on, because other apps have already got everybody used to having this kind of stuff on by default.

L3st3r commented 10 years ago

@lorenzhs: Yes, we disagree here and that's why it would be good to get more opinions on this issue, not only from "average users" but also from the developers.

But we have the same goal: The user shouldn't have to handle technical questions to use this great app. But at the moment he has to choose for example whether or not he wants to use a passphrase, which already confuses some users (see @donjoe0 's post and [1] if you speak German). In my opinion, we could skip this during the start-up if we knew that the user doesn't want to be bothered with technical aspects at all. Therefore, an easy-to-understand choice during the start-up could be helpful.

Let me explain again how I imagine this part of the wizard would work for the average user:

The wizard presents a simple choice with three options and the first option will be marked as recommended for most users. So the average user just have to choose this option and he is done. He doesn't have to read the descriptions, he won't be asked if he wants to set a pass phrase and he will get all the features he knows from other messenger apps.

What is technical or too difficult about that?

[1] http://www.heise.de/security/news/foren/S-Testbericht-Mein-erster-Test-von-TextSecure/forum-275505/msg-24850989/read/


@donjoe0: Presenting more than one choice to the user is too much in my opinion. We don't want to let the user choose an option for each aspect, because he still can do that in the settings. And we don't know at the moment which security functions will be added in the future. But we could decide for each new function in the future whether we enable it for each user or only for users who chose the second or third option during the initial start-up.

And by the way: Your messages will me encrypted by default when you chat with other TS users. That's independent of a passphrase.

donjoe0 commented 10 years ago

Well, I imagine when everything is added the Security Settings might look so complicated that only total geeks will touch them and since the startup yes/no question would be aimed at total security newbies or people who don't give half of a damn, maybe it would be good to also have a wizard for people in between these two extremes, a wizard offering fewer and more broadly defined options than the Settings menu. But maybe I'm getting ahead of myself - this would only make sense once the Settings menu becomes overcrowded or overly geeky, which I wouldn't say it is yet.

lorenzhs commented 10 years ago

@L3st3r Heiseforum? You take that place seriously? Anyway, while the translation may not be optimal, the passphrase is not a purely technical aspect.

I agree that adding a bit of help texts here and there would certainly be a good thing.

generalmanager commented 10 years ago

I think we all want the same things (more people using TS and beeing as safe as they need to be).

I agree with @lorenzhs that we should probably not give them the choice between different security/comfort levels, because they don't know why they can't have both in the first place.

I also think we should ask the average user only one yes/no question they can answer and that's it (if their life/personal safety depends on it may sound extreme but it's a good example). We don't want all the average users in the western world to have all the convenience settings turned off because they thought it was hip to choose the highest level of security and then complain that they don't get new messages shown on the lockscreen.

But @donjoe0 makes a serious mistake if he thinks the more secure options should be presented in a way where the user makes an informed decision himself. That may sound absurd at first but the problem is: the people who really need those features are usually even less informed than the average European/US-american kid. Your average revolution against regimes and dictators doesn't happen in the first world. Those people are well off, if they can afford a phone capaple of running TS, much less will they know which of those geeky functions does what.

We should give the informed user the ability to set all this stuff himself, but we have to care about the helpless and clueless first.

If you'd go to Venezuela today, talking to the people on the streets, do you think they know the difference between encryption and trust? Many people here haven't understood that.

If we actually want to safe lifes, we have to make it easy to also use the more agressive security features.

Yes, there should be the option to configure all the fancy stuff yourself, but it shouldn't pop up as soon as you click on the most secure option. There you may be able to choose between "set everything up for me" or "I'm an expert and want to do it myself". But the first option has to be big, fat, highlighted and marked as preferrable. In the expert settings you can put all the nerd stuff and help bubbles you like. Then some people may actually read them.

I may disagree with @lorenzhs if we want to have two or three presets (with the third hidden as default settings in the expert dialog), but if we

then we have to make it easy for those groups. The nerdy people with a crypto fetish still won't have a problem to use the app, even when they have to make two more clicks to get to their advanced settings. And honestly they don't have a choice. From a crypto perspective TS is currently defining the new state of the art in mobile messaging. If they are into crypto, TS is their only viable option.

For the people who need it, it may be the only logical choice, but that doesn't matter if they install W***sApp because they didn't like TS.

donjoe0 commented 10 years ago

I was afraid this was where you were going with this.

The big problem is you're choosing as primary targets two very different demographics: the casual "first-world" texter who doesn't know anything about security and doesn't even want to know and the revolutionary "second-world" or "third-world" texter who doesn't know anything about security but needs to use as much of it as possible and needs to find out about it from this app's interface.

When you put it that way it does indeed appear that there's no better option than simply asking the user right at the start if they plan to use the app in a threatening environment where they might be in physical danger if anyone unauthorized manages to read their messages or if they just want a convenient way to exchange text messages with members of their social environment. All this will lead to are the two most extreme security profiles, i.e. extremely high security or extremely low security. Anyone who wants anything between these extremes will have to go fiddle with the stuff in the Settings menu and unless they happen to be a nerd, we have to accept that they might not understand what they're selecting and that they might make the app unnecessarily cumbersome to use because we didn't want to help them understand threat models by including a well-designed wizard for this. (Keep in mind that even the revolutionary user will eventually get to the Settings menu and they still might try to flip some switches in there just to see what happens or just to get rid of some usage impediment. Are you sure you want them to not have a chance to understand what they're doing at least at the level at which a decent threat model wizard could explain it?)

It doesn't even have to be a startup wizard - you can keep just the "revolution vs. casual texing" question at the startup and put the threat model wizard right in the Settings menu - so the Security section of the Settings menu wouldn't just show you all the detailed options directly but ask you first if you know what you're doing or if you want to go through a wizard that might make things clearer for you.

generalmanager commented 10 years ago

The big problem is you're choosing as primary targets two very different demographics

I chose them because they are the important ones. And the second demographic mostly uses what the first decided on. There's a reason some of the Middle-Eastern revolutions are called "Facebook revolution". Were there better tools? Absolutely. But they used what everybody already had, because it doesn't matter if you are the safest activist in the world, if you don't have others to talk to securely.

the revolutionary "second-world" or "third-world" texter who doesn't know anything about security but needs to use as much of it as possible

I agree

but needs to use as much of it as possible and needs to find out about it from this app's interface.

This would be nice, really. But it will not happen. Ever. I have talked on end with critical journalists in South America. They were really pissed when I put a password on their wifi and made their mail clients use https. Those are the kind of people in danger, and they get annoyed by once entering a damn password into their computer. The amount of ignorance and absence of the most basic knowledge of the workings of computers and IT systems really is staggering.

I am targeting those two demographics because of the people in need actually use what is widely available, not what is actually best for their usecase. And the more average chatty teenagers (not just western) use this, the better the deniability and protection for those in actual need.

If there are 500 users with TS installed in an undemocratic country, the authorities can just do an easy network analysis (at least for the SMS verification and encrypted SMS messages) and then kick in every door with a 99% chance of getting an "enemy of the state".

If there are 500000 users, with maybe 5000 activists, there are simply too many doors to kick in. And it's easier to hide 500 kicked in doors from the public than it is to hide a few thousand ones.

donjoe0 commented 10 years ago

Now you seem to be talking about adding security features that don't require the user to understand the app's settings or make any kind of informed choices whatsoever and I don't think that's what this thread is about.

generalmanager commented 10 years ago

@donjoe0 Of course everybody who has the knowledge needed to do so should and will be able to make informed decisions. And we can help those by adding the help texts and explanations in the advanced settings, so they know what exactly is meant. We can not however teach somebody months or years of experience in IT with a few pop ups.

The two main problems are the terminology, which is very precise and can be used to explain complex relations and differences with only a few words, and the complex relations themselves.

I'm rather sure there isn't a big overlap between the groups who know and like encryption and those who actually need it.

Your average Joe from Syria/Ukraine/Venezuela etc. doesn't even know what a server is. That doesn't mean we shouldn't try to teach them, many things can be dumbed down enough to give them the right ideas. Just that we should not overwhelm them by forcing everybody who wants/needs strong protection to actually learn about how it's done. If they wander to the advanced setting, where they can set everything themselves the explanations will go a long way to help them understand, if they want to learn about it.

donjoe0 commented 10 years ago

OK, so where are we at in terms of the topic question? Is there a general agreement that the most important security profiles to make available during setup should be the extremely-high and extremely-low security profiles and that they should be selected via a binary question about whether the user is a casual texter or is involved in protests or a revolution?

generalmanager commented 10 years ago

I think the two stage method I described in https://github.com/WhisperSystems/TextSecure/issues/838#issuecomment-36471830 would be best:

The first question weeds out the huge minority that wants comfortable texting, while the second one gives the uninformed activists as well as the crypto-lovers the chance to get a high security setup without much hassle.

The medium settings would be kinda hidden as a preselection in the expert settings.

We can preselect the paranoid setting, use a bold font, color it or highlight it otherwise, while using a smaller normal font for the expert setting, to draw people to use the preset.

phime42 commented 10 years ago

I don't really get why we're discussing like this. There is an extremely successful application on the market which had to go through the exact same questions and found their answers - users seem to be pretty happy with it. I'm talking about Threema - there you don't have the chance to select a setting considered to be "unsecure" or "lower security level". Claiming that there's a "good" and "not so good" choice will definitely damage Text Secures image - and Moxie's, too. Let's be honest: Moxie is TextSecure and TextSecure is Moxie. I don't think he likes the idea of trading maximum security for UX-improvements.

To sum things up, I'd advocate to have a set of settings pre-set, which can be opt-out if the user wants to (in the settings panel). While configuring TextSecure for the first time we could ask after the telephone number was typed in if the user wants to have all of his messages encrypted in order to protect them. If yes, he types in a password (and not "Passphrase", as it's translated in the German version... No one really knows this word here!) and it's done.

Things like questions asking for the users situation (like "are you in dager?", "do you need maximum protection?") are counterproductive and bad for TextSecures reputation. We could implement a help button for every setting, but provide a set of preferences that's advocating maximum security, from which the user has to opt-out individually (with help-buttons).

generalmanager commented 10 years ago

@LotP TextSecure is aimed at the average user, not the security professional. And the reality is that extremely maximum security will severely affect the usability, which average users won't understand and won't accept.

Moxie even spoke out against showing the verification status (which can be a serious security risk) of people some time ago (https://github.com/WhisperSystems/TextSecure/issues/314#issuecomment-24024272, #227), so I'm pretty sure he doesn't approve of just choosing the highest security level, disregarding the usability.

donjoe0 commented 10 years ago

It won't damage anything to recognize that different people have different lives and different security needs and that what's best for some isn't best for others. If anything it will show that TS is a highly capable and adaptable product that can be made to fit many types of needs.

Anyway, in that Step1 + Step 2 model I'm still not seeing anything aimed at people who aren't completely ignorant but not complete experts either or who are starting out as completely ignorant but want to learn more. If anyone wants any information other than what can be seen at Step1 or Step 2 (which is not much), you're just lumping them in with the experts and throwing them to the lions (i.e. sending them to the fully detailed version of the Settings menu). I think it can be done better (see above, I'm not going to repeat myself).

aktenkundig commented 10 years ago

I'd prefer the opt-in solution. Those who want more security and/or need it, are aware of it and can surely enable some extra features.

A real anecdote: I told my sister to install TextSecure, but it went 'wrong'. She did not enable Push, but made it (not on purpose) the default SMS app, what then confused her even more, when she received SMS in the TextSecure! Well, she gave up and I had to fix it.

To sum it up: TextSecure is not really user-friendly yet. But if you want (more) people to chat to, it REALLY needs to become that!!!

Hellmy commented 10 years ago

+1 I agree with the discussion about an easier setup process. Perhaps just an option on first screen like "I come from WhatsApp and just want to write"....

agrajaghh commented 10 years ago

I just witnessed two people installing TextSecure for the first time. They were confused with the options....

They were not really sure what the password is for. They thought it has something to do with the encrypted transmission. And they didn't know when they have to enter it, if they set one...

I'm not even sure if it's necessary to ask for it in the wizard.... People coming from WhatsApp will be really fast annoyed by entering the password all the time. Perhaps it should just be in the options...

automated-signal commented 6 years ago

GitHub Issue Cleanup: See #7598 for more information.