syphon-org / syphon

⚗️ a privacy centric matrix client
https://syphon.org
GNU Affero General Public License v3.0

Give user the possibility to opt-out of E2EE #565

Open digitalentity opened 2 years ago

digitalentity commented 2 years ago

E2EE is great, but it comes with an overhead of having to manage the primary encryption key (in addition to the standard username/password pair). Losing the encryption key means you also lose access to your history.

There are multiple scenarios where E2EE either gives bad UX or is plain impossible; here are some examples:

Please give Syphon an option to opt out of encryption for the sake of better flexibility - always create rooms/chats unencrypted, always send plain-text messages.

Syphon still should exchange keys and support encrypted rooms if the encryption was enabled by another participant and server supports it.

I'm "fixing" it on my server with great success, but having a client-side support would also be great.

ereio commented 2 years ago

happy to add this as an advanced setting option but it'd be off by default still

would also like to warn the user about it with some indicator if a DM was unencrypted in case someone was to disable it maliciously

digitalentity commented 2 years ago

Off by default is fine by me, thanks a lot!

Disabling the encryption for a room (DM is also room) is not possible, therefore no additional notification is needed - Syphon currently has a small "open lock" icon on unencrypted DMs, I think that's sufficient.

EdGeraghty commented 2 years ago

> would also like to warn the user about it with some indicator if a DM was unencrypted in case someone was to disable it maliciously

I'm pretty sure the Matrix Spec doesn't allow the "downgrade" of rooms out of E2EE

EdGeraghty commented 2 years ago

IMHO (and certainly in no way claiming to speak for the project), I'm very reticent about encouraging the use of cleartext communications, especially for Syphon, whose entire idea is about secure messaging.

I know it's "privacy veganism", and more than just wishful thinking, but I'd much prefer a world where this apocryphal 80-year-old can be guided through never having to lose messages rather than just switching off such a fundamental protection as E2EE.

digitalentity commented 2 years ago

I totally agree that E2EE is a good thing. Yet it should be implemented in such a way that it doesn't get in the way of users.

Storing the key backup somewhere where the application can extract it without asking the user for a recovery passphrase obviously reduces security to some extent, but it also greatly improves the usability by preventing this: [image]

There is a fine balance between strong security and usability, and until there is a solution for providing secure communication without hurting the UX I'm an advocate of giving the user a choice to prefer security or convenience, and I greatly appreciate Syphon developers' openness to giving the user that choice.

EdGeraghty commented 2 years ago

Indeed - I will point out, however, that key import is upcoming in the next release, and right now Syphon is an alpha build. Regardless of this setting, the work on keys and usability will happen :)

digitalentity commented 2 years ago

> Regardless of this setting, the work on keys and usability will happen :)

Awesome! It's great to see a project which, apart from technical excellence, considers simplicity and usability. To make the Matrix protocol and Syphon as a client really popular they must be suitable for a consumer user, and for that everything should work out of the box without forcing a user to jump through hoops.

Think about WhatsApp, Signal, Telegram etc. - all you need is a phone number. You type it in and you are good to go - the app will even read the SMS automatically for you. Syphon needs a similar user journey for inexperienced users, blended together with an unprecedented level of privacy and security for consumer-friendly IM apps.

ereio commented 2 years ago

> Indeed - I will point out, however, that key import is upcoming in the next release, and right now Syphon is an alpha build. Regardless of this setting, the work on keys and usability will happen :)

I agree with @EdGeraghty here. My intention for support for this feature was less to help out the untechnical "80-year-old" and more to allow freedom on behalf of the users involved. Hiding this setting behind advanced settings was intended so that it would not solve the untechnical user use case, but rather willing participants in the case where there's some extraneous, agreed upon reason not to (the enterprise audit situation was a good example).

Key management and general UX in Syphon would hopefully account for this.

> I'm pretty sure the Matrix Spec doesn't allow the "downgrade" of rooms out of E2EE

Also note, this is correct and it would only be for new chats you've created.
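The two points made in this thread (the opt-out only affects rooms you create, and an existing room can't be downgraded out of E2EE, so the "open lock" hint never needs to re-open) are straightforward to show in code. The following is an added Python example, not Syphon's own Dart code; the room, user and timestamp values are constructed, and the helper names are my own:

```python
"""Added example (Python, not Syphon's own code): honour an opt-out-of-encryption
setting only at room creation time, and evaluate a room's encryption state the
way a client must (first m.room.encryption event wins; it cannot be disabled).
User ids, timestamps and event contents below are constructed sample values."""

MEGOLM = "m.megolm.v1.aes-sha2"  # the room encryption algorithm defined by the Matrix spec


def build_create_room_request(name, invite, encrypt_new_rooms=True, is_direct=False):
    """Body for POST /_matrix/client/v3/createRoom.

    The opt-out setting only decides whether an m.room.encryption event is put
    into initial_state; it never touches rooms that already exist.
    """
    body = {
        "name": name,
        "invite": list(invite),
        "is_direct": is_direct,
        "preset": "trusted_private_chat" if is_direct else "private_chat",
        "initial_state": [],
    }
    if encrypt_new_rooms:
        body["initial_state"].append(
            {"type": "m.room.encryption", "state_key": "", "content": {"algorithm": MEGOLM}}
        )
    return body


def room_encryption_algorithm(state_events):
    """Return the encryption algorithm of a room, or None if it is unencrypted.

    Once encryption has been enabled in a room it cannot be disabled, so the
    earliest m.room.encryption event wins and any later event that tries to
    remove or change the algorithm is ignored.
    """
    algorithm = None
    for ev in sorted(state_events, key=lambda e: e["origin_server_ts"]):
        if ev["type"] != "m.room.encryption" or ev.get("state_key") != "":
            continue
        if algorithm is None:
            algorithm = ev["content"].get("algorithm")
        # later m.room.encryption events: deliberately ignored (no downgrade)
    return algorithm


def lock_indicator(state_events):
    """'closed' for an encrypted room, 'open' for a plaintext one (the UI hint)."""
    return "closed" if room_encryption_algorithm(state_events) is not None else "open"


# Constructed sample: a DM created encrypted, followed by a bogus attempt to
# strip the algorithm, which a compliant client must not honour.
SAMPLE_DM_STATE = [
    {"type": "m.room.create", "state_key": "", "sender": "@alice:example.org",
     "origin_server_ts": 1000, "content": {"creator": "@alice:example.org"}},
    {"type": "m.room.encryption", "state_key": "", "sender": "@alice:example.org",
     "origin_server_ts": 1001, "content": {"algorithm": MEGOLM}},
    {"type": "m.room.encryption", "state_key": "", "sender": "@bob:example.org",
     "origin_server_ts": 1002, "content": {}},
]

if __name__ == "__main__":
    print(build_create_room_request("audit", ["@bob:example.org"], encrypt_new_rooms=False))
    print(room_encryption_algorithm(SAMPLE_DM_STATE), lock_indicator(SAMPLE_DM_STATE))
```

With the setting off, the createRoom body simply carries no `m.room.encryption` event and the server creates a plaintext room; with it on, the event is part of the room's initial state. `room_encryption_algorithm` sorts by `origin_server_ts` so the result does not depend on the order events arrived in.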

ereio commented 2 years ago

That said, juggling freedom vs. privacy & security is a difficult task, so I think the setting should be handled really carefully. Imagine if Signal allowed disabling e2ee and someone complained their stuff was exposed in plaintext? I imagine it would ruin its public image.

warren-ru commented 2 years ago

@ereio you can use your Signal profile with one device only. That's why secret chat in Telegram is the option and not the default one

ghost commented 2 years ago

agreed. it would be nice to offer the option in some kind of advanced settings, but the default E2EE settings should just be turned ON. it kinda makes more sense for a privacy-centric product. The "turning it off by default" logic can be useful for certain groups of people, but given this behavior is already available from other similar client projects, disabling E2EE by default becomes counter-intuitive.

notramo commented 2 years ago

The Matrix spec team is working on an authentication method that extracts an auth and a 4S passphrase from your login password. This could be used for automatic 4S setup. It would be safer than disabling E2E, but would bring the same easy UX.

If you want this to progress, you can contribute to the discussion:
https://github.com/matrix-org/matrix-doc/pull/3262
https://github.com/matrix-org/matrix-doc/pull/3265
https://github.com/matrix-org/matrix-doc/pull/2957
Also, there is a Matrix room for discussion: #secure-login:matrix.vgorcum.com
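To make the idea above concrete: the property that matters is that the password is stretched once and then split into two independent secrets, so the homeserver (which sees only the auth secret) learns nothing about the secret-storage key. The following is an added Python illustration of that general idea, written by me; it is not Syphon code and not the scheme in the linked MSCs, whose actual labels, KDF and parameters I do not reproduce. The iteration count, the domain-separation labels and the salt handling are assumptions of this example.

```python
"""Added example (Python, stdlib only): derive an authentication secret and a
secret-storage (4S) key from one login password with domain separation.
Illustrates the general idea only; KDF parameters, labels and salt handling
are constructed assumptions, not the design of any MSC."""
import hashlib
import hmac
import unicodedata

PBKDF2_ITERATIONS = 600_000                  # assumed; a real scheme would pin this
AUTH_LABEL = b"example:auth-v1"              # constructed domain-separation labels
STORAGE_LABEL = b"example:secret-storage-v1"


def derive_keys(password: str, user_id: str, salt: bytes) -> dict:
    """Stretch the password once, then expand into two independent subkeys.

    Only auth_key is ever sent to the server; secret_storage_key stays on the
    client. Because both are HMAC outputs under the same master key but with
    different labels, knowing one does not reveal the other.
    """
    # normalise so the same password typed on different platforms derives the same keys
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    master = hashlib.pbkdf2_hmac(
        "sha256", pw, user_id.encode("utf-8") + salt, PBKDF2_ITERATIONS, dklen=32
    )
    auth_key = hmac.new(master, AUTH_LABEL, hashlib.sha256).digest()
    storage_key = hmac.new(master, STORAGE_LABEL, hashlib.sha256).digest()
    return {"auth_key": auth_key, "secret_storage_key": storage_key}


def server_record(auth_key: bytes, verifier_salt: bytes) -> bytes:
    """What a homeserver would store: a salted hash of the auth key, never the key itself."""
    return hashlib.sha256(verifier_salt + auth_key).digest()


def server_verify(record: bytes, verifier_salt: bytes, presented_auth_key: bytes) -> bool:
    """Constant-time check of a presented auth key against the stored record."""
    return hmac.compare_digest(record, server_record(presented_auth_key, verifier_salt))


if __name__ == "__main__":
    # constructed sample values
    keys = derive_keys("correct horse battery staple", "@alice:example.org", b"per-user-salt")
    rec = server_record(keys["auth_key"], b"verifier-salt")
    print("auth key:", keys["auth_key"].hex())
    print("4S key:  ", keys["secret_storage_key"].hex())
    print("login ok:", server_verify(rec, b"verifier-salt", keys["auth_key"]))
```

The trade-off notramo mentions is visible here: everything still hinges on the password's strength, since an attacker who obtains the server's record can run the same PBKDF2 offline, which is exactly why the iteration count (and ideally a memory-hard KDF) matters. What the split buys is that a compromised or malicious homeserver holds no material that unlocks secret storage.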

ereio commented 2 years ago

@digitalentity are we ok waiting for the potential solution above or would you still want an option to disable E2EE?

I've considered adding this under "Advanced" settings and only making it available under non-production builds (Nightlies) for the time being. This could allow Syphon to be used with an enterprise homeserver where auditing messages is required.

The option would also be authed account / profile specific, so if you wanted to login to your personal with E2EE still enabled, you could do so. Let me know your thoughts on this @digitalentity and others here as well.