Gajim - 2023-08-02

does gajim support multiple accounts ✏

> does gajim support multiple accounts Yes. ↺

Suggestion: change the half shield color for OMEMO unverified messages to yellow. Trusting the device that is sending the message is very important so it's best that unverified devices stick out

i'd be with you if not for the fact that most of my contacts dont publish omemo keys out-of-band and there still isnt a good (simple) cross-sign mechanism

also yellow is another colour to consider contrast against light and dark backgrounds

> i'd be with you if not for the fact that most of my contacts dont publish omemo keys out-of-band and there still isnt a good (simple) cross-sign mechanism This should always be done tho, if I understand it correctly.. the point of e2ee is that you don't trust the server. Without verification, E2EE becomes useless.

> also yellow is another colour to consider contrast against light and dark backgrounds Maybe orange would be better?

Most people won't do it, but it's still good practice to always have a way of verifying it, even if it's just a signed message with pgp

Most users don't care about verification

And I don't want to constantly alarm them

If you want to verify your contacts then disable blind trust

Then the will show up as untrusted until you verify them

it's required to ensure the safety of chats though. It's not alarm (would be if bright red, but not if it's yellow) if it's just a simple change in color so that it's noticeable. As it is now, some people won't even notice the half shield

I want my contacts to remember thatt they have to verify *me*

not the other way around

I trust myself to verify, don't trust others to remember to do so

btw, I'm relatively new here... Do you get notified when someone you have an active conversation connects from a new session?

Like, do I have to check their active session fingerprints everytime..? Will disabling blind trust stop me from sending a E2EE message to an unverified session?

> I want my contacts to remember thatt they have to verify *me* I understand that, but we hint towards respecting what the user wants, not his contacts

and if they decide to blindly trust any key, then it would be weird to try and warn them about not verified keys

> btw, I'm relatively new here... Do you get notified when someone you have an active conversation connects from a new session? why would there be a need for a warning?

> Like, do I have to check their active session fingerprints everytime..? Will disabling blind trust stop me from sending a E2EE message to an unverified session? keys/fingerprints dont change only because someone goes offline, devices have their keys usually until the end of life of that device, so verify a device once and then you are fine. And yes disabling blind trust, forces you to verify all devices before sending

though you can set a single key to blind trust, if you are not able to verify it yet, but decide to send anyway to that device

i would not over think this, its called "blind trust before verification"

which means you trust every key, until you verify at least one

afterwards no new key for this contact is trusted blindly anymore

simply trust blindly, and keep in mind to verify once you meet this contact, or do it via another channel

> and if they decide to blindly trust any key, then it would be weird to try and warn them about not verified keys The issue is that is the default. I understand why it's default, but if it is then I believe a small warning at the very least is due. > > btw, I'm relatively new here... Do you get notified when someone you have an active conversation connects from a new session? > why would there be a need for a warning? Because if there is an attack and the account is compromised, you would also be sending the message to the attacker. > > Like, do I have to check their active session fingerprints everytime..? Will disabling blind trust stop me from sending a E2EE message to an unverified session? > keys/fingerprints dont change only because someone goes offline, devices have their keys usually until the end of life of that device, so verify a device once and then you are fine. > And yes disabling blind trust, forces you to verify all devices before sending This is good, thank you. > though you can set a single key to blind trust, if you are not able to verify it yet, but decide to send anyway to that device I remember reading that Signal does this.. The first device/message is blindly trusted, but newer ones give (or used to) give a warning. I think this is best.

the behavior we currently have is kind of problematic

ah no its ok

if you disable blind trust

and a unknown device announces it self

the key is in the state "UNDECIDED"

so Gajim forces you to make a decision

and that can be, either, blind trust, trust, or no trust

so Gajim prevents you only from sending messages until you made your decision

usually if you are paranoid, you would select "no trust"

and then send ask the contact if he has a new device and exchange fingerprints over the already verified and secure channel

afterwards you set it to trust

Yeah, I think that even if blind trust is enabled, it should still give you a small nudge i.e. _aquatarkus has added a new OMEMO session_ or something along these lines, since it is the default option

so we have two modes in Gajim, Paranoid full security, and i dont care about verification, but i want to have everything encrypted

i dont see this group of people that trust blindly everything, but still want to know about new devices

why would they ..

> i dont see this group of people that trust blindly everything, but still want to know about new devices I think that it is a reasonable middle ground, doesn't annoy the user and doesn't make it insecure by default

I believe defaults should always attempt to conciliate between convenience and security

and this seems like the best way to do it

I understand having an option to disable it, but it shouldn't be default imo

when I first learned about XMPP, I had to google around to figure out that it even had this issue with authentication

i dont share that opinion, the default should be, everything is encrypted, it just works, user never is bothered with encryption details

people who are just getting started just don't know that verification is important, and hiding it doesn't do it anyn good

its not important in general

if nobody ever verifies anything, then even E2EE itself becomes redundant, because then you are just giving back trust to the server, that E2EE means to take away

its important for you, or you think its important, i think you over estimate that importance for other people

if the server was to be trusted, then why even send messages with E2EE

TLS is sufficient

> if nobody ever verifies anything, then even E2EE itself becomes redundant, because then you are just giving back trust to the server, that E2EE means to take away thats a common wrong thought

there are various threat models, it depends against who you are trying to protect yourself

if you are trying to protect against a lazy server operator that reads messages in the database, there is no need to verify anything, and default encryption is good enough

if you are trying to protect against simple mass surveilance of internet exchanges

encryption without verification is just fine and good

if you are trying to protect against an sofisticated attacker who takes the time and launch a specific xmpp related encryption attack against you

then its not good enough, but you need to realize that this is not the threat model for 99% of the people

99% of the people don't threat model

they just trust whatever they use to have their best interests in mind and to keep them safe.

i think a info (not warning) that a contact has added a new device does not hurt

This would already be huge, lovetox and I would greatly appreciate if you consider including it

though its hard for me currently to envision how we can display this

just a small italic message?

"$user added a new device, click here to decide on trust"

like what whatsapp/signal do

yeah i know what the user wants, i just dont know how to implement this, we only store messages

it used to be default for whatsapp/signal, but removed it

https://sure.im:443/upload/6c825e7b-418e-4824-b5e2-9f9927e9ea02/7a81afe6-d877-4d7c-b8d7-86cbe7df9e2f.png

> yeah i know what the user wants, i just dont know how to implement this, we only store messages when blind trust is disabled, the user is forced to make a decision. With blind trust enabled, just display a message like this?

it would be gone if the user closes the chat

we would need to store it somewhere

I see

its rather a code architecture problem

nothing that can be solved, but not as straight forward as a user might think

"just display it" ..

*cant

I understand, lovetox, would you like me to create an issue so that you guys will remember to look into this?

yeah you can

alright