-
Veronica
does gajim support multiple accounrs✎ -
Veronica
does gajim support multiple accounts ✏
-
â˜Mike Yellow
> does gajim support multiple accounts Yes. ↺
-
aquatarkus
Suggestion: change the half shield color for OMEMO unverified messages to yellow. Trusting the device that is sending the message is very important so it's best that unverified devices stick out
-
opal
i'd be with you if not for the fact that most of my contacts dont publish omemo keys out-of-band and there still isnt a good (simple) cross-sign mechanism
-
opal
also yellow is another colour to consider contrast against light and dark backgrounds
-
aquatarkus
> i'd be with you if not for the fact that most of my contacts dont publish omemo keys out-of-band and there still isnt a good (simple) cross-sign mechanism This should always be done tho, if I understand it correctly.. the point of e2ee is that you don't trust the server. Without verification, E2EE becomes useless.
-
aquatarkus
> also yellow is another colour to consider contrast against light and dark backgrounds Maybe orange would be better?
-
aquatarkus
Most people won't do it, but it's still good practice to always have a way of verifying it, even if it's just a signed message with pgp
-
lovetox
Most users don't care about verification
-
lovetox
And I don't want to constantly alarm them
-
lovetox
If you want to verify your contacts then disable blind trust
-
lovetox
Then the will show up as untrusted until you verify them
-
aquatarkus
it's required to ensure the safety of chats though. It's not alarm (would be if bright red, but not if it's yellow) if it's just a simple change in color so that it's noticeable. As it is now, some people won't even notice the half shield
-
aquatarkus
I want my contacts to remember thatt they have to verify *me*
-
aquatarkus
not the other way around
-
aquatarkus
I trust myself to verify, don't trust others to remember to do so
-
aquatarkus
btw, I'm relatively new here... Do you get notified when someone you have an active conversation connects from a new session?
-
aquatarkus
Like, do I have to check their active session fingerprints everytime..? Will disabling blind trust stop me from sending a E2EE message to an unverified session?
-
lovetox
> I want my contacts to remember thatt they have to verify *me* I understand that, but we hint towards respecting what the user wants, not his contacts
-
lovetox
and if they decide to blindly trust any key, then it would be weird to try and warn them about not verified keys
-
lovetox
> btw, I'm relatively new here... Do you get notified when someone you have an active conversation connects from a new session? why would there be a need for a warning?
-
lovetox
> Like, do I have to check their active session fingerprints everytime..? Will disabling blind trust stop me from sending a E2EE message to an unverified session? keys/fingerprints dont change only because someone goes offline, devices have their keys usually until the end of life of that device, so verify a device once and then you are fine. And yes disabling blind trust, forces you to verify all devices before sending
-
lovetox
though you can set a single key to blind trust, if you are not able to verify it yet, but decide to send anyway to that device
-
lovetox
i would not over think this, its called "blind trust before verification"
-
lovetox
which means you trust every key, until you verify at least one
-
lovetox
afterwards no new key for this contact is trusted blindly anymore
-
lovetox
simply trust blindly, and keep in mind to verify once you meet this contact, or do it via another channel
-
aquatarkus
> and if they decide to blindly trust any key, then it would be weird to try and warn them about not verified keys The issue is that is the default. I understand why it's default, but if it is then I believe a small warning at the very least is due. > > btw, I'm relatively new here... Do you get notified when someone you have an active conversation connects from a new session? > why would there be a need for a warning? Because if there is an attack and the account is compromised, you would also be sending the message to the attacker. > > Like, do I have to check their active session fingerprints everytime..? Will disabling blind trust stop me from sending a E2EE message to an unverified session? > keys/fingerprints dont change only because someone goes offline, devices have their keys usually until the end of life of that device, so verify a device once and then you are fine. > And yes disabling blind trust, forces you to verify all devices before sending This is good, thank you. > though you can set a single key to blind trust, if you are not able to verify it yet, but decide to send anyway to that device I remember reading that Signal does this.. The first device/message is blindly trusted, but newer ones give (or used to) give a warning. I think this is best.
-
lovetox
the behavior we currently have is kind of problematic
-
lovetox
ah no its ok
-
lovetox
if you disable blind trust
-
lovetox
and a unknown device announces it self
-
lovetox
the key is in the state "UNDECIDED"
-
lovetox
so Gajim forces you to make a decision
-
lovetox
and that can be, either, blind trust, trust, or no trust
-
lovetox
so Gajim prevents you only from sending messages until you made your decision
-
lovetox
usually if you are paranoid, you would select "no trust"
-
lovetox
and then send ask the contact if he has a new device and exchange fingerprints over the already verified and secure channel
-
lovetox
afterwards you set it to trust
-
aquatarkus
Yeah, I think that even if blind trust is enabled, it should still give you a small nudge i.e. _aquatarkus has added a new OMEMO session_ or something along these lines, since it is the default option
-
lovetox
so we have two modes in Gajim, Paranoid full security, and i dont care about verification, but i want to have everything encrypted
-
lovetox
i dont see this group of people that trust blindly everything, but still want to know about new devices
-
lovetox
why would they ..
-
aquatarkus
> i dont see this group of people that trust blindly everything, but still want to know about new devices I think that it is a reasonable middle ground, doesn't annoy the user and doesn't make it insecure by default
-
aquatarkus
I believe defaults should always attempt to conciliate between convenience and security
-
aquatarkus
and this seems like the best way to do it
-
aquatarkus
I understand having an option to disable it, but it shouldn't be default imo
-
aquatarkus
when I first learned about XMPP, I had to google around to figure out that it even had this issue with authentication
-
lovetox
i dont share that opinion, the default should be, everything is encrypted, it just works, user never is bothered with encryption details
-
aquatarkus
people who are just getting started just don't know that verification is important, and hiding it doesn't do it anyn good
-
lovetox
its not important in general
-
aquatarkus
if nobody ever verifies anything, then even E2EE itself becomes redundant, because then you are just giving back trust to the server, that E2EE means to take away
-
lovetox
its important for you, or you think its important, i think you over estimate that importance for other people
-
aquatarkus
if the server was to be trusted, then why even send messages with E2EE
-
aquatarkus
TLS is sufficient
-
lovetox
> if nobody ever verifies anything, then even E2EE itself becomes redundant, because then you are just giving back trust to the server, that E2EE means to take away thats a common wrong thought
-
lovetox
there are various threat models, it depends against who you are trying to protect yourself
-
lovetox
if you are trying to protect against a lazy server operator that reads messages in the database, there is no need to verify anything, and default encryption is good enough
-
lovetox
if you are trying to protect against simple mass surveilance of internet exchanges
-
lovetox
encryption without verification is just fine and good
-
lovetox
if you are trying to protect against an sofisticated attacker who takes the time and launch a specific xmpp related encryption attack against you
-
lovetox
then its not good enough, but you need to realize that this is not the threat model for 99% of the people
-
aquatarkus
99% of the people don't threat model
-
aquatarkus
they just trust whatever they use to have their best interests in mind and to keep them safe.
-
lovetox
i think a info (not warning) that a contact has added a new device does not hurt
-
aquatarkus
This would already be huge, lovetox and I would greatly appreciate if you consider including it
-
lovetox
though its hard for me currently to envision how we can display this
-
aquatarkus
just a small italic message?
-
aquatarkus
"$user added a new device, click here to decide on trust"
-
aquatarkus
like what whatsapp/signal do
-
lovetox
yeah i know what the user wants, i just dont know how to implement this, we only store messages
-
aquatarkus
it used to be default for whatsapp/signal, but removed it
-
aquatarkus
https://sure.im:443/upload/6c825e7b-418e-4824-b5e2-9f9927e9ea02/7a81afe6-d877-4d7c-b8d7-86cbe7df9e2f.png
-
aquatarkus
> yeah i know what the user wants, i just dont know how to implement this, we only store messages when blind trust is disabled, the user is forced to make a decision. With blind trust enabled, just display a message like this?
-
lovetox
it would be gone if the user closes the chat
-
lovetox
we would need to store it somewhere
-
aquatarkus
I see
-
lovetox
its rather a code architecture problem
-
lovetox
nothing that can be solved, but not as straight forward as a user might think
-
lovetox
"just display it" ..
-
lovetox
*cant
-
aquatarkus
I understand, lovetox, would you like me to create an issue so that you guys will remember to look into this?
-
lovetox
yeah you can
-
aquatarkus
alright