Feature suggestion: manual fingerprint verification / SecureJoin alternative for desktop users

It seems like Delta Chat doesn’t check the OpenPGP key initially belongs to the sender address, since there’s no way to do so. There’s SecureJoin, but that seems to be limited to mobile phones or devices with cameras. I think a great alternative would be to allow the users to manually verify the fingerprint of somebody in the “Encryption Info” dialog:

This should then give the user the green check mark as well, and Delta Chat should locally store the verified fingerprint in a way that synchronizes between my Delta Chat devices, and it should show a big scary warning if that key ever changes. In the future, Delta Chat should probably also support accepting new keys automatically and updating the saved pinned fingerprint if the new key is signed with the old pinned key at a point where the old one isn’t expired yet, and given the old key is still locally available of course.

Expected behavior

There’s a way to manually verify and enable the “green check mark” encryption. This would increase user security since those without access to the QR workflow could then use other ways for verification and make Delta Chat watch that there are no shady changes going on.

Actual behavior

There doesn’t seem to be an obvious way to do good manual verification without SecureJoin, which seems to be limited to QR codes.
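
As an added illustration of the pinning behaviour proposed in this post (not Delta Chat code and not part of the original thread): a Python sketch of a local pin store that pins a key only when a fingerprint obtained out of band matches it, flags any later change, and moves the pin when the new key is certified by the still-valid pinned key. The class, method and status names are hypothetical, and the OpenPGP signature and expiry checks are assumed to be done by the caller and passed in as `certified_by` and `old_key_valid`.

```python
import hmac
import re
from dataclasses import dataclass, field

# Hex digits in a full OpenPGP fingerprint: v4 (SHA-1) and v6 (SHA-256).
FPR_LENGTHS = (40, 64)


def normalize_fingerprint(text):
    """Drop spaces/colons, uppercase, and reject anything but a full fingerprint."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if len(fpr) not in FPR_LENGTHS or not re.fullmatch(r"[0-9A-F]+", fpr):
        raise ValueError("not a complete OpenPGP fingerprint")
    return fpr


@dataclass
class PinStore:
    # address -> pinned fingerprint; addresses are lowercased (assumption)
    pins: dict = field(default_factory=dict)

    def verify_manually(self, addr, key_fpr, typed_fpr):
        """Pin key_fpr only if the fingerprint received out of band matches it."""
        actual = normalize_fingerprint(key_fpr)
        if not hmac.compare_digest(normalize_fingerprint(typed_fpr), actual):
            return False
        self.pins[addr.lower()] = actual
        return True

    def check_incoming(self, addr, key_fpr, certified_by=None, old_key_valid=False):
        """Classify the key seen on an incoming message against the stored pin.

        certified_by: fingerprint of the key whose signature over the new key
        the caller has already verified (hypothetical input, None if absent).
        old_key_valid: pinned key is still held locally and was unexpired
        when it made that signature.
        """
        actual = normalize_fingerprint(key_fpr)
        pinned = self.pins.get(addr.lower())
        if pinned is None:
            return "unverified"
        if hmac.compare_digest(pinned, actual):
            return "verified"
        if (certified_by and old_key_valid and
                hmac.compare_digest(normalize_fingerprint(certified_by), pinned)):
            self.pins[addr.lower()] = actual  # rollover vouched for by the old key
            return "rotated"
        return "KEY_CHANGED"  # the UI should show the warning here
```
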

Thanks for your suggestion, and welcome to the Delta Chat forum!

We thought about adding this feature, but we didn’t because of concerns that users would click “Mark as verified” without actually having the peer verified.

Signal has this feature, and in the 2016 study “When SIGNAL hits the Fan: On the Usability and Security of State-of-the-Art Secure Mobile Messaging”, 13 out of 28 users thought they had verified their chat partner even though they hadn’t, and falsely marked the fingerprint as verified (6 thought that clicking “Mark as verified” verifies Bob, 4 thought asking their chat partner questions is enough, 1 thought the presence of fingerprints proves the authenticity, and 1 asked the chat partner “do you think this chat is secure?”).

It would surely be possible to mitigate this with good help texts, but we would need to user-test this in order to make sure that the feature does not cause harm (users often don’t read help texts, depending on how they are laid out in the UI). Or we would need to hide it very well, but we generally try to not have many “hidden” features which we need to maintain and bug-fix while not helping most users - we are a small developer team with limited resources, and need to prioritize what gives the most value to many users.

2 Likes

Thanks for the feedback!

Assuming this idea here isn’t worthwhile, what’s the alternative workflow for verifying users for a secure chat on desktop? As long as there is one, this isn’t much of an issue, but I couldn’t find one.

no.

  • “Guaranteed End-to-End-Encryption” (the term we use for “Secure join”) is not limited to mobile devices. “Guaranteed End-to-End-Encryption” is supported by Delta Chat Desktop as well as Delta Chat iOS and Delta Chat Android.

  • it is not needed that all devices have a camera. if you want to scan a QR code, you need a camera only on one device.

  • if you do not have a camera on any devices, you can relay the needed information via an “invite link”

so, all you need is Delta Chat - in theory, other apps could add support for “Guaranteed End-to-End-Encryption” as well, however, we do not hold our breath right now 🙂

a general note to understand priorities, (repeated from somewhere else 🙂 ) Delta Chat does not consider PGP in its classic dealing-with-keys form as a convenient-enough approach to exchange keys or to guarantee things. we do not want users to be confronted with key questions in the UI they “reach”, Don’t ask users anything about keys, ever. therefore, effort and focus is put to other parts - autocrypt, secure-join, vcards etc. - resulting in far more messages being encrypted than on most other email apps 🙂

1 Like

Maybe it’s just me, but that doesn’t seem practical for people without Android or iOS, since others typically don’t support QR code workflows. Even where they technically do, there’s the physical trouble of aiming an entire laptop the right way at a QR code. The “add device” solves this by alternatively allowing copying text around.

For desktop users, this state basically seems to mean they can’t verify any users. That seems drastic to me and that doesn’t seem like a meaningful state for the app to be in, if it’s not just meant for mobile. My apologies if I’m just missing something, however.

For what it’s worth, doesn’t Element have this symbol comparison approach for verifying users? So there are other ways that don’t involve asking keys, that I’m sure some smart people can come up with. My proposal might be bad, but something vaguely alike would be nice.

Hello 👋,

most laptops today have cameras. As mentioned above there are four ways to verify a contact, even if a laptop has none:

  1. The person with a smartphone or laptop with a camera scans the QR code on the laptop without one.
  2. It is possible to send an invite link.
  3. The QR code can be saved as an image file on one device and read again on the other.
  4. A vCard can be sent.

You can transfer the link contained in the QR code as text.

Displaying fingerprints as an emoji sequence might help users to more easily compare them. I like the idea.
But it must be the same emoji font, to not repeat this Matrix mistake:


screenshot from https://utopia.rosano.ca/encryption-rant/ (nice post about how confusing secure messengers can be in practice).

1 Like

Thanks for all the responses! Sorry for my confused question, how does this invite code work for a user I already have as a contact that I want to verify? I can’t really find any “invite” or “verify” functionality in the context menu of that contact, and I can’t find anything in the top menu either.

As for showing emoji sequences and fonts, I heard some free emoji fonts exist so maybe it would be possible to bundle them with the different clients for the various platforms.

In DC-Desktop, this feature is not yet as visible as in the other versions.
To create an invite link, open the QR code menu. Then click on “Copy”.
The link is now in the clipboard and can be shared with others.
Either via DC if no chatmail account is used, otherwise via another channel.
Another option is to open this link:

Then copy the QR code into it.

1 Like

I’m really sorry for being so confused, but what’s the “QR code menu”? I just can’t find anything like that on desktop. I expected it in the right-click menu of a contact (so I can verify them) or anywhere in the app menu bar.

Edit: ohhhhh it’s the button right next to the search? My apologies, I probably should have seen that.