Make fingerprint verification easier

E2E encryption is not worth much if the keys can’t be verified by the users. What I dislike currently:

  • It’s not so clear if the connection is encrypted before sending a message

  • It’s quite hard to find the fingerprints, also it’s “only” letters

My suggestion

  • Show a “secure” icon on the send button once e2e encryption is active

  • Display the fingerprints for example as smileys on a more central area of the user profile screen. Telegram is using smileys on their voice/video calls and it can be quite fun to verify the connection.

Off topic

There are many secure chat systems out there these days, and delta has a really nice concept. But none of these apps have the “wow” effect. The ui/ux is quite boring and conservative. Telegram for example is just plain cool somehow. Fancy. It’s very easy to convince people to switch to telegram, but if they see delta or signal, they don’t like it in most cases.
This also explains the active user counts of these apps…


Fingerprints are not supposed to be compared manually. What you discovered in the “Encryption” menu is debugging info at best. Use QR-code verification, then create a verified chat with the contact once you have verified their key. In the future there is a plan to replace “verified groups” with “protected chats” and allow upgrading 1:1 chats to protected chats too. For now you have to create a “verified group” with two members for a verified 1:1 chat.

There is an existing feature proposal at

Well, how do you compare fingerprints if you are in another country? Or continent? Send the QR code by paper mail?
This QR verification has a big usability issue. Manual verification via a phone call or another secure channel is in my experience the most useful way. The “in person” verification is a quite rare use case, at least for some people.

And to be honest, it’s cool to ask the other party if their key is “smiley, heart, poop, party”. It makes security and encryption a little bit less boring and annoying.

Show the QR code in a video chat or send a screenshot via second channel.

Adding a readable Signal-like “safety number”, maybe encoded in emojis, is possible, but it only provides a one-way verification and users may fail to verify it two-way. Delta Chat uses a more complex Setup Contact protocol which uses a one-time token to verify the key both ways. When you compare a safety number, you only verify on your side but you can’t be sure that your contact has verified the key properly, in which case their messages can be intercepted and re-encrypted with your key so you don’t notice anything.

With this sort of manual verification users easily fail to verify even one-way, see:

I agree that it should be revisited during the “protected chats” round of releases, but we must ensure that it’s impossible to turn the chat “protected” without properly verifying or ending up with a broken chat when someone turns it “protected” while the other side believes it is unverified.
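A simplified model of the one-way versus two-way point made in the post above, as an added example that is not part of the thread and not Delta Chat's code or its actual Setup Contact protocol. The key bytes, the 8-emoji alphabet and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

EMOJI = ["😀", "❤", "💩", "🎉", "🐱", "🌵", "🚀", "🔑"]  # constructed 8-symbol alphabet

def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()

def emoji_code(fpr: str, n: int = 8) -> str:
    # 3 bits per symbol: illustration only, far too short for real use
    return " ".join(EMOJI[b % 8] for b in bytes.fromhex(fpr)[:n])

class Peer:
    def __init__(self, pubkey: bytes):
        self.pubkey = pubkey      # stand-in bytes for a real public key
        self.peer_key = None      # key received for the contact over the network
        self.verified = False     # "I consider my contact's key verified"

def exchange_keys(a, b, forged_for_b=None):
    """Unauthenticated exchange; forged_for_b models a key swapped in transit to b."""
    a.peer_key, b.peer_key = b.pubkey, forged_for_b or a.pubkey

def one_way_compare(checker, other):
    """checker reads out the emoji of the key they hold; other confirms against their own key."""
    checker.verified = (emoji_code(fingerprint(checker.peer_key))
                        == emoji_code(fingerprint(other.pubkey)))
    return checker.verified

def qr_setup(inviter, joiner):
    """Simplified token flow: the QR code carries inviter's fingerprint and a one-time token."""
    qr = {"fpr": fingerprint(inviter.pubkey), "token": secrets.token_hex(16)}
    if fingerprint(joiner.peer_key) != qr["fpr"]:
        return False              # joiner holds a different key than the QR shows: abort
    joiner.verified = True
    # Sent only after the check above, so in this model only inviter's real key can read it.
    reply = {"token": qr["token"], "fpr": fingerprint(joiner.pubkey)}
    inviter.verified = (secrets.compare_digest(reply["token"], qr["token"])
                        and reply["fpr"] == fingerprint(inviter.peer_key))
    return inviter.verified

def run(method):
    """Alice's key is replaced on its way to Bob, then Alice starts the given verification."""
    alice, bob = Peer(b"constructed-alice-key"), Peer(b"constructed-bob-key")
    exchange_keys(alice, bob, forged_for_b=b"constructed-forged-key")
    ok = method(alice, bob)
    return ok, alice.verified, bob.verified, bob.peer_key == alice.pubkey
```

With the one-way comparison Alice ends up "verified" while Bob still holds the forged key; the token flow aborts on Bob's side, so neither party is marked verified.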

How to scan the QR code when showing it via video chat? For sure it’s possible somehow, but I honestly don’t know how right now, except of course if I have a second device. Or a printer. Or maybe a mirror? :smiley:
I don’t know anyone who used the E2E verification system of Telegram which works also with QR codes. But the one of the old school OTR over XMPP was very commonly used back then. Because it’s easy, user friendly and works over the distance.

You should have a minimum amount of trust in users, most are not this stupid and should be able to communicate about for example emojis or words. To prevent lazy (or invalid/stupid) verifications, maybe a simple quiz may solve this issue after clicking the “I verified the keys with my partner” button? Maybe something like “Was a poop smiley included in the key?”, just to add a small second security layer…

I think the chat system behind Signal is cool, and the one of Delta is even cooler. But both and many other secure chat apps can’t reach the 10 year old school kid or the 50 year old mother who is used to FB messenger or WhatsApp. Telegram does a really awesome job in UI/UX, but sadly they don’t focus on E2E.

I think scanning a QR from a picture is needed in the Android app. I think desktop has means to do this without directly scanning a QR, but it isn’t common for me and many people around me to have a second device at hand when the situation comes; the QR might be sent using XMPP and then you have the picture in your gallery but no way to scan it