That’s what I feared. Letting the user mark safe QR codes might alleviate that.
If you previously scanned a QR code with the correct fingerprint, and then scan a QR code of the MITM-server for the same email address, you will get a “setup changed” message, so this is noticeable. Then you can assume attack and investigate.
In most cases there is no MITM, so you will get a contact “introduced by” invite bot, then added to some green-checkmarked group without issues, then later scan a QR code in person and also get no “setup changed” message.
1 Like
I did do that, scan QR in person later. But there’s no easy visual indicator for whom I already did that. Especially in group chats, you get many people, it’s easy to forget who is safe.
Hence my suggestion to choose this both on code creation (do I plan to share this code in-person or unsafe remote) and when scanning (did I scan this in-person in safe ways).
A way to solve this with QR code contexts would be for you to generate a QR code with a “context” saying “met Bob in person at …”, show this QR code to who you think is Bob and this should result in the Bob contact getting a badge “scanned <met Bob in person at …>” QR code on 2025-02-11.
It would help but I think this info should be easily accessible in the contact list. E.g. a different icon.
Although I don’t know if I agree because deltachat can take care that the contact has been established securely (e2e), but knowing who we have made contact with should be our problem, in my opinion the most intuitive icon would be the thumbs up 
.
Or it could be added the possibility of dividing contacts into categories, and then one would create the “verified” category.
Pretty sure DeltaChat can’t guarantee E2EE without MITM if the QR code was altered.
I am untrained in the subject but I think, not considering bugs or anything, on this one it is not like you assume.
In the event that someone intercepts one of your qrcodes and connects to you, what happens is that you can converse with him and he can claim to be someone he is not, however it is not a MITM because this person cannot decode messages that are directed to others without their private key.
What happens is precisely that he is deceiving you, not that he is deceiving the e2ee of delta.
I think an evil mail server might set up a QR code for each of you, being in the middle, and relay messages. You would be talking to the correct person and even if you e.g. verify each other via knowledge only both of you know, the connection would continue to be intercepted. That seems like MITM to me.
This is why I think Delta Chat should explicitly ask if I received a QR code via safe means.
you are not supposed to send QRs or invite links in the channel you want to protect against, the whole point of QR scanning and contact verification is to avoid the server doing MITM if you do the verification via the server itself that is completely defeating the point, you need to use a “safe enough” 3rd party channel not in the control of your and your peer’s provider
In theory yes, in practice users send invite links to groups around inside Delta Chat to allow others to decide whether they want to join the group, Contribute - Delta Chat has a public invite link, you have an invite link in your mastodon profile.
Instead of telling users they are doing it wrong and adding “are you sure this link is safe?” dialogs where users will click “yes” anyway because they want to join the group, we can allow whatever and still let the user scan another QR code in person when they want to re-verify with a QR code obtained at a different time in a different channel.
I’m trying to figure out how this can happen (really, I’m no biased I just want to try to understand).
1: the server sends you invitation messages posing as people you are supposed to know.
1.1: you get an unexpected request, this should not happen, the only justification could be that someone shared your account or found your qr code in a public place. In either case you were not expecting this contact.
1.2: Someone you already know contacts you and tells you that they have made a new contact. That seems plausible to me.
1.3: Someone whose contact you were expecting contacts you, but it is actually someone who succeeded at the right time in making the request. This is particularly worrying; it looks like surveillance.
2: Someone pretends to be you and starts contacting your contacts, but to do so they must have access to your contacts. This can happen, however, if indeed it is the server that is doing this.
Honestly, you’re making me worried, too.
The solution seems to me to be not to accept contact or changes from people with whom you have not first warned yourself about how you will handle the contact.
So I wanted to invite people to a temporary server (a chatmail) and then from there invite them elsewhere, however this way would be safe?
yeah but the people that really need this can then take care of not doing things wrong? I published my link because I don’t care and I own my email server, if I would care about MITM I wouldn’t do it, in practice when we didn’t have such links people were not really verifying each others either most of the time and chatting just unverified which is worse
the people that are “doing it wrong” now at the same that don’t care or will not understand if you start adding symbols and signals for every type of QR scanning and verification or will ignore the symbols and assume all is verified etc
Not really because you also get green checkmark and “verified” key because someone added more contacts to the group and you cannot be sure they have been as careful as you.
you can never trust a 3rd party anyways so just going to profile and seeing it was not verified by you would do
The topic started with ell1e joining a group via invite link and in case you scan a group invite link you get Alice “verified” by yourself, so this does not help in this case.
if she joins via invite bot all members are verified by invite bot and hence you can’t trust the verification
in any case I think the icon should be changed to a green shield with a checkmark because this is about chat protection, no verification, it is too confusing and often mixed up with identity verification
and about expiring QRs I think that just make things more complicated for the users while not solving any problem
Some list of concrete proposals:
- Replace checkmark with a shield.
- Remove last traces of “verified” from the UI, including ugly square bracket error messages.
- Add contexts to QR codes and when someone scans your QR code write down the timestamp and context of scan in the contact profile as some sort of a “badge”.
- Expire QR codes and make them one-time by default. It should still be possible to create a QR code that allows infinite number of scans with a “Mastodon” context and put it into your profile.
- Allow placing a “trusted” seal on the contact manually and display it in contact lists, remove it every time key fingerprint changes. Maybe add automatically if someone scans a short-term one-time QR code you just created.
1 Like
i like 3 and 4, 5 must propagate to all the devices one uses.