Currently you can either verify a contact and have guaranteed end-to-end encryption, or you are left without any encryption guarantees, which is not ideal.
If you are not able to verify a contact immediately, it seems you have to accept the weaknesses/limitations of Autocrypt’s “opportunistic” security.
I think you could improve security in these cases by allowing users to add contacts/create chats that have guaranteed encryption but “unverified” status (maybe a gray checkmark instead of a green checkmark?) which would eliminate risks such as “surprise” unencrypted messages or email servers doing MITM at a later point in time. When users are able to verify these contacts properly at a later date, they can upgrade the status (e.g. from gray checkmark to green checkmark).
On a related subject, is there any news/update about whether “forced encryption” mode as discussed on other threads has already been implemented or will be implemented soon?
Related topics (3+ years old with no clear resolution):
- In settings autocrypt add forced end to end encryption option
- show end-to-end encryption state of chat - #18 by adbenitez
Related GitHub issues:
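As an added illustration of the three-state model proposed in this post (not Delta Chat's or Autocrypt's own code): the status names, the contact record, the warning strings and the stand-in key fingerprint are all assumptions; the Autocrypt header attribute names are the real ones.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumed chat states modelling the proposal: opportunistic (Autocrypt default),
# guaranteed-but-unverified (gray checkmark) and verified (green checkmark).
OPPORTUNISTIC = "opportunistic"
GUARANTEED = "guaranteed"
VERIFIED = "verified"

@dataclass
class Contact:
    addr: str
    status: str = OPPORTUNISTIC
    pinned_fp: Optional[str] = None  # key fingerprint pinned once status is upgraded

def parse_autocrypt(header):
    """Split an 'Autocrypt:' header into its attributes; keydata is kept opaque."""
    attrs = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")  # base64 '=' padding stays in value
        if key:
            attrs[key] = value
    return attrs

def fingerprint(keydata):
    # Stand-in (assumption): a real client would derive the OpenPGP fingerprint.
    return hashlib.sha256(keydata.encode()).hexdigest()[:16]

def upgrade(contact, keydata, verified=False):
    """Pin the current key; gray (guaranteed) now, green (verified) after out-of-band check."""
    contact.pinned_fp = fingerprint(keydata)
    contact.status = VERIFIED if verified else GUARANTEED

def check_incoming(contact, msg):
    """Return warnings for a pinned contact: surprise plaintext or a changed key."""
    warnings = []
    if contact.status == OPPORTUNISTIC:
        return warnings  # nothing is promised, so nothing to flag
    if not msg.get("encrypted", False):
        warnings.append("surprise plaintext message in a guaranteed-encryption chat")
    header = msg.get("Autocrypt")
    if header and fingerprint(parse_autocrypt(header)["keydata"]) != contact.pinned_fp:
        warnings.append("key changed for pinned contact (possible MITM)")
    return warnings

def send_policy(contact, have_key):
    """Decide how an outgoing message may go: pinned chats never fall back to plaintext."""
    if have_key:
        return "encrypt"
    return "plaintext" if contact.status == OPPORTUNISTIC else "refuse"
```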