Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Element X: require acknowledgement to send to a verified user if their identity changed or a device is unverified #2488

Closed
andybalaam opened this issue Jul 31, 2024 · 6 comments
Closed

Element X: require acknowledgement to send to a verified user if their identity changed or a device is unverified #2488

andybalaam opened this issue Jul 31, 2024 · 6 comments

Comments

@andybalaam
Copy link
Member

andybalaam commented Jul 31, 2024
edited by richvdh
Loading

The purpose of this issue is to prevent people who have explicitly verified someone accidentally sending messages. We need to cover 2 cases:

  1. A verified person becomes unverified
  2. A verified person has a new unsigned device

in both cases, when I try to send a message, sending should fail, and an error message should be displayed.

So we expect to change the message sending code (in Rust) to throw an error in these cases, and we expect the UI to display the error and offer options.

The options in case 1 would be "withdraw verification" (mark the person as unverified and send the message) or "cancel sending" (discard the message). Note that on EX there is no "Re-verify" yet.

The options in case 2 would be "send anyway" (send the message to the unverified device and remember that we don't need to ask again for that device) or "cancel sending" (discard the message).

This will require changes in
@richvdh richvdh mentioned this issue Jul 31, 2024
Closed
@richvdh
Copy link
Member

richvdh commented Jul 31, 2024

matrix-org/matrix-rust-sdk#1129 is part of this, I think.

This was referenced Aug 1, 2024
Closed
Closed
@mxandreas
Copy link

I am noting down a few questions for the session on Wed:

The options in case 1 would be "withdraw verification" (mark the person as unverified and send the message) or "cancel sending" (discard the message). Note that on EX there is no "Re-verify" yet.

  1. If you do want to keep sending the messages (now or later), the only option is to "withdraw the verification", correct?
  2. How to make sense of the state once the verification has been withdrawn? Will it correspond to a pinned/TOFU identity (e.g. we're already able currently to detect changes to it), or can it be then changed any time without anyone noticing?

The options in case 2 would be "send anyway" (send the message to the unverified device and remember that we don't need to ask again for that device) or "cancel sending" (discard the message).

  1. I assume that if more than one device is untrusted, we handle them as a group, e.g. send to all or nothing and if send, then remember to not ask again for any of these devices.
  2. Where do we remember the devices - is that something that is captured on the server or locally on the client side?

@americanrefugee
Copy link

Here are the current designs for:

  1. A previously verified user reset their crypto identity
  2. A regular user (NOT previously verified) reset their crypto identify

The first design covers case 1. We can probably modify the second design to cover case 2.

Comments/questions:

  • My understanding was that in the future it will not be possible to send or receive messages with an unverified device. Is this still true? If so, then case 2 is only a temporary thing?
  • The described behavior of "sending should fail" does not reflect the concept @pmaier1 @andybalaam and I came up with. In the design, the user can't even try sending a message until without withdrawing verification or verifying the user again. Until then, the composer is visible but disabled.

@andybalaam
Copy link
Member Author

andybalaam commented Aug 6, 2024
edited
Loading

My understanding was that in the future it will not be possible to send or receive messages with an unverified device. Is this still true? If so, then case 2 is only a temporary thing?

Yes, this is temporary to make Element X ready now.

The described behavior of "sending should fail" does not reflect the concept @pmaier1 @andybalaam and I came up with. In the design, the user can't even try sending a message until without withdrawing verification or verifying the user again. Until then, the composer is visible but disabled.

Correct: this is temporary too, because in future the user should not be able to send. There is an edge case though, where the UI did not update quickly enough and the user sent the message, so this error case could still be used in rare cases.

@americanrefugee
Copy link

americanrefugee commented Aug 8, 2024
edited
Loading

Here are the designs iOS and Android.

@richvdh richvdh mentioned this issue Aug 8, 2024
Open
@pixlwave pixlwave mentioned this issue Aug 13, 2024
Closed
@manuroe
Copy link
Member

manuroe commented Aug 13, 2024

I am closing this request in favor of https://github.com/element-hq/element-internal/issues/614 so that we can follow the EX team process with epic -> user stories -> tech tasks. It makes things easier for us to roll out the plan and to guarantee we do not forget a task.

@manuroe manuroe closed this as completed Aug 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@andybalaam @richvdh @manuroe @americanrefugee @mxandreas