Comments (33)
Petition to tackle MUC encryption next? :)
from dino.
You say "security" and then speak of usability.
Exactly. Because both are very closely connected, nowadays.
And yes, you cannot prevent anybody from doing something insecure. That's not my point. My point is, you have to prevent users from doing insecure things, because they are just users… Users will click through SSL warnings e.g. That's why they are not dismiss-able in modern browsers, depending on the circumstances.
In many e2e encrypted messengers, users sometimes send the verification code (or however it is called) through the same channel as they want to verify.
With the UI you should discourage that behavior. Make clear it is optional and so on… Or e.g. provide a mechanism, which usually can only be used when the contacts meet in person (that's why I've mentioned QR codes). And yes, if they want, they can screenshot the QR code, send it to the contact, the contact can print them and scan them; but hey… that's the case of shooting in the foot. As a dev you have done everything you can do.
But I think there is not much need to discuss this further. I trust the Dino devs that they do UI+security design etc. correctly. This ticket is about OMEMO, after all, not about "How to design secure systems, which are usable?" 😉
IMHO you should use this trust model by default as it is also used by Conversations. First "blind trust" and when they are verified (preferably via QR-code scanning), then disable "blind trust" and always show notifications. This is a reasonable trade-off of usability and security IMHO.
@mar-v-in What is OMEMO v2? Searching the web I can only find rather vague references from a few years ago.
Because of the usability aspect involved. You usually only scan
Don't mess things up. You say "security" and then speak of usability.
It can(!) just be dangerous for some users.
Yes! Life is dangerous too, let's save them from living at all!
If the user wants to shoot himself in the foot, there's nothing we can do. Such a user will eventually shoot off his foot even if every safety system in the world protects him from doing this. And "safeguarding" all the users that way just hurts the ones who simply want to verify themselves by simply comparing codes.
It works well! But I'm getting the fallback message with every picture upload (for conversations, 'I sent you an OMEMO encrypted message but your client doesn’t seem to support that. Find more information on https://conversations.im/omemo').
Remove devices from own devicelist
Someone is working on that?
Only colorizing fingerprints can be problematic; better to have more contrast than just color, maybe
- font-weight
- size
- brightness
- background
- spacing
- indicator icon
- ...
@mray The idea is to colorize in 4 hex character chunks, similar to OpenKeychain and group 2 chunks together (so that there are 8 groups of 8 characters, which is how OMEMO fingerprints are displayed in Conversations)
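As an added illustration of the grouping described above (example code written for this page, not Dino's, Conversations' or OpenKeychain's own): a 64-hex-character OMEMO fingerprint is split into 4-character chunks, each chunk gets a colour derived from its own value, and pairs of chunks form the 8 groups of 8 characters. The colour scheme (hue taken from the 16-bit chunk value, fixed saturation and lightness) and the four-groups-per-line terminal layout are assumptions for illustration; the sample fingerprint is constructed test data. The comparison helper normalises spacing and case, so a string the user typed or scanned still matches the displayed one, and the hex text always stays visible so colour is only a secondary cue.

```python
from __future__ import annotations

import colorsys
import hmac
import re

# Constructed sample: a 32-byte identity key as 64 hex characters (made-up test data,
# not any real device's key).
SAMPLE_FINGERPRINT = "3fa1c0de5b7e9912a4f08c6d1e2b3a4c5d6e7f80919a2b3c4d5e6f7081920a3b"


def normalize(fingerprint: str) -> str:
    """Drop whitespace and colons, lowercase, and require exactly 64 hex digits."""
    cleaned = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("an OMEMO fingerprint is 64 hex characters (a 32-byte key)")
    return cleaned


def split_chunks(fingerprint: str, size: int = 4) -> list[str]:
    """Split the normalized fingerprint into 16 chunks of 4 hex characters."""
    fp = normalize(fingerprint)
    return [fp[i:i + size] for i in range(0, len(fp), size)]


def group_for_display(fingerprint: str) -> list[str]:
    """Pair 4-char chunks into 8 groups of 8 characters, the layout Conversations uses."""
    chunks = split_chunks(fingerprint)
    return [chunks[i] + chunks[i + 1] for i in range(0, len(chunks), 2)]


def chunk_color(chunk: str) -> str:
    """Map a 4-hex-char chunk to a #rrggbb colour.

    Hue comes from the chunk's 16-bit value; saturation and lightness are fixed so the
    colours stay readable on a light background. Assumed scheme for illustration only.
    """
    hue = int(chunk, 16) / 0x10000
    r, g, b = colorsys.hls_to_rgb(hue, 0.35, 0.75)
    return "#{:02x}{:02x}{:02x}".format(round(r * 255), round(g * 255), round(b * 255))


def _ansi(chunk: str) -> str:
    """Wrap one chunk in a 24-bit ANSI foreground colour escape."""
    color = chunk_color(chunk)
    r, g, b = (int(color[i:i + 2], 16) for i in (1, 3, 5))
    return f"\x1b[38;2;{r};{g};{b}m{chunk}\x1b[0m"


def render_ansi(fingerprint: str) -> str:
    """Terminal rendering: every 4-char chunk in its own colour, chunks paired into
    8-char groups, four groups per line (two lines for a 64-char fingerprint)."""
    chunks = split_chunks(fingerprint)
    lines = []
    for row in range(0, len(chunks), 8):
        cells = ["".join(_ansi(c) for c in chunks[i:i + 2]) for i in range(row, row + 8, 2)]
        lines.append(" ".join(cells))
    return "\n".join(lines)


def fingerprints_match(shown: str, entered: str) -> bool:
    """Compare the displayed fingerprint with what the user typed or scanned.

    Spacing and case differences are tolerated; a malformed entry never matches, and the
    comparison is constant-time.
    """
    try:
        return hmac.compare_digest(normalize(shown).encode(), normalize(entered).encode())
    except ValueError:
        return False


if __name__ == "__main__":
    print(render_ansi(SAMPLE_FINGERPRINT))
    print(" ".join(group_for_display(SAMPLE_FINGERPRINT)))
```

Running the module prints the coloured two-line rendering followed by the plain 8-group form; the plain form is what a contact would read out or type into the other client.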
Oh, Ok. I expected coloring like Gajim does:
The colorizing you have in mind works fine of course.
I guess image/file sharing is not implemented yet? I got a URL like this: aesgcm://share.conversations.im/<user>/<a lot of numbers and chars>
Can't I receive pictures because it's not implemented or because my server does not support it? I think it's the first one. Because people send me pictures all over and I need to tell them that I cannot decode them because of my client :(
If you receive links with aesgcm://, this is the non-standard way of Conversations to share OMEMO-encrypted files via HTTP file upload. This is not implemented in Dino yet, neither is Jingle file transfer (which the other client shouldn't even try to use, because support is not announced by Dino). You are able to receive unencrypted or OpenPGP-encrypted HTTP file uploads though.
So this means I should open an issue at conversation bugtracker?
Thanks for the information. I will try to send it encrypted then, even though it's not the best idea.
I am willing to donate 50€ to the project if OMEMO gets implemented completely. I won't open any bug bounty program to avoid any additional fees, more for you guys. We will get in touch once it's done :)
Keep up the great work!
@rugk how do you scan a QR code on a desktop computer?
On Laptops with webcams that is no problem… But of course you may offer a way for users to manually enter the string for verification or so.
@rugk all the messy ways to compare the codes instead of simply looking at them and tapping "Verified"? No way!
Well… QR code scanning is more secure and still convenient… with a webcam… well more or less. Typing manually is not so nice, I agree, but just letting users tap on things labeled "it's ok" is often dangerous. Many many users will not verify anything and just tap things away.
QR code scanning is more secure
WHAT?
Many many users will not verify anything and just tap things away.
This only happens if verification is blocking the users from sending messages. The suggested model of trust, if you allow them to compare fingerprints by hand, doesn't bother the users (even doesn't suggest to do anything) and is still OK for the users who can't or don't want to scan codes.
WHAT?
Because of the usability aspect involved. You usually only scan
This only happens if verification is blocking the users from sending messages.
Maybe, maybe not. Some users would still verify anything they can – even if it is just to get a green tick…
But yes, I don't say this "click to verify" should not be implemented. It can(!) just be dangerous for some users. It could also be "hidden" and only available for users, who know what they do. That's all possible. It just depends on how it is done.
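The trust model argued for in this thread (blind trust by default, as in Conversations; once the user verifies a device by QR scan or manual fingerprint comparison, blind trust ends for that contact and new devices are reported instead of silently accepted; a manual trust/untrust toggle stays available and a pending decision never blocks sending) can be written down as a small per-contact state machine. The following is an added example for this page, not Dino's or Conversations' code: the trust states, the notification texts and the rule that messages are encrypted only to trusted or verified devices are assumptions chosen to match the comments above, and the sample fingerprint is constructed test data.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample fingerprint (64 hex chars); not a real device key.
SAMPLE_FP = "3fa1c0de5b7e9912a4f08c6d1e2b3a4c5d6e7f80919a2b3c4d5e6f7081920a3b"


class Trust(Enum):
    UNDECIDED = "undecided"  # announced after blind trust ended; waits for the user
    TRUSTED = "trusted"      # accepted automatically (blind trust) or by a manual toggle
    VERIFIED = "verified"    # fingerprint confirmed by QR scan or manual comparison
    UNTRUSTED = "untrusted"  # rejected by the user, or failed a fingerprint comparison


def same_fingerprint(shown: str, compared: str) -> bool:
    """Constant-time comparison, tolerant of spacing and case in what the user entered."""
    def norm(s: str) -> bytes:
        return "".join(s.split()).lower().encode()
    return hmac.compare_digest(norm(shown), norm(compared))


@dataclass
class ContactKeys:
    """Trust state of one contact's OMEMO devices (assumed model, see lead-in)."""
    jid: str
    blind_trust: bool = True  # default until the user verifies one device
    devices: dict[int, Trust] = field(default_factory=dict)
    notifications: list[str] = field(default_factory=list)

    def device_announced(self, device_id: int) -> Trust:
        """A device id appeared in the contact's OMEMO device list."""
        if device_id in self.devices:
            return self.devices[device_id]
        if self.blind_trust:
            self.devices[device_id] = Trust.TRUSTED  # silently accepted
        else:
            self.devices[device_id] = Trust.UNDECIDED  # always notify, user decides
            self.notifications.append(
                f"{self.jid}: new device {device_id}, not used until you decide")
        return self.devices[device_id]

    def verify(self, device_id: int, shown: str, compared: str) -> bool:
        """Verification via QR scan or manual comparison.

        Success marks the device verified and ends blind trust for this contact;
        a mismatch marks the device untrusted and records a notification.
        """
        if same_fingerprint(shown, compared):
            self.devices[device_id] = Trust.VERIFIED
            self.blind_trust = False
            return True
        self.devices[device_id] = Trust.UNTRUSTED
        self.notifications.append(f"{self.jid}: fingerprint mismatch for device {device_id}")
        return False

    def set_trust(self, device_id: int, trusted: bool) -> None:
        """Manual trust/untrust toggle, e.g. for an undecided device."""
        self.devices[device_id] = Trust.TRUSTED if trusted else Trust.UNTRUSTED

    def encrypt_targets(self) -> list[int]:
        """Device ids a message is encrypted to. Undecided and untrusted devices are
        skipped rather than blocking the send."""
        return sorted(d for d, t in self.devices.items()
                      if t in (Trust.TRUSTED, Trust.VERIFIED))


if __name__ == "__main__":
    contact = ContactKeys("alice@example.org")  # constructed JID
    contact.device_announced(1)
    contact.verify(1, SAMPLE_FP, SAMPLE_FP.upper())
    contact.device_announced(2)
    print(contact.devices, contact.encrypt_targets(), contact.notifications)
```

Before any verification the contact's devices are accepted silently; after the first successful verification the second device is left undecided with a notification, and `encrypt_targets()` keeps sending to the verified one, which is the non-blocking behaviour the thread asks for.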
Would you kindly focus down Un-/trust devices. This is the only thing preventing me from using dino :(
What is the status of encrypted images? gthumb seems to be the only app that can open it and it gives me segfaults on Arch Linux, so I can't open them at all.
Why are sub issues for each separate aspect not allowed?? #419
Is there a bounty for this issue?
Is there a bounty for this issue?
https://www.bountysource.com/issues/44025760-omemo-tracking
Ok... added 50$ more :) I'd love to be able to see encrypted images... 🐈
@mar-v-in List can be updated or?
Encrypted File up/download seems to be supported now:
#339 (comment)
- Option to disable Blind Trust (GSoC)
It shouldn't be marked as done. Currently, there seems to be no way of disabling blind trust globally (or at least it's not hooked to the UI)
@marmistrz The option is marked fine, as it doesn't say "globally". You can disable blind trust per-user: Go to the contact's details > OMEMO Key Management > Automatically accept new keys. #484 is an issue for globally disabling blind trust.
Given that Dino's OMEMO implementation is - besides some bugs - mostly done, I will close this tracking issue. Bugs and further features can be discussed in separate issues.
It seems to me OMEMO has broken. Was working perfectly not long ago. Then it just disappeared when I upgraded. I have compiled it with the OMEMO plugin.
It seems to me OMEMO has broken. Was working perfectly not long ago. Then it just disappeared when I upgraded. I have compiled it with the OMEMO plugin.
I had the same issue when I was running dino from outside the build directory (I didn't make install). If I cd to the build directory, OMEMO is available.
Good news: