Daniel Gultsch

Blind Trust Before Verification

Establishing trust is always a complicated task but especially difficult in a multi-device environment where every device has its own identity. Concepts like Trust On First Use (TOFU) don’t work very well because a malicious server could sneak a ‘surveillance device’ into every device announcement. Furthermore Trust On First Use doesn’t have an answer to users switching devices or otherwise reinstalling the App which would generate a new key. If you consider that an App or an identity is being used for 10+ years you can assume that every user will reinstall the App or get a new device at least once. Subsequently TOFU only prolongs the problem of having to make a manual trust decision. Signal and WhatsApp have recognized this and are moving to a trust-everything approach and merely warn users when fingerprints change. Train somebody long enough to ignore those warnings and you’ve essentially made End-to-End-Encryption completely useless. Imagine if we only used the Web with self signed certificates; Even cautious users would quickly adopt a behaviour of simply ignoring the warning. Of course you could drive to the bank and compare the certificate’s fingerprint in person, but in reality nobody is going to do that, especially if they keep changing every couple of months.

When we first introduced OMEMO into Conversations we wanted to go down a different path; The trust decision had to be made before exchanging messages. This gave a user who was actually under high risk of surveillance the perfect tool to only exchange messages with trusted devices. There was no warning the user could overlook or that could vanish in the backlog. Instead there was only a simple yes or no. Yes means I trust this device and I want to send message to that device. No means I don’t trust this device.
This will also remain the recommended approach to users that have well-founded reason to believe that they will be the target of active attacks. However even people who want to protect against passive attacks are starting to adopt it, but at the same time they don’t want the hassle of verifying keys. The market has reacted to that demand and is slowly but surely removing verification from the picture. WhatsApp - and pretty soon Signal as well - are the prime example of an industry turning End-to-End Encryption into a hollow marketing phrase that doesn’t mean anything. Encryption without verification is ineffective. Having the ability to verify doesn’t mean anything, if nobody is using it.

Starting with version 1.15.0 Conversations is trying to find a middle ground between those extremes with a concept called Blind Trust Before Verification. In that mode - which is the default mode - Conversations blindly trusts any device a contact might have and it will also trust new devices that are being created in the future. Messages from those devices are marked with a lock, similar to how messages using OTR or PGP are marked. Users are given the option to verify contacts - or to be exact, their devices - by scanning a 2D barcode either of their phone, their social media presence or website. A manual verification is not possible to clearly communicate the concept that verification is what happens if you scan barcodes, instead of verification is what happens if you press some buttons and ignore some warnings. After such a verification happened Conversations will no longer blindly trust new devices that are created after the verification. By doing verification the user has proven three things a) they are capable of scanning barcodes b) they have some sort of out-of-band channel where such a verification can happen c) they have some interest in verified communication. For this reason it is no longer desirable to blindly accept new devices and thus Conversations will prompt for a manual trust decision as it was implemented before. Conversations will still make a difference between device fingerprints that were verified and those that were trusted blindly offering the ability to verify them at a later point. Messages from verified devices are marked with a small shield icon.
Messages from untrusted devices are marked with a red background and have a clear label called untrusted. However since for unverified contacts all devices are blindly trusted by default, messages from untrusted devices usually only occur after verification.

In additon to introducing the Blind Trust Before Verification mode and making it the default we will try to make verification easier. For example Conversations offers an easy way to share the 2D barcode over social media and other trusted channels.

Even if other apps are giving up on verification, because it is hard, we recognize that it is an essential part of End-to-End encryption that you can not automate.

TLDR: Automatically trust all new devices of contacts that haven’t been verified before, and prompt for manual confirmation each time a verified contact adds a new device.