Add setting for confirmation when sending messages to a room with verified users who have unverified devices #313

Open
jryans opened this issue Jan 9, 2020 · 5 comments
Labels
A-E2EE, A-User-Settings, O-Occasional (Affects or can be seen by some users regularly or most users rarely), T-Enhancement, X-Needs-Design, X-Needs-Product (More input needed from the Product team)

Comments

@jryans

jryans commented Jan 9, 2020

Broadly, we want to update the existing nag that appears when sending messages with untrusted devices to account for cross-signing status: when there are verified users with unverified devices, show a warning. (This will happen separately in element-hq/element-web#11750.)

We also want to add a setting for advanced users to control this as shown below. Default to off as shown. (Figma)

[Screenshot: 2020-01-14 at 12 18]

Open questions:

  • If you accept, when do we show it again? Every message? When devices change?
  • If someone removes all of their devices, do they sneak by...? Is that okay?
  • This replaces the existing behaviour of prompting when sending a message and the list of the unverified devices has new unverified devices in it. Is that okay?

See also the related element-hq/element-web#11808.

@jryans
Author

jryans commented Jan 10, 2020

@nadonomy, please review the questions above with your product hat on.

@nadonomy

> If you accept, when do we show it again? Every message? When devices change?

I think every message makes the most sense; this is for advanced, security-conscious users wanting to be aware of every time they might be encrypting a message for an untrusted device.

If the nags are annoying, I think it's reasonable to expect social dynamics to come into play (i.e. ask people to cross-sign their own devices).

> If someone removes all of their devices, do they sneak by...? Is that okay?

Is this not covered by the conversation we had yesterday where we said if a verified user generates a new cross-signing key they'd then be decorated with a warning? Is there some other nuance I'm missing?

> This replaces the existing behaviour of prompting when sending a message and the list of the unverified devices has new unverified devices in it. Is that okay?

Yeah, this is designed to make that new behaviour opt in, rather than by default. Echoing the conversation we just had on Matrix, but for posterity in this issue— users are warned exhaustively by decoration (room icon in the room list, room icon in the room header, user icons in the member list, composer) so this interaction adds too much friction for our common, default use cases.

@lampholder
Member

@nadonomy at the moment the text of this issue says that the setting to prompt users when there are untrusted devices in the room (when there are room members you have verified who have devices that they have not verified) should be on by default; if we want this to be for advanced users only we should change that :)

I have to say though I thought we concluded the opposite the other day - I thought we agreed that the act of verifying a user represents your desire to have sensitive conversations safely, so the app should be maximally noisy if something threatened that safety.

@nadonomy

> @nadonomy at the moment the text of this issue says that the setting to prompt users when there are untrusted devices in the room (when there are room members you have verified who have devices that they have not verified) should be on by default; if we want this to be for advanced users only we should change that :)

This should be off by default; the same is true of all of the advanced encryption settings.

@jryans apologies if the Figma comps showing 'on' was misleading; they're just showing different UI states, not indicative of the defaults. I've amended them all to be 'off' now.

> I have to say though I thought we concluded the opposite the other day - I thought we agreed that the act of verifying a user represents your desire to have sensitive conversations safely, so the app should be maximally noisy if something threatened that safety.

From the discussion the other day we discussed the app decorating noisily, but that it shouldn't block interactions unless opted in to by advanced users.

jryans changed the title from "Prompt for confirmation when sending messages to a room with verified users who have unverified devices" to "Add setting for confirmation when sending messages to a room with verified users who have unverified devices" on Jan 14, 2020
jryans removed the X-Needs-Product (More input needed from the Product team) label on Jan 14, 2020
@jryans
Author

jryans commented Jan 14, 2020

Thanks @nadonomy, the intention seems clearer to me now. I have updated these settings issues with new screenshots to clarify the default state. Also, I moved this over to the advanced users only story.

SimonBrandner added the O-Occasional (Affects or can be seen by some users regularly or most users rarely), T-Enhancement, X-Needs-Design and X-Needs-Product (More input needed from the Product team) labels on Jan 22, 2022
t3chguy transferred this issue from element-hq/element-web on May 23, 2022