Insecure instructions for verifying devices #10008

Closed
madduck opened this issue Jun 11, 2019 · 2 comments
Comments

@madduck

madduck commented Jun 11, 2019

When being asked to verify a device, the instructions say:

To verify that this device can be trusted, please contact its owner using some other means (e.g. in person or a phone call) and ask them whether the key they see in their User Settings for this device matches the key below: […]

IMHO, this is wrong. The owner should read out the fingerprint, and it should be up to the local user to verify the match. Otherwise, a malicious actor could simply ack the fingerprint as read out by the owner, and get them to trust a malicious device that somehow managed to fake the fingerprint.

I am not sure this is really an attack vector, but it seems wrong to ask someone else to make comparison calls that are critical to one's own trust definitions.
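
The comparison the issue asks for, done on the verifying user's side, as an added example that is not code from Riot/Element or matrix-react-sdk: the device owner reads their key out, and the verifying user's own client normalises what was heard and compares it against the key it displays. The owner never hears the local value and never gets to answer "yes, that matches". The key literal is a constructed random value in the shape of a Matrix Ed25519 device key (43 characters of unpadded base64, 32 bytes decoded), not a real device's key; the four-character grouping is an assumption about how the client displays keys, not something the issue states.

```python
"""Local-side fingerprint comparison for device verification (constructed example)."""
import base64
import binascii
import hmac
import re

# Constructed: the key the verifying user's OWN client shows for the remote device.
# Random value in the shape of a Matrix Ed25519 device key; not a real key.
LOCAL_VIEW_OF_REMOTE_KEY = "fTfJ3GnJUVPNnZkGR8KIyEhZ2F0g5EbK5cRpzcEf7Zw"

# Separators a person might speak or type between groups ("fTfJ 3GnJ", "fTfJ-3GnJ", ...).
_SEPARATORS = re.compile(r"[\s\-:.]+")


def is_well_formed_device_key(key: str) -> bool:
    """True if key is base64 decoding to exactly 32 bytes (an Ed25519 public key)."""
    try:
        raw = base64.b64decode(key + "=" * (-len(key) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def format_for_reading(key: str, group: int = 4) -> str:
    """Split the key into fixed-size groups so the owner can read it out in chunks.

    Assumed to mirror the client's display grouping; the grouping is cosmetic and
    carries no security meaning, so the comparison below ignores it.
    """
    return " ".join(key[i:i + group] for i in range(0, len(key), group))


def normalize_read_out(text: str) -> str:
    """Collapse separators and padding from what the owner read out.

    Case is deliberately NOT folded: base64 is case-sensitive, so 'b' and 'B'
    are different keys. A phone read-out has to spell out upper vs lower case.
    """
    return _SEPARATORS.sub("", text.strip()).rstrip("=")


def local_user_verifies(local_view: str, read_out_by_owner: str) -> str:
    """Compare the key OUR client displays against what the owner read out.

    Returns "MATCH", "MISMATCH" or "MALFORMED". The decision is made here, on the
    verifying side; the owner only supplies their value and is never asked to
    confirm ours.
    """
    candidate = normalize_read_out(read_out_by_owner)
    if not (is_well_formed_device_key(local_view) and is_well_formed_device_key(candidate)):
        return "MALFORMED"
    # Constant-time comparison; compare_digest also returns False on length mismatch.
    return "MATCH" if hmac.compare_digest(local_view, candidate) else "MISMATCH"


if __name__ == "__main__":
    print("Owner reads out:", format_for_reading(LOCAL_VIEW_OF_REMOTE_KEY))
    # Genuine key read out with the display grouping: still a match.
    print(local_user_verifies(LOCAL_VIEW_OF_REMOTE_KEY, format_for_reading(LOCAL_VIEW_OF_REMOTE_KEY)))
    # A different device whose key differs only in the last character: mismatch.
    print(local_user_verifies(LOCAL_VIEW_OF_REMOTE_KEY, LOCAL_VIEW_OF_REMOTE_KEY[:-1] + "x"))
```

The one practical caveat this surfaces is case: because the displayed key is base64, a read-out that drops case information cannot be safely compared, so the client must neither case-fold nor accept a partial string, and a truncated or garbled read-out is reported as malformed rather than silently treated as a mismatch or match.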

@jryans
Collaborator

jryans commented Jun 11, 2019

Thanks for the feedback! I believe most of this UX will change significantly when cross-signing is used instead of verifying individual devices, but it's still good to track.

@aaronraimist
Collaborator

This has been fixed

su-ex added a commit to SchildiChat/element-web that referenced this issue Feb 28, 2023
3 participants