[messaging] security notifications

Jeff Burdges burdges at gnunet.org
Fri Apr 8 16:02:29 PDT 2016


I've noticed worries around WhatsApp's security notifications around
issues like ratchet restarts.  Just a thought on security notifications,
not exactly about WhatsApp, Signal, etc. but really anytime you need to
compromise on security notifications.

As a general principle, if you cannot give a big scary security
notification, say for business reasons, then you should still give
*some* notification, even an innocuous one.

Imagine we've a messaging program that (a) uses an Axolotl ratchet for
both encryption and deniable authentication, and (b) must initiate a
completely new session if a user, say, buys a new device or restores from
backup.  In this scenario, the ratchet provides forwards or backwards
continuity for authentication, but any individual contact might not
really be authenticated, and contacts might stop being authenticated if
they switch to a new device.

If Alice and Bob have authenticated, and Alice buys a new device, then
Bob's device should inform him that he must authenticate Alice again.
I'd imagine most systems would get this right.

If however Alice and Bob have never authenticated, and maybe they even
have some "security notifications" setting off, then they should still
see a warning when a ratchet is forced to restart.  It might read:

"Your session has restarted. This probably means Bob bought a new
phone!"

There is nothing scary about that message, but the insinuation that Bob
bought a new phone might prompt a conversation.  In practice, this
message increases the risk of running a man-in-the-middle attack.

If Alice turned on her now more-friendly-named "security explanations"
setting, then the same message might read:

"Your authentication session has restarted.
 [Re-authenticate] [Read more]"

And "[Read more]" could say:

"This probably means Bob bought a new phone.
 We suggest you mention this to Bob though over 
 our voice chat.  If his device says the same,
 that's odd.  In that case, please re-authenticate
 carefully, like by QR code or ..."

Anyways, I like this principle that, if you must compromise on security
notifications, then even an innocuous notification is better than no
notification.  At the extreme, this could even simply be some silly
easter egg with a dancing spy or whatever, but it's best if the
innocuous notification has some continuity with the informative
version. 

Best,
Jeff
