User Experience Preview: End-to-end encryption
When using encrypted messages, most existing services fall short in one or all of the following:
- They don't allow you to use multiple devices independently. For example, a web session might be locally tethered to a mobile device.
- They don't support a way to restore or temporarily access message history. For example, if you don't have physical access to your main device because it's broken or has been stolen.
- They don't allow you to verify that devices are controlled by their owners rather than eavesdroppers, and persist that trust across multiple devices, sessions or rooms.
Cross-signing personal devices
When logging in to a new device, you'll be able to use an existing device to verify your new one. Verification is done by scanning a QR code on whichever device has the most convenient camera to use, or by comparing a short text string. You only have to complete this process once to mutually verify both devices.
Verifying your new device by cross-signing transfers encryption keys, giving it access to your encrypted messages, and also signals to other users that the new device is trustworthy.
Secure Message Recovery
To the end user, Secure Message Recovery works a lot like setting up disk encryption or a password manager. A user can optionally secure their message history using a recovery passphrase and/or key. If logged out, or using another device, the user can use the recovery passphrase or key to access their encrypted message history.
In practice, this incrementally encrypts and backs up encryption keys to a user's homeserver, kept secure by the homeserver never having access to the passphrase or key. Like cross-signing, using a recovery passphrase or key will also signal to other users that a device is trustworthy.
We think that in most cases users will cross-sign personal devices, but as a safety net (for example, if a user's devices are broken or lost) Secure Message Recovery is an invaluable tool for users to minimise the chance of them losing their encrypted message history.
People should trust people
With both cross-signing and Secure Message Recovery in place, we think that people should trust people, instead of individual devices. Now, when you verify a device, it'll mark all of that user's trusted devices as trusted.
Gone are the days of every person you talk to having to independently verify your new device upgrade. Like cross-signing, you can verify a device by scanning a QR code or comparing a short text string.
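A simplified model of the trust propagation described above, as an added example that is not Riot's or Matrix's own code. It assumes each user has one Ed25519 identity key that signs every device they cross-sign; the names Device, TrustedDevices and Sample are hypothetical, and the device list is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Device is one session (assumed model). Sig is the owner's identity key signing Key, nil if never cross-signed.
type Device struct {
	Name string
	Key  ed25519.PublicKey
	Sig  []byte
}

// TrustedDevices returns the devices trusted by propagation once the device
// named verified has been checked in person (QR code or short string).
func TrustedDevices(identity ed25519.PublicKey, devs []Device, verified string) []string {
	var out []string
	anchored := false
	for _, d := range devs {
		if ed25519.Verify(identity, d.Key, d.Sig) {
			out = append(out, d.Name)
			anchored = anchored || d.Name == verified
		}
	}
	if !anchored {
		return nil // the checked device is not signed by this identity key, so nothing propagates
	}
	return out
}

// Sample returns constructed data: two cross-signed devices and one listed without the owner's signature.
func Sample() (ed25519.PublicKey, []Device) {
	idPub, idPriv, _ := ed25519.GenerateKey(nil)
	var devs []Device
	for _, name := range []string{"phone", "laptop", "unknown"} {
		pub, _, _ := ed25519.GenerateKey(nil)
		d := Device{Name: name, Key: pub}
		if name != "unknown" {
			d.Sig = ed25519.Sign(idPriv, pub)
		}
		devs = append(devs, d)
	}
	return idPub, devs
}

func main() {
	id, devs := Sample()
	fmt.Println(TrustedDevices(id, devs, "phone"))
}
```

Verifying the phone once is enough to trust the laptop as well, while the device that appears in the list without the owner's signature stays untrusted.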
Sensible and extensible
In Riot, we're implementing these features with a sensible default experience that strikes a balance between usability and security. We think most people would prefer to trust cross-signed devices, and that user trust shouldn't block encryption. However, if you aren't most people, you'll be free to configure whatever level of security you need.
In Summary
With all of the above in place, and after resolving any remaining technical issues, users will be able to:
- Use end-to-end encryption by default in private rooms.
- Use an existing device or Secure Message Recovery to access their encrypted message history on multiple devices, and to signal device trust to other users.
- Access their encrypted message history using Secure Message Recovery, by storing encrypted message keys on their homeserver.
- Mark a user as trusted by verifying one of their devices, persisting across all rooms and devices.
- Keep their encrypted messages out of the hands of eavesdroppers.
- Opt out, or further configure if they have more specific security requirements.