It’s been a long-standing goal to enable end-to-end encryption by default for private communication in Matrix. The technical effort so far has included our libolm library, an independent cryptographic review and a massive backlog of feature development and bug fixes. Today, instead I’d like to focus on some of the User Experience challenges and goals we’re facing.
I should also introduce myself—I’m Nad Chishtie (@nadonomy:matrix.org) and I recently joined the Matrix core team (at New Vector) as Lead Designer, most recently focusing on end-to-end encryption.
When using encrypted messages, most existing services fall short in one or all of the following:
- They don’t allow you to use multiple devices independently. For example, a web session might be locally tethered to a mobile device.
- They don’t support a way to restore or temporarily access message history. For example, if you don’t have physical access to your main device because it’s broken or has been stolen.
- They don’t allow you to verify that devices are controlled by their owners rather than eavesdroppers, and persist that trust across multiple devices, sessions or rooms.
Modern users, even those we talk to at security and privacy-led organisations, expect these features to ‘just work’ by default out of the box. Before enabling end-to-end encryption by default, we’ve been hard at work figuring out how we can deliver these features without compromising security or usability.
(For some users, restrictions such as limiting the number of places encryption keys reside, and not having a synchronised message history may be desirable security features. We’ll support these cases, but just not as the default behaviour.)
Let’s dive in to some of the fundamental concepts we’ll be putting forward to deliver a default end-to-end encryption experience that makes sense for most modern users. In this post we’ll look at an overview of work-in-progress wireframes, in the spirit of designing in the open and gathering feedback from the wider Matrix community. Please note that these don’t represent the actual interface design.
Cross-signing personal devices
When logging in to a new device, you’ll be able to use an existing device to verify your new one. Verification is done by scanning a QR code on whichever device has the most convenient camera to use, or by comparing a short text string. You only have to complete this process once to mutually verify both devices.
Verifying your new device by cross-signing transfers encryption keys, giving it access to your encrypted messages, and also signals to other users that the new device is trustworthy.
Secure Message Recovery
To the end user, Secure Message Recovery works a lot like setting up disk encryption or a password manager. A user can optionally secure their message history using a recovery passphrase and/or key. If logged out, or using another device, the user can use the recovery passphrase or key to access their encrypted message history.
In practise, this incrementally encrypts and backs up encryption keys to a user’s homeserver, kept secure by the homeserver never having access to the passphrase or key. Like cross-signing, using a recovery passphrase or key will also signal to other users that a device is trustworthy.
We think that in most cases users will cross-sign personal devices, but as a safety net (for example, if a user’s devices are broken or lost) Secure Message Recovery is an invaluable tool for users to minimise the chance of them losing their encrypted message history.
People should trust people
With both cross-signing and Secure Message Recovery in place, we think that people should trust people, instead of individual devices. Now, when you verify a device, it’ll mark all of that users trusted devices as trusted.
Gone are the days of every person you talk to having to independently verify your new device upgrade. Like cross-signing, you can verify a device by scanning a QR code or comparing a short text string.
Sensible and extensible
In Riot, we’re implementing these features with a sensible default experience that strikes a balance between usability and security. We think most people would prefer to trust cross-signed devices, and that user trust shouldn’t block encryption. However, if you aren’t most people, you’ll be free to configure whatever level of security you need.
With all of the above in place, and after resolving any remaining technical issues, users will be able to:
- Use end-to-end encryption by default in private rooms.
- Use an existing device or Secure Message Recovery to access their encrypted message history on multiple devices, and to signal device trust to other users.
- Access their encrypted message history using Secure Message Recovery, by storing encrypted message keys on their homeserver.
- Mark a user as trusted by verifying one of their devices, persisting across all rooms and devices.
- Keep their encrypted messages out of the hands of eavesdroppers.
- Opt out, or further configure if they have more specific security requirements.
There’s more nuance to making all this work than we can cover in this overview post; things like recovery key management and immutable security notifications are all important pieces of the puzzle. For further reading, we’re filling up more detail in UX reference documentation, interactive wireframes, GitHub issues and a work-in-progress threat model.
Over the coming days we’re polishing wireframes, nomenclature, iconography and microcopy as we dig deeper into development and implementation, as well as designing these features for the upcoming Riot redesign. Cryptography needn’t be intimidating, and we’re excited to iterate on these advanced features to make them work for everyone.
We’d love to hear your feedback! Let us know your thoughts here or in #e2e-dev:matrix.org.