Feature Request: Session verification

[jtrees]

Is your feature request related to a problem? Please describe.
My user profile gets a red shield on Element when I have an active Cinny session because the session is not verified. That makes me sad.

Also, security isn't as good as it good be without cryptographic verification.

Describe the solution you'd like
Emoji verification and (optionally) QR-code verification integrated in the UI.

Describe alternatives you've considered

• verification that's initiated via a slash command
• manual text-based verification

These are both fine as stop-gap solutions.

Additional context
Cinny looks incredible! I've been hoping a client like this would pop up out of nowhere someday. Thanks so much for making it!

[farribeiro]

isn't duplicated with issue #4 ?

[kidonsky]

I think that they are two different uses from the user point of view.
A session verification can be made with emojis verification and no more manual action. (see element)

Issue #4 mentions manual import/export.

So in my mind, one complete the other. (as you mentioned in your comment)

[farribeiro]

if a session is revoked, do automatic logout

[farribeiro]

if a session is revoked, do automatic logout

I think that they are two different uses from the user point of view.
A session verification can be made with emojis verification and no more manual action. (see element)

Issue #4 mentions manual import/export.

So in my mind, one complete the other. (as you mentioned in your comment)

BTW... if a session verified with success, then import the keys, must be automatic

[gpanders]

Here is the relevant section from the Matrix docs: https://matrix.org/docs/guides/implementing-more-advanced-e-2-ee-features-such-as-cross-signing

[ShadowJonathan]

For the record, this is keeping me from seriously recommending cinny to others, as it's basically standard at this point to implement this for cross-signing and all.

That said, the right technical term for this is "bootstrapping cross-signing", I'm putting it here so it turns up in search results

[woojoo666]

it seems like since Cinny sessions are unable to be verified, all the messages you send will have a "Encrypted by an unverified device" indicator when viewed from Element.

Steps to reproduce:

1. sign in on Element first, and make sure your session is verified and encrypted
2. sign in on Cinny
3. export your keys from Element and import to Cinny
4. send some messages using Cinny
5. your messages, when seen from your Element session, should have a red shield icon next to it that says "Encrypted by an unverified device" on hover (see screenshot)

Anybody know if this is permanent? I guess if I ever close/log out of Cinny, then it will be permanent, but if Cinny gets verification in the future, will I be able to verify my existing session and get rid of these warning icons?

[ajbura]

@woojoo666 importing keys doesn’t verify a session, it just decrypt encrypted messages sent by other sessions. To verify the session go to your profile in element in any room and click on unverified sessions, then click manual verify. You can see Cinny session details in Cinny’s settings (just to be sure when manually confirming). This is a workaround until we have emoji verification.

[woojoo666]

@ajbura I was trying to find a way to manual verify but I couldn't, when I click "verify" in Element desktop, I get the message "To proceed, please accept the verification request on your other login.", but nothing pops up on Cinny. And I don't see a button to manually verify, as was shown in the 2020 github discussion here: (element-hq/element-web#12586)

[woojoo666]

Nevermind it looks like you can only do it by going to one of your rooms, opening the room details, clicking on your username in the list, and clicking on the "Cinny Web" session. See element-hq/element-web#15365 (comment)

[kfiven]

@woojoo666 That's what ajbura said in above message ''go to your profile in element in any room''. Looks like everyone look for that option in settings as it used to be there but element removed it now.