Choice of security presets during setup #838
Wizards are a high bar for the average user to take. They are struggling to accept typing in their phone number, so why the heck would they want to adjust a thousand settings before they start messaging? The average user has to be considered dumb and lazy. That's the way Apple designs their products. They are pretty successful with this concept. |
@LOTP you misunderstand the idea, I want to achieve the opposite - people should have to make as few choices as possible.
This would be one click for every person installing TS, but we can hide as many advanced settings behind this, which 99% of the user base will never (have to) see. |
Well, I think that everybody deserves paranoid security by default with the possibility to opt out of certain elements. And what should the average user think if he has to choose between safe and convenient? Well, we have to think of a concept that on the one hand champions security and on the other hand is easy to use, too. For example, a random amount of at most 25 messages to random accounts of friends via push could be a feature which the user can't opt out of. Furthermore, an implementation à la "We send a small number of dummy messages a day, you can set your maximum value to (100/200/300/1000) messages a day" in the advanced panel. But 25 as the absolute minimum. To prevent timing attacks: Am I right that the receiver of the message can only be determined by the server? If true, the server could be configured to "pulse" out new messages only every 5 seconds. That would, in the worst case, be a disadvantage to users who sent their message at the beginning of a new cycle, because their message would have to wait 4.5s in the server cache, but the chance for an attacker with a privileged position to see which message is going where would be reduced dramatically. |
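The fixed-interval "pulse" relay proposed in the comment above, as an added simulation that is not TextSecure code: messages arriving at a relay are held until the next 5-second boundary and released together in shuffled order, so an observer of the relay's output timing learns only which pulse a message belongs to. The `Message` type, the sample arrival times and the 5-second pulse length are constructed for the example.

```python
"""Simulation of a fixed-interval 'pulse' relay (constructed example).

A message is held until the next pulse boundary and released with every
other message that arrived in the same interval. Within a batch the order
is shuffled, so neither release time nor output order reveals the exact
arrival time of an individual message.
"""
import random
from dataclasses import dataclass

PULSE_SECONDS = 5.0  # assumed pulse length, as in the proposal


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    arrived_at: float  # seconds since relay start (constructed values)


def next_pulse(arrived_at, pulse=PULSE_SECONDS):
    """Release time for a message that arrived at `arrived_at`.

    A message arriving exactly on a boundary goes out on that boundary;
    anything later waits for the following one, so the worst-case hold is
    just under one pulse (4.5 s for a message 0.5 s into a 5 s cycle).
    """
    boundary = int(arrived_at // pulse) * pulse
    return boundary if boundary == arrived_at else boundary + pulse


def relay(messages, pulse=PULSE_SECONDS, rng=None):
    """Group messages into release batches.

    Returns a list of (release_time, [messages]) sorted by release time.
    Each batch is shuffled with a seeded RNG so the result is reproducible
    here; a real relay would use a cryptographically secure shuffle.
    """
    rng = rng or random.Random(0)
    batches = {}
    for m in messages:
        batches.setdefault(next_pulse(m.arrived_at, pulse), []).append(m)
    schedule = []
    for t in sorted(batches):
        batch = list(batches[t])
        rng.shuffle(batch)
        schedule.append((t, batch))
    return schedule


def max_delay(messages, pulse=PULSE_SECONDS):
    """Worst-case time any message spends waiting in the relay."""
    return max(next_pulse(m.arrived_at, pulse) - m.arrived_at for m in messages)


def anonymity_set(schedule, msg):
    """Number of messages released in the same pulse as `msg`.

    An observer who only sees release timing cannot tell these apart,
    so a larger value means less timing information leaks.
    """
    for _, batch in schedule:
        if msg in batch:
            return len(batch)
    return 0


# Constructed sample traffic: four messages in the first cycle, one in the second.
SAMPLE_MESSAGES = [
    Message("alice", "bob", 0.5),
    Message("carol", "dave", 1.2),
    Message("erin", "frank", 4.9),
    Message("grace", "heidi", 5.0),
    Message("ivan", "judy", 7.3),
]

if __name__ == "__main__":
    for release_time, batch in relay(SAMPLE_MESSAGES):
        print(f"t={release_time:5.1f}s: {[m.sender for m in batch]}")
    print(f"worst-case hold: {max_delay(SAMPLE_MESSAGES):.1f}s")
```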
I think I mixed up my answer with issue #878. They are very similar context-wise. |
@LOTP You can always edit your own comments. That's why we will have to ask the user what he wants and if we explain it nicely with simple examples (aka lockscreen popup with picture of friend with beer in hand, asking when you'll be there, while you are explaining you'll have to leave early to support your sick child) nobody will bat an eye. |
@Lindworm: I really like your idea of asking the user to choose between these levels, so he doesn't have to go through all the settings and choose the right options. In my opinion, we should make it very clear that even the first level ("high convenience + medium security") results in a very good security level, at least way better than the security other apps like Wh**_app offer and even better than what you get from Threema (they don't have perfect forward secrecy, for example). So the average user who comes from easy-to-use messengers like Wh**_app or F***book would choose the first option. Otherwise many users will probably choose the second option, although they don't really want to use security features like a passphrase. Additionally, it would be a good idea to tell the user in a simple way what the levels mean. We could include a help function here with easy-to-understand use cases, maybe something like this:
We should of course be careful about making promises here that we maybe cannot keep, but this should really just give an idea of my point that the average user should be able to choose the right option for him. Just one last point: It should be possible to change these options later on in the settings, and I would also introduce "extended settings" in the settings, where the user can en-/disable all security functions himself if he really wants to. (Maybe someone likes the idea of sending dummy messages as suggested in #328 but doesn't want to use a passphrase, for example.) |
I agree, the TS transport is the safest one that's currently available and we should point that out. How about we rephrase the cases like that:
I also really like the short descriptions (nice wording) right in the dialog and the extended settings too. The extended settings (of the app, not the conversation) should certainly also contain all the settings, as well as an option to re-run this dialog. |
Yes, that sounds really good. Users hear from others that TextSecure offers very good security, and they should know that even the first case is suitable for that. Your new descriptions of the cases should do that pretty well. And yes, long-clicking an option to get the description should be a good solution, because it also works on small devices. A short hint telling the user about it (maybe at the bottom) should also work well. |
Sorry, I phrased that ambiguously (fixed it now). I meant to make the settings available on long click. That way the user can instantly see which settings will be affected and modify them. If it's not possible to display the descriptions on small devices (or would look bad), I'd like an obvious help button that shows the descriptions with one click. |
Guys guys guys. You're missing the point. Asking the user to choose between security levels is confusing and will hinder adoption. DON'T. What might be OK: Asking the user something like "Does your personal security or life depend on keeping your messages out of reach of third parties who might be in possession of your phone?", maybe with a "what does this mean?" link. Your average WhatsApp or FB Messenger user will chuckle and go for "no", maybe thinking "wow, those guys are serious". Somebody who is truly dependent on the utmost secrecy that TextSecure can provide will have a different view and will go with stealth paranoia mode. Everything else is way too confusing and not an option for a product to be used by the masses. |
I tend to agree with @lorenzhs, but it really depends on how this is implemented and what exactly the setting will do. Just from the "levels" you described here I am not sure how even a technical user would be able to choose what he really needs... how would a non-technical user be able to make this convenience vs. security tradeoff? |
@Lindworm You're very active here at the moment, so please let me repeat this. |
At least it's less confusing than dozens of technical options hidden away in the advanced settings ;-) However your solution is certainly better. I still think we should stick with the three modes, but take a different approach to implement them:
Edit: damn, the close button is too close to the comment button ;-) |
@Lindworm NO! It is way more confusing, because it's utterly vague. Hell, most people in this thread wouldn't know what to choose! And I oppose that second step. There should not be a medium setting, that just gives a false sense of security. Simplicity is absolutely essential. |
I think the medium setting is essential for all the privacy-conscious people that are not willing to give up on all the convenient features and don't want to do crazy things like sending dozens of paid SMS messages a day to thwart traffic analysis (#328), while a few data messages would be ok. Several of the options the paranoid setting will enforce are crazy enough that not even the most privacy-loving folks will want to activate them, if their life doesn't depend on it. Your view of the average user as a thirteen-year-old is probably spot on. But they aren't brain dead. We can omit the second question by doing something like this:
We can preselect the paranoid setting, use a bold font, color it or highlight it otherwise, while using a smaller normal font for the expert setting. |
You have a lot of confidence in 13-year-olds. As I stated above, people in this thread are unable to answer this question because they don't understand the implications. So no, your suggestion is not an option. Face it, this community is a bubble and "normal people" have no idea what that stuff means that you're talking about. And a biased choice UI must be just about the worst idea anyone's come up with so far. If my previous suggestion hasn't led you to the conclusion that what you're suggesting won't work, ask yourself this instead: could this be an Apple product? Because user experience is the single most important thing in building and keeping a user base. If you're not designing your menus, dialogues, etc. with that in mind, you won't reach mass adoption. |
A problem I see here is that the thirteen-year-old could read the question whether his life might depend on the confidentiality of his messages and then think: "Oh, this is not the right app for me. This sounds like a complicated app and I just want to chat with my friends." Maybe we should first clarify which security functions we have that are optional. And then we can argue whether they justify adding new choices to the wizard. |
So what's your solution? Only normal and maximum security? I also think that you underestimate how high the security of the "medium" setting is supposed to be. This would activate things like a pop-up warning whenever you are about to start an unencrypted conversation via SMS, asking if you really want to do that. Other examples would be a 1-click shortcut to wipe the whole database and uninstall TS, or making all messages editable so they can't be used as proof against you. Even the lowest setting is far safer than any other messaging app. The paranoid setting however would do some things that really mess up usability (no unencrypted messages at all, dozens of paid SMS, which aren't usually free in Europe or outside of the US). And the list will grow the more advanced security features are implemented. How are the implications of something along the lines of "will you die if somebody reads your texts or knows who you text" unclear in any way? Your average user will rightfully click no and that's it. -> Nothing hinders mass adoption. But if you take away the expert options with reasonable privacy settings from those who know what they are doing, you just messed with the current core user base.
I think most people would be rather amused instead of afraid. And if they think what you wrote, they won't stop the setup and uninstall it right away. They'll click "no" and won't be bothered with any complicated security related questions.
I already linked and referenced many proposed privacy settings we may want to activate, as well as convenience settings we may want to turn off. But nearly every time when you are faced with two extremes, a compromise is usually the way to go. |
"There should not be a medium setting, that just gives a false sense of security." Not if that setting and its alternatives are all explained accurately in terms of how much security they offer. Then it will be a correct and appropriate sense of security in each case. ;) |
@donjoe0 well, but that's a big usability issue. You can't make the user read a ton of stuff before getting started. There must not be an extensive setup routine, otherwise nobody will use the app. Users get confused really easily, and you can hardly do any worse than confuse somebody before they've even started using the app. Also, somebody concerned about prosecution for their opinions should not use SMS in the first place (the network operator knows the recipient). Push is way better in that regard. So the argument for the smokescreen texts is maybe not the best. Additionally, if you do stuff that's obviously designed to hide your tracks and leave false trails, that is rather likely to make whoever is after you have a closer look at you. Having settings like that is just a shit idea, as long as not everyone's install does that. And good luck telling the average western user that this app will send 100 texts a day to random people around the world because that may make some dude in some country safer. To summarise: the idea isn't thought through. You could do that kind of stuff over push though, because nobody cares about an extra 2KB a day, and you don't even need a setting for it (just enable it for everyone). |
I think we all want the same things (more people using TS and being as safe as they need to be). I agree with @lorenzhs that we should probably not give them the choice between different security/comfort levels, because they don't know why they can't have both in the first place. I also think we should ask the average user only one yes/no question they can answer and that's it (if their life/personal safety depends on it may sound extreme, but it's a good example). But @donjoe0 makes a serious mistake if he thinks the more secure options should be presented in a way where the user makes an informed decision himself. That may sound absurd at first, but the problem is: the people who really need those features are usually even less informed than the average European/US-American kid. We should give the informed user the ability to set all this stuff himself, but we have to care about the helpless and clueless first. If you'd go to Venezuela today, talking to the people on the streets, do you think they know the difference between encryption and trust? Many people here haven't understood that. If we actually want to save lives, we have to make it easy to also use the more aggressive security features. Yes, there should be the option to configure all the fancy stuff yourself, but it shouldn't pop up as soon as you click on the most secure option. There you may be able to choose between "set everything up for me" or "I'm an expert and want to do it myself". But the first option has to be big, fat, highlighted and marked as preferable. I may disagree with @lorenzhs on whether we want to have two or three presets (with the third hidden as default settings in the expert dialog), but if we
then we have to make it easy for those groups. The nerdy people with a crypto fetish still won't have a problem to use the app, even when they have to make two more clicks to get to their advanced settings. And honestly they don't have a choice. From a crypto perspective TS is currently defining the new state of the art in mobile messaging. If they are into crypto, TS is their only viable option. For the people who need it, it may be the only logical choice, but that doesn't matter if they install W***sApp because they didn't like TS. |
I was afraid this was where you were going with this. The big problem is you're choosing as primary targets two very different demographics: the casual "first-world" texter who doesn't know anything about security and doesn't even want to know, and the revolutionary "second-world" or "third-world" texter who doesn't know anything about security but needs to use as much of it as possible and needs to find out about it from this app's interface. When you put it that way it does indeed appear that there's no better option than simply asking the user right at the start if they plan to use the app in a threatening environment where they might be in physical danger if anyone unauthorized manages to read their messages, or if they just want a convenient way to exchange text messages with members of their social environment. All this will lead to are the two most extreme security profiles, i.e. extremely high security or extremely low security. Anyone who wants anything between these extremes will have to go fiddle with the stuff in the Settings menu and, unless they happen to be a nerd, we have to accept that they might not understand what they're selecting and that they might make the app unnecessarily cumbersome to use because we didn't want to help them understand threat models by including a well-designed wizard for this. (Keep in mind that even the revolutionary user will eventually get to the Settings menu and they still might try to flip some switches in there just to see what happens or just to get rid of some usage impediment. Are you sure you want them to not have a chance to understand what they're doing, at least at the level at which a decent threat model wizard could explain it?) It doesn't even have to be a startup wizard - you can keep just the "revolution vs. casual texting" question at the startup and put the threat model wizard right in the Settings menu - so the Security section of the Settings menu wouldn't just show you all the detailed options directly but ask you first if you know what you're doing or if you want to go through a wizard that might make things clearer for you. |
I chose them because they are the important ones. And the second demographic mostly uses what the first decided on. There's a reason some of the Middle-Eastern revolutions are called "Facebook revolution". Were there better tools? Absolutely. But they used what everybody already had, because it doesn't matter if you are the safest activist in the world, if you don't have others to talk to securely.
I agree
This would be nice, really. But it will not happen. Ever. I have talked at length with critical journalists in South America. They were really pissed when I put a password on their wifi and made their mail clients use HTTPS. I am targeting those two demographics because the people in need actually use what is widely available, not what is actually best for their use case. And the more average chatty teenagers (not just western) use this, the better the deniability and protection for those in actual need. If there are 500 users with TS installed in an undemocratic country, the authorities can just do an easy network analysis (at least for the SMS verification and encrypted SMS messages) and then kick in every door with a 99% chance of getting an "enemy of the state". If there are 500000 users, with maybe 5000 activists, there are simply too many doors to kick in. And it's easier to hide 500 kicked-in doors from the public than it is to hide a few thousand. |
Now you seem to be talking about adding security features that don't require the user to understand the app's settings or make any kind of informed choices whatsoever and I don't think that's what this thread is about. |
@donjoe0 The two main problems are the terminology, which is very precise and can be used to explain complex relations and differences with only a few words, and the complex relations themselves. I'm rather sure there isn't a big overlap between the groups who know and like encryption and those who actually need it. Your average Joe from Syria/Ukraine/Venezuela etc. doesn't even know what a server is. |
OK, so where are we at in terms of the topic question? Is there a general agreement that the most important security profiles to make available during setup should be the extremely-high and extremely-low security profiles and that they should be selected via a binary question about whether the user is a casual texter or is involved in protests or a revolution? |
I think the two stage method I described in #838 (comment) would be best: The first question weeds out the huge minority that wants comfortable texting, while the second one gives the uninformed activists as well as the crypto-lovers the chance to get a high security setup without much hassle. The medium settings would be kinda hidden as a preselection in the expert settings.
We can preselect the paranoid setting, use a bold font, color it or highlight it otherwise, while using a smaller normal font for the expert setting, to draw people to use the preset. |
I don't really get why we're discussing like this. There is an extremely successful application on the market which had to go through the exact same questions and found its answers - users seem to be pretty happy with it. I'm talking about Threema - there you don't have the chance to select a setting considered to be "unsecure" or "lower security level". To sum things up, I'd advocate having a set of settings pre-set, which the user can opt out of if he wants to (in the settings panel). While configuring TextSecure for the first time we could ask, after the telephone number was typed in, if the user wants to have all of his messages encrypted in order to protect them. If yes, he types in a password (and not "Passphrase", as it's translated in the German version... No one really knows this word here!) and it's done. Things like questions asking for the user's situation (like "are you in danger?", "do you need maximum protection?") are counterproductive and bad for TextSecure's reputation. We could implement a help button for every setting, but provide a set of preferences that advocates maximum security, from which the user has to opt out individually (with help buttons). |
@LOTP TextSecure is aimed at the average user, not the security professional. And the reality is that extremely maximum security will severely affect the usability, which average users won't understand and won't accept. Moxie even spoke out against showing the verification status (which can be a serious security risk) of people some time ago (#314 (comment), #227), so I'm pretty sure he doesn't approve of just choosing the highest security level, disregarding the usability. |
It won't damage anything to recognize that different people have different lives and different security needs and that what's best for some isn't best for others. If anything it will show that TS is a highly capable and adaptable product that can be made to fit many types of needs. Anyway, in that Step 1 + Step 2 model I'm still not seeing anything aimed at people who aren't completely ignorant but not complete experts either, or who are starting out as completely ignorant but want to learn more. If anyone wants any information other than what can be seen at Step 1 or Step 2 (which is not much), you're just lumping them in with the experts and throwing them to the lions (i.e. sending them to the fully detailed version of the Settings menu). I think it can be done better (see above, I'm not going to repeat myself). |
I'd prefer the opt-in solution. Those who want more security and/or need it are aware of it and can surely enable some extra features. A real anecdote: To sum it up: TextSecure is not really user-friendly yet. But if you want (more) people to chat to, it REALLY needs to become that!!! |
+1 |
I just witnessed two people installing TextSecure for the first time. They were confused by the options.... They were not really sure what the password is for. They thought it has something to do with the encrypted transmission. And they didn't know when they would have to enter it, if they set one... I'm not even sure if it's necessary to ask for it in the wizard.... People coming from WhatsApp will get annoyed really fast by entering the password all the time. Perhaps it should just be in the options... |
GitHub Issue Cleanup: |
If we want TextSecure to compete with W**_sapp, F_book and other less privacy/security-focused apps and platforms, it has to be as user-friendly as them. And it should be. Otherwise it'll never get a significant market share among average users.
But we also want to provide maximum security for people whose lives depend on it, maybe because they live in an undemocratic country and have an unpopular opinion, maybe because they are protesting the regime in Syria, maybe they are gay and happen to live in Uganda or any of the other 82 countries where that can get you in jail or even executed.
As TextSecure is supposed to be secure and user friendly there are going to be more and more cases where we will have to decide on a default behaviour, often between the safer and the more convenient option.
Many of the convenient features that many users want, because they know and love them from W**_sapp, F_book and other less privacy/security-focused apps and platforms, leak data, which, in some really bad cases, could lead to people getting hurt or worse.
An example would be a notification popup with the message content like #798 requests. In some cases even mentioning the sender alone can be a threat (#308 and #366).
It gets really bad if this can even happen on a locked phone (#198).
If we neither want to force the average user to go deep into the advanced settings to manually activate all the features they expect (really bad usability) nor want to endanger some users by choosing insecure but convenient defaults, we should ask the user at the setup level what their use case is:
Based on their choice we'll set default settings for the above mentioned features, as well as security features like #175, #226 and #328 and future convenience features.
It should also be possible to re-run this from the advanced settings.
One of the most important presets for the paranoid mode would be to turn off SMS messages entirely, because the metadata, which is the most important tool in modern surveillance, can't be hidden. The network providers can also easily scan the traffic and find out who uses TS, which will put people at risk.
With data that problem doesn't exist, because the relay (GCM) probably isn't controlled by the "enemy" and it works like an anonymizing proxy, because lots of normal apps use GCM.
As long as HTTPS (TLS) isn't broken (again...), data should be safe.