Signal-ios: Safety number change causes confusion

Created on 7 Dec 2015 · 12Comments · Source: signalapp/Signal-iOS

I suddenly got a diamond-shaped message in my friend's message feed that his identity key had changed. When tapping, it displayed a string of hex values and asked me to Accept, Copy or Delete.

There were no further explanation on 1) how I am supposed to verify that this is in fact my friend's key, or 2) why the key has changed in the first place (Did my friend choose to do it? Does the system do it automatically from time to time to increase security?)

I talked to him, and he sent me a QR-code on another communication channel and asked me to scan it. I asked him how? And he said "tap my name". Evidently it says so in a FAQ some where, but this is very non-intuitive.

Even so, I got "Conflict" when trying to scan his QR code. He tried to paste the hex values into the other communication channel, and I could manually see that they matched, so I accepted his new key. At this point, Signal crashed. I started Signal again, and I seem to have accepted his key (despite the crash, I think), but when trying to verify his identity again, I still got "Conflict".

I thought Signal was about bringing secure communication to the masses. After these experiences, and seeing that there are 132 open issues in the projects, I have become doubtful. If any product should be both bug-free and have a 100% intuitive user interface, it's this one.

needs design

Source

forthrin

👍2

Most helpful comment

Changing title to reference current UIUX. Users still may not understand that a message has arrived with the alert of the safety number change in the case that a change needs to be accepted (when Signal > Settings (wheel in top left) > Privacy > Require Approval on Change is enabled)

screen shot 2016-12-08 at 4 18 39 pm

Suggested Copy Options:
Incoming: "This new message can not be shown until you accept a safety number change. Tap for details."
Outgoing: "Safety number changed. This message will not send until you accept the change. Tap for details."
Generic: "Safety number changed. Tap for options to continue messaging."

riyapenn on 20 Dec 2016

👍2

All 12 comments

If I have understood correctly the UX of the identity key change is being rewritten in the upcoming months. See https://github.com/WhisperSystems/Signal-iOS/issues/975#issuecomment-160475467

The Android client does pretty good job at explaining the possible causes: your friend reinstalled their app or someone is attempting to impersonate as your friend (very unlikely but possible). But in general this is a hard UX problem with end-to-end secure products. If you silently accept all identity key changes you lose in security. If you show a warning you confuse users. There's no way this could be sufficiently explained in a single dialog to someone who is completely new to the subject.

So there's no "100% intuitive user interface" for this. Current situation can be improved though. You can also help by submitting pull requests, going through open issues trying to reproduce and test them, submitting new issues with helpful information, donating money and passing on this link https://whispersystems.org/workworkwork/ to your iOS developer friends who live in SF.

2-4601 on 8 Dec 2015

I'll check out the next release, but I defy the claim that the UX is difficult just because the underlying technicalities or other issues are difficult. There is always a good and optimal way to communicate what's happening and what the user should do. In fact, the user should do as little as possible, just exactly the minimum to safely confirm that the other party is still the same other party.

forthrin on 9 Dec 2015

I agree that when the key changes there should be an instruction to confirm the change with the other user out-of-band. Even if the fingerprint confirmation is non-trivial, confirming with the user that he has indeed using a new device or has reinstalled Signal should be rather easy to do.

ghost on 23 Apr 2016

👍1

(sent this as a support request, they told me to comment here!)
"Identity key changed. Tap to verify new key" needs more information: I have some feedback regarding the "identity key changed" alert. In my experience, I just ignore them, because I don't realize that the alert also means that the person is trying to message me. Then, at my leisure, I tap to verify, and I realize too late that they were trying to tell me something when the alert popped up.

Some suggestions would include changing the alert message to say, "Incoming message from new identity key. Identity key changed. Tap to verify new key" or something.

(here is Whisper Systems support's response, fyi)
Thanks for the suggestion and explaining how you interpret and react to the key change alerts! You can add this information to the GitHub issue which will track this (https://github.com/WhisperSystems/Signal-iOS/issues/991). However, the long-term change is to remove this from blocking you from messaging, so you won't need to see that in the future.

paulate on 10 Jun 2016

👍1

screen shot 2016-12-08 at 4 18 39 pm

riyapenn on 20 Dec 2016

👍2

Does IOS have a non-blocking option for safety number, like Android does which alerts the user that the safety number has changed and formats it like a group, call or disappearing message notice? It does not block the user from sending additional messages, and currently, is turned off by default. See this for more info.

sweeper3000 on 20 Dec 2016

Yes. Go to Signal > Settings (wheel in top left) > Privacy > Set Require Approval on Change so that it is DISABLED (Slider to the left and is gray)

riyapenn on 20 Dec 2016

I think that would help to somewhat resolve the issue as it advises, rather than require user action which seemed to cause confusion

sweeper3000 on 20 Dec 2016

Coming to +1 this request, in light of the current UX.

When I saw the above message ("Safety number changed. Tap to verify.", I initially interpreted it to mean "When you're ready to verify (i.e. with your friend in person or having the safety number in hand), tap to enter the verification process". I was obviously surprised when I met with my friend and tried to verify their number, only to have the app move along without even requiring a look at the safety number page. Perhaps changing to the messages you described above, along with a path that takes you directly to the safety number page if you choose, would make that whole verification process more discoverable for users.

rainmaker on 16 Feb 2017

👍1

so we are now opting to avoid confusion for a few users who probably don't even need a security app while allowing a man-in-the-middle attack to silently be an issue for every user?

is this really the choice signal has made?

am i missing something?

landry314 on 23 Jul 2017

so we are now opting to avoid confusion for a few users who probably don't even need a security app while allowing a man-in-the-middle attack to silently be an issue for every user?

is this really the choice signal has made?

am i missing something?

@landry314 - It sounds like either you have an unconventional definition of "silent" or you might have misunderstood how this feature works. We alert the user whenever the remote identity changes. We also optionally allow users to require an explicit acknowledgment before sending if they don't trust themselves to have seen the notification.

You can take a look at some of the design decisions we've made here: https://whispersystems.org/blog/verified-safety-number-updates/

Also, for the sake of the many people who watch this repository, we use Github for reporting bugs and making feature requests, not for discussion. If you'd like to have more discussion, please take it to the community forum: https://whispersystems.discoursehosting.net

michaelkirk on 24 Jul 2017

We did make some changes earlier this year to streamline how SN changes work which we believe better addresses this. Again, you can read more at: https://whispersystems.org/blog/verified-safety-number-updates/

michaelkirk on 24 Jul 2017

Was this page helpful?

0 / 5 - 0 ratings