I've noticed worries around WhatsApp's security notifications around issues like ratchet restarts. Just a thought on security notifications, not exactly about WhatsApp, Signal, etc. but really anytime you need to compromise on security notifications.
As a general principle, if you cannot give a big scary security notification, say for business reasons, then you should still give *some* notification, even an innocuous one.

Imagine we've a messaging program that (a) uses an Axolotl ratchet for both encryption and deniable authentication, and (b) must initiate a completely new session if a user, say, buys a new device or restores from backup. In this scenario, the ratchet provides forwards or backwards continuity for authentication, but any individual contact might not really be authenticated, and contacts might stop being authenticated if they switch to a new device.

If Alice and Bob have authenticated, and Alice buys a new device, then Bob's device should inform him that he must authenticate Alice again. I'd imagine most systems would get this right.

If however Alice and Bob have never authenticated, and maybe they even have some "security notifications" setting off, then they should still see a warning when a ratchet is forced to restart. It might read: "Your session has restarted. This probably means Bob bought a new phone!"

There is nothing scary about that message, but the insinuation that Bob bought a new phone might prompt a conversation. In practice, this message increases the risk of running a man-in-the-middle attack.

If Alice turned on her now more-friendly-named "security explanations" setting, then the same message might read: "Your authentication session has restarted. [Re-authenticate] [Read more]"

And "[Read more]" could say: "This probably means Bob bought a new phone. We suggest you mention this to Bob though over our voice chat. If his device says the same, that's odd. In that case, please re-authenticate carefully, like by QR code or ..."

Anyways, I like this principle that, if you must compromise on security notifications, then even an innocuous notification is better than no notification.

At the extreme, this could even simply be some silly easter egg with a dancing spy or whatever, but it's best if the innocuous notification has some continuity with the informative version.

Best,
Jeff
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
