There is no way to verify fingerprints in MUCs

Open elimohl opened this issue 8 years ago • 3 comments

Valid arguments for 'lurch' in groupchats are 'enable', 'disable', 'uninstall', and 'help'.

elimohl, Aug 03 '17 14:08

Currently, you can only enable OMEMO in MUCs with people that are in your contact list anyway (because the presence subscription is needed for PEP node access). So the thought was that you can confirm the session's fingerprints in the 1-on-1 chat window, as there is no "group session", just the sessions of all of the users. I think it would not be practical to show the same message listing all of the sessions' fingerprints, since it would be very long. Do you have a suggestion on how to solve this, or did you think there is a separate session for the MUCs? If so, do you think it should be explained somewhere?

gkdr, Aug 09 '17 16:08

Actually, I did not think much about how it works. I think it would be nice if you explained the policy about MUCs in the lurch help, or at least in the README. Will MUC messages be sent only to non-blacklisted devices? Is there a chance that an adversary could somehow hide his device from the 1-on-1 chat and join a MUC?

elimohl, Aug 23 '17 00:08

Like the compliance tester does?

https://github.com/iNPUTmice/ComplianceTester

https://github.com/iNPUTmice/ComplianceTester/blob/master/src/main/java/eu/siacs/compliance/tests/OMEMO.java#L12-L17

https://gultsch.de/compliance_ranked.html

splurched, Sep 24 '17 00:09