Front-and-center e2ee makes the app feel too technical #1565
Comments
Why use the Google/Apple API? Why not simply upload the keys to the Matrix server unencrypted?
Because that completely defeats E2E encryption.
So how can it be made less confusing and scary for new users? They get asked to store keys or store a long string of characters. They also get spammed with "Review where you are logged in". The latter is usually confusing, as logging in on the same computer with a different browser or session prompts this message. Again, this confuses new users and makes them think that somebody else is logged in to their account. Even my account has 27 unverified sessions. I mostly use just three PCs and mostly Firefox, but still there are "Untrusted" sessions. Of course there is no way to confirm them, as they have been closed for months or years. I'll raise another bug for that, but I assume that's a Synapse issue, not an Element one.
So Google/Apple/AnyOtherCommercialCloud doesn't defeat it? It does. So maybe store the keys encrypted on these clouds. You are back to asking the user for a password for encrypting the keys.
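The trade-off the two comments above describe (keys uploaded as-is are readable by whoever stores them; keys wrapped under a passphrase-derived key are not, but now the user must remember a passphrase) can be shown concretely. The following is an added example written for this page, not Element's or Matrix's actual key-backup or secret-storage format: it uses only the Python standard library, with PBKDF2-HMAC-SHA256 to stretch the passphrase, an HMAC-SHA256 counter-mode keystream as a stand-in for a real AEAD such as AES-GCM, and a separate HMAC for integrity. The room keys, room ids and passphrase are constructed sample values.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 200_000  # illustrative work factor, not a Matrix constant

# Constructed sample: per-room message keys as hex strings (not real Megolm keys).
SAMPLE_ROOM_KEYS = {
    "!roomA:example.org": "5d41402abc4b2a76b9719d911017c592f3ac9a1b0e6d7c8f9a0b1c2d3e4f5061",
    "!roomB:example.org": "9e107d9d372bb6826bd81d3542a419d6c0e4a8a5b3d2f1e0a9b8c7d6e5f40312",
}


def _derive_keys(passphrase: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Stretch the passphrase into two independent 32-byte keys (encryption, MAC)."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for a vetted stream cipher/AEAD."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def upload_unencrypted(room_keys: dict[str, str]) -> bytes:
    """The 'just upload the keys' option: the server stores exactly these bytes."""
    return json.dumps(room_keys, sort_keys=True).encode("utf-8")


def backup_room_keys(room_keys: dict[str, str], passphrase: str) -> dict[str, str | int]:
    """Wrap the room keys so the blob is safe to hand to an untrusted server/cloud."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt, PBKDF2_ITERATIONS)
    plaintext = json.dumps(room_keys, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # MAC covers everything the server could tamper with, under a key it never sees.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "ciphertext": ciphertext.hex(),
        "mac": tag.hex(),
    }


def restore_room_keys(blob: dict[str, str | int], passphrase: str) -> dict[str, str] | None:
    """Recover the room keys; None means wrong passphrase or a tampered blob."""
    salt = bytes.fromhex(str(blob["salt"]))
    nonce = bytes.fromhex(str(blob["nonce"]))
    ciphertext = bytes.fromhex(str(blob["ciphertext"]))
    enc_key, mac_key = _derive_keys(passphrase, salt, int(blob["iterations"]))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(str(blob["mac"]))):
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def stored_bytes(blob: dict[str, str | int]) -> bytes:
    """What the storage provider actually holds for an encrypted backup."""
    return json.dumps(blob, sort_keys=True).encode("utf-8")


def leaks_room_keys(stored: bytes, room_keys: dict[str, str]) -> bool:
    """Honest-but-curious provider check: does any room key appear in the stored bytes?"""
    return any(key.encode("utf-8") in stored for key in room_keys.values())
```

Running `leaks_room_keys` over `upload_unencrypted(...)` returns True and over `stored_bytes(backup_room_keys(...))` returns False, which is the whole difference between the two proposals in the thread; the price is that `restore_room_keys` with a forgotten passphrase returns None and nobody, the server included, can help.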
They know the answer to the key backup question. Every instruction is displayed in the app, so if someone reads the text displayed, they know the answer. If it is not enough, display "?" or lightbulb buttons that open help with a longer description.
A bit off topic, but if you have sessions you are not using / can't access, you should remove them from your account in settings. When people send you encrypted messages, they encrypt them to each of your sessions individually, so each message sender is doing wasted work for sessions you can't actually access. By removing unused sessions, your entire account can be verified (assuming you verify the active sessions), and it also avoids encryption work for unused sessions. These combined goals are the reasoning behind the toasts to review unused sessions.
I don't know about your users, but mine certainly don't "... know the answer for the key backup question." They are non-technical and would still rather use WhatsApp. People are turned off by stuff they don't understand. Matrix/Element need to appeal to all users, not just geeks (confession: I AM a geek).
On the OT of unused sessions, if there is a performance hit for them to remain, perhaps the server should vacuum ones that have not been used for some period of time.
So if you have a laptop you seldom use, you think that session should get irreversibly nuked?
If your keys are saved, surely you can log in again even if there is no active session. That would be the same as starting a new session on a previously unused device. Or can I never change my phone again?
The keys for existing encrypted messages would still be there, but since you removed it from the list of devices to encrypt for, it may not be able to access messages since it was forcibly removed. Not everyone wishes to use Key Backup.
There are no answers to the key backup "question". It is an instruction to save the displayed characters to paper, or to secure storage on your PC. But if they are so dumb, then they could simply download the key to their PC even though it is unencrypted.
@notramo I don't know if you realize, but you come across as very aggressive, especially against someone giving first-impressions feedback... If you are not ready to try to understand an outsider's point of view and don't want Matrix to be used more broadly, you could say so explicitly... I agree with @the-moog. As I said multiple times in the past, E2EE is IMO not a feature users want if they have to trade convenience for it, and I rather agree with them. IMO, simply having my own homeserver is already a big improvement compared to other IM apps, and I don't feel like E2EE makes a big difference in my case... Anyway, since Matrix and Element devs are apparently not seriously involved in making E2EE opt-in, at least let's try to make it less of a hassle! Until a user actually uses E2EE, they should not be prompted with complicated and useless messages like device verification and key backup.
@mlaily I also want Matrix to be more widespread, and I'm actually doing "research" out of curiosity to understand the UX for newcomers. Possible solution:
Is your suggestion related to a problem? Please describe.
I'm fully behind E2EE as a default, but the current implementation is not great for a new user.
They log in and get 'spammed' with questions to which they don't know the answer:
back up your keys and authenticate your device.
Describe the solution you'd like
Make the experience less 'techy' and better for the average non-savvy user.
Describe alternatives you've considered
Use Google/Apple APIs for automatically storing keys; sure, keep the features as they are, but make it less scary.
Additional context
For desktops this is still an issue, as there are no standard cloud database APIs.
Perhaps disable E2EE for desktop unless the user knows what they are doing.