User should be able to lock/unlock app and encrypt messages locally #2573
Comments
@anasouardini thank you for this request!
Messages you send are encrypted end-to-end and sent exclusively over Tor, but we haven't been audited yet so it is likely that there are some serious mistakes. Please treat Quiet as experimental and do not rely on it too much until we are audited! Quiet is not yet ready for use in situations where privacy and security is critical.
We've researched this and many users do not want to have to enter a password every time they open the app, so I wouldn't want to make it required, but I would like to make this an option!

A question: Does a 4-6 digit PIN or biometric (fingerprint / faceID depending on what your phone does) option work for you? Or would you prefer to rely on encryption alone and have a very long and rigorously-random password?

Some context: unless we rely on the phone's secure enclave to limit the number of password retries, the password will have to be very long (perhaps 4 random 5-letter words?) to provide meaningful protection, because if you used a normal memorable password to decrypt messages it would not be very expensive for someone to brute force it. And if we rely on the phone's secure enclave for protection, the length of the password doesn't really matter, so a 4-6 digit PIN makes more sense.

You can play with the password encryption difficulty math here to get a sense of how it plays out: https://passwordbits.com/passphrase-cracking-calculator/

Thanks again for the request!
Thanks for the heads-up, I was thinking that the Tor network is sufficient to hide the identities of chat members! I'll be more careful with it then.

A generic password is enough, where the user chooses to make it as simple as 4 digits or as hard as the most random long password that's saved in a password manager or something.

I heard that the biometric option is really not secure as it can't be changed in case of it being stolen (e.g. lifting fingerprints off of a table or the phone itself).

YubiKeys, however, look really promising, though if my data is that sensitive I'd just delete it afterwards, which hints at another option: temporary messages. Perhaps this will help strike the right balance between security and convenience (all members should agree to this option or else it wouldn't be as effective).

Maybe an option to back up/extract the messages in an encrypted state before deleting them would allow a little convenience until they want to access the old data?
We definitely plan to support disappearing messages. Also, I recently learned of this paper that uses the phone's security module to limit password retries, for arbitrary passwords: https://eprint.iacr.org/2023/1792.pdf -- this could be helpful for having meaningful password protection with short and memorable passwords.
This is a cool idea! Just to make sure I understand, you mean that older messages would require some additional step to unlock?
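
The trade-off raised in the comments above (a long passphrase when guesses are unlimited, a short PIN when hardware caps retries) can be put into numbers. This is an added example, not part of the thread and not Quiet's code. The PBKDF2 settings, the 4096-word list size and the 10-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import math
import time

# Secret formats named in the thread. The 4096-word list size is an
# assumption for illustration; the thread does not specify a wordlist.
FORMATS = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "4 random 5-letter words": (4096, 4),
}

def keyspace(symbols, length):
    """Number of equally likely secrets of this format."""
    return symbols ** length

def entropy_bits(symbols, length):
    return length * math.log2(symbols)

def kdf_seconds_per_guess(iterations=200_000):
    """Time one PBKDF2-HMAC-SHA256 derivation on this machine (constructed inputs)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-guess", b"constructed-salt", iterations)
    return time.perf_counter() - start

def offline_expected_seconds(symbols, length, seconds_per_guess):
    """No retry limit: on average half the keyspace is tried, one KDF call each."""
    return keyspace(symbols, length) / 2 * seconds_per_guess

def limited_success_probability(symbols, length, max_attempts):
    """Hardware-enforced retry limit: only max_attempts guesses are ever possible."""
    return min(1.0, max_attempts / keyspace(symbols, length))

def report(max_attempts=10, iterations=200_000):
    """One row per format: (name, bits, offline seconds, success chance with limit)."""
    per_guess = kdf_seconds_per_guess(iterations)
    return [
        (name, entropy_bits(s, n),
         offline_expected_seconds(s, n, per_guess),
         limited_success_probability(s, n, max_attempts))
        for name, (s, n) in FORMATS.items()
    ]

if __name__ == "__main__":
    for name, bits, seconds, chance in report():
        print(f"{name:26s} {bits:5.1f} bits  offline ~{seconds:.3g} s on one core"
              f"  with retry limit: {chance:.2e}")
```

The offline column scales with the measured cost of one key derivation, so it shrinks on faster or parallel hardware; the retry-limit column does not depend on hardware speed at all.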
I might be just paranoid, but I feel like not having a way to encrypt my (and others') messages is really insecure. Perhaps we could have all data encrypted, and decrypted once you enter the password, which ideally should be required every time you open the app.
Depending on which is the most preferred way to use it (encrypted vs. non-encrypted) one of them should be an option to be enabled for folks who want to have it.
Also, it would be great to easily delete all data from my local peer. I'm using the "delete channel" feature for now as an alternative.
Thanks for the great work, this app helps me and others discuss our political issues without being arrested away from our families.