From b3d56b378e3e5e959204fc0c1a880fb89b3203b7 Mon Sep 17 00:00:00 2001 From: "J. Ryan Stinnett" Date: Tue, 21 Jan 2020 12:03:46 +0000 Subject: [PATCH] Use cross-signing verification only for own devices The device verification checks are slightly more nuanced: we want to use stricter cross-signing checks for your own devices to encourage everyone to trust their devices via cross-signing so that other users can in turn trust them. However, for other users, it's okay to use the looser verification check that also includes locally verified devices. --- src/components/views/right_panel/UserInfo.js | 25 +++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/src/components/views/right_panel/UserInfo.js b/src/components/views/right_panel/UserInfo.js index 15387af8d5..a0819be472 100644 --- a/src/components/views/right_panel/UserInfo.js +++ b/src/components/views/right_panel/UserInfo.js @@ -64,10 +64,17 @@ const _getE2EStatus = (cli, userId, devices) => { const hasUnverifiedDevice = devices.some((device) => device.isUnverified()); return hasUnverifiedDevice ? "warning" : "verified"; } + const isMe = userId === cli.getUserId(); const userVerified = cli.checkUserTrust(userId).isCrossSigningVerified(); const allDevicesVerified = devices.every(device => { const { deviceId } = device; - return cli.checkDeviceTrust(userId, deviceId).isCrossSigningVerified(); + // For your own devices, we use the stricter check of cross-signing + // verification to encourage everyone to trust their own devices via + // cross-signing so that other users can then safely trust you. + // For other people's devices, the more general verified check that + // includes locally verified devices can be used. + const deviceTrust = cli.checkDeviceTrust(userId, deviceId); + return isMe ? deviceTrust.isCrossSigningVerified() : deviceTrust.isVerified(); }); if (allDevicesVerified) { return userVerified ? "verified" : "normal"; @@ -128,8 +135,14 @@ function verifyUser(user) { function DeviceItem({userId, device}) { const cli = useContext(MatrixClientContext); + const isMe = userId === cli.getUserId(); const deviceTrust = cli.checkDeviceTrust(userId, device.deviceId); - const isVerified = SettingsStore.isFeatureEnabled("feature_cross_signing") ? + // For your own devices, we use the stricter check of cross-signing + // verification to encourage everyone to trust their own devices via + // cross-signing so that other users can then safely trust you. + // For other people's devices, the more general verified check that + // includes locally verified devices can be used. + const isVerified = (isMe && SettingsStore.isFeatureEnabled("feature_cross_signing")) ? deviceTrust.isCrossSigningVerified() : deviceTrust.isVerified(); @@ -172,6 +185,7 @@ function DevicesSection({devices, userId, loading}) { if (devices === null) { return _t("Unable to load device list"); } + const isMe = userId === cli.getUserId(); const deviceTrusts = devices.map(d => cli.checkDeviceTrust(userId, d.deviceId)); const unverifiedDevices = []; @@ -180,7 +194,12 @@ function DevicesSection({devices, userId, loading}) { for (let i = 0; i < devices.length; ++i) { const device = devices[i]; const deviceTrust = deviceTrusts[i]; - const isVerified = SettingsStore.isFeatureEnabled("feature_cross_signing") ? + // For your own devices, we use the stricter check of cross-signing + // verification to encourage everyone to trust their own devices via + // cross-signing so that other users can then safely trust you. + // For other people's devices, the more general verified check that + // includes locally verified devices can be used. + const isVerified = (isMe && SettingsStore.isFeatureEnabled("feature_cross_signing")) ? deviceTrust.isCrossSigningVerified() : deviceTrust.isVerified();