How important is it really to check your friend's fingerprint?


#1

I understand that everyone should be responsible for their own privacy, and everyone should know how far they should take precautions, to the point they feel is necessary, and the risk of their decisions.

Don't take me wrong, I myself don't think that checking my friend's fingerprint is such a big hassle, and privacy sure is worth it, but I can understand how other people I know feel this is an inconvenience. I like Kontalk's encryption philosophy and I wouldn't want it to change, but sometimes seeing someone use something other than WhatsApp is already a win to me. Sure, I can explain to them why it is important to check fingerprints and why they should care, but sometimes I feel that switching to Kontalk is enough to ask of them.

In this post I would like to discuss the real threats of not checking the fingerprints and try to understand more about the matter, so that I can better explain it to my friends.

The two ways I can think of that someone could take advantage of you for not checking the initial fingerprint are the following:

1.- Someone could take your identity and pretend to be you.
I think, though, that most of the time you will know if it's your friend or not by analyzing the conversation you have with them. Also, it would be very suspicious if someone you just added started to ask you for private or personal information.

I know there are ways that smart people can get information about you and trick you, and maybe some other friend who knows you could want to get some info about your friend and you, but usually I don't have long conversations on Kontalk, and most of the time I pick up the conversation or arrange a meeting with friends, in which case I will know if it wasn't really them in the first place.

I suppose I could also ask them a question that only they would know. If I'm expecting someone to add me soon because I just talked about Kontalk with them, what are the chances they will be an impostor?

Sure, you will be very cautious if your friend's fingerprint has changed since the first time, but I suppose, if you accepted the first fingerprint so blindly, you could just do it again, which would be a mistake.

2.- The second way I can think this can be exploited is that someone could be getting your messages, reading them and then sending them on to the real destination.
This would mean that the real receiver would be getting a different fingerprint than the one we have, and we wouldn't know about the trap unless we checked our fingerprints.

That made me think that maybe sharing our fingerprint through Kontalk wouldn't be such a waste in that case. I suppose that the spy could create an automatic fingerprint message detector that could read the fingerprint both from plain text and from an image, replace it in the message with their own and send it on. I suppose human interaction from the spy would also be feasible, which would mean that sending a drawing would also be detected. But then again, if you are going to take the time to make a drawing of your fingerprint and send it, why not just check the fingerprints already? On the other side, would a spy also take the effort and time to be vigilant over a conversation just to read a conversation that may or may not have any relevance?

And I think that’s my final thought.

When I started using Kontalk with my girlfriend, there was no doubt we were going to check our fingerprints, because our conversations were going to be very private. But when it comes to a really casual friend of mine, with whom I don't exchange any private words on Kontalk in either direction, is it really that harmful if I'm just happy they decided to use Kontalk? At least for a while, until I feel they are ready to listen to the whole story.

I know people should understand why it is important not to use WhatsApp, which is about more than just convenience. And I believe they will be ready to listen if they see there are other options. I just don't want to give them trouble right away. I think sometimes you should be a little chill with things and be flexible. I'm attaching a very funny image one of my friends sent me once xD

Anyway, I might be oversimplifying the encryption process, but I would like to know if my supposed exploits are possible, and maybe hear about some other ways the process might be abused if the user doesn't take the time to check fingerprints. I would also like to hear your opinions on the matter.

Thank you.


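The two attacks described in the post, as an added example that is not part of the original post or of Kontalk's code. It models only key identity: "keys" are random bytes, the fingerprint is a SHA-256 of those bytes (an assumption standing in for the real fingerprint format), and "encryption" is just a record of which key a message was addressed to. The names alice, bob and mallory, and the Relay class, are hypothetical. The point it shows is the one raised above: a relay that substituted keys at the start can read the traffic, and if the fingerprint is exchanged in-band the relay rewrites it so the comparison passes, while a comparison against a fingerprint read over an independent channel fails.

```python
import hashlib
import os
import re


def fingerprint(pubkey: bytes) -> str:
    """Fingerprint = SHA-256 of the public key bytes (assumption of this example)."""
    return hashlib.sha256(pubkey).hexdigest()


class Party:
    """A chat user. Keys are random bytes: only key identity is modelled, not encryption."""

    def __init__(self, name: str):
        self.name = name
        self.pubkey = os.urandom(32)
        self.fp = fingerprint(self.pubkey)
        self.known: dict[str, str] = {}  # peer -> fingerprint of the key received over the network

    def learn_key(self, peer: str, pubkey: bytes) -> None:
        self.known[peer] = fingerprint(pubkey)

    def send(self, peer: str, text: str) -> dict:
        # Addressed to whatever key we hold for the peer; only the owner of that key can read it.
        return {"from": self.name, "to": peer, "encrypted_to": self.known[peer], "text": text}


class Relay:
    """Mallory: intercepts the first key exchange and hands each side a key she controls."""

    def __init__(self):
        self.fake: dict[str, bytes] = {}   # name -> key Mallory uses to impersonate that name
        self.real_fp: dict[str, str] = {}  # name -> that user's real fingerprint
        self.log: list[str] = []           # plaintext Mallory has read

    def intercept_key(self, name: str, real_pubkey: bytes) -> bytes:
        self.fake[name] = os.urandom(32)
        self.real_fp[name] = fingerprint(real_pubkey)
        return self.fake[name]

    def forward(self, msg: dict) -> dict:
        # The message is addressed to Mallory's substitute key, so she can read it...
        assert msg["encrypted_to"] == fingerprint(self.fake[msg["to"]])
        text = msg["text"]
        self.log.append(text)
        # ...and rewrites any real fingerprint sent in-band, tolerating spacing and case,
        # to the substitute fingerprint the recipient already holds for that name.
        for name, real in self.real_fp.items():
            pattern = re.compile(r"\s*".join(re.escape(c) for c in real), re.IGNORECASE)
            text = pattern.sub(fingerprint(self.fake[name]), text)
        # Re-address to the recipient's real key, which Mallory saw during interception.
        return {**msg, "encrypted_to": self.real_fp[msg["to"]], "text": text}


def run_scenario() -> dict:
    alice, bob, mallory = Party("alice"), Party("bob"), Relay()

    # Initial key exchange over the network: each side receives Mallory's substitute key.
    alice.learn_key("bob", mallory.intercept_key("bob", bob.pubkey))
    bob.learn_key("alice", mallory.intercept_key("alice", alice.pubkey))

    # Alice "verifies" in-band: she pastes her fingerprint into the chat, grouped for readability.
    spaced = " ".join(alice.fp[i:i + 4] for i in range(0, len(alice.fp), 4)).upper()
    delivered = mallory.forward(alice.send("bob", f"my fingerprint is {spaced}"))

    # Bob compares what he reads in the chat with the key his client stores for Alice.
    in_band_matches = bob.known["alice"] in delivered["text"]

    # Out-of-band: Bob reads the fingerprint from Alice's phone screen or an SMS and compares.
    out_of_band_matches = alice.fp == bob.known["alice"]

    return {
        "in_band_matches": in_band_matches,          # True: the relay rewrote the text
        "out_of_band_matches": out_of_band_matches,  # False: the stored key is Mallory's
        "messages_read_by_relay": len(mallory.log),  # 1: the relay read the plaintext
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The regex in Relay.forward is what defeats the "send it in pieces" idea from the post: a fingerprint is a fixed string, so any relay that already knows both real fingerprints can normalise spacing and case before substituting. Only a channel the relay does not sit on (reading the other phone's screen, a phone call, an SMS) gives a comparison the relay cannot tamper with.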

#2

I feel so embarrassed. I didn't know that Kontalk's behavior on this issue had changed; some time had passed since I last used it. I'm sorry for not noticing before I wrote this. One of my friends added me yesterday and there was no warning anymore about the personal key, only a button to approve the chat request.

You know, it's funny. I was one of the users who pointed out that the message about the personal key was a little too frightening and that it could be changed for something more informative. But now that it is gone altogether, I don't know how to feel about it.

Is the personal key matter not addressed at all now in the new Android client? If that is the case, that's alright, at least I know about it already. I'm just a little curious about how new users will know, or whether they ever really need to know.

I'm sorry, it is really not my intention to be obnoxious. I feel like that famous saying an Argentinian friend told me once about the cat "Flora", who is never happy with anything xD. I just want to be aware of how Kontalk is developing because I really like to support it, and in the end, I really think that taking the message down altogether was for the best.


#3

Ok, now I'm confused. I got my cellphone restored by mistake; my same friend sent me the request to chat, but this time the personal key message appeared. The only difference I can find is that I used to have him in my contact list, but this second time I didn't.

Anyway, I don't think there is much to say about all this subject. I just wanted to hear about the ways that not checking fingerprints could be exploited. Not to give ideas, of course, but just to understand the overall process of securing conversations. Thank you.

BTW: My friend and I checked our fingerprints through regular SMS text messages, although he is really conscious about privacy and free software, so it wasn't difficult to agree on it. Trying to convince another regular Joe about it is a different story.


#4

It didn't go away; the "accept" button included trusting the key in that case. The "identity" button in the middle can be used to see the fingerprint.
I suppose this could be misleading from a security point of view. Any suggestion on how to improve the whole process?
Also note that Kontalk is currently using TOFU when you send an invitation to someone; otherwise you'll get an "untrusted key" warning when the other user accepts, because you don't get the key until he/she accepts (and that was even more confusing).
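The trust-on-first-use policy described in this reply, as an added example that is not Kontalk's code and is not part of the thread. It is a minimal per-device key store with four trust states; the rule "TOFU when we sent the invitation, untrusted-key warning when the peer's request arrived first" is taken from the reply above but the exact states, the accept button semantics and the names (KeyStore, Trust, on_key_received, the contact "friend") are assumptions of this example. Fingerprints are again SHA-256 of random key bytes. The scenario walks through what the earlier posts observed: no warning after an invitation, the warning returning on a fresh store after a restore, a key change being flagged, and the one case TOFU cannot catch, a substituted key that was the first key ever seen.

```python
import hashlib
import os
from enum import Enum


class Trust(Enum):
    UNTRUSTED = "untrusted"  # key arrived with no pin and we did not invite: warn the user
    TOFU = "tofu"            # first key pinned automatically, never confirmed by a human
    VERIFIED = "verified"    # fingerprint confirmed over an independent channel
    CHANGED = "changed"      # a different key arrived for a pinned contact: warn and block


def fingerprint(pubkey: bytes) -> str:
    """Fingerprint = SHA-256 of the public key bytes (assumption of this example)."""
    return hashlib.sha256(pubkey).hexdigest()


class KeyStore:
    """Per-device pins. A restore that wipes app data starts from an empty store."""

    def __init__(self):
        self.pins: dict[str, tuple[str, Trust]] = {}

    def on_key_received(self, contact: str, pubkey: bytes, we_invited: bool) -> Trust:
        fp = fingerprint(pubkey)
        if contact not in self.pins:
            # First key for this contact: pin it silently only if we started the exchange.
            state = Trust.TOFU if we_invited else Trust.UNTRUSTED
            self.pins[contact] = (fp, state)
            return state
        pinned_fp, state = self.pins[contact]
        if pinned_fp == fp:
            return state
        # Key differs from the pin: this is the case TOFU is able to detect.
        self.pins[contact] = (fp, Trust.CHANGED)
        return Trust.CHANGED

    def accept(self, contact: str) -> Trust:
        """The 'accept' button: pin the presented key without verifying it."""
        fp, state = self.pins[contact]
        if state in (Trust.UNTRUSTED, Trust.CHANGED):
            self.pins[contact] = (fp, Trust.TOFU)
        return self.pins[contact][1]

    def verify(self, contact: str, fp_read_out_of_band: str) -> bool:
        """Compare the pinned key with a fingerprint read from the contact's own device or SMS."""
        fp, _ = self.pins[contact]
        if fp_read_out_of_band != fp:
            return False
        self.pins[contact] = (fp, Trust.VERIFIED)
        return True

    def can_send(self, contact: str) -> bool:
        return contact in self.pins and self.pins[contact][1] in (Trust.TOFU, Trust.VERIFIED)


def run_scenario() -> dict:
    friend_key = os.urandom(32)    # constructed sample key
    attacker_key = os.urandom(32)  # constructed sample key
    out = {}

    # Case 1: we invited the friend; the first key is trusted on first use, no warning shown.
    store = KeyStore()
    out["invited_first_key"] = store.on_key_received("friend", friend_key, we_invited=True)
    out["can_send_after_tofu"] = store.can_send("friend")

    # Case 2: TOFU cannot tell a substituted key from the real one if it was the first key seen;
    # only an out-of-band comparison exposes it.
    mitm_store = KeyStore()
    out["mitm_first_key"] = mitm_store.on_key_received("friend", attacker_key, we_invited=True)
    out["mitm_caught_by_oob"] = mitm_store.verify("friend", fingerprint(friend_key))

    # Case 3: a key change after pinning is flagged even without any human verification.
    out["changed_key"] = store.on_key_received("friend", attacker_key, we_invited=True)
    out["can_send_after_change"] = store.can_send("friend")

    # Case 4: after a restore the store is empty and the friend sent the request first,
    # so there is no TOFU and the warning is back until 'accept' or a real verification.
    restored = KeyStore()
    out["restored_peer_invited"] = restored.on_key_received("friend", friend_key, we_invited=False)
    out["after_accept"] = restored.accept("friend")
    out["after_verify"] = restored.verify("friend", fingerprint(friend_key))
    out["final_state"] = restored.pins["friend"][1]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point is that "accept" and "verify" must land in different states: a client that collapses both into the same trusted state (which is what the reply above says the accept button effectively did) loses the ability to tell the user later which contacts were actually checked.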