Unable to send non-encrypted SMS to previous TextSecure user #845
Comments
|
@moxie0 can shed more light on this. In the mean time, my uneducated help as I understand it: GCM will eventually (emphesis on "eventually") let the TextSecure server know that your friend is no longer a deliverable destination and will deregister them once they haven't been contactable for some amount of time. |
|
Perhapse an "Unregister" option in the advanced settings that would allow users to manually remove themselves before uninstalling the app would help alleviate this pain in the mean time? Also, even after the GCM fixes, this way users don't have a brief period where other TS users can't contact them if they remember to de-register themselves. |
|
If you just untick "push notifications" it'll unregister you. Good enough, or should we do something else? |
|
Good to know; thanks. |
|
I think unticking "push notifications" is sufficient for a user trying to remove him/herself. The problem's a little more complicated when someone else has uninstalled TextSecure without first unticking the "push notifications" box. I've encountered two problems here: (1) How do I revert my ongoing conversation with my friend (who previously had, and since has uninstalled, TextSecure) to SMS? My phone still thinks he's a textsecure user. (2) He shows up at the top of my contacts list as if he does have TextSecure. Presumably it appears this way for other TextSecure users who have him in their contacts. Is there a way to refresh the directory? |
|
Settings -> Advanced -> Refresh directory |
|
It might be beneficial to somehow let people know that they should unregister themselves prior to uninstalling the app for the good of their fellow users. Or automate it. Either would be sufficient in my opinion. |
|
Hm. I tried the [Settings -> Advanced -> Refresh directory] route to no avail. I think what's happening is that the central directory (the directory from which my phone refreshes when you hit 'refresh directory') is itself out-of-date because my friend did not unregister himself before uninstallation. How long after someone uninstalls TextSecure (without first unregistering) would it take for his/her listing to disappear from the central directory? |
|
I've come across the same issue. A possible solution would be to unregister someone's number before they uninstall the app. |
|
I'll just leave this here as a beacon of hope for the poor folks who deleted the app/wiped the rom/lost their phone without deregistering. Chris Soyars is working on setting up a webinterface to deregister from WhisperPush for CM users who don't have access to their phones anymore: I guess user deletion is not federated, so it won't work directly for TS users. But he is a nice guy and I'm sure he'd give the TextSecure devs access to his solution, when it's done. Adapting it should only be a matter of changing the server address and user credentials then. |
|
in my opinion this is the most serious problem in TextSecure because it prevents layman from using it and this is sad, because overall TextSecure is the best chat/messaging app available. what about the following ideas to solve this problem:
|
|
I dont think unregistering during uninstall can be done. There is already a PR to manually force the next message to SMS: The easiest solution right now is of course to tell your friend to reinstall textsecure, register for push and unregister from it. Then they can remove TS again. They only need to be able to receive SMS on this number. Unlike with WhisperPush it doesn't matter if they reflashed/lost the phone. |
|
@wischi-chr IMHO an option to force a conversation to SMS mode is really needed anyway: To make thing really user friendly TextSecure even could ask if you want to answer by SMS, if the last received message is an SMS. This already indicates your chat partner currently has no internet access. |
|
My friend was using TextSecure on an older android phone, and it's now stopped booting.. I can't text them unless I turn off push all together on my phone, or it tries to go through push and they never see the messages. It also frequently tries to send them encrypted texts, even though they're using an iphone for now (temporarily), even with push turned off. Since the old phone cannot boot anymore.. is there any way to deregister them? After going through similar dramas trying to get iMessage to stop hijacking my texts when I left iOS, I had expected TextSecure to be better than this. :/ |
|
If they can put their SIM into an Android device, install TextSecure, On 05/22/2014 12:23 AM, Jenna Fox wrote:
|
|
@thenktor is on the dead-on: My wife travels abroad with train. She has no data connection and therefore I get an encrypted SMS from her. But I cannot reply because replies are send over data. Actually I need to turn off WIFI and mobile network to communicate with her. After the sms is sent I turn WIFI/mobile network on again. A really weird procedure no user will understand. Why to just give the user the choice? TextSecure supports SMS and data. It should ensure that communication uses always the available channel and is always possible. Just my 5 cents to make a great software I really like more usable. |
|
Once this merged in, you will be able to use this tool to handle the re-registration. A WebUI shouldn't be that difficult to do, since this already exists. |
|
@mlsxlist |
|
I'd like to see a web-interface that can manage all aspects of TextSecure registration (check status / de-register from push / de-register from TextSecure entirely) as well. |
|
To add my voice to the crowd: I recently destroyed my Android Phone while trying to replace the screen. I use TextSecure (as does my girlfriend). I have reverted to a "dumb phone" for the time being until I can get a replacement "smart phone". Similar to others (but for a slightly different) I no longer have access to my TextSecure enable Phone (and I'm on Sprint so I don't even have a SIM card!). In my opinion: TextSecure needs a button at the top bar right next to the Padlock, the Phone, and the Overflow, that allows switching between Data & SMS Transmission Methods. |
|
This is totally ridiculous. TextSecure has one job to do - take my message and deliver it to the person I addressed. Users on either end shouldn't have to go about deregistering numbers or thinking about transport layers and switching modes to make that work. There should be zero ambiguity. Here's how I'd like to see it happen: When TextSecure sends a message to a TextSecure recipient via push, the recipient should non-optionally push back a delivery notification as soon as it receives the message. When a sender doesn't receive a delivery status message back from a receiver within, say, ten seconds, it should pop up a notification saying "Delivery Failed - resend over SMS?" and with one tap, resend it via SMS and also disabling the data transport permanently for that recipient until it receives a delivery status back from them or another message over data. Don't just put these messages in to a bottle and throw them in the ocean. We figured out how to do reliable messaging over the internet a long time ago. When in doubt, emulate TCP. Deregistering numbers is bad UI and bound to make people upset. Maybe expire people from the push directory if they haven't checked in in a few weeks, but whether or not someone has a public key in the push directory should have no impact on if they can receive texts reliably, no matter what. No excuses. TextSecure's behaviour today is worse than what Apple does with iMessage. |
|
I agree that TS should be easy to use AND reliable, but
doesn't really cut it - Whatsapp does that just fine. I'd add "without anybody else being able to know what I wrote". And this adds a lot of complexity. Your ideas are nice, but nothing new. Delivery receipts have been discussed on github for some time and a few weeks ago there was a very interesting discussion on the mailing list about the technical details of the implementation, which is beeing worked on.
From this I guess you aren't familiar with the prepaid mobile phone "contracts" which are widely used in Europe. If you have to pay 8-12 Eurocents per SMS you wouldn't ask for permanent fallbacks like this without asking the user about it.
GCM already does this. There aren't any excuses beeing made, the dev team is simply not big enough to do everything they want to do right away. I'm sure that your help would be greatly appreciated. |
|
@Bluebie The problem is that in @begleysm's case, that wouldn't work. He would be receiving unreadable encrypted SMS blobs on his feature phone. Fundamentally, if you move your SIM card to another device, there's just no way for us to know that you're not running TextSecure anymore without you explicitly telling us. The same is true for any other messenger -- if you uninstall WhatsApp you just won't get WhatsApp messages anymore. I think we definitely need to add delivery receipts, so that senders know when their messages aren't being delivered. This is easier said than done, though, and not just as simple as "sending a message back." Additionally, I think we also need to make it easier to unregister by providing a web interface, for instance. |
|
@begleysm That's already checked in and will be in the next release |
|
@moxie0 Excellent! Glad to hear it. |
|
Perhaps the encrypted SMS blobs could contain a short multilingual reference to a URL at the top for former TextSecure recipients who have downgraded to feature phones. The URL could start out as an explanation of the horrible gyrations they or their contacts need to go through to re-establish contact, and as TextSecure evolves, change to something more useful. |
|
I guess thats not possible because of the sms length restriction... |
|
I've thought a lot more about this issue in the past day and want to record my thoughts. I've added a note regarding @agrajaghh's comment below. I have three proposals here. One of them solves the exact problem described in this issue (Manual Fallback Proposal). Both the Manual Fallback Proposal and the SMS URL Proposal are relatively simple to implement, based on my guesswork as a developer who is not familiar with the codebase. Finally, I present a Degraded Contact Proposal which I believe improves the situational awareness of users in the unusual and transient state where a former TextSecure contact has lost access to TextSecure (possibly for malicious reasons, though likely not). This proposal is best illustrated with some scenarios. None of these proposals are mutually exclusive. Problem StatementWe need an easy way for the TextSecure user to say (required to close this issue, IMO) "As a TextSecure user, I have a former TextSecure contact with whom I no longer wish to use TextSecure, so please send only unencrypted SMS to said contact." We would like an easy way for the non-TextSecure capable recipient of encrypted SMS blobs to say (wishlist/icebox, IMO) "As a recipient of an encrypted TextSecure SMS who does not have TextSecure to decipher it, I would like to understand what I am receiving and possibly take further action." Finally, we need TextSecure users to be very clearly aware of a "degraded contact" state (TODO/backlog, IMO). A TextSecure contact falling back to unencrypted SMS has major security implications and is likely to be a relatively unusual and transient condition, thus making the user aware of it above and beyond the typical "message insecure" UI cues is warranted. Manual Fallback ProposalIn all cases, TextSecure MUST provide a way for Alice to fall back manually to unencrypted SMS communication with Bob. Essentially, this amounts to giving Alice the power to mark Bob as a "non-TextSecure contact" from within TextSecure at any time and for any reason she chooses, which would solve the problem described in this particular Github issue immediately. A "non-TextSecure contact" is a contact which is flagged in TextSecure as unable and unexpected to send/receive encrypted messages, because key exchange has never occurred. Only insecure SMS will be used with "non-TextSecure contacts." I further clarify this term in the Degraded Contact Proposal. SMS URL ProposalNOTE: @agrajaghh indicates this may not be practical due to SMS length limitations. This proposal allows Bob to potentially take action himself if Alice is sending him encrypted SMSes which he is no longer able to read, and allows any random user who may have inherited Bob's SMS number to understand what is happening and potentially to take action. The encrypted blob SMS SHOULD include a human readable string with a URL at the start: There may be objections to sending any non-ciphertext in a ciphertext payload, e.g. that it would tip off adversaries intercepting the SMSes that TextSecure is being used rather than some other program. I don't believe this objection has merit; it's a security-by-obscurity argument, and IMO sending ciphertext by SMS at all is rather obvious. Degraded Contact ProposalFinally, I have a more complex Proposal which I believe is very much worth considering, as there are security implications when a remote TextSecure contact - one who is expected to use encryption - suddenly reverts to not using encryption. TextSecure SHOULD implement a "degraded contact" flag for contacts which were formerly communicating with encrypted messages and currently are not. This is an unusual situation in which users and TextSecure itself may need or want to behave differently. To consider why and how we might implement this proposal, let us examine some scenarios. In all these scenarios, Alice and Bob normally use TextSecure to communicate with encryption. But, Bob loses access to a TextSecure device and can now only send and receive unencrypted SMS. Alice and Bob still need to communicate, however. Scenario 1. Alice sends a message to Bob first, after Bob loses TextSecure.
Scenario 2. Bob sends a message to Alice first, after Bob loses TextSecure.
ConclusionThe Manual Fallback Proposal would close this issue and I believe it would be relatively easy to implement. The SMS URL Proposal could allow Bob to take action without intervention by Alice in the situation where he has lost access to his TextSecure instance, or could simply provide instructions, or anything that the TS server operator wants to put at the URL. I'm sure I have not covered all the bases in the Degraded Contact Proposal. It would also be the most difficult proposal to implement. However, I believe it would improve situational awareness during an unusual mode of operation, keep users better informed of the security (or lack thereof) of their communications, and thus allow users to make more intelligent decisions. I remember very well the bad old days of OTR prompts and don't wish to go too far down a similar road here. OTR had entirely too many prompts relating to encryption state, most of which were useless from the user's point of view and which non-technical users would not understand the purpose of. However, I believe these UI choices are a fairly decent compromise:
The tradeoff is between the irritating outcome of over-prompting the user versus the really bad outcome of a silent degradation in security - or a non-silent degradation which the user fails to notice. The latter is why I include suggestions for an enhanced UI distinguishment of "degraded contacts." If Alice fails to notice "degraded contact" status and corresponds with Eve because of this, it is the same as a silent degradation from Alice and Bob's perspective. |
|
Could close #1497 as well. |
|
For the "enhanced UI distinguishment" of unencrypted messages with degraded contacts, here's what I proposed in #945:
|
|
@gordon-morehouse Yes, a way to remove a user from TextSecure contacts is IMO really needed. |
|
@nebulon42 +1 |
|
The latest version has a way in which to switch to SMS mode for a conversation (although it is temporary). You need to hold down the send button, and a selection comes up. This UI is not yet perfect and is likely to be improved soon. Additionally, would be nice to have the change permanent. |
|
It looks like there are three options, "Send TextSecure message", "Send secure SMS" and "Send insecure SMS". What does the middle one, "Send secure SMS", do? Is it the same as the first TextSecure one? |
|
So with my understanding of the way TextSecure works, "Send TextSecure message” sends it via the internet and the TextSecure service, "Send secure SMS” uses the TextSecure keys on file, but uses SMS as the transport mechanism, and “Send insecure SMS” sends a plaintext SMS.= |
|
Correct. |
|
The send button would need a little sth to know there's option and as @samlanning said it needs to remember the last choice, It can be PITA if you'r texting a lot. |
|
I opened a feature request for what was discussed in the last few comments (lack of "stickiness" in message transport method when selecting from the Send button) - please see #2285. Incidentally, I believe having such "stickiness" might close most or all of this issue. |
|
Having just gone through this issue with a friend, it seems to me that the behavior of the Lock / Unlock icon (button) is not intuitive. When I select the closed Lock icon, I should be able to clearly end the secure session, even if I am registered to use the Push feature and currently using the Push transport mode. To me, "clearly ending the secure session" would mean that sending new messages should default to the insecure SMS transport mode, I should have an option to re-initiate a secure session, and the "Locked" lock icon should change to the "Unlocked" lock icon. If you think that the changes ya'll have specified so far as a result of this thread deliver the experience I've described above (or an equivalent), then I am satisfied. Otherwise, please let me know. |
|
with the dropping of encrypted SMS and MMS and some bug fixes related to transport selection on the send button this should no longer be an issue, closing. |
|
@rhodey Maybe I missed something but I think it's still an issue. When I try to send a SMS to a friend who used to have TextSecure but uninstalled it, the default behavior in TextSecure is still set to TextSecure. I've to long press on the arrow and select SMS. Also, my friend is still appearing in the TextSecure users list. Or have some bug fixes you talked about not been released yet? |
|
your friend can unregister here: http://whispersystems.org/textsecure/unregister |
|
That's the info I was missing, thanks ! |
|
@rhodey I don't understand why this is closed. Until reading this thread it was impossible for me to send a normal SMS to somebody who uninstalled but did not unregister TextSecure first. I'm an experienced user and Android developer but holding down the send button which in no way indicates that there is another option to send a message is not a good user interface design decision in my opinion. Why is it not possible to select on a per user base if I want to use the encrypted TextSecure Channel or SMS permanently? I was under the impression that holding down the big secure Lock and selecting 'End secure conversation' would end the secure conversation and switch back to SMS. But I guess it just means that my messages are not being encrypted anymore but still sent via the TextSecure channel but I could not figure this feature out too... Being able to select by myself what channel to use would be the best user experience. I hope this will find it's way into future versions of your superb messanger App! Keep up the good work. |
|
@mgraupner if you long tap on send you can choose between non encrypted SMS and encrypted TextSecure message. |
and others
A friend of mine had TextSecure installed on their device and we exchanged keys. They have since uninstalled the app. My device hasn't realized that they no longer use the service so it continues to try to send encrypted push messages to them. I have tried clearing the app data and refreshing the push directory through the settings to no avail. I have also tried ending the secure session from the padlock menu in the thread but when I do it just changes back to secure before it sends the next message (presumably because it needs confirmation from the other user?). I'm not sure if this is a bug or if I am missing something but I would appreciate some guidance either way. Thank you.
The text was updated successfully, but these errors were encountered: