Option to not require a password

It would be nice to not have to set a password or not require it every time the program starts.

This is a security trade off, as it would limit the ability of at rest encryption, however some users may not need at rest encryption.

I will have a play around with Briar GTK and see if I can program a solution to this.

I understand if this is not wanted to be introduced due to the reduction in security that the optional removal of at rest encryption may be.

added Security T: feature request labels

changed title from Feature Request: Option to not require a password to Option to not require a password

You triggered a larger conversation on Briar's chat ;)

Torsten @grote 3:51 PM

Should other briar clients like Briar GTK follow the same security model as the android app? asking because of #82 matterbridge-bot 3:54 PM

<zaldim[m]> <briar-bridgebot " Should other briar cli"> People might expect the same program on different platforms to be similarly secure. @akwizgran 4:02 PM

i agree, and i'd also point out that we often take the ux into consideration when working out the security model for a feature (handling duplicate contact links is a recent example), so clients in some cases might need to implement the ux in a similar way to the android client

however, if there's a case where the platform provides different security properties then i guess we need to work out whether the decisions from android are appropriate on other platforms

is passwordless login one of those cases?

desktop platforms don't usually provide any protection between apps belonging to the same user in the way android does. so in that sense, the local message db might be even more exposed on desktop platforms than on android

windows can be set up to boot straight to the desktop without a password or fingerprint, although i don't know if that's the default. i don't know about macs. so in that respect we have the same problem as android: the briar password might be the only protection against an attacker with physical access

as with android, direct access to the filesystem without needing to log in is also a concern, if the disk isn't encrypted. last time i looked (which was a long time ago), disk encryption wasn't enabled by default on macs and wasn't available on home versions of windows without third-party software matterbridge-bot 4:16 PM

<zaldim[m]> <briar-bridgebot " as with android, dir"> Windows has this Bitdefender thingy akwizgran 4:28 PM

ah, looks like it's enabled by default on home versions since windows 8.1. it used to be enterprise-only

...or maybe that's only when you use a microsoft or domain account to log in https://www.howtogeek.com/173592/windows-8.1-will-start-encrypting-hard-drives-by-default-everything-you-need-to-know/

If you have an older Windows computer that you’ve upgraded to Windows 8.1, it may not support Device Encryption. If you log in with a local user account, Device Encryption won’t be enabled. If you upgrade your Windows 8 device to Windows 8.1, you’ll need to enable device encryption, as it’s off by default when upgrading.

matterbridge-bot 5:23 PM

<zaldim[m]> Question is, if the user even desires to encrypt their device, just to use briar properly.

<zaldim[m]> Signal comes by with keeping the encryption keys easily accessible in the filesystem akwizgran 6:18 PM

yeah, user have different needs and i doubt there's a single answer that suits everyone. what makes this tricky is that most people don't know enough about digital security to make an informed decision about risks and benefits. personally, i think that means we have a responsibility to choose secure defaults, and maybe even not to offer insecure options at all if we think they're likely to expose some users to risks they don't understand

This issue here is related to briar#590.

Thanks, here are my views on it,

I agree that secure defaults are needed to protect the average user.

However, I think a nice solution would be that when signing up, you have to enter a password.

Then once you are in the program you can check a box or something that explicitly tells you that this will reduce security by making at rest encryption useless and your password will be stored plaintext on your PC. Then if enabled it just reads the password file as the password variable each time the user starts the program.

I feel this gives the same level of security by default. But also the option to remove the password prompt, such as for an encrypted linux desktop that does not have malware, the password is relatively pointless.

I also want to throw in GNOME Keyring which could be used to store secrets on GNOME/GTK platforms.

This would be a really nice addition for convenience but still maintaining the same degree of security.

added UI/UX label

added Usability label