Lying - SafeSlingerProject/SafeSlinger-Media GitHub Wiki

There are two ways that one of your contacts may not be using the key you have verified: willingly and against their will. When your contact willingly allows their key to be used by someone else, this is called lying.

Identity Lie of Omission

During any out-of-band key fingerprint verification, a user may not diligently compare keys, allowing a network attacker to insert a key of their own design. This amounts to a lie of omission. We discourage this careless comparison by displaying two unique decoy phrases in addition to the common phrase. In this way, users are forced to compare phrases with at least one other user and actively choose which phrase matches among them. However, to prevent attacks, all users need to validate that they all have the same word phrase. The word phrase provided in this exchange enables out-of-band verification for users in close proximity, where they may view each other’s screens, or via telephone or teleconference. Use of our exchange protocol strongly discourages this form of lie of omission about a physical identity.
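
The decoy-phrase check described above, as an added Python sketch (not SafeSlinger's own code). The 256-entry pseudo-word list, SHA-256, the three-word phrase length, the sample keys and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed 256-entry pseudo-word list (assumption): a stand-in for the
# app's real word list, which this page does not reproduce.
HEADS = "ba ce di fo gu ha je ki lo mu na pe qu ro su ta".split()
TAILS = "ble cks dor fin gam hil jet kan lum mer nox pid rst sol tem vex".split()
WORDS = [h + t for h in HEADS for t in TAILS]

def phrase_from_digest(digest, n_words=3):
    """Map the leading digest bytes to a short word phrase (one word per byte)."""
    return " ".join(WORDS[b] for b in digest[:n_words])

def group_phrase(received_keys):
    """Phrase over every key this device holds for the exchange, order-independent."""
    h = hashlib.sha256()
    for key in sorted(received_keys):
        h.update(len(key).to_bytes(4, "big") + key)  # length prefix avoids ambiguity
    return phrase_from_digest(h.digest())

def build_choices(real, n_decoys=2):
    """The device's own phrase plus distinct random decoys, in random order."""
    choices = {real}
    while len(choices) < n_decoys + 1:
        choices.add(phrase_from_digest(secrets.token_bytes(3)))
    ordered = sorted(choices)
    secrets.SystemRandom().shuffle(ordered)
    return ordered

def careful_user(choices, phrase_read_aloud):
    """A diligent user taps the phrase the others read out, or reports no match."""
    return phrase_read_aloud if phrase_read_aloud in choices else None

def device_accepts(real, selected):
    """Continue only if the tapped phrase is this device's own; None aborts."""
    return selected is not None and selected == real

# Constructed sample keys (not real key material).
ALICE_KEY, BOB_KEY, INSERTED_KEY = b"alice-pub", b"bob-pub", b"inserted-pub"

def exchange_ok(alice_keys, bob_keys):
    """Alice compares her screen with the phrase Bob reads aloud."""
    alice_real, bob_real = group_phrase(alice_keys), group_phrase(bob_keys)
    pick = careful_user(build_choices(alice_real), bob_real)
    return device_accepts(alice_real, pick)

if __name__ == "__main__":
    print("honest exchange accepted:", exchange_ok([ALICE_KEY, BOB_KEY], [BOB_KEY, ALICE_KEY]))
    print("inserted key accepted:  ", exchange_ok([ALICE_KEY, INSERTED_KEY], [ALICE_KEY, BOB_KEY]))
```

Because the device shows only phrases and not which one is its own, a user who taps without comparing has to guess among three, while a user who compares finds no match when a key has been inserted.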

Identity Intentional Lie

If you have physically verified that a particular key belongs to a contact, and that same contact intentionally allows that key to be used by someone else, this is an intentional lie. Whether the intent was a practical joke or malicious, we recommend choosing secure contacts carefully. All security systems suffer from this vulnerability. In order to detect this lie, the secure text messaging system would have to continuously render video or audio of the false contact, defeating the purpose of establishing a text messaging service.