Doing security checks

Confirm end-to-end encryption

A person generates a code on their device for another person to scan.

Description

Check that shared data is encrypted and that the person receiving it is who they say they are. This is best done in person, by making sure each other’s unique codes (public key fingerprints) match. Doing this face to face makes it harder to forge or tamper with the codes. People are notified if other people’s unique codes change.

IF thinks that this isn’t something everyone will do, but it should be an option to reassure those who have a particular need for encryption. Knowing when the recipient’s phone number or device has changed helps flag potential risks.

Advantages

  • Helps detect impersonation attacks.
  • Reassures people that their calls or messages with each other are encrypted.
  • Usually people are notified if the recipient’s unique code has changed, so they don’t need to check this manually.

Limitations

  • Requires people to have a high level of digital literacy to understand why to check encryption in the first place.
  • It doesn’t work if an attacker has access to the recipient’s device.

Examples

  • Verify security code in WhatsApp

    People can scan each other's QR codes or visually compare the unique 60-digit numbers.

  • Safety numbers in Signal

    People can scan each other’s QR code and visually compare safety numbers. Once people have confirmed the codes are the same they can mark the contact as ‘verified’.

  • Device keys in Facebook Messenger

    People can compare the device key that appears under their friend's name with the keys on their device to make sure they match.

  • Encryption key in Telegram

    After establishing the secure end-to-end connection, Telegram generates a picture that visualises the encryption key for a chat. People can then compare these pictures to see if they’re the same.
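The three pieces of the pattern described above (deriving a shared code from both parties' public keys, comparing the displayed code with the scanned one, and noticing when a contact's key changes) as an added illustration in Python. This is not code from any of the apps listed; the derivation scheme, the 60-digit layout and the sample keys are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample public keys (32 bytes each); a real client would use the
# identity keys from its key exchange, not these placeholders.
ALICE_PUB = bytes.fromhex("11" * 32)
BOB_PUB = bytes.fromhex("22" * 32)
MALLORY_PUB = bytes.fromhex("33" * 32)

GROUPS, GROUP_DIGITS = 12, 5  # 12 groups of 5 digits = a 60-digit code


def fingerprint(own_pub: bytes, peer_pub: bytes) -> str:
    """Derive a shared 60-digit code from both public keys (illustrative scheme,
    not Signal's or WhatsApp's). Sorting the keys first means both devices
    derive the same code no matter who computes it."""
    first, second = sorted((own_pub, peer_pub))
    digest = hashlib.sha512(b"e2ee-fingerprint-v1" + first + second).digest()
    groups = []
    for i in range(GROUPS):
        chunk = int.from_bytes(digest[4 * i:4 * i + 4], "big")
        groups.append(f"{chunk % 10 ** GROUP_DIGITS:0{GROUP_DIGITS}d}")
    return " ".join(groups)


def fingerprints_match(shown: str, scanned: str) -> bool:
    """Compare the code displayed locally with the one scanned from the other
    device. Spacing is ignored and the comparison runs in constant time."""
    a = shown.replace(" ", "").encode()
    b = scanned.replace(" ", "").encode()
    return hmac.compare_digest(a, b)


def check_contact_key(pinned: dict, contact: str, current_pub: bytes) -> str:
    """Pin a contact's key on first sight and report 'changed' when a later
    key differs; 'changed' is the event the client should surface to the user
    so they know to re-verify in person."""
    previous = pinned.get(contact)
    if previous is None:
        pinned[contact] = current_pub
        return "new"
    if hmac.compare_digest(previous, current_pub):
        return "unchanged"
    pinned[contact] = current_pub
    return "changed"
```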