Self verification button used for verification #295
Comments
There's a related issue here. The button was originally only intended for personal use, so you could force refresh the certificate check (e.g. to get the latest signature+revocation lists from the server). We're aware that this is now used in other ways and are re-evaluating it. Personally, I see the following problem: if you want to be stringent, you would need to hide all information on the cert's validity in the wallet app. Even without the green overlay -- what stops people from saying "Look, it says 'Valid in Switzerland until 01.01.2022' in the blue box!"? For example, try importing one of the test certificates into the production app. You'll see that these have a grey box with a label "invalid signature". Should we hide this box as well? Will people not just resort to showing this blue box if we remove the green overlay? At the same time, displaying the validity in the wallet is an important feature in several use cases: 1) short-lived test certificates, or 2) vaccination certificates from outside of Switzerland, or 3) people's vaccination certificates expiring (under the current validity range) as we get closer to the spring/summer 2022. Those are my personal thoughts. We're also discussing this internally, but any thoughts, comments and ideas are of course welcome! :) |
Addressing the issue thoroughly
To cover the mentioned self-verification use cases, the verification app would need to show "valid until", introducing a small privacy leak. It still becomes a hassle to check your own certificate validity period. Maybe you could send some push notifications from the app, notifying the user about the upcoming expiration.
Not addressing it
Middleground
If this measure is also side-stepped by some other means, as feared by @goebelUB , then a solution more in the direction of completely removing the validity information could be discussed, but I think we shouldn't go full-on with a bad-UX solution if we haven't even tried the less impactful ones. |
Thanks to both of you for laying this out in such great detail! My hypothesis on why the button is used so much is because it feels like it's the same thing as 'scanning' the QR code even though it clearly isn't. In my view all proposed middleground solutions would make it feel less like scanning in one way or the other and therefore many people should be aware again that this wasn't intended to be used this way. I hope that you can address this problem soon with one of the proposed middleground solutions. |
Hi folks. On 19 October, I informed the BIT about a problem in connection with the self-verification button. I suggest that not only the revocation list but also the server time be verified as a hotfix. This will at least prevent a privacy leak to the BIT, as no validTo would have to be sent from the client to the server. The problem mentioned also applies to the iOS Covid Certificate app. |
Please address it quickly as more and more are using this to check the certificate validity instead of the verification app. I would vote for "2. Have the button simply not trigger the green checkmark animation" with:
Just like it is displayed after the green stuff disappears. In case of "Update error", display the same messages / errors as when importing a PDF or scanning a new QR code |
Hi @goebelUB, Any news on this? I'm sure also the folks coming from a privacy perspective (e.g. especially EDÖB) would appreciate a solution, since the current practice of using the button leads to a privacy issue as well - the verification service knows when I'm being checked for a certificate. |
I would suggest removing the refresh button as a FAB but hiding it a little bit in the options menu, and yes, definitely dropping the green color and explaining what the button should be used for every time that it's clicked. Sadly nowadays people don't scan the QR code anymore, and those who should scan the QR code don't know what that button is, and why clicking it is not a replacement for scanning the certificate. The whole concept of the DGC is that the QR code presented to you cannot be trusted - and thus you need to scan it with an uncompromised device to prove its validity. That function on the app completely replaces the "scan" behavior and thus everyone in Switzerland can recompile the app to show anything that will show the green color when that button is pressed. I switched to the light certificate, and I lost count of the people who still try to find the refresh button. When they don't find it, they simply don't scan the QR and they let me enter the venue / bar / restaurant. This sadly shows how such a bad UX jeopardizes the efforts of making a cryptographically secure solution like the DGC. |
We have similar experiences with the official Corona-Warn-App in Germany, even though there is no green checkmark next to the QR code. I think, in the end, it will rely on politics to integrate the check of QR codes into the COVID related legislation, and on massive promotion of the necessity to scan the code in the media. People who enter a venue where no reliable check is done should feel insecure about their own health. Many greetings from the north. |
I just had it happening to me yesterday - some restaurant staff "verified" my covid-cert by pressing on this button. |
Saw yesterday a queue of people at a restaurant showing their COVID Certificate and pressing on "verify" to show the checkmark. I showed the cashier my Light Certificate. She tried to find the "Refresh" button to confirm that my certificate is valid, didn't find it, didn't scan it, said it was all good. This needs to be fixed ASAP. I'll make a PR for the Android app soon. |
@denysvitali I created a PR #301 with updated checks where the green color is gone and the texts have been changed to "refreshing" instead of "validating". Feel free to review and update. Personally I think it should go a step further and remove this button completely for the end users, therefore the PR has been updated with this. As many persons in the country are now used to using this "refresh" button, they will not see the difference and trust what the end user is showing to them; like they did for your "Light Certificate". |
I'd personally keep the button as it is, and show a red warning on every click mentioning what the feature is used for. A message in the four languages should show that clicking the button doesn't replace scanning, and it is actually meaningless for the person scanning the QR code. |
I didn't find any use case for this button, you? The refresh of the certificate is done transparently at the startup of the app. |
It's now two months since I opened the iOS issue and we have to assume this is deliberately not dealt with. The only way to get anything moving would probably be to create an actual app that creates invalid QR codes for Mickey Mouse etc. showing a green animated checkmark. The refresh button needs to be gone. There's simply no valid use case for it. And as @goebelUB mentioned, the app should show only the QR code, at the very least when it's zoomed. There's simply no information that should be shown, not the name, not the birthday, not the validity, the only thing necessary is the QR code. |
The only good reason for such a button is to mislead people. I'd add a "Certificate valid only if scanned", right after the information that the certificate is valid only with a valid identity document, and the button notice explained above, together with another UI / UX for the validation process that should discourage the use of that button as an alternative to scanning. |
Nobody ever showed how messed up (in terms of UX) this problem is. So here is a quick screen recording of the current behavior with a modified app (just to mock the verification part): test-1.mp4 Now, I can tell you that due to this bad UI / UX, I can most probably take this modified app with me, visit any place in Switzerland and get in without any issue. The problem is that the people that are supposed to scan the QR code are clicking this button on the user's phone (thus trusting the user) to check their certificate. Needless to say, this is not how the verification should happen. This positive action on the FAB click resulted in a switch in behavior of how the people that are supposed to scan the QR code approach the situation. I'll propose a couple of designs / implementations of how I would solve the issue, and make some PRs. This thing has to be fixed ASAP. |
Thanks for the recording! And yes, it happens exactly as you're describing (with very few notable exceptions). Unfortunately, I think it's safe to assume that absolutely nothing is going to happen until after Nov. 28. |
My initial proposal: test-1.mp4 |
And here is an improved version (better layout) related to the previous idea: validation-1.mp4 |
Maybe the Infos you display can be taken from the "Important" out of https://www.bag.admin.ch/bag/en/home/krankheiten/ausbrueche-epidemien-pandemien/aktuelle-ausbrueche-epidemien/novel-cov/covid-zertifikat/covid-zertifikat-pruefer-aussteller-technische-informationen.html#1851413288 At the end not sure that this will be enough. The "checkers" will go to Plan B and ask for the "Certificate Light" and look at the remaining time of validity. Most of the "checkers" don't have any Device to Scan actively and prefer to trust and use the one of the person to be verified. Probably the FOPH and the press have to be taken in duty to inform the "checkers" properly on how to proceed. |
Just to show how widespread the idea of "click the refresh button to validate" is. From today's news:
Source: https://archive.md/0Pdvb |
I personally don't think that this will help much as most users won't read the text. Therefore I would lean more toward one of the other possible solutions that were initially outlined by @simonerni. I think that they will help to resolve the problem in a better way regarding minimizing the misuse of the button and UX: |
I don't care if the users won't read the whole wall of text. The first part (the title) is what the person who verifies the certificate will read when the button is pressed - which is enough. If it happens consecutively on N people's phones, the person "scanning" the QR code by clicking on that button will realize the mistake and start scanning it correctly. My PR also includes a removal of the green validation bubble and related text, avoiding any UI-related visual saying that "certificate is good". Personally I think this is the best way to raise awareness on the issue, and the title + summary are enough to probably convince people that the button is not what they think it is. Hiding the button will only make things worse, as this will make other fake verification means (e.g. light QR certificate) take place: "counter on screen = certificate is good". I would suggest going with my proposal, and further hiding the light certificate countdown (or removing it entirely and implementing #302). |
Newest design proposal (shortened title, added an alert icon) - 5d59cb5: |
I had reported this problem to NCSC on October 15. Unfortunately, I never heard back from them. |
The fake app will show up eventually, I don't think it will be widely used or be a big public health issue (which in the end is the whole point and only real concern). But I am worried about a scenario where this goes public under a bad light and the developers and open source in general are pointed as being incompetent. |
Some weeks ago, I would have had the same opinion. Just speaking about experiences currently made in Germany: Since we also have a similar button in our Corona-Warn-App (albeit with a different function) and with similar effects, I support the concern and the PR here. |
Sorry guys but this clearly shows that this Refresh button is "works as designed" and they want the people to use this; otherwise they would have reacted quickly. With the latest version they even made it even worse with the info about 2G / 3G. I bet there are already modified versions used in the field. It's just so easy to do.... and paper fakes are already out; just read the latest news of the boulevard press about St. Gallen. Especially that most of the control points are not using the Covid Check App anymore and rely fully on the enduser app or paper; WYSIWYG changed into WYSIWYT(rust) Maybe a responsible disclosure would be adequate here before we jump to the press and make a great demonstration on how easy it is to get into any place. |
Well, as a developer I have no data or evidence to say that this issue is exploited in a way that can actually have real public health impact as @vaubaehn suggested. Maybe some estimation could be done, but this is out of my field. As I said, I tend to trust people, and thinking groups would organize to cheat and exploit this is nearly sci-fi to me. Having said that, what I can assert is that the UX design is bad and encourages misuse, even with no malicious intent whatsoever. And that it would be very easy for a malicious actor to publish a web app (PWA) that prompts for any name and mimics the official app. It could even be bundled with a real shared certificate (that can easily be stolen with a picture of someone's phone during a check and could be updated if invalidated), then it would show green on the "scanner", with the wrong name yes, but with a bit of social engineering, you could show your ID along with YOUR phone with the fake name, and the person scanning would just remember "yeah it passed on my phone". Again, for me the only proper solution is to fully remove the name from the certificate. |
I personally would vote for removing the button. After a release of an updated app, I would wait some days until all phones have updated the app. |
Okay, let's go down the responsible disclosure way. Let's give Ubique / @admin-ch 30 days to comment on this issue / come up with an official statement. Failure to do so would result in a PoC shared with the public in form of an APK / website. I don't want to go down this way, but it's the only thing we can do to finally get them to solve this issue. I'll send this in CC to their info email address and to the government CSIRT. This isn't even responsible disclosure to be honest, the issue is already stated and a solution is already provided. If the situation doesn't change, on January 20, 2022 a PoC will be provided here and to the press. Sorry guys but apparently we have to go this way to solve the issue. cc/ @goebelUB, @simonroesch, @benz-ubique, @UBaggeler, @maurhofer-ubique, @ubamrein |
NCSC and Ubique have been informed by email about the responsible disclosure plan. |
@denysvitali |
In case you didn't get it: the repository is open. And the press is reading it anyway. Greetings: someone from the press. |
@petarmarj But you're the responsible press ;-) Let's just close this issue. The no-reaction and addition of the "3G 2G" indication makes it quite clear that it works as intended. And given that it's apparently easily possible to get valid certificates as shown in https://www.watson.ch/!569351676 makes a fake app not even necessary. |
Publishing a PoC only serves selfish reasons. It will also lead to abuse, infections, hospital admissions, and ultimately deaths. I wouldn't want to be responsible for even a single one. I'm normally supportive of a responsible disclosure process. But this is already over, it's an open repo, it's already publicly disclosed (@petarmarj conveniently proves this). There is no "disclosure process" anymore at this stage. We can just twiddle thumbs and write angry letters to the FOPH. @denysvitali - in your certificate analysis repo you say: "Please - stay safe and get vaccinated!" |
Yes, it kind of is a hypocritical move, but I feel it's the only possible way to raise awareness on the issue. Doing it yourself is extremely simple, and only takes two steps:
It seems like @admin-ch and Ubique are both fine with this since they have been silent for a long time on the issue, and by now I'm pretty sure someone already created such an app and is using it. Maybe the responsible disclosure deadline will help move things, maybe not, we'll see. I don't intend to help any unvaccinated person to avoid the certificate checks - quite the opposite! I'll make sure my PoC will be clearly fake and will not be usable with any real name / surname. |
The problem with making more "noise" around this issue is that I think it will clearly NOT be fixed, so any more publicity would give ideas to malicious actors. |
Hi everyone, the project team would like to comment on this as follows: First, we would like to thank you for your interest and ideas regarding this topic. We are aware of the issues you have raised in connection with the refresh button. Currently, possible solutions are under review. We will keep you updated within due notice. |
If it's not going to be fixed, a PoC will hopefully make people realize that a fix is indeed needed, and hopefully raise awareness. Don't get me wrong. I don't want to help malicious actors use such a method, but by now we can assume someone in the wild already did that and is using it. Responsible Disclosures are made exactly for this reason:
It's just sad to see that the efforts made to have a cryptographically secure COVID Certificate are jeopardized by a stupid UX mistake |
Well, I'm happy to have been wrong. If you want more feedback/ideas, I'd be happy to provide some. |
@denysvitali No, it's not the only way to go about this issue - as outlined in my statement above. The way you're going about this feels a lot like blackmail to me, disguised as "responsible disclosure". I understand your idea, publishing exploits as PoC helps in many cases after a fix has been available for some time. But here, we're concerned with health. Harm is not unlikely, it's almost guaranteed to follow. I therefore urge you to tread with utmost caution in your actions. And finally: Just because a person might've done this already with some effort doesn't mean that suddenly everyone should be able to do this easily. |
I agree with @simonerni. We are not speaking of breaking DRM or showing we can download a movie, I don't think putting any more "pressure" would help. We got an official response, late yes, but we got it. I don't think there is anything more to prove. |
Without an official answer, the PoC would have been the only way to move things. Thankfully we got a semi-official answer. I just wonder now how much it will take to solve the issue entirely. |
FYI, they started the dev over on the iOS side: https://github.com/admin-ch/CovidCertificate-App-iOS/tree/feature/reload-button-changes |
Thanks again for everyone's input! We will be phasing the button out over the course of the next weeks. |
Can you share a little bit what the plan is there? From the iOS repo the approach seems similar to my proposal (alert on click + grace period), but I might be wrong |
FYI: Relevant strings: CovidCertificate-App-Android/common/src/main/res/values-de/strings.xml Lines 1484 to 1501 in 7891750 |
Sure, I can give some technical details: The current plan is indeed to have a popup that is shown when the user clicks the FAB, just like you proposed. In addition, we plan to not immediately show the info popup in the new version. Instead, we introduce a flag to configure it via the backend. This allows us to switch from "refresh" to "info" once the majority of users have upgraded. Finally, all of this will be accompanied by communication on other channels, e.g. on the website. This complements the information in the info popup, which is deliberately kept short and non-verbose. |
Awesome! Thank you very much! |
I honestly still don't think the press understood the change.
Which translates to:
I hope a press release from the government will follow, so that these media sources can stop disseminating false information. Blick on the other hand reports the news in a better way, and only down below in the article explains the real reason for the change. The situation was so messed up that people thought that the removal of the refresh button and its suggestion to use the Covid Check app is actually a new way of verifying the certificates to avoid people touching your smartphone...
It's still somehow a success, but I still think this has to be addressed with a press release, either from the government, or at this point the change is public by some more technically skilled journalists (looking at you @petarmarj). Watson.ch implies as well (following Blick and 20min) that the function was supposed to be used like that. Thankfully they also mentioned the possible abuses. |
As the self-verification button is now not available anymore, I think that we can close this issue. |
This is a question that I'm not sure where else to put and didn't find much information about.
Recently more and more people are not using the scanner app but the self-verification button to check my certificate. This doesn't seem right to me though. I mean someone could use the code here, remove the verification and then have a 'valid' certificate.
Can you confirm whether this is how this button is intended to be used?
Maybe this option needs to be rethought.