> I said, 'by default'. I know that it is possible to do a manual verification, but I am yet to have a chat with a person who would do that.
I'm not sure what else you'd expect. The alternative would be for Signal not to handle key exchange at all, and only to permit communication after the user manually provides a security key that was obtained out-of-band. That would be an absolutely disastrous user experience.
> Also, Signal does not give any warnings or indication that the chat partner's identity is manually verified
That's not true. When you verify a contact, it adds a checkmark next to their name with the word "verified" underneath it. If you use the QR code to verify, this happens automatically. Otherwise, if you've verified it manually (visual inspection) you can manually mark the contact as verified and it adds the checkmark.
Ahem. I'd expect something that most XMPP clients could do 10+ years ago with OTR: after establishing an encrypted session, the user is given a warning that the chat identity of a partner is not verified, and is given options on how to perform this verification.
With CA you can make a mild warning that identity is verified by Signal, and give options to dismiss the warning or perform off-the-band verification.
Not too disastrous, no?
> That's not true. When you verify a contact, it adds a checkmark next to their name with the word "verified"
It has zero effect if the user is given no indication that there should be the word verified.
It is not true what you say. This [1] is what a new user sees in Signal - absolutely zero indication. To verify a contact, the user must go to "Conversation settings" and then "View safety number". I'm not surprised nobody ever established a verified session with me.