Devices without encryption support showing as unverified in "Security & Privacy"

[westerguard]

Steps to reproduce

When you setup double puppeting for for instance the Mautrix Telegram Bridge, the session shows up as unverified in the old and the new session manager, also see the printscreen below.

Outcome

I asked about this in the Mautrix-Telegram-Bridge room, and this shouldn't be the case, because it doesn't need encryption and it doesn't affect anything else.
And to quote Tulir: "actually might be a regression, I think there used to be a separate 'Devices without encryption support' section".

It also affects Element Android (don't know if you need a separate issue for Android).

Operating system

No response

Browser information

No response

URL for webapp

No response

Application version

Element version: 1.11.31 Olm version: 3.2.14

Homeserver

Synapse 1.83.0

Will you send logs?

No

[kerryarchibald]

Regressed by matrix-org/matrix-react-sdk@70b87f8

[kerryarchibald]

It's expected in new session manager for sessions that do not support encryption to be displayed as unverified, but they have an 'unverifiable' status under the hood and should not display the option to verify:

[westerguard]

Oh, well, mine does show the Verify session button.

But even without this button, I feel like a red warning shield for a bridge is not so great.
I get the idea, and technically it is the right way to show it, but I think that every 'normal' user will assume there's something wrong when they see a red shield.
From the end-user's perspective, it think it's confusing.

[richvdh]

This regressed in the old device list (under "Security & Privacy") between Element 1.11.24 and 1.11.25.

Before (EW 1.11.24):

After (EW 1.11.25):

The new session manager regressed between EW 1.11.29 and 1.11.30.

Before (EW 1.11.29):

After (EW 1.11.30):

Note that the device without E2E support has always shown as an "unverified device"; as @westerguard points out that is arguably a bug, but it's not a regression and is a separate problem.

[richvdh]

The regression in the old device list was in matrix-org/matrix-react-sdk#10200.
As @kerryarchibald notes, the regression in the new session manager was in matrix-org/matrix-react-sdk#10594.

[richvdh]

Both PRs have the same issue, which is switching from a version from isDeviceVerified which returned null for devices with no keys to one which returns false.

It's also worth noting that both implementations were subsequently updated by matrix-org/matrix-react-sdk#10663, though that doesn't seem to have changed any behaviour here (largely because they still end up with the same isDeviceVerified implementation, just via different code paths)