
posted by martyb on Sunday November 08 2015, @02:06PM
from the Wbuaal-qbrf-abg-rira-haqrefgnaq-EBG13 dept.

This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt to use Mailvelope to communicate with each other. Our results show that more than a decade and a half after "Why Johnny Can't Encrypt," modern PGP tools are still unusable for the masses. We finish with a discussion of pain points encountered using Mailvelope, and discuss what might be done to address them in future PGP systems.

The PDF of the study can be found here.


  • (Score: 2, Disagree) by opinionated_science on Sunday November 08 2015, @02:48PM

    by opinionated_science (4031) on Sunday November 08 2015, @02:48PM (#260355)

    the really hard job is writing the complicated maths software! Seems strange making it usable is such a problem...

    Under Linux I think it is half-usable. Using KDE, you have KGpg and Thunderbird (with Enigmail); I get automatic prompting for encrypted things arriving.

    Probably a more important educational point is that keys are "free". No point just having one; create "themed" key usage, or a master and sub-signed keys.

    This also extends to browsers - have profiles that match the activity. Your bank is much less likely to carry malware than some chat site. Why mix them?

    This would seem to be a general educational point?

  • (Score: 5, Insightful) by bzipitidoo on Sunday November 08 2015, @04:33PM

    by bzipitidoo (4388) on Sunday November 08 2015, @04:33PM (#260388)

    Treating the problem of usability as trivial, not worthy of attention, has been the bane of free software. Usability has also been mostly ignored by security experts. A lot of them take this attitude that security is all important and therefore only an idiot would sacrifice security for usability, or just ignore it. And, idiots get what they deserve. There's not much sympathy for people who don't lock things down, set their passwords as "12345" or "password" or don't even do that much, never even realize there was a default password, and get hacked.

    The default password is an excellent example of a usability failure. We had all these commodity modem/router/firewall set top boxes that shipped with the same default password. Often, manufacturers didn't even change the password between models. Now their boxes ship with unique passwords. Why was that so hard to do, what took them so long to do it? Databases have had the same issue. Came with default configuration files containing default settings for database user accounts. Often the default is not to require a password. But think about that problem a bit. If the source site generates unique configuration info for each download and bundles it in, it complicates things considerably. Now to verify that the download wasn't corrupted, their site has to compute hash values each time, and, then, what, save them all in case the customer ever wants to download or verify the download again? So, try to handle it programmatically, and as part of the installation process, generate unique security credentials.

    This email encryption commits stupid usability errors. Why would users ever want to encrypt an outgoing message with their own public key? Answer: they wouldn't. Why then does the encryption interface enable users to stumble into doing just that by mistake? Another mistake is making it too possible for users to accidentally send out their private key.

    Another usability problem: suppose the user wants to send 1 email to multiple people. (Assume it's not spam.) You have to get the public key of every recipient and encrypt the message for each one. If just one recipient does not use encryption, that makes the whole exercise somewhat pointless. One could set up a group account, let everyone on the mailing list share a common key pair, but that has lots of problems too.

    • (Score: 2) by opinionated_science on Sunday November 08 2015, @05:50PM

      by opinionated_science (4031) on Sunday November 08 2015, @05:50PM (#260415)

      to be honest I don't know how it does it, but it works fine. My setup uses my key to store outgoing in sent (so I need to unlock to see my sent). But when I send to someone else, and they reply, I still need to unlock the portion I originally sent. I think the system is smart enough to know:

      http://superuser.com/questions/554513/pgp-encrypt-single-message-for-multiple-recipients
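The one-message, many-recipients mechanism that the superuser link above and bzipitidoo's "encrypt the message for each one" remark further up both touch on, as an added worked example in Go that is not part of this thread, of Mailvelope, or of the paper: the body is encrypted once under a random session key, and only that session key is wrapped once per recipient public key; listing your own key among the recipients is the "encrypt to self" behaviour the comment above describes, and a key that was never a recipient cannot open the body at all. The names alice, bob and carol, the WrappedKey and Message types, and the use of RSA-OAEP with AES-256-GCM are assumptions standing in for OpenPGP's real packet formats and its CFB-with-MDC encoding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedKey is one copy of the session key, encrypted to one recipient's public
// key (OpenPGP: a PKESK packet). KeyID is a constructed stand-in for a real key ID.
type WrappedKey struct {
	KeyID      string
	Ciphertext []byte
}

// Message is the hypothetical wire shape: one wrapped key per recipient, then one
// body ciphertext. AES-256-GCM stands in for OpenPGP's CFB-with-MDC encoding.
type Message struct {
	Wrapped []WrappedKey
	Nonce   []byte
	Body    []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt encrypts the body once under a fresh random session key, then wraps
// that key separately for every recipient public key (RSA-OAEP here).
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Message, error) {
	if len(recipients) == 0 {
		return nil, errors.New("refusing to encrypt to nobody")
	}
	buf := make([]byte, 32+12) // 256-bit session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	msg := &Message{Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, nil)}
	for keyID, pub := range recipients {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, fmt.Errorf("wrapping session key for %s: %w", keyID, err)
		}
		msg.Wrapped = append(msg.Wrapped, WrappedKey{KeyID: keyID, Ciphertext: ct})
	}
	return msg, nil
}

// Decrypt finds the wrapped key addressed to keyID, unwraps it with the matching
// private key and opens the shared body. A non-recipient, or the wrong key, fails.
func Decrypt(msg *Message, keyID string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range msg.Wrapped {
		if w.KeyID != keyID {
			continue
		}
		sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w.Ciphertext, nil)
		if err != nil {
			return nil, fmt.Errorf("unwrapping session key: %w", err)
		}
		gcm, err := newGCM(sessionKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, msg.Nonce, msg.Body, nil)
	}
	return nil, errors.New("message was not encrypted to key " + keyID)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	// alice lists her own key as a recipient ("encrypt to self") so her Sent copy stays readable.
	msg, err := Encrypt([]byte("constructed sample: lunch at noon?"),
		map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	out, err := Decrypt(msg, "bob", bob)
	fmt.Printf("%d wrapped keys, %d-byte body, bob reads %q (err=%v)\n",
		len(msg.Wrapped), len(msg.Body), out, err)
}
```

Run it with go run; it generates fresh keys on every run. Two caveats that the thread circles around: the key IDs in the wrapped-key packets are readable by anyone holding the ciphertext, so who a message was addressed to is metadata rather than protected content (GnuPG's --throw-keyids option blanks them at the cost of trial decryption on the receiving side), and a correspondent with no public key simply cannot be added to the recipient set, which is why one unencrypted recipient forces the whole message to go in the clear.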

    • (Score: 0) by Anonymous Coward on Sunday November 08 2015, @11:34PM

      by Anonymous Coward on Sunday November 08 2015, @11:34PM (#260563)

      Funny, I used to hand out my email to just a few people. I am sure those few people would use encryption if it was built into their email client. I don't think any of us actually used webmail ourselves, but have set up the servers so suits or something could do it.

      I was surprised to learn gmail was webmail but I guess they are the web app company... so anyway, gmail is a spam domain, right, and their adblocking there is just a method of filtering out spam they do not like in favor of providing spam that you do like? I thought spam was spam.

      But, if my client only allowed encrypted messages to my friends, then really none of that behavior inherent to spam like that would be an issue, since it wouldn't get accepted. I mean, I never accepted it, but spoofing even gets past white lists. But not with encryption.

      So, I really don't see a problem with your suggestion provided people involved in it actually care enough to receive only what they want.

      The cable tv company damn well isn't going to unencrypt channels they don't want me to have and send them to me for free, so I wish they'd take the same approach to email.

    • (Score: 2) by Grishnakh on Monday November 09 2015, @02:21AM

      by Grishnakh (2831) on Monday November 09 2015, @02:21AM (#260618)

      Treating the problem of usability as trivial, not worthy of attention, has been the bane of free software.

      Oh bullshit. The Gnome team talks all the time about usability and how user-friendly Gnome3 is. This doesn't mean it's actually all that usable, especially since it's so stripped-down that you can't do anything with it or customize it without jumping through hoops, but it's not like free software devs aren't actually thinking about it, even if they are completely misguided.

      • (Score: 2) by bzipitidoo on Monday November 09 2015, @03:46AM

        by bzipitidoo (4388) on Monday November 09 2015, @03:46AM (#260641)

        Talking and thinking about usability all the time, but not achieving it, is not exactly a ringing endorsement of their commitment. Apple is the usability leader; why can they not simply follow Apple's example? No, they seem determined to reinvent the GUI. As you say, misguided. They need discipline. Gnome3 sounds like the systemd of desktop environments.

        I use LXDE/Openbox. Though lighter and faster, it's still a classic example of functional overkill. When I bother to configure Openbox, most of what I do is get rid of a bunch of functionality I don't want or use. Shade/unshade windows? Do not want. Minimize works better. Also don't like having the scroll wheel overloaded with functionality. By default, the scroll wheel scrolls if the mouse pointer is in a window, shades and unshades if on a title bar, and switches desktops if on the desktop. I prefer that it not change functionality based on the mouse pointer location. I am forever whizzing through the desktops when the mouse pointer wanders off the edge of the window I'm scrolling. I want it to scroll the active window no matter where the mouse pointer is, no shading/unshading, no switching between desktops. Why did the devs decide to get fancy? It's like they're entranced by "cool" ideas, eager to implement them, but can't be bothered to test them on users to see if they're actually any good. That's not taking usability seriously.

        Another problem both KDE and Gnome suffer more than any other desktop environment is bloat. They're seriously slow and unusable on slow, limited hardware. Could be the "cool" factor contributed to the bloat.

        • (Score: 2) by Grishnakh on Monday November 09 2015, @05:49AM

          by Grishnakh (2831) on Monday November 09 2015, @05:49AM (#260662)

          By default, the scroll wheel scrolls if the mouse pointer is in a window, shades and unshades if on a title bar, and switches desktops if on the desktop. I prefer that it not change functionality based on the mouse pointer location.

          Well I prefer that it does. I like being able to scroll background windows without having to change focus.

          Why did the devs decide to get fancy? It's like they're entranced by "cool" ideas, eager to implement them, but can't be bothered to test them on users to see if they're actually any good. That's not taking usability seriously.

          No, it's giving people the power to have what they want. If you want it configured differently, then do so. If you make it one-size-fits-all, you get Apple crap where it's their way or the highway, which is the exact same philosophy the Gnome3 devs have.

          Another problem both KDE and Gnome suffer more than any other desktop environment is bloat. They're seriously slow and unusable on slow, limited hardware.

          Gnome3, sure, but for KDE that's completely false. Turn off the indexing stuff and it's fine.