SoylentNews is people

posted by martyb on Sunday November 08 2015, @02:06PM   Printer-friendly
from the Wbuaal-qbrf-abg-rira-haqrefgnaq-EBG13 dept.

This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt to use Mailvelope to communicate with each other. Our results show that more than a decade and a half after "Why Johnny Can't Encrypt," modern PGP tools are still unusable for the masses. We finish with a discussion of pain points encountered using Mailvelope, and discuss what might be done to address them in future PGP systems.

The PDF of the study can be found here.


  • (Score: 1, Interesting) by Anonymous Coward on Sunday November 08 2015, @04:27PM (#260386)

    Yes, Enigmail's setup wizard does simplify things. It certainly sounds much easier than the software used in the study. Still many gotchas after that. Would your idiot after setting everything up know not to put sensitive information in the subject line? What about verifying the fingerprint of a key?

  • (Score: 2) by frojack (1554) on Sunday November 08 2015, @05:03PM (#260402)

    Would your idiot after setting everything up know not to put sensitive information in the subject line? What about verifying the fingerprint of a key?

    There is no technical fix for stupid. None of the headers are encrypted. Not all headers originate with the sender. (There are more advanced encryption tools that wrap your email in a new email with generic headers - but this is even less common.)

    Verification is something the client does. Messages show up in your inbox already verified, and decrypted if the public key of the sender is valid. It's automated. Even fetching the sender's public key is automated.

    --
    No, you are mistaken. I've always had this sig.
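
Added example, not part of the comment above or of the study: what any mail server handling a PGP/MIME (RFC 3156) message can read without a key, illustrating the point that the headers are not encrypted. The sample message, its addresses and subject, and the `GENERIC_SUBJECTS` placeholder list are constructed assumptions.

```python
import email
from email import policy

# Constructed sample: a PGP/MIME (RFC 3156) message as a relay would store it.
# Addresses, subject and the armored body are made up, not real ciphertext.
SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 layoffs list attached
Date: Sun, 08 Nov 2015 17:03:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(constructed placeholder)
-----END PGP MESSAGE-----

--b1--
"""

# Assumption: subjects a sender might use so the real one stays in the body.
GENERIC_SUBJECTS = {"", "...", "encrypted message"}

def relay_view(raw):
    """Report what any server handling the message reads without a key."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.iter_parts()) if msg.is_multipart() else []
    pgp_mime = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
        and len(parts) == 2
        and parts[0].get_content_type() == "application/pgp-encrypted"
        and "BEGIN PGP MESSAGE" in parts[1].get_payload()
    )
    headers = {name: str(value) for name, value in msg.items()}
    subject = headers.get("Subject", "").strip().lower()
    return {"pgp_mime": pgp_mime, "visible_headers": headers,
            "subject_exposed": subject not in GENERIC_SUBJECTS}
```
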
  • (Score: 2) by hemocyanin (186) on Sunday November 08 2015, @06:27PM (#260427)

    Here's a major gotcha, and maybe it has changed now as my experience with setting up Enigmail is 3-4 years old now, but I recall that after setting it up and building your keys (and also after adding new public or private keys) you have to quit Thunderbird and restart. Otherwise it's just failure after failure. I spent several hours trying to understand WTF wasn't working and nowhere did I see a popup that said "completely quit email and restart if you have added a key or this is a fresh install".

    The same thing is true with GPGTools for the Mac.