
SoylentNews is people

posted by martyb on Sunday November 08 2015, @02:06PM
from the Wbuaal-qbrf-abg-rira-haqrefgnaq-EBG13 dept.

This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt to use Mailvelope to communicate with each other. Our results show that more than a decade and a half after "Why Johnny Can't Encrypt," modern PGP tools are still unusable for the masses. We finish with a discussion of pain points encountered using Mailvelope, and discuss what might be done to address them in future PGP systems.

The PDF of the study can be found here.


  • (Score: 1) by Francis (5544) on Sunday November 08 2015, @05:08PM (#260404)

    That doesn't sound like a solved problem. I assume I'm missing something here.

    The only difference I see is that I've spent some time setting something up that nobody I know is using. The mail is still unencrypted and still vulnerable to snooping. Whether or not the mail is being stored on my end or on the servers in plain text doesn't much matter as there's an additional copy on the other end that's not encrypted and will be there as long as the files haven't been deleted and the backups are still available.

  • (Score: 4, Interesting) by frojack (1554) on Sunday November 08 2015, @05:42PM (#260412)

    The instant someone publishes their public key to the key-servers your mail to them would be encrypted. You don't have to think about it. They don't have to think about it. It just happens.

    Setting it up and turning on opportunistic encryption costs you nothing. For all you know, they are all waiting for you to go first! But because you won't bother, there is no momentum to use encryption.

    Note, you can give them the hint by setting it up to PGP "sign" all your outgoing mail.

    If you or they ONLY use web mail, nothing will ever happen.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 1, Touché) by Anonymous Coward on Sunday November 08 2015, @06:05PM (#260419)

      You do realize that anyone can upload a key to a key server? This might work if the key was signed by a mutual friend that you really trust. Otherwise, do you have any idea of who holds the private key?

    • (Score: 2) by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Monday November 09 2015, @12:44AM (#260593)

      Note, you can give them the hint by setting it up to PGP "sign" all your outgoing mail.

      That's quite amusing Frojack. In point of fact, I *do* PGP sign all my outgoing emails, and have done so for years. It hasn't made a lick of difference with anyone, except one person who has a vested interest in secure communications. Even then, that person's partner (an IT person) needed to set it up for them.

      The best was when I sent my investment advisor an email who then called me and said -- "I just wanted to make sure this was really from you, since there was all this garbage at the end." Very cute.

      Before I jumped ship from Facebook, I figured it would be okay to continue its use if I could store and publish my PGP key in my FB profile and encourage others to do the same. Facebook certainly won't allow that, as it would mean we can encrypt our posts and they can't mine the data.

      I realize that from a practical/usage-based perspective, there isn't anything stopping huge numbers of people from using existing resources to encrypt their communications. However, the problem is one of ignorance and a lack of visibility amongst the great unwashed. Until that changes, encrypted email will be the domain of techies, spooks, journalists and dissidents. Because no one else cares. Sad, but true.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 2) by frojack (1554) on Monday November 09 2015, @03:23AM (#260638)

        I *do* PGP sign all my outgoing emails, and have done so for years. It hasn't made a lick of difference

        So do I. And many of my European customers have decided to do the same, usually after a chat about it.
        I only started doing it because some of my customers have to send me code samples and small test data sets.

        My customers in the EU, Germany and Italy principally, are much less likely to use Microsoft Outlook, they mostly use Linux
        so it's Thunderbird, Kmail or Claws. Of those Tbird with Enigma does the closest job of getting you into encryption.

        Now, I grant you, your grandma isn't going to use encryption. Neither are your casual friends. But just having that signature
        there invites others. And I would have taken that opportunity to ask that investment adviser why he doesn't employ it in
        his line of work.

        --
        No, you are mistaken. I've always had this sig.