SoylentNews is people

posted by martyb on Sunday November 08 2015, @02:06PM   Printer-friendly
from the Wbuaal-qbrf-abg-rira-haqrefgnaq-EBG13 dept.

This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt to use Mailvelope to communicate with each other. Our results show that more than a decade and a half after "Why Johnny Can't Encrypt," modern PGP tools are still unusable for the masses. We finish with a discussion of pain points encountered using Mailvelope, and discuss what might be done to address them in future PGP systems.

The PDF of the study can be found here.

  • (Score: 3, Touché) by kurenai.tsubasa (5227) on Sunday November 08 2015, @07:42PM (#260462) Journal

    Er… this is perhaps a nitpick, but the recipient's (and your own if you want to be able to read what you wrote later) public key is used in the encryption operation, and your private key is used during the signature operation.

    I think the car analogy is spot on. Until Johnny understands (really understands) what the difference is between the public key and private key, how they're related (i.e. the public key can be derived from the private key but not the other way around), and what the consequences are of losing control of the private key, it's just a matter of weeks, months, maybe years before Johnny's private key gets phished or otherwise compromised. When that happens and forged emails he hasn't sent start showing up, he'll just dismiss the entire thing as some egghead scheme.

    The other barrier to entry I feel is often missed is the suggestion that you shouldn't trust people you do trust until some egghead software tells you that your mom or your grandson or whoever is really who they say they are.

    Awareness of how utterly simple it is to forge an email, or perhaps how devilishly simple impersonation on the internet is in general, is what I think is missing. Until the public understands that no, you really can't know that's an email from your grandson without crypto, this issue will persist.

    Your points that this is a solved problem on the technical end are entirely correct. I haven't tried any of the webmail add-ons, but it really is all quite simple. I'd say KMail in KDE 3.5 is probably the best product I've used for encryption features, supporting both GnuPG and S/MIME completely transparently. So, something else has to be going on here.

    There is just way too much magical thinking when it comes to computers in the first place.

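As an added illustration of the key roles the comment above spells out (encrypt to the recipient's public key, sign with your own private key, and the public key being derivable from the private one but not the reverse), here is a short Python example. It is not part of the post and has nothing to do with Mailvelope's code; it uses textbook RSA with fixed Mersenne-prime moduli and no padding purely to make the roles visible, and the key names, messages and the `send`/`receive` helpers are constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# Added example (not from the post or Mailvelope): textbook RSA with tiny,
# fixed keys, solely to show which key does what. No padding, no real security.


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    p: int
    q: int
    e: int
    d: int

    def public_key(self) -> PublicKey:
        # The public half falls out of the private half (n = p*q, e is fixed).
        # Going the other way would require factoring n.
        return PublicKey(self.p * self.q, self.e)


def make_private_key(p: int, q: int, e: int = 65537) -> PrivateKey:
    phi = (p - 1) * (q - 1)
    return PrivateKey(p, q, e, pow(e, -1, phi))


# Constructed toy keys built from known Mersenne primes (assumed names).
ALICE = make_private_key(2**31 - 1, 2**61 - 1)
BOB = make_private_key(2**89 - 1, 2**107 - 1)

BLOCK = 8  # bytes per RSA block; 0x01 prefix + 8 bytes stays well below either modulus


def encrypt(recipient_pub: PublicKey, plaintext: bytes) -> List[int]:
    """Encryption uses the RECIPIENT's public key; only their private key undoes it."""
    blocks = []
    for i in range(0, len(plaintext), BLOCK):
        # The 0x01 prefix preserves leading zero bytes and fixes the block length.
        m = int.from_bytes(b"\x01" + plaintext[i:i + BLOCK], "big")
        blocks.append(pow(m, recipient_pub.e, recipient_pub.n))
    return blocks


def decrypt(recipient_priv: PrivateKey, blocks: List[int]) -> bytes:
    n = recipient_priv.p * recipient_priv.q
    out = b""
    for c in blocks:
        m = pow(c, recipient_priv.d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]  # drop the 0x01 prefix
    return out


def _digest_int(message: bytes) -> int:
    # 64-bit truncation keeps the value below the toy moduli.
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")


def sign(sender_priv: PrivateKey, message: bytes) -> int:
    """Signing uses the SENDER's private key; anyone holding the public key can check it."""
    return pow(_digest_int(message), sender_priv.d, sender_priv.p * sender_priv.q)


def verify(sender_pub: PublicKey, message: bytes, signature: int) -> bool:
    return pow(signature, sender_pub.e, sender_pub.n) == _digest_int(message)


def send(sender_priv: PrivateKey, recipient_pub: PublicKey, message: bytes) -> dict:
    """Sign with our private key, then encrypt to the recipient's public key."""
    return {"ciphertext": encrypt(recipient_pub, message),
            "signature": sign(sender_priv, message)}


def receive(recipient_priv: PrivateKey, claimed_sender_pub: PublicKey, envelope: dict):
    """Decrypt with our private key, then check the signature against the claimed sender."""
    plaintext = decrypt(recipient_priv, envelope["ciphertext"])
    return plaintext, verify(claimed_sender_pub, plaintext, envelope["signature"])


if __name__ == "__main__":
    msg = b"Hi Grandma, it's really me"
    envelope = send(ALICE, BOB.public_key(), msg)
    print(receive(BOB, ALICE.public_key(), envelope))  # plaintext recovered, verified True
    # A note signed with some other private key but presented as Alice's fails the check:
    not_alice = send(BOB, BOB.public_key(), msg)
    print(receive(BOB, ALICE.public_key(), not_alice))  # plaintext recovered, verified False
```

The point the comment makes shows up in `receive`: decryption only needs the recipient's private key, but whether the mail "really is from your grandson" is answered solely by the signature check against the sender's public key, and without that check the plaintext reads identically whether or not the claimed sender wrote it.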