[messaging] Are we pursuing real solutions for security?

Christine Corbett Moran corbett at alum.mit.edu
Tue Mar 11 10:45:52 PDT 2014


I'll echo what Trevor says here; I think broader studies would
absolutely also be useful given resources and interest. The area in
which I've found someone with experience and interest (and the area
that piques my personal interest) is in information
representation, an issue which has been a large component of the
thread. Given that, we can begin to address this in parallel with other
important questions deserving of research.

Christine

On Tue, Mar 11, 2014 at 6:33 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> On Tue, Mar 11, 2014 at 3:33 AM, Tony Arcieri <bascule at gmail.com> wrote:
>>
>> I feel like solutions that rely on manual verification of key fingerprints
>> fall into this category:
>>
>> http://i.imgur.com/2bEWKNS.png
>>
>> I don't think these solutions are providing effective security. I feel we
>> need to start from the real needs of real users, and work backwards.
>
>
> How fingerprints fit into an overall secure-comms UI is a good question.
>
> I agree that asking users to compare fingerprints routinely is a bad idea.
> Automating authentication (e.g. "trust-on-first-use", key servers) will be
> better for most users most of the time.
>
> But anything automated breaks down occasionally (the TOFU key has changed -
> what do you do?), and requires assumptions not every user will be comfortable
> with (might a MITM have been present in first contact?  do I trust the key
> server?).
>
> So being able to manually verify fingerprints comes in handy, and has been a
> part of crypto UIs for a long time (PGP, SSH, OTR, TextSecure, CryptoCat,
> etc.).  Since there's almost no UI research here it seems reasonable to look
> into it and try to establish some best practices.
>
>
>>
>> One can propose a study for optimum time-based fingerprint verification
>> and study fingerprint accuracy, but are fingerprints even a good idea? I
>> feel that's where you need to start with any sort of usability study.
>
>
> Christine is talking to a researcher with specific experience in usability
> studies of information representation.
>
> Broader studies would of course be worthwhile too, if someone wanted to
> volunteer resources for that.
>
>
> Trevor
>
>
> [1] https://moderncrypto.org/mail-archive/messaging/2014/000129.html