[messaging] Are we pursuing real solutions for security?
Moxie Marlinspike
moxie at thoughtcrime.org
Tue Mar 11 14:35:02 PDT 2014
You might enjoy this paper written by a non-cryptographer:
https://www.usenix.org/system/files/1401_08-12_mickens.pdf
In his words, "people feel genuine anxiety when asked if they want large
fries for just 50 cents more."
Some of my other favorite quotes:
"'Chains of Attestation' is a great name for a heavy metal band, but it
is less practical in the real, non-Ozzy-Osbourne-based world..."
"PGP enthusiasts are like your friend with the ethno-literature degree
whose multi-paragraph email signature has fourteen Buddhist quotes about
wisdom and mankind’s relationship to trees. It’s like, I GET IT. You
care deeply about the things that you care about. Please leave me alone
so that I can ponder the inevitability of death."
- moxie
On 03/11/2014 03:33 AM, Tony Arcieri wrote:
> I feel like solutions that rely on manual verification of key
> fingerprints fall into this category:
>
> http://i.imgur.com/2bEWKNS.png
>
> I don't think these solutions are providing effective security. I feel
> we need to start from the real needs of real users, and work backwards.
>
> One can propose a study for optimum time-based fingerprint verification
> and study fingerprint accuracy, but are fingerprints even a good idea? I
> feel that's where you need to start with any sort of usability study.
>
> Cryptocat's usability studies are addressing this problem. Short
> Authentication Strings are addressing this problem. Solutions for
> optimal fingerprint comparison accuracy, IMO, are ignoring the problem,
> and studying the wrong solution.
>
> Thoughts?
>
> --
> Tony Arcieri
--
http://www.thoughtcrime.org