[messaging] Let's run a usability study (was Useability of public-key fingerprints)
Guy K. Kloss
gk at mega.co.nz
Wed Apr 2 21:26:01 PDT 2014
On 02/04/14 03:33, Ximin Luo wrote:
> Why is it a given assumption that people "will not check
> fingerprints"? People exchange phone numbers all the time.
But people also don't verify phone numbers before dialling them. Why?
Because the cost associated with the risk of a wrong phone number is low
(usually something like making a local phone call). So they just don't
bother as it's comparable to the cost involved in making a legitimate
use of the phone number. (I know what it costs to call a cell phone in
my country, so in the worst case, I've only made an extra call to find
out that I got the wrong person.)
Obviously the cost could be higher, in case somebody *maliciously*
tricks me into using a wrong phone number and I'm getting an impostor or
a form of MitM attack. But that's rather unusual for most in real life.
> (Do people think it's *immoral* to encourage more
> people to verify fingerprints?)
Interesting point. I know many people who react to suggestions like that
with the usual "just go to your room and put your tin foil hat back on
..." response. I guess most want to be "normal" and not have to worry
about this crypto nerd stuff. In their mind unlocking the car with their
key (logging into their computer, entering the PIN on their phone) ought
to be enough, without the need to check the license plate/SIM card
number (analogous to the fingerprint).
> Software is another way to change
> people's behaviour, and software that lowers the cost of a task
> will encourage more people to do that task.
At least it should hopefully lower the threshold so that significantly more
will do so.