[messaging] Let's run a usability study (was Useability of public-key fingerprints)

Thu Mar 6 09:18:38 PST 2014

(Recent versions of) TextSecure differ from many other products, in that there is no way to *remember* which contacts you have verified. Moxie thinks this is a usability improvement, but I think it's a security hole.

I don't know of any product that does this. Even SSH remembers which non-verified keys you have implicitly allowed.

I'm not saying it will completely invalidate a study, but it will definitely affect things from a user's POV. So, keep it in mind when doing a usability study using TextSecure.

X

On 06/03/14 16:27, Christine Corbett Moran wrote:
> The good news is that you don't need a partnership with an academic versed in experiment and data analysis to run one of these.
> 
> The bad news is that it may not generalize between clients.
> 
> But if anyone wants a candidate client to do a sort of study like that I suggest TextSecure =)
> 
> C
> 
> 
> On Thu, Mar 6, 2014 at 5:13 PM, Tony Arcieri <bascule at gmail.com <mailto:bascule at gmail.com>> wrote:
> 
>     On Thu, Mar 6, 2014 at 4:49 AM, Christine Corbett Moran <corbett at alum.mit.edu <mailto:corbett at alum.mit.edu>> wrote:
> 
>         What we'd need to get started is a list of methods we'd want to test, and some comparisons based on those methods to incorporate in the experiment.
> 
> 
>     I'd like to see more studies like the Cryptocat one:
> 
>     https://blog.crypto.cat/2014/01/cryptocat-at-the-openitp-dc-hackathon/
> 
>     The area of the most confusion — to the point where it made the users feel threatened or panicked — was the user information screens (either for a specific buddy or the user themselves). *Though “fingerprint” is widely known by cryptography and security experts, it is, at the end of the day, jargon*. There were several participants who immediately associated “fingerprint” with a negative connotation (i.e., leaving a fingerprint at a crime scene). Their tone was panicked in asking their questions on this issue, and were unsure of why that information needed to be displayed, and if it was even safe to display. There were a handful of users who understood encryption technology at a very basic level who were not confused by the terminology on this page, but were unsure of what to do with this information. 
> 
>     -- 
>     Tony Arcieri
> 
> 

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 880 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140306/bcb6123e/attachment.sig>