[messaging] Are we pursuing real solutions for security?

Moxie Marlinspike moxie at thoughtcrime.org
Tue Mar 11 14:35:02 PDT 2014

You might enjoy this paper written by a non-cryptographer:

In his words, "people feel genuine anxiety when asked if they want large
fries for just 50 cents more."

Some of my other favorite quotes:

"'Chains of Attestation' is a great name for a heavy metal band, but it
is less practical in the real, non- Ozzy-Ozbourne-based world..."

"PGP enthusiasts are like your friend with the ethno-literature degree
whose multi-paragraph email signature has fourteen Buddhist quotes about
wisdom and mankind’s relationship to trees. It’s like, I GET IT. You
care deeply about the things that you care about. Please leave me alone
so that I can ponder the inevitability of death."

- moxie

On 03/11/2014 03:33 AM, Tony Arcieri wrote:
> I feel like solutions that rely on manual verification of key
> fingerprints fall into this category:
> http://i.imgur.com/2bEWKNS.png
> I don't think these solutions are providing effective security. I feel
> we need to start from the real needs of real users, and work backwards.
> One can propose a study for optimum time-based fingerprint verification
> and study fingerprint accuracy, but are fingerprints even a good idea? I
> feel that's where you need to start with any sort of usability study.
> Cryptocat's usability studies are addressing this problem. Short
> Authentication Strings are addressing this problem. Solutions for
> optimal fingerprint comparison accuracy, IMO, are ignoring the problem,
> and studying the wrong solution.
> Thoughts?
> -- 
> Tony Arcieri
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging


More information about the Messaging mailing list