pinentry's new window titles could be more (less?) informative

Peter Lebbing peter at digitalbrains.com
Thu Sep 28 20:42:41 CEST 2017


On 28/09/17 20:03, Robert J. Hansen wrote:
> He turned it into a Firefox plugin that
> would put a red warning banner at the top of the browser if you were
> apparently being phished.

I remember you telling this before, it's a really neat study that gives
good insights.

But I'm not convinced it can be transferred to this situation. Yes,
people ignore large parts of their browser screen; in fact, I'm willing
to bet this goes for a lot of windows, according to my n=1 usability
study that is my personal experience. It goes especially for browsers,
though, with all the useless cruft on websites. Navigational bars, by
the way, can also be ignored until one needs to navigate a site. If I
just followed a search engine hit to an interesting article, I don't
care about anything around that article no matter how useful it might be
in different circumstances. I automatically pay it no mind at all.

I don't think this pinentry feature will help identify an unwanted
pinentry request when in fact the user is not surprised by being
prompted for their key. They'll just think "ah, okay then" and type it
in. I know I would seven times out of ten, and then I'm being nice to
myself.

However, I think it's about when a user /didn't/ expect the pinentry,
and is wondering where it came from. People have occasionally come on
gnupg-users asking "why does my system keep asking me for my $#&%
key?!", and then it, for instance, turned out they had forgotten they
allowed their desktop environment's keyring manager to use GnuPG to
encrypt their keyring. If the pinentry had just indicated
"gnome-keyring" (I'm not saying gnome-keyring supports this, it's just
an example), they wouldn't have been bewildered and worried their system
was doing bad stuff.

Basically, I don't think it's a security feature to catch malicious
activity, like the phishing. It's just informational, which can be quite
nice, having some information, knowing what's going on. It's there when
you _look_ for it.

My 2 cents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
