Web of Trust itself is the problem

Robert J. Hansen rjh at sixdemonbag.org
Mon Jan 11 05:37:12 CET 2010


On 01/10/2010 11:01 PM, Mario Castelán Castro wrote:
>> Crypto is not like this.  Sure, you don't need to understand Feistel
>> networks or large number theory in order to use crypto, but look at
>> what you *do* need to understand: [...]
> 
> It's good if you know that, you will use the crypto better, but it is not
> necessary IMO.  Can you explain why those things are *necessary* in
> order to use crypto?  We have "user friendly" crypto programs like
> seahorse; I can't figure out how someone is unable to use it with the
> available "user friendly" software like seahorse.

Read this paper:

	Garfinkel, S. L., Margrave, D., Schiller, J. I.,
	Nordlander, E., and Miller, R. C. 2005. How to make secure
	email easier to use. In _Proceedings of the SIGCHI Conference
	on Human Factors in Computing Systems_ (Portland, Oregon, USA,
	April 02 - 07, 2005). CHI '05. ACM, New York, NY, 701-710.
	DOI= http://doi.acm.org/10.1145/1054972.1055069

Also read this paper:

	Gaw, S., Felten, E. W., and
	Fernandez-Kelly, P. 2006. Secrecy, flagging, and
	paranoia: adoption criteria in encrypted email.
	In _Proceedings of the SIGCHI Conference on Human
	Factors in Computing Systems_ (Montreal, Quebec,
	Canada, April 22 - 27, 2006). R. Grinter,
	T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and
	G. Olson, Eds. CHI '06. ACM, New York, NY, 591-600.
	DOI= http://doi.acm.org/10.1145/1124772.1124862


Once you've read them, then let's have this conversation again.  The
obstacles we face in crypto adoption are not related to user interfaces.
They're related to users.

There are a lot of good papers in the literature covering this problem.
Those two papers will helpfully point you in the right direction.

>> Try telling this to a noob who is:
>> a) convinced that only a nefarious low life has a use for encryption
>> b) afraid of and distrusts computers
>> c) convinced he/she is right and logic won't sway him/her.
> 
> What is your point Robert?

I didn't write this; you're misquoting someone else's words and
attributing them to me.

>> The only crypto they use is the crypto that is invisible to them
>> (usually https, which is pretty invisible).
> 
> HTTPS is not invisible; it is transparent with most browsers.

Likewise: David Shaw wrote this.  That said, I agree with him, and HTTPS
is /very/ invisible to most users.

A few years ago a fellow grad student of mine, Peter Likarish, developed
a really cool anti-phishing technology.  (I don't know if it's been
cleared for publication, or if he's still wrestling with it privately,
so I can't talk about how it works.)  It was a phenomenally effective
phishing-detection engine.  For testing purposes, he packaged it up into
a Firefox plugin.

When a user visited a phishing site, a small red bar would appear across
the top of the screen.  "Warning: this site appears to be impersonating
another site," it would say.  He figured users would see it.  He
recruited a number of normal, everyday users to test the plugin.  He
gave them a computer preinstalled with Firefox and the anti-phishing plugin.

*Not one of them* saw the red bar across the top.  They all considered
it to be visual noise and filtered it out.

Peter decided the solution was to make the bar grow steadily bigger over
time.  The user could click on the bar at any time to make it vanish;
but if the user ignored the bar, the bar would grow and grow until it
took over a third of the screen.

He repeated the test, and this time videotaped people as they were
interacting with the system.

*Not one* saw the bar.  According to Peter, when watching the videotape
you could watch users' eyes scroll down the screen as the bar grew.
There was no question that on some level they were seeing the bar,
processing it.

Peter's hypothesis was that Flash ads are to blame.  Users have become
conditioned to having Flash ads appear on the screen, take over real
estate, and so on.  Therefore, users were subconsciously filtering out
this big red alert bar and it was never percolating up to the conscious
level where users could make an informed decision about the risks.

So.

Yes.  HTTPS is invisible.  Users typically do not have anywhere near the
visual recognition of web interfaces that people like to think they do.


ObDisclaimer: Peter told me this about two years ago now.  My memory is
not perfect; I may be off on details.  However, I am confident the
salient parts of the story are correct.
