PGP/MIME considered harmful for mobile
Robert J. Hansen
rjh at sixdemonbag.org
Mon Feb 28 23:23:28 CET 2011
On 2/28/11 4:59 PM, MFPA wrote:
> I'm sure Martin would have something to say *if* he
> spotted his key's signature on messages he didn't write...
Yes: but I suspect that may be a big "if." If you see a message is
signed by an unknown key 0xDEADBEEF, do you really notice the 0xDEADBEEF
and go, "hey, that's my own key ID!", or do your eyes just gloss over it?
A few years ago, a fellow Ph.D. candidate named Peter was doing some
research into new anti-phishing technologies. His research was good:
his HCI results were positively stunning.
He packaged his anti-phishing toolkit into a Firefox extension. When
visiting a page, if the toolkit decided it was probably a phishing page
it would display a red bar across the top of the page: "This might be a
He set up an HCI experiment to see how easily people would notice. Of
his 25 test subjects (all of whom were "regular users" -- non-geeks who
weren't especially tech-savvy), not one chose to avoid the site when the
warning bar came up. In post-experience interviews, *all 25* said they
didn't see the bar at all.
So, Peter figured he'd make the bar bigger. Same results -- except this
time it was like 21, 22, or so, didn't see it.
So, Peter figured he'd get really obnoxious. The bar started off at a
discreet size, but steadily grew and grew until it took over a full
third of the browser window. You had to click on an "I know this may be
a phishing site, go away!" button to close it.
20+ users, if I recall correctly, still didn't report seeing the warning
bar at all.
Finally, in a fit of deepest, darkest frustration, Peter followed up
with people and asked, "WHY? WHY didn't you see this? I couldn't make
it more obvious, could I? Did I need to rent out a parade and send up a
parachute flare while the Marine Corps Marching Band plays a selection
of Sousa marches?"
He then learned that his users thought the banner across the top was
"just another one of those annoying Flash ads," and they tuned it out.
When Peter told me about this, I didn't believe it. It's a pretty
incredible story. But given he'd videotaped the users' interactions
with the system...
Anyway. The lesson I draw from this is when experts say "of course
users will notice!", well... it's very likely the users *won't* notice.
(ObWarning: I am going on memories that are now a few years old. Doing
a little hunting, I see that he published a paper on his experiences.
Likarish, Peter, et al. B-APT: Bayesian Anti-Phishing Toolbar,
published in _Proceedings of the International Conference on
Communications_. He had another paper on a similar thing, BayeShield:
Conversational Anti-Phishing User Interface, in the _Proceedings of the
Symposium on Usable Privacy and Security_. If you're concerned about
this stuff, read Peter's original papers: don't trust my own memory!)