First steps with GPG, am I off to a good start?

Robert J. Hansen rjh at sixdemonbag.org
Sat Oct 12 05:59:55 CEST 2013


On 10/11/2013 10:47 PM, Doug Barton wrote:
> Twenty years of experience shows us that it's a lost cause.

(Please don't read this as disagreement with Doug.  Rather violent
agreement, in fact...)

I have told this story several times on-list: apparently it's time to
tell it again.

=====

Some years ago during grad school, my colleague Peter Likarish came up
with an interesting phishing-detection technology.  He turned it into a
Firefox plugin.  Whenever the engine thought you were on a phishing site
it would put a small red banner over the top of the page with text
reading, "This may be a phishing site."

During human trials he got a number of "real users" to experiment with
his plugin in a controlled laboratory environment.  Amazingly, despite
his detection engine working perfectly not one single user managed to
avoid giving data to a (simulated) phishing site.

Peter figured the problem was the banner was too unobtrusive.  In
version 2 the banner would start off as a thin ribbon over the top of
the page and would gradually grow until it took up about a third of the
page.  If the user clicked a "Dismiss" button the ribbon would vanish.
In the next round of human trials the clear majority of users clicked
"Dismiss", and yet not one single user managed to avoid giving data to a
simulated phishing site.

Finally, Peter did one-on-one guided walkthroughs of the plugin.  He
would sit there beside a user, watch, and ask questions directly as the
user was doing actions.  The first time someone clicked "Dismiss," he
asked, "So what did that banner say?"

"I dunno," the user answered with a shrug.  "I don't read Flash ads."

=====

There are two types of people on this list: the ones who know that on
some level they're Real Users just like everyone else, and the ones who
believe they're part of some anointed geek elite that's immune to such
pedestrian mistakes and thereby have just made a Real User mistake.

We literally cannot make GnuPG simple enough.  The more we use
agreed-upon default behavior, the fewer opportunities there are for us
to go all Real User on ourselves.

> PGP is simply too hard for "average" computer users.

My only objection here is the use of the word 'average'.

> So whether either of us like it or not, any plan that requires users
> to refresh their key rings for it to work is simply impractical.

More than that: if the enforcement of *your* security model ("I've got
an expiration date in order to...") depends on *other people*
cooperating with it, then you don't have a security mechanism at all.

I have a security model: my email should not be read in transit.  I'm
cheerfully depending on all parties interested in my email to understand
this and to respect my policy and help me enforce it by cooperating and
voluntarily choosing to not read my email.

Sounds kind of silly, no?

My key expirations should be respected.  I'm cheerfully depending on all
parties who use my keys to understand this and to respect my policy and
help me enforce it by cooperating and voluntarily choosing to refresh my
key at periodic intervals.

It's the same thing, and the same level of silliness.

> Robert's right

And I am enough of an egotistical S.O.B. to love hearing this.  :)
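The point about expiration above is that a correspondent's keyring only reflects what it held at the last refresh. As an added example (not code from the original post or from GnuPG), here is a small parser for the machine-readable `gpg --with-colons --list-keys` format that reports which locally held keys are revoked, expired, or about to expire. The listing, key IDs and user IDs are constructed for this example; nothing here contacts a keyserver, so the result is exactly the local, possibly stale, view the post describes.

```python
"""Flag keys in a local GnuPG keyring that are revoked, expired, or nearly expired,
working only from the colon-separated listing that `gpg --with-colons --list-keys`
prints.  Everything reported is the *local* view: a revocation or a changed
expiration that the owner published after the last refresh is invisible here."""
from datetime import datetime, timedelta, timezone

# Constructed sample of `gpg --with-colons --list-keys` output (placeholder key IDs,
# example.invalid addresses).  In a pub record field 2 is validity ('u' ultimate,
# '-' unknown, 'e' expired, 'r' revoked), field 5 the key ID, field 6 creation time
# and field 7 expiration time (epoch seconds; older gpg prints YYYY-MM-DD).
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:2048:1:0000000000000001:1500000000:1800000000::u:::scESC::::::23::0:
uid:u::::1500000000::HASH1::Example Owner <owner@example.invalid>::::::::::0:
sub:u:2048:1:0000000000000002:1500000000:1800000000:::::e::::::23:
pub:e:2048:1:0000000000000003:1400000000:1650000000::-:::scESC::::::23::0:
uid:e::::1400000000::HASH2::Stale Correspondent <stale@example.invalid>::::::::::0:
pub:r:4096:1:0000000000000004:1450000000:::-:::scESC::::::23::0:
uid:r::::1450000000::HASH3::Revoked Correspondent <revoked@example.invalid>::::::::::0:
pub:-:2048:1:0000000000000005:1600000000:1701000000::-:::scESC::::::23::0:
uid:-::::1600000000::HASH4::Soon Expiring <soon@example.invalid>::::::::::0:
"""

# Fixed "current time" so the classification below is reproducible (constructed).
NOW = datetime.fromtimestamp(1700000000, tz=timezone.utc)


def _parse_time(field):
    """Convert a gpg timestamp field to an aware datetime, or None if empty."""
    if not field:
        return None
    if "-" in field:  # older gpg versions print ISO dates instead of epoch seconds
        return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_pub_records(listing):
    """Return one dict per primary key: key ID, validity flag, dates and user IDs."""
    records = []
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = {
                "keyid": fields[4],
                "validity": fields[1],
                "created": _parse_time(fields[5]),
                "expires": _parse_time(fields[6]),
                "uids": [],
            }
            records.append(current)
        elif fields[0] == "uid" and current is not None:
            current["uids"].append(fields[9])  # field 10 is the user ID string
    return records


def classify(records, now, warn_days=30):
    """Map each key ID to 'revoked', 'expired', 'expiring' or 'ok' as seen locally."""
    statuses = {}
    for rec in records:
        expires = rec["expires"]
        if rec["validity"] == "r":
            status = "revoked"
        elif rec["validity"] == "e" or (expires is not None and expires <= now):
            status = "expired"
        elif expires is not None and expires - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        statuses[rec["keyid"]] = status
    return statuses


if __name__ == "__main__":
    records = parse_pub_records(SAMPLE_LISTING)
    for rec, status in zip(records, classify(records, NOW).values()):
        print(f"{rec['keyid']}  {status:9}  {rec['uids'][0] if rec['uids'] else ''}")
```

Feeding this the real listing (`gpg --with-colons --list-keys`) only tells you what your keyring believed at its last update; a key the owner revoked or shortened yesterday still shows as `ok` until `gpg --refresh-keys` (or an import of the new certificate) replaces the local copy, which is precisely why the post treats expiration as a mechanism that depends on other people's cooperation.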
