GuiGui's Show - Liens
« This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt to use Mailvelope to communicate with each other. Our results show that more than a decade and a half after Why Johnny Can’t Encrypt, modern PGP tools are still unusable for the masses.
We finish with a discussion of pain points encountered using Mailvelope, and discuss what might be done to address them in future PGP systems.
[...]
Demographics
We recruited Gmail users for our study at a local university. Participants were two-thirds male: male (13; 65%), female (7; 35%). Participants skewed young: 18 – 24 years old (18; 90%), 25 – 34 years old (2; 10%). We distributed posters broadly across campus to avoid biasing our results to any particular major. All participants were university students, with the majority being undergraduate students: undergraduate students (17; 85%), graduate students (3; 15%).
[...]
During the study, participants were asked to role-play a scenario regarding completing taxes. Participant A was told they needed Participant B’s help with filing taxes. Participant A was also told that since they were sending sensitive information (e.g., SSN) they should encrypt this information using Mailvelope. Participant B was told to wait for his friend to send him the necessary sensitive information (e.g., SSN). Once Participant B had received this information, he was instructed to use Mailvelope to respond to Participant A with a confirmation code (encrypted using Mailvelope) to conclude the task.
After the instructions were given, Participant A was provided with the Mailvelope website and instructed to begin the task. While participants waited for email from each other, they were told that they could browse the Internet, use their phones, or engage in other similar activities. This was done to provide a more natural setting for the participants, as well as to avoid frustration if participants had to wait for an extended period of time while their friends figured out how to use Mailvelope.
[...]
Of the ten participant pairs, nine were unable to successfully complete the task. In two of the nine pairs, Participant A never figured out how to use Mailvelope to send any message. In another two pairs, Participant B was completely mystified by the encrypted PGP email and was unaware that they needed to install Mailvelope to read the message. Only one of the nine pairs actually traded public keys, though this pair was still confused about what to do after sharing their public keys.
The one pair that did complete the task required the full forty-five minutes to do so. The successful pair was unique in that they were the only pair of participants where one of the participants had previously learned about public key cryptography. It is likely that this heavily influenced their ability to finish within the time limit.
[...]
Mistakes
All participant pairs made mistakes. The most common mistake was encrypting a message with the sender’s public key. This occurred for seven of the participant pairs, including for the participant pair that was eventually successful. Three of the participant pairs generated a key pair with their friend’s information, and then tried to use that public key to encrypt their message. One participant modified the PGP block after encryption (while still in the PGP compose window), adding their sensitive information to the area before the PGP block. Finally, one participant eventually exported his private key and sent it along with his keyring password to his friend so that his friend could decrypt the message he had received. In this case, even though the participants had transmitted the required information, they were informed that they needed to try some more and accomplish the task without sending the private key.
[...]
Mailvelope clearly failed to help the majority of participants encrypt their email. All participants expressed frustration with Mailvelope, with the most comical expression of this frustration coming from M3A: “Imagine the stupidest software you would ever use, and that was what I was doing.” The difficulty also led several participants to indicate that in the real world they would have given up trying to use Mailvelope long before they did during the study. For example, M3A also said, “After five minutes, I would have just given up and called.”
[...]
Nearly all participants indicated that they wished Mailvelope had provided instructions that were integrated with the Mailvelope software, and would walk them through, step-by-step, in setting up Mailvelope and sending their first encrypted email.
[...]
The only participant pair that successfully completed the study task likely did so because one of the participants in the pair had previous knowledge related to public key cryptography. Additionally, the only other pair that made progress did so because they realized that they needed each other’s public keys, but even that pair did not know how to then use those shared public keys. For the remaining eight participant pairs, the post-study interview made it clear that they did not understand how public and private keys were used. To help address this, a simple explanation of PGP needs to be created that is accessible to the masses. »
An interesting study, even if:
* It focuses only on Mailvelope;
* The panel is not very representative (male university students aged 18-25, all from the same university...). At crypto-parties I have seen people of very advanced age who were more resourceful and had understood Enigmail and the underlying crypto principles, while future engineers in their 4th year of a computer-science engineering school were struggling, so well...
Note that crypto-parties and OpenPGP Boxes (cardboard boxes used to explain asymmetric crypto and a few concepts of encrypted email, such as the fact that the subject line is not encrypted; see
https://github.com/shiromarieke/shiro_tutorials/blob/master/gpgboxENG.pdf) have a future: knowledge of asymmetric crypto gave one pair in this study an unmatched advantage!
It confirms that the masses are waiting for a miracle solution that is secure, easy to use and can be picked up immediately... That looks like a Zooko's triangle; we are not there yet. :S Caliopen seems to be on the right track, since the premise the project is built on is confirmed: nobody wants to spend more than 5 minutes securing their communications... So interest has to be created through a grading/game system...
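The most common mistake in the paper's "Mistakes" excerpt, encrypting with the sender's own public key, is exactly the asymmetric-crypto concept the OpenPGP Box tries to teach. The toy below, added here and not taken from the paper or from Mailvelope, uses textbook RSA on small integers (no padding, not for real use) to show why Bob cannot read a message Alice encrypted to her own key; the `bob_reads` helper and the SSN value are constructed for the illustration.

```python
# Toy RSA illustrating the key mix-up from the Mailvelope study.
# Constructed teaching example: textbook RSA with no padding and small
# keys, NOT Mailvelope's OpenPGP code and NOT safe for real use.
import random

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def generate_keypair(bits=64):
    """Return (public, private) as ((n, e), (n, d)); e is the usual 65537."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def bob_reads(alice_pub, bob_pub, bob_priv, ssn, encrypt_to_self):
    """Alice sends her SSN to Bob; the study's common error was picking her own key."""
    key = alice_pub if encrypt_to_self else bob_pub
    return decrypt(bob_priv, encrypt(key, ssn))
```

Only the ciphertext made with Bob's public key decrypts to the SSN under Bob's private key; the one made with Alice's key comes out as garbage for him, which is what the confused pairs saw.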
Via https://twitter.com/aeris22/status/665100132183105536