25 research outputs found

    Dead on Arrival: Recovering from Fatal Flaws in Email Encryption Tools

    Background. Since Whitten and Tygar’s seminal study of PGP 5.0 in 1999, there have been continuing efforts to produce email encryption tools for adoption by a wider user base, where these efforts vary in how well they consider the usability and utility needs of prospective users. Aim. We conducted a study aiming to assess the user experience of two open-source encryption software tools – Enigmail and Mailvelope. Method. We carried out a three-part user study (installation, home use, and debrief) with two groups of users using either Enigmail or Mailvelope. Users had access to help during installation (installation guide and experimenter with domain-specific knowledge), and were set a primary task of organising a mock flash mob using encrypted emails in the course of a week. Results. Participants struggled to install the tools – they would not have been able to complete installation without help. Even with help, setup time was around 40 minutes. Participants using Mailvelope failed to encrypt their initial emails due to usability problems. Participants said they were unlikely to continue using the tools after the study, indicating that their creators must also consider utility. Conclusions. Through our mixed study approach, we conclude that Mailvelope and Enigmail had too many software quality and usability issues to be adopted by mainstream users. Methodologically, the study made us rethink the role of the experimenter as that of a helper assisting novice users with setting up a demanding technology

    EARMARKED UTXO FOR ESCROW SERVICES AND TWO-FACTOR AUTHENTICATION ON THE BLOCKCHAIN

    The security of accounts on the blockchain relies on securing private keys, but they are often lost or compromised due to loopholes in key management strategies or due to human error. With an increasing number of thefts in the last few years due to compromised wallets, the security of digital currency has become a significant concern, and no matter how sophisticated and secure mechanisms are put in place to avoid the security risks, it is impossible to achieve a 100% human compliance. This project introduces a novel concept of Earmarked Unspent Transaction Outputs (EUTXOs). EUTXOs enable every user on the blockchain to lock their funds to be spendable only to a designated set of users, even if the private key gets compromised. We validate the utility of EUTXOs by using it to implement an Escrow service in the blockchain to overcome the limitations introduced by traditional Escrow services. We also implement decentralized two-factor authentication (2FA) on the blockchain using EUTXOs and discuss the tradeoffs of this design

    Obstacles to the Adoption of Secure Communication Tools

    The computer security community has advocated widespread adoption of secure communication tools to counter mass surveillance. Several popular personal communication tools (e.g., WhatsApp, iMessage) have adopted end-to-end encryption, and many new tools (e.g., Signal, Telegram) have been launched with security as a key selling point. However, it remains unclear if users understand what protection these tools offer, and if they value that protection. In this study, we interviewed 60 participants about their experience with different communication tools and their perceptions of the tools' security properties. We found that the adoption of secure communication tools is hindered by fragmented user bases and incompatible tools. Furthermore, the vast majority of participants did not understand the essential concept of end-to-end encryption, limiting their motivation to adopt secure tools. We identified a number of incorrect mental models that underpinned participants' beliefs

    ANALYSIS OF THE FACTORS AFFECTING THE LEVEL OF USE OF E-MAIL SECURITY SYSTEMS IN INDONESIA

    Abstract. In today's digital era, e-mail security systems play a vital role in preserving the authenticity and confidentiality of the messages sent. However, so far few individuals or companies use them, which opens the way for cybercrime attacks involving e-mail such as spoofing, phishing and message interception. This study aims to investigate the factors behind the low level of use of encryption and digital signature features in e-mail, and then to offer a number of recommendations that can be applied to increase the use of those features. The survey and analysis are limited to students, professionals and IT users in Indonesia who are accustomed to using e-mail in their daily activities. This study uses an exploratory survey research approach, in which the researcher conducts a literature study to determine the factors to be examined, and then carries out a survey and statistical analysis to investigate further the influence of those factors on the low level of use of e-mail security systems. The results of this study are expected to increase the use of the security features found in e-mail security systems, to increase trust in the security of communication via e-mail, and to serve as a reference for future research and design, in general in the field of Information Technology security and in particular in the analysis and design of e-mail security systems that can be used effectively by e-mail users. Keywords: Encryption, e-mail security system, awareness raising, survey, digital signature, level of system use, usabilit

    Rule-based conditional trust with OpenPGP.

    This thesis describes a new trust model for OpenPGP encryption. This trust model uses conditional rule-based trust to establish key validity and trust. This thesis describes Trust Rules that may be used to sort and categorize keys automatically without user interaction. Trust Rules are also capable of integrating key revocation status into their calculations so it too is automated. This thesis presents that conditional trust established through Trust Rules can enforce stricter security while reducing the burden of use and automating the process of key validity, trust, and revocation

    A framework for the lived experience of identity

    This paper presents a framework for the design of human-centric identity management systems. Whilst many identity systems over the past few years have been labelled as human-centred, we argue that the term has been appropriated by technologists to claim moral superiority of their products, and by system owners who confuse administrative convenience with benefits for users. The framework for human-centred identity presented here identifies a set of design properties that can impact the lived experience of the individuals whose identity is being managed. These properties were identified through an analysis of public response to 15 historic national identity systems. They capture the practical design aspects of an identity system, from structural aspects that affect the flow of information—Control Points, Subject Engagement, Identity Exposure, Population Coverage—to the metrical aspects that consider how information is used and perceived—Expert Interpretation, Population Comprehension, Information Accuracy, Information Stability, Subject Coupling, Information Polymorphism. Any identity system can be described in terms of these fundamental properties, which affect individuals’ lived experience, and therefore help to determine the acceptance or rejection of such systems. We first apply each individual property within the context of two national identity systems—the UK DNA Database and the Austrian Citizen Card, and then also demonstrate the applicability of the framework within the contexts of two non-government identity platforms—Facebook and Phorm. Practitioners and researchers would make use of this framework by analysing an identity system in terms of the various properties, and the interactions between these properties within the context of use, thus allowing for the development of the potential impacts that the system has on the lived experience