SoK: Why Johnny Can't Fix PGP Standardization
Pretty Good Privacy (PGP) has long been the primary IETF standard for
encrypting email, but suffers from widespread usability and security problems
that have limited its adoption. As time has marched on, the underlying
cryptographic protocol has fallen out of date insofar as PGP is unauthenticated
on a per message basis and compresses before encryption. There have been an
increasing number of attacks on the increasingly outdated primitives and
complex clients used by the PGP ecosystem. However, attempts to update the
OpenPGP standard have failed at the IETF except for adding modern cryptographic
primitives. Outside of official standardization, Autocrypt is a "bottom-up"
community attempt to fix PGP, but still falls victim to attacks on PGP
involving authentication. The core reason for the inability to "fix" PGP is the
lack of a simple AEAD interface which in turn requires a decentralized public
key infrastructure to work with email. Yet even if standards like MLS replace
PGP, the deployment of a decentralized PKI remains an open issue.
Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study
Passwords are still a mainstay of various security systems, as well as the
cause of many usability issues. For end-users, many of these issues have been
studied extensively, highlighting problems and informing design decisions for
better policies and motivating research into alternatives. However, end-users
are not the only ones who have usability problems with passwords! Developers
who are tasked with writing the code by which passwords are stored must do so
securely. Yet history has shown that this complex task often fails due to human
error with catastrophic results. While an end-user who selects a bad password
can have dire consequences, the consequences of a developer who forgets to hash
and salt a password database can lead to far larger problems. In this paper we
present a first qualitative usability study with 20 computer science students
to discover how developers deal with password storage and to inform research
into aiding developers in the creation of secure password systems.
Friedrich Maximilian Klinger in his relation to the Romantic movement
Thesis (M.A.)--University of Illinois, 1918. Typescript. Includes bibliographical references (leaves 43-45).
Making Mac Listen: A Voice Recognition Toolkit for Macintosh Applications
Commercial products now exist for the Macintosh which can perform recognition of discrete utterances for a set of pre-trained words. The question arises of how this capability might be integrated into and used within an application. In particular, how we might integrate such capabilities into an application without radical redesign, while maintaining its original non-voice capabilities and appearance to the user. We have developed and implemented a toolkit in Macintosh Common Lisp which can be used with any voice recognition product capable of generating an AppleEvent with a recognized utterance as a string parameter. The toolkit is a package consisting of centralized processing code and a set of specialized versions of standard MCL user-interface objects, such as windows, buttons and other dialog items. Integrating the toolkit into an application allows the user to refer to any on-screen object by a sufficient subset of its text label, causing the object to respond as if it had bee..
Usability of security: A case study
Human factors are perhaps the greatest current barrier to effective computer security. Most security mechanisms are simply too difficult and confusing for the average computer user to manage correctly. Designing security software that is usable enough to be effective is a specialized problem, and user interface design strategies that are appropriate for other types of software will not be sufficient to solve it. In order to gain insight and better define this problem, we studied the usability of PGP 5.0, which is a public key encryption program mainly intended for email privacy and authentication. We chose PGP 5.0 because it has a good user interface by conventional standards, and we wanted to discover whether that was sufficient to enable non-programmers who know little about security to actually use it effectively. After performing both user testing and a cognitive walkthrough analysis, we conclude that PGP 5.0 is not sufficiently usable to provide effective security for most users. In the course of our study, we developed general principles for evaluating the usability of computer security utilities and systems. This study is of interest not only because of the conclusions that we reach, but also because it can serve as an example of how to evaluate the usability of computer security software.