On 3/18/15 5:54 AM, Daniel Kahn Gillmor wrote:
> On Wed 2015-03-18 03:23:04 -0400, Doug Barton wrote:
>> On 3/17/15 11:03 PM, Daniel Kahn Gillmor wrote:
>>> My composition toolbar currently already has:
>>>
>>> Send | Spelling | Attach | S/MIME | Save
>>
>> Yes, that's the default, and I have those as well (icons and text).
>
> thanks for the reportback, and for the screenshot. I guess i should note that while we have the same buttons in the same layout, our icons are entirely different (i'm running Debian GNU/Linux, i suspect our OS integration packages are involved with these decisions).

Surely. That said, I use all 3 major OS' and none of the icons are fuzzy. :) They feel "not ready for prime-time" to me.

> So it may not be possible for enigmail to ship icons that match everyone's iconsets, without selecting icons from thunderbird's default set.

I'm not sure that's necessary ... a good graphics person could come up with a "least common denominator" button that would fit in with all 3 platforms.

>> They are not necessary to have as part of the compose window itself. The icons for encrypt and sign already change status when those features are enabled. That will serve for your "status" indicator. I experimented with moving those two buttons up to the composition toolbar, and it works ... I attached an example. It would be nice if the icons were a little cleaner and matched the existing style better, but it's a good start. Users for whom this is cramped and do not use S/MIME could simply delete that button.
>
> Alternately, users who do not want the new toolbar can do the customization you just did. That is: start with the beginner mode, and let advanced users customize.

As I said to Patrick, my objection is not about what experts like us can, or cannot do. It's about what the average user will see when they install, and what actions they will be led to by what they see.

>> You listed some good questions, and like you I don't want to get dragged down into arguing them point by point. However they are all questions that new users need to learn the answers to. Putting a shiny button for attaching their public key doesn't aid in that process.
>
> Thanks for not arguing with the questions -- they weren't intended as points for debate, just as a handful of the thousand papercuts that people run into when trying to use these tools for the first time. I think we have a couple choices: (a) we can expect that users learn the answers (and rationales) behind all of these questions before they ever start to use the tool, or (b) we can help them get started and then help them answer these questions later, as they come up.

In your ridiculously limited set of options b is the obvious answer, but I think we draw the line very differently in terms of what they need to know before they start.

> As a community, we seem to have been trying (a) for a long time. And i'm a big fan of it too -- i really really want people to understand the nuances. But we've been failing at getting people to just use the tools, and without users, the tools don't achieve their purpose.

In this line of argument you're assuming that the reason people don't use the tools is the learning curve. I don't think that's true, and I don't think there is a lot of evidence that it's true, if any.
I've done what you've done in the past, sit down with a room full of people and explain to them how PGP works, the barest of fundamentals they need to know in order to get started, and walked through some demo e-mails. I've done this with groups, and I've done it with individuals. I have a near-zero uptake percentage on these presentations. When I ask people later why they aren't using the tools, they give a variety of reasons ... Too hard, Confusing, Weird, No one else I know uses it, etc.

> Enigmail is currently in the middle of a grand experiment at pushing toward (b). I welcome this change.

I could make a very persuasive argument that social engineering isn't enigmail's job. We've already committed to social engineering for the transition to GnuPG 2.x, and now we're doing more social engineering to try and attract new users? This is a very disturbing trend.

>>> Unencrypted mail will be in the clear, just like the many web sites we still use that are in the clear (for routine business communications like http://amazon.com/, for example). Users should know about this.
>>
>> I may regret asking this question, but why? For users who have not explicitly enabled signing and/or encryption what good thing will come from hitting them over the head with the fact that their messages are not signed or encrypted (just like they never have been in the past)?
>
> As said on the chromium proposal about marking HTTP as non-secure: "The goal of this proposal is to more clearly display to users that HTTP provides no data security." I think you're operating from the default assumption that everyone knows from the beginning that networked communications are insecure, and that this should be the default (quiet) state of the UI. I'm not sure most people besides computer security nerds like us really understand that, though maybe some more of them do now, post-Snowden.

Yes, more of them know, AND THEY STILL DON'T CARE. I saw a report on post-Snowden user behavior the other day that said that among people who were knowledgeable about what Snowden is revealing that less than 10% had previously done anything to secure their communication, and less than 30% were doing *anything* new, and the steps they were taking were weak. I apparently didn't even bookmark the page, which I vaguely recall thinking wasn't necessary because it just demonstrated stuff I already knew.
You are making the typical security nerd mistake of thinking that IF PEOPLE ONLY KNEW that their communication was insecure that they would do something about it. But studies and experience have shown over and over again that this is not true at all. People either know that their communication is insecure, and don't care; or they don't know, and don't care after it's pointed out to them.
No amount of making tools easier is going to change that.

Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
_______________________________________________
enigmail-users mailing list
[email protected]
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
