I'll echo what Trevor says here; I think broader studies would absolutely also be useful given resources and interest. The area in which I've found someone with experience and interest (and the area that piques my personal interest) is information representation, an issue which has been a large component of the thread. Given that, we can begin to address this in parallel with other important questions deserving of research.
Christine

On Tue, Mar 11, 2014 at 6:33 PM, Trevor Perrin <[email protected]> wrote:
>
> On Tue, Mar 11, 2014 at 3:33 AM, Tony Arcieri <[email protected]> wrote:
>>
>> I feel like solutions that rely on manual verification of key fingerprints
>> fall into this category:
>>
>> http://i.imgur.com/2bEWKNS.png
>>
>> I don't think these solutions are providing effective security. I feel we
>> need to start from the real needs of real users, and work backwards.
>
> How fingerprints fit into an overall secure-comms UI is a good question.
>
> I agree that asking users to compare fingerprints routinely is a bad idea.
> Automating authentication (e.g. "trust-on-first-use", key servers) will be
> better for most users most of the time.
>
> But anything automated breaks down occasionally (the TOFU key has changed -
> what do you?), and requires assumptions not every user will be comfortable
> with (might a MITM have been present in first contact? do I trust the key
> server?).
>
> So being able to manually verify fingerprints comes in handy, and has been a
> part of crypto UIs for a long time (PGP, SSH, OTR, TextSecure, CryptoCat,
> etc.). Since there's almost no UI research here it seems reasonable to look
> into it and try to establish some best practices.
>
>> One can propose a study for optimum time-based fingerprint verification
>> and study fingerprint accuracy, but are fingerprints even a good idea? I
>> feel that's where you need to start with any sort of usability study.
>
> Christine is talking to a researcher with specific experience in usability
> studies of information representation.
>
> Broader studies would of course be worthwhile too, if someone wanted to
> volunteer resources for that.
>
> Trevor
