Testing the Usability of PGP Encryption Tools
“Why Johnny Still, Still Can’t Encrypt: Evaluating the Usability of a Modern PGP Client,” by Scott Ruoti, Jeff Andersen, Daniel Zappala, and Kent Seamons.
Abstract: This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt to use Mailvelope to communicate with each other. Our results show that more than a decade and a half after Why Johnny Can’t Encrypt, modern PGP tools are still unusable for the masses. We finish with a discussion of pain points encountered using Mailvelope, and discuss what might be done to address them in future PGP systems.
I have recently come to the conclusion that e-mail is fundamentally unsecurable. The things we want out of e-mail, and an e-mail system, are not readily compatible with encryption. I advise people who want communications security to not use e-mail, but instead use an encrypted message client like OTR or Signal.
Required • November 12, 2015 2:43 PM
I have recently come to the conclusion that e-mail is fundamentally unsecurable.
That seems wrong. Fundamentally and from a user’s point of view, emails are arbitrary text data with an arbitrary text subject you can send and receive asynchronously.
Everything else is implementation details.
There is nothing making this fundamentally harder to secure than instant messages; it may be even easier thanks to the relaxed synchronicity requirement.