[David Strom's Web Informant] Why Johnny still can't encrypt his emails

David Strom david at strom.com
Sun Nov 8 11:29:00 EST 2015


Web Informant, November 8, 2015: Why Johnny still can’t encrypt his emails

As some of you who follow my work know, I have had a long history of using
and complaining about email encryption programs, ever since working with
Marshall Rose on our breakthrough 1998 book on enterprise Internet
messaging. Rose was one of the key innovators of the Internet email
protocols that we still use today, and a wonderful co-author.

Since those dark days, email encryption has certainly gotten better, as I
wrote this past summer when I tested a bunch of products for Network World
<http://www.networkworld.com/article/2948615/security/review-email-encryption-has-gotten-so-much-better-so-you-d-be-crazy-not-to-use-it.html>.
But is it good enough to pass muster with academia? Not yet, at least on
the level of the average undergraduate recruited for a recent academic
paper in the “Johnny Can’t Encrypt” research series.

These papers began in 1999, when a Berkeley computer science team published
the first study based on trying to use PGP v5
<https://www.cs.berkeley.edu/%7Etygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf>.
The research design is very straightforward: pairs of students were asked
to send and decrypt messages back and forth under observation. Few of the
teams were able to complete the task in under 90 minutes. In 2006, another
team at Carnegie Mellon tried again, this time using an Outlook Express
plug-in with PGP v9
<http://www.chariotsfire.com/pub/sheng-poster_abstract.pdf>. They had
better software but less time to complete their tasks, and most eventually
still failed.

And last month, a team at BYU tried again, this time using Gmail and
Mailvelope <http://arxiv.org/pdf/1510.08555.pdf>. They gave their teams 30
minutes, with only one out of ten being able to get the job done. The most
common mistake was encrypting a message with the sender’s public key, a
rookie mistake. There were other user experience issues with the Mailvelope
browser plug-in, and some students were clearly very frustrated and vented
their low opinions of Mailvelope to the researchers.

PGP has been around a long time, since 1991 when it was created by Phil
Zimmermann. Phil is still active in the field, having worked on a newer
series of “Silent” email products. I spoke to another Phil involved with
PGP, Phil Dunkelberger, who ran PGP and now is running a major effort to
spread encryption to the world, Nok Nok Labs. He told me that their
results "weren't surprising, given that they were testing technology that
has its roots in the 1980s. The problem is balancing ease of use with key
management, and products need to focus on solving both issues if they are
going to succeed in the marketplace." While not singling out Mailvelope
specifically, the history of email encryption is filled with other efforts
that have failed because of these fundamental flaws.

I will admit that PGP, in whatever vintage (the current version that I have
used is v10), isn’t the easiest software to use. Since it was sold to
Symantec, it has fallen into disuse and there are a lot of other tools out
there that are better alternatives. I was a bit surprised at all the vitriol
directed at Mailvelope by the BYU students: I gave it a brief spin and it
seemed to work reasonably well. Perhaps I would have chosen Virtru or some
other tool, but the BYU team was looking for a product that was highly
rated by the Electronic Frontier Foundation in their email scorecard posted
here <https://www.eff.org/secure-messaging-scorecard>.

While there are some issues with what EFF is trying to do, overall I like
their scorecard. A big plus is that it shows the multi-layered world of
how to protect your communications. Thanks to Ed Snowden, we are more
sensitive to how we manage our encryption key infrastructure, and also
understand the difference between encrypting the actual message data – the
message body and attachments – versus the metadata contained in each
message, such as subject lines and recipient names. As I wrote this summer,
“encryption has finally come of age, and is appealing to those beyond the
tinfoil-hat set.”

Certainly, we still have a long way to go before encryption will become the
default mechanism for email communications. But today’s tools are certainly
good enough for general use, even by the average undergraduate.

Comments, either encrypted or not, are always welcome here:
http://blog.strom.com/wp/?p=5072