DOI: 10.1145/1073001.1073003

Article

Johnny 2: a user test of key continuity management with S/MIME and Outlook Express

Published: 06 July 2005

Abstract

Secure email has struggled with significant obstacles to adoption, among them the low usability of encryption software and the cost and overhead of obtaining public key certificates. Key continuity management (KCM) has been proposed as a way to lower these barriers to adoption, by making key generation, key management, and message signing essentially automatic. We present the first user study of KCM-secured email, conducted on naïve users who had no previous experience with secure email. Our secure email prototype, CoPilot, color-codes messages depending on whether they were signed and whether the signer was previously known or unknown. This interface makes users significantly less susceptible to social engineering attacks overall, but new-identity attacks (from email addresses never seen before) are still effective. Also, naïve users do use the Sign and Encrypt button on the Outlook Express toolbar when the situation seems to warrant it, even without explicit instruction, although some falsely hoped that Encrypt would protect a secret message even when sent directly to an attacker. We conclude that KCM is a workable model for improving email security today, but work is needed to alert users to "phishing" attacks.
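The abstract describes the core KCM decision: is the message signed, and if so, does the signing key match what was previously seen for that sender? The following is an added example (not code from the paper or the CoPilot prototype, which worked on S/MIME certificates inside Outlook Express) that implements that trust-on-first-use classification over a constructed sequence of messages. The message structure, the SHA-256 key fingerprint, the category names and the sample senders and keys are all assumptions made here. It also shows why the "new-identity attack" the abstract warns about passes through: a never-seen address with a fresh key is indistinguishable, to KCM alone, from a legitimate newcomer.

```python
"""Key continuity management (KCM) classifier, in the spirit of the
CoPilot prototype described in the abstract. Added example: the message
format, fingerprint scheme and category names are assumptions, not the
paper's own code.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Categories a KCM-aware mail client would colour-code (names assumed).
UNSIGNED = "unsigned"            # no signature at all
KNOWN = "signed-known"           # same key as every earlier message from this sender
NEW_IDENTITY = "signed-new"      # sender address never seen before (first use)
KEY_CHANGED = "signed-changed"   # known sender, but the signing key differs


@dataclass
class Message:
    sender: str                         # From: address
    body: str
    signing_key: Optional[bytes] = None  # signer's public key bytes; None if unsigned


def fingerprint(key: bytes) -> str:
    """Stable identifier for a public key (SHA-256 hex, assumed scheme)."""
    return hashlib.sha256(key).hexdigest()


@dataclass
class KeyContinuityStore:
    """Trust-on-first-use store: sender address -> pinned key fingerprint."""
    pinned: Dict[str, str] = field(default_factory=dict)

    def classify(self, msg: Message) -> str:
        if msg.signing_key is None:
            return UNSIGNED
        fp = fingerprint(msg.signing_key)
        previous = self.pinned.get(msg.sender)
        if previous is None:
            # First message from this address: nothing to compare against.
            # KCM pins the key so later changes are detectable, but cannot
            # tell a legitimate newcomer from an attacker using a fresh address.
            self.pinned[msg.sender] = fp
            return NEW_IDENTITY
        if previous == fp:
            return KNOWN
        # Key differs from the pinned one: do NOT silently re-pin.
        # The user (or policy) has to accept the new key explicitly.
        return KEY_CHANGED

    def accept_new_key(self, msg: Message) -> None:
        """Explicitly re-pin after a KEY_CHANGED verdict has been reviewed."""
        if msg.signing_key is not None:
            self.pinned[msg.sender] = fingerprint(msg.signing_key)


def demo() -> List[str]:
    """Classify a constructed message sequence; returns the verdict per message."""
    store = KeyContinuityStore()
    alice_key = b"-----constructed public key of alice-----"
    attacker_key = b"-----constructed public key of attacker-----"
    sequence = [
        Message("alice@example.com", "hello", alice_key),          # first contact
        Message("alice@example.com", "follow-up", alice_key),      # same key
        Message("alice@example.com", "send the report", attacker_key),  # forged, new key
        Message("alice@example.com", "send the report"),           # forged, unsigned
        Message("alice.newaddr@example.com", "it's me, new address", attacker_key),  # new identity
    ]
    return [store.classify(m) for m in sequence]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth message shows what KCM buys over no signing at all: an impersonation of a known address that is not signed with the pinned key is flagged rather than displayed like the sender's earlier mail. The fifth message is the residual weakness the abstract measured: the store has no history for the new address, so the verdict is the same one a genuine first contact would receive, and only the user's judgement separates them.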


Published In

SOUPS '05: Proceedings of the 2005 Symposium on Usable Privacy and Security
July 2005
123 pages
ISBN: 1595931783
DOI: 10.1145/1073001
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 06 July 2005


Author Tags

1. Usability
2. e-commerce
3. user interaction design
4. user studies

Acceptance Rates

Overall Acceptance Rate: 15 of 49 submissions, 31%

Cited By

• (2023) Uncovering Impact of Mental Models towards Adoption of Multi-device Crypto-Wallets. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3153-3167. DOI 10.1145/3576915.3623218. Online publication date: 15-Nov-2023.
• (2022) Sigstore. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2353-2367. DOI 10.1145/3548606.3560596. Online publication date: 7-Nov-2022.
• (2022) 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. 2022 IEEE Symposium on Security and Privacy (SP), pp. 860-875. DOI 10.1109/SP46214.2022.9833755. Online publication date: May-2022.
• (2022) Email Security: S/MIME. Guide to Internet Cryptography, pp. 401-430. DOI 10.1007/978-3-031-19439-9_17. Online publication date: 26-Nov-2022.
• (2022) Work in Progress: Can Johnny Encrypt E-Mails on Smartphones? Socio-Technical Aspects in Security, pp. 182-193. DOI 10.1007/978-3-031-10183-0_9. Online publication date: 14-Jul-2022.
• (2021) Usability of End-to-End Encryption in E-Mail Communication. Frontiers in Big Data, vol. 4. DOI 10.3389/fdata.2021.568284. Online publication date: 14-Jul-2021.
• (2021) User Perceptions of Gmail's Confidential Mode. Proceedings on Privacy Enhancing Technologies, 2022:1, pp. 187-206. DOI 10.2478/popets-2022-0010. Online publication date: 20-Nov-2021.
• (2021) The Motivated Can Encrypt (Even with PGP). Proceedings on Privacy Enhancing Technologies, 2021:3, pp. 49-69. DOI 10.2478/popets-2021-0037. Online publication date: 27-Apr-2021.
• (2021) Let's Create! Automated Certificate Management for End-users. 2021 International Conference on Software, Telecommunications and Computer Networks (SoftCOM), pp. 1-6. DOI 10.23919/SoftCOM52868.2021.9559103. Online publication date: 23-Sep-2021.
• (2021) From Secure to Military-Grade. Proceedings of the 20th Workshop on Privacy in the Electronic Society, pp. 119-135. DOI 10.1145/3463676.3485602. Online publication date: 15-Nov-2021.
