(Recent versions of) TextSecure differ from many other products, in that there is no way to *remember* which contacts you have verified. Moxie thinks this is a usability improvement, but I think it's a security hole.
I don't know of any product that does this. Even SSH remembers which non-verified keys you have implicitly allowed. I'm not saying it will completely invalidate a study, but it will definitely affect things from a user's POV. So, keep it in mind when doing a usability study using TextSecure.

X

On 06/03/14 16:27, Christine Corbett Moran wrote:
> The good news is that you don't need a partnership with an academic versed in experiment and data analysis to run one of these.
>
> The bad news is that it may not generalize between clients.
>
> But if anyone wants a candidate client to do a sort of study like that I suggest TextSecure =)
>
> C
>
> On Thu, Mar 6, 2014 at 5:13 PM, Tony Arcieri <[email protected]> wrote:
>
> > On Thu, Mar 6, 2014 at 4:49 AM, Christine Corbett Moran <[email protected]> wrote:
> >
> > > What we'd need to get started is a list of methods we'd want to test, and some comparisons based on those methods to incorporate in the experiment.
> >
> > I'd like to see more studies like the Cryptocat one:
> >
> > https://blog.crypto.cat/2014/01/cryptocat-at-the-openitp-dc-hackathon/
> >
> > The area of the most confusion — to the point where it made the users feel threatened or panicked — was the user information screens (either for a specific buddy or the user themselves). *Though “fingerprint” is widely known by cryptography and security experts, it is, at the end of the day, jargon*. There were several participants who immediately associated “fingerprint” with a negative connotation (i.e., leaving a fingerprint at a crime scene). Their tone was panicked in asking their questions on this issue, and were unsure of why that information needed to be displayed, and if it was even safe to display. There were a handful of users who understood encryption technology at a very basic level who were not confused by the terminology on this page, but were unsure of what to do with this information.
> >
> > --
> > Tony Arcieri

--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
