Security usability: Difference between revisions
(Add case study) |
(→Case study: Key loss: Done) |
||
Line 32: | Line 32: | ||
== Case study: Installing programs == | == Case study: Installing programs == | ||
TODO, windows, linux, android, etc | TODO, windows, linux, android, etc | ||
== Case study: Passwords and accounts == | |||
== Case study: Key verification == | == Case study: Key verification == | ||
Line 55: | Line 57: | ||
== Case study: Key loss == | == Case study: Key loss == | ||
The effect of losing your key varies between applications. | |||
Some impacts it can have are: | |||
* Needing to do verifications again (a few or many) | |||
* Loss of service, for example with signing keys | |||
* Loss of data, for example with disk encryption | |||
* Loss of financial money, for example with cryptocurrencies | |||
Unfortunately humans lose keys a lot, mainly because it takes effort to avoid losing them. | |||
== Case study: Key compromise == | == Case study: Key compromise == |
Revision as of 10:00, 2 March 2022
This is a WIP page, come back later.
This is a quick page on my feelings towards security and how most security software fails to be usable.
Background
Recently I read the article F-Droid: how is it weakening the Android security model? which provides a critique of F-Droid's security model and recommends people use Google Play Store.
The GrapheneOS developers provided similar critique but it contains numerous uncorrected errors. Instead of correcting this information they have chosen to threaten SylvieLorxu with legal action for pointing out these mistakes. I strongly recommend reconsidering any trust towards GrapheneOS and its developers given their priorities shown here.
Usability
When you look at the current state of open source you tend to see two things:
- Security software is near perfect, able to prevent attacks from state actors
- People don't use the security software correctly
There's generally two places you could blame for this:
- Developers for making unusable software
- Users for using software incorrectly
In recent years the latter camp of blaming the user has died down given it's not very actionable to solve.
People have predictable patterns when it comes to usability:
- Pick the easiest way to accomplish a task
- Become complacent and skip tasks
- Do things wrong
- Fail at impossible tasks
Any process that humans interact with have to account for these patterns and lower risk to an acceptable level.
Case study: Installing programs
TODO, windows, linux, android, etc
Case study: Passwords and accounts
Case study: Key verification
I've used and use a lot of open source security software.
Here's a quick list of the best examples of modern security I can think of:
- OpenSSH
- Tor and its hidden services
- Matrix
All of these rely on users verifying keys in order to get any sane security guarantee.
There are a few ways to do this:
- Skip verifying the key
- Send the key using another communication service or method
- Ask for the key from someone you trust
- Meet the person in real life and exchange the key directly
- Verifying the key incorrectly
If I had to guess which method is the most common, it's skipping verification. This is the option I pick all the time now for two simple reasons: It's easy, and it's reliable.
Case study: Key loss
The effect of losing your key varies between applications.
Some impacts it can have are:
- Needing to do verifications again (a few or many)
- Loss of service, for example with signing keys
- Loss of data, for example with disk encryption
- Loss of financial money, for example with cryptocurrencies
Unfortunately humans lose keys a lot, mainly because it takes effort to avoid losing them.
Case study: Key compromise
TODO
Trust
security is a software problem to a social issue
libertarian threat model
not how reality works
bitcoin, keys