July 25, 2008
A User Study of Off-the-Record Messaging
Interesting summary of a user study on Off-the-Record (OTR) messaging security:
“By default OTR initiates encryption automatically, so nobody had problems getting the crypto going. Participants did, however, have trouble authenticating one another. The most common first attempt was to press the OTR button, but this does not actually authenticate a session (it actually rekeys the session). The next step was commonly to click the injected ‘authenticate’ link provided in the IM window, which brings the user to a help page. Unfortunately, this did not actually help any participants because it did not say to ‘right-click’. Many users just looked at the images on the help page, which unfortunately led to authentication errors because there is an image of ‘how not to authenticate’ pictured before one describing how to do it properly.
“Two participants tried to perform the ‘old style’ authentication, which led to much confusion as one buddy had thought they were verified while the other was not because the fingerprint verification method is one-way and must be performed on each side of the connection.”
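The two points the study raises are easy to mis-model: pressing the OTR button produces fresh session keys but changes nothing about trust, and fingerprint verification is a per-side decision, so one buddy can be "verified" while the other is not. The following is an added example, written for this post and not code from the study or from the OTR project; it models those two states in Python. It assumes OTR's fingerprint display format (SHA-1 of the serialized long-term public key, shown as five groups of eight hex digits); the `Peer`, `rekey` and `mutually_authenticated` names and the public-key byte strings are constructed stand-ins, not real DSA keys.

```python
import hashlib
import os
from dataclasses import dataclass, field


def otr_fingerprint(pubkey_bytes: bytes) -> str:
    """OTR shows the SHA-1 of the serialized long-term public key as
    five groups of eight hex digits (40 hex characters in total)."""
    digest = hashlib.sha1(pubkey_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


@dataclass
class Peer:
    name: str
    pubkey: bytes                      # constructed stand-in for a DSA public key
    verified: set = field(default_factory=set)  # fingerprints THIS side has checked
    session_key: bytes = b""           # current (ephemeral) session key

    def fingerprint(self) -> str:
        return otr_fingerprint(self.pubkey)

    def verify(self, other: "Peer", fingerprint_read_out_of_band: str) -> bool:
        """Compare a fingerprint obtained over a trusted channel (phone, in person)
        against the one the client shows for `other`. A match records trust on
        this side only; the other side knows nothing about it."""
        if fingerprint_read_out_of_band != other.fingerprint():
            return False
        self.verified.add(other.fingerprint())
        return True

    def trusts(self, other: "Peer") -> bool:
        return other.fingerprint() in self.verified


def rekey(a: Peer, b: Peer) -> None:
    """Model of the OTR button: both sides get a fresh session key, but the
    verification sets are untouched, so this does not authenticate anyone."""
    fresh = os.urandom(16)
    a.session_key = fresh
    b.session_key = fresh


def mutually_authenticated(a: Peer, b: Peer) -> bool:
    """Only true once each side has independently verified the other."""
    return a.trusts(b) and b.trusts(a)


def demo():
    alice = Peer("alice", b"constructed-alice-dsa-pubkey")
    bob = Peer("bob", b"constructed-bob-dsa-pubkey")

    rekey(alice, bob)
    after_rekey = mutually_authenticated(alice, bob)       # False: rekeying is not auth

    # A mistyped fingerprint (last character wrong) must be rejected.
    wrong = bob.fingerprint()[:-1] + ("0" if bob.fingerprint()[-1] != "0" else "1")
    wrong_accepted = alice.verify(bob, wrong)              # False

    alice.verify(bob, bob.fingerprint())
    one_sided = (alice.trusts(bob), bob.trusts(alice))     # (True, False): the study's confusion

    bob.verify(alice, alice.fingerprint())
    both_sides = mutually_authenticated(alice, bob)        # True only after Bob verifies too

    rekey(alice, bob)
    still_both = mutually_authenticated(alice, bob)        # True: rekey does not clear trust
    return after_rekey, wrong_accepted, one_sided, both_sides, still_both


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks through the sequence the study describes: the rekey leaves both sides unauthenticated, Alice's verification produces the lopsided `(True, False)` state that confused the participants, and only Bob's own verification step makes the session mutually authenticated.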
I like reading things like this because they help me understand what I take for granted when I’m explaining things to people struggling with some technical issue. I’ve internalized Phil Agre’s dictum “if it’s not obvious to them, it’s not obvious,” but it isn’t always easy to discern how non-obvious something is, especially in a lopsided “help somebody fix a problem” conversation.
I’m particularly interested in this one because OTR is a promising form of IM security that doesn’t seem to have gotten its due yet. Or maybe it is getting its due if it’s as opaque to “normal users” as this study would indicate, in which case its implementations need to be fixed so it can earn more attention.
I was also mildly amused by the bit about how “there is an image of ‘how not to authenticate’ pictured before one describing how to do it properly.”
Of course there is. Geeks of any sort exist in the grip of two conflicting urges: To share what they know about their passions with everybody else; and to dread what will happen when Everybody Else gets its hands on the object of the geek’s passion.
Maybe the person who prepared the documentation has never had a four-year-old around. My son has taught me to never begin a sentence with what I don’t want him to do.
(Link) (There’s a link to the full study at the top of that page.)
Posted by mhall at 6:40 PM