Article

How to make secure email easier to use

Authors:

Simson L. Garfinkel,

David Margrave,

Jeffrey I. Schiller,

Erik Nordlander,

Robert C. MillerAuthors Info & Claims

CHI '05: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Pages 701 - 710

https://doi.org/10.1145/1054972.1055069

Published: 02 April 2005 Publication History

Abstract

Cryptographically protected email has a justly deserved reputation of being difficult to use. Based on an analysis of the PEM, PGP and S/MIME standards and a survey of 470 merchants who sell products on Amazon.com, we argue that the vast majority of Internet users can start enjoying digitally signed email today. We present suggestions for the use of digitally signed mail in e-commerce and simple modifications to webmail systems that would significantly increase integrity, privacy and authorship guarantees that those systems make. We then show how to use the S/MIME standard to extend such protections Internet-wide. Finally, we argue that software vendors must make minor changes to the way that mail clients store email before unsophisticated users can safely handle mail that is sealed with encryption.

References

[1]

D. Atkins, W. Stallings, and P. Zimmermann. RFC 1991: PGP message exchange formats, August 1996. Status: INFORMATIONAL.]]

Digital Library

[2]

D. Balenson. RFC 1423: Privacy enhancement for Internet electronic mail: Part III: Algorithms, modes, and identifiers, February 1993. Obsoletes RFC1115. Status: PROPOSED STANDARD.]]

Digital Library

[3]

Ian Brown and C. Richard Snow. A proxy approach to e-mail security. Software Practice and Experience, 29:1049-1060, October 1999.]]

Digital Library

[4]

J. Callas, L. Donnerhacke, H. Finney, and R. Thayer. RFC 2440: OpenPGP message format, November 1998. Status: PROPOSED STANDARD.]]

Digital Library

[5]

Mark Delany. Domain-based email authentication using public-keys advertised in the dns (domainkeys), August 2004. INTERNET DRAFT.]]

[6]

S. Dusse, P. Hoffman, B. Ramsdell, L. Lundblade, and L. Repka. RFC 2311: S/MIME version 2 message specification, March 1998. Status: INFORMATIONAL.]]

Digital Library

[7]

M. Elkins. RFC 2015: MIME security with pretty good privacy (PGP), October 1996. Status: PROPOSED STANDARD.]]

Digital Library

[8]

Federal Trade Comission. Identity thief goes "phishing" for consumers' credit information, July 2003. http://www.ftc.gov/opa/2003/07/phishing.htm.]]

[9]

Simson Garfinkel. PGP: Pretty Good Privacy. O'Reilly & Associates, 1994.]]

Digital Library

[10]

Simson L. Garfinkel. Enabling email confidentiality through the use of opportunistic encryption. In National Conference on Digital Government Research, 2003.]]

Digital Library

[11]

Simson L. Garfinkel, Jeffrey I. Schiller, Erik Nordlander, David Margrave, and Robert C. Miller. Views, reactions, and impact of digitally-signed mail in e-commerce. 2005.]]

[12]

Peter Gutmann. Why isn't the internet secure yet, dammit. In AusCERT Asia Pacific Information Technology Security Conference 2004; Computer Security: Are we there yet?, May 2004. http://conference.auscert.org.au/conf2004/.]]

[13]

GVU. GVU's tenth WWW user survey results, 1999. http://www.cc.gatech.edu/gvu/user surveys/survey-1998-10/.]]

[14]

S. Kent. RFC 1422: Privacy enhancement for Internet electronic mail: Part II: Certificate-based key management, February 1993. Obsoletes RFC1114. Status: PROPOSED STANDARD.]]

Digital Library

[15]

J. Linn. RFC 989: Privacy enhancement for Internet electronic mail: Part I: Message encipherment and authentication procedures, February 1987. Obsoleted by RFC1040, RFC1113. Status: UNKNOWN.]]

[16]

J. Linn. RFC 1421: Privacy enhancement for Internet electronic mail: Part I: Message encryption and authentication procedures, February 1993. Obsoletes RFC1113. Status: PROPOSED STANDARD.]]

Digital Library

[17]

Mindy Pereira. Trusted S/MIME Gateways. Dartmouth College, May 2003. Senior Honors Thesis: Winter/Spring 2003, Department of Computer Science, Dartmouth College.]]

[18]

B. Ramsdell. RFC 3851: Secure/multipurpose internet mail extensions (s/mime) version 3.1 message specification, July 2004.]]

[19]

Jon Udell. How ray ozzie got his groove back. openp2p.com, October 24 2000.]]

[20]

VeriSign. Digital ids for secure email, 2004.]]

[21]

Alma Whitten. Making Security Usable. PhD thesis, School of Computer Science, Carnegie Mellon University, 2004.]]

[22]

Alma Whitten and J. D. Tygar. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In 8th USENIX Security Symposium, pages 169--184, 1999.]]

Digital Library

[23]

T. Ylonen. SSH - secure login connections over the internet. Proceedings of the 6th Security Symposium) (USENIX Association: Berkeley, CA):37, 1996.]]

Digital Library

Cited By

Ogundokun RArowolo MDamaševičius RMisra S(2023)Phishing Detection in Blockchain Transaction Networks Using Ensemble LearningTelecom10.3390/telecom40200174:2(279-297)Online publication date: 31-May-2023
https://doi.org/10.3390/telecom4020017
Altulaihan EAlismail AHafizur Rahman MIbrahim A(2023)Email Security Issues, Tools, and Techniques Used in InvestigationSustainability10.3390/su15131061215:13(10612)Online publication date: 5-Jul-2023
https://doi.org/10.3390/su151310612
Guthoff CAnell SHainzinger JDabrowski AKrombholz K(2023)Perceptions of Distributed Ledger Technology Key Management - An Interview Study with Finance Professionals2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10335652(588-605)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10335652
Show More Cited By

Index Terms

How to make secure email easier to use

Recommendations

Johnny 2: a user test of key continuity management with S/MIME and Outlook Express
SOUPS '05: Proceedings of the 2005 symposium on Usable privacy and security

Secure email has struggled with signifcant obstacles to adoption, among them the low usability of encryption software and the cost and overhead of obtaining public key certificates. Key continuity management (KCM) has been proposed as a way to lower ...
The usability of end user cryptographic products
InfoSecCD '09: 2009 Information Security Curriculum Development Conference

Cryptography is an indispensable tool for securing data and for ensuring the privacy of communications such as web browsing and email. Although there are many practical utilities which can encrypt disks, file systems, and emails, these utilities are ...
Secure Email - A Usability Study
Financial Cryptography and Data Security
Abstract
Several end-to-end encryption technologies for emails such as PGP and S/MIME exist since decades. However, end-to-end encryption is barely applied. To understand why users hesitate to secure their email communication and which usability issues ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CHI '05: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

April 2005

928 pages

ISBN:1581139985

DOI:10.1145/1054972

Conference Chairs:
Wendy Kellogg
IBM T. J. Watson Research Center
,
Shumin Zhai
IBM Almaden Research Center
,
General Chair:
Gerrit van der Veer
Vrije Universiteit, The Netherlands
,
Program Chair:
Carolyn Gale
Stanford University, USA

Copyright © 2005 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 April 2005

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CHI05

Sponsor:

CHI05: CHI 2005 Conference on Human Factors in Computing Systems

April 2 - 7, 2005

Oregon, Portland, USA

Acceptance Rates

CHI '05 Paper Acceptance Rate 93 of 372 submissions, 25%;

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

Upcoming Conference

CHI 2025

Sponsor:
sigchi

ACM CHI Conference on Human Factors in Computing Systems

April 26 - May 1, 2025

Yokohama , Japan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

42
Total Citations
View Citations
3,267
Total Downloads

Downloads (Last 12 months)52
Downloads (Last 6 weeks)3

Reflects downloads up to 09 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Ogundokun RArowolo MDamaševičius RMisra S(2023)Phishing Detection in Blockchain Transaction Networks Using Ensemble LearningTelecom10.3390/telecom40200174:2(279-297)Online publication date: 31-May-2023
https://doi.org/10.3390/telecom4020017
Altulaihan EAlismail AHafizur Rahman MIbrahim A(2023)Email Security Issues, Tools, and Techniques Used in InvestigationSustainability10.3390/su15131061215:13(10612)Online publication date: 5-Jul-2023
https://doi.org/10.3390/su151310612
Guthoff CAnell SHainzinger JDabrowski AKrombholz K(2023)Perceptions of Distributed Ledger Technology Key Management - An Interview Study with Finance Professionals2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10335652(588-605)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10335652
Mayer PPoddebniak DFischer KBrinkmann MSomorovsky JSasse ASchinzel SVolkamer MChiasson SKapadia A(2022)"i don't know why i check this ... " — investigating expert users' strategies to detect email signature spoofing attacksProceedings of the Eighteenth USENIX Conference on Usable Privacy and Security10.5555/3563609.3563614(77-96)Online publication date: 8-Aug-2022
https://dl.acm.org/doi/10.5555/3563609.3563614
Stransky CWiese ORoth VAcar YFahl S(2022)27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833755(860-875)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833755
Schwenk JSchwenk J(2022)Email Security: S/MIMEGuide to Internet Cryptography10.1007/978-3-031-19439-9_17(401-430)Online publication date: 26-Nov-2022
https://doi.org/10.1007/978-3-031-19439-9_17
Stransky CWermke DSchrader JHuaman NAcar YFehlhaber AWei MUr BFahl SChiasson S(2021)On the limited impact of visualizing encryptionProceedings of the Seventeenth USENIX Conference on Usable Privacy and Security10.5555/3563572.3563595(437-454)Online publication date: 9-Aug-2021
https://dl.acm.org/doi/10.5555/3563572.3563595
Kisembo IOcen GBongomin OAlunyu ANibikora IMatovu DBwire F(2021)An Algorithm for Improving Email Security on the Android Operating System in the Industry 4.0 EraJournal of Engineering10.1155/2021/46906112021(1-8)Online publication date: 20-Nov-2021
https://doi.org/10.1155/2021/4690611
Clark Jvan Oorschot PRuoti SSeamons KZappala D(2021)SoK: Securing Email—A Stakeholder-Based AnalysisFinancial Cryptography and Data Security10.1007/978-3-662-64322-8_18(360-390)Online publication date: 23-Oct-2021
https://doi.org/10.1007/978-3-662-64322-8_18
Fröhlich MGutjahr FAlt FWakkary RAndersen KOdom WDesjardins APetersen M(2020)Don't lose your coin! Investigating Security Practices of Cryptocurrency UsersProceedings of the 2020 ACM Designing Interactive Systems Conference10.1145/3357236.3395535(1751-1763)Online publication date: 3-Jul-2020
https://dl.acm.org/doi/10.1145/3357236.3395535
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents