[openpgp] New paper with user study on email signature spoofing

Marcus Brinkmann <marcus.brinkmann@rub.de> Mon, 08 August 2022 19:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/97AP7ukawCy_kFTo-Ds14d9Kizs>

Hi,

We[1] published a paper with a user study on signature spoofing where we examined how 25 expert users of Thunderbird and Enigmail check PGP signatures for validity. It shows that users have a hard time verifying email signatures, and we think the results can give guidance to implementers on how to improve the usability of their software.

[1] "I don't know why I check this..." - Investigating Expert Users' Strategies to Detect Email Signature Spoofing Attacks
https://www.usenix.org/conference/soups2022/presentation/mayer
Peter Mayer, SECUSO - Security, Usability, Society, Karlsruhe Institute of Technology; Damian Poddebniak, Münster University of Applied Sciences; Konstantin Fischer and Marcus Brinkmann, Ruhr University Bochum; Juraj Somorovsky, Paderborn University; Angela Sasse, Ruhr University Bochum; Sebastian Schinzel, Münster University of Applied Sciences; Melanie Volkamer, SECUSO - Security, Usability, Society, Karlsruhe Institute of Technology

Abstract: 

OpenPGP is one of the two major standards for end-to-end email security. Several studies showed that serious usability issues exist with tools implementing this standard. However, a widespread assumption is that expert users can handle these tools and detect signature spoofing attacks. We present a user study investigating expert users' strategies to detect signature spoofing attacks in Thunderbird. We observed 25 expert users while they classified eight emails as either having a legitimate signature or not. Studying expert users explicitly gives us an upper bound of attack detection rates of all users dealing with PGP signatures. 52% of participants fell for at least one out of four signature spoofing attacks. Overall, participants did not have an established strategy for evaluating email signature legitimacy. We observed our participants apply 23 different types of checks when inspecting signed emails, but only 8 of these checks tended to be useful in identifying the spoofed or invalid signatures. In performing their checks, participants were frequently startled, confused, or annoyed with the user interface, which they found supported them little. All these results paint a clear picture: Even expert users struggle to verify email signatures, usability issues in email security are not limited to novice users, and developers may need proper guidance on implementing email signature GUIs correctly.

Thanks,
Marcus

—
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann