Abstract

As a network security researcher, the author finds it very disappointing that most users can't, or simply don't, secure their Internet communications. For good reason, usability in security has received a fair deal of attention in the past few years. To push the issue further, the author decided to initiate his own informal case study on the usability and practical relevance of standard security mechanisms for email communication. The author focused his attention on available public-key cryptography techniques for digitally signing and encrypting email. His first step was to establish a public-private key pair to use with email. The author chose to use Secure/Multipurpose Internet Mail Extensions (S/MIME), a standard for signing and encrypting email, because it's already supported by popular email clients such as Apple Mail, Outlook Express, and Mozilla's Thunderbird. Unlike S/MIME, the author found that Pretty Good Privacy (PGP) and the GNU Privacy Guard (GPG) were unusable with nontechnical correspondents because they required them to install additional software. S/MIME, it seemed, was the better solution for these everyday users, for whom the concepts of public-key infrastructure (PKI), PGP, certificates, keys, and so on remain elusive. Additionally, the author decided to get his public key certified by Thawte (www.thawte.com), an online certificate authority (CA).
