[freehaven-cvs] edits throughout. Clean up some prose and parallelism.
Update of /home/freehaven/cvsroot/doc/wupss04
In directory moria.mit.edu:/tmp/cvs-serv9710
Modified Files:
usability.tex
Log Message:
edits throughout. Clean up some prose and parallelism.
Index: usability.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/wupss04/usability.tex,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -d -r1.20 -r1.21
--- usability.tex 2 Jan 2005 01:18:28 -0000 1.20
+++ usability.tex 2 Jan 2005 03:49:14 -0000 1.21
@@ -25,19 +25,21 @@
example, fetch a web page or send an email) without revealing their
communication partners.
-In this chapter we're going to focus on the \emph{network effects}
+In this chapter, we'll focus on the \emph{network effects}
of usability on privacy and security: usability is a factor as before,
but the size of the user
-base also becomes a factor. Further, in anonymizing systems, even if you
+base also becomes a factor. As we will see, in anonymizing networks, even if
+you
were smart enough and had enough time to use every system
perfectly, you would nevertheless be right to choose your system
based in part on its usability for \emph{other} users.
+%AWK
\section{Usability for others impacts your security}
-While security software is the product of developers, the operation of
-software is a collaboration between developers and users. It's not enough
-to develop software that is possible to use securely; software that
+While security software is the product of developers, the security it
+provides is a collaboration between developers and users. It's not enough
+to make software that \emph{can} be used securely; software that
is hard to use often suffers in its security as a result.
For example, suppose there are two popular mail encryption programs:
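Review bot: the added `+%AWK` line just before `\section{Usability for others impacts your security}` is a bare marker comment that carries no information for the next editor; if it flags a pending revision of this section, replace it with a descriptive `% TODO: ...` note, and if it is a leftover from this pass, drop it before the chapter is circulated.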
@@ -49,18 +51,19 @@
But if you do, it's likelier that when your friends send you
confidential email, they'll make a mistake and encrypt it badly or not at
all. With LightCrypto, you can at least be more certain that all your
-friends' correspondence with you will get a minimum of protection.
+friends' correspondence with you will get some protection.
What if you used {\it both} programs? If your tech-savvy friends use
HeavyCrypto, and your less sophisticated friends use LightCrypto, then
-everybody will be getting as much protection as they can. But can all your
+everybody will get as much protection as they can. But can all your
friends really judge how able they are? If not, then by supporting a less
-usable option, you've made it likelier that they'll shoot themselves in the
-foot.
+usable option, you've made it likelier that your non-savvy friends will
+shoot themselves in the foot.
-The crucial insight here is that in email encryption, the cooperation of
-multiple people is needed to keep you secure, because both the sender and the
-receiver of a secret email want to protect its confidentiality. Thus, in
+The crucial insight here is that in email encryption, secuirty is a
+collaboration between multiple people: both the sender and the
+receiver of a secret email must work together to protect its confidentiality.
+Thus, in
order to protect your own security, you need to make sure that the system you
use is not only usable by yourself, but by the other participants as well.
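Review bot: typo on the added line `+The crucial insight here is that in email encryption, secuirty is a`: `secuirty` should be `security`. The rewording otherwise reads well and reuses "collaboration" deliberately from the previous hunk (developers and users there, sender and receiver here), which is good parallelism.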
@@ -136,7 +139,7 @@
suspicious of Bob and Carol, even though the anonymity sets are the same
size. Because of this, recent research is moving beyond simple anonymity
sets to more sophisticated measures based on the attacker's confidence.}
-Therefore, when more users join the network, existing users become more
+When more users join the network, existing users become more
secure, even if the new users never talk to the existing
ones! \cite{econymics,back01} Thus, ``anonymity loves company.''\footnote{This
catch-phrase was first made popular in our context by the authors of the
@@ -145,11 +148,12 @@
In a data confidentiality system like PGP, Alice and Bob can decide by
themselves that they want to get security. As long as they both use the
software properly, no third party can intercept the traffic and break
-their encryption. However, in the case of an anonymity system, Alice
+their encryption. However, Alice
and Bob can't get anonymity by themselves: they need to participate in
an infrastructure that coordinates users to provide cover for each other.
-No organization can build this infrastructure for itself. If a single
+No organization can build this infrastructure for its own sole use.
+If a single
corporation or government agency were to build a private network to
protect its operations, any connections entering or leaving that network
would be obviously linkable to the controlling organization. The members
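Review bot: the change to `+their encryption. However, Alice` drops "in the case of an anonymity system", which was the cue that the contrast is between PGP-style confidentiality and anonymity; with it gone, "However" reads as if still about PGP until "anonymity" appears mid-sentence. Suggest "However, in an anonymity system, Alice and Bob can't get anonymity by themselves". Also, in `+No organization can build this infrastructure for its own sole use.`, "own sole" is redundant; "for its sole use" or "for itself alone" says the same thing.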
@@ -162,7 +166,7 @@
In practice, existing commercial anonymity solutions (like Anonymizer.com)
are based on a set of single-hop proxies. In these systems, each user
connects to a single proxy, which then relays the user's traffic. This
-provides only weak security, since a compromised proxy can trivially
+provides comparatively weak security, since a compromised proxy can trivially
observe all of its users' actions, and an eavesdropper only needs to
watch a single proxy to perform timing correlation attacks against all
its users' traffic. Worse, all users need to trust the proxy company to
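Review bot: `+provides comparatively weak security, since a compromised proxy can trivially` implies a comparison the sentence never names. Since the paragraph characterizes these as single-hop proxies, say what they are weaker than (the multi-hop designs such as Tor that the chapter treats), e.g. "provides weaker security than a multi-hop design, since ...". The justification that follows is sound as written: a single proxy is both a single point of compromise and a single observation point for timing correlation across all its users.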
@@ -221,9 +225,9 @@
controls both ends of a communication can trivially correlate message timing
and link the communicating parties.
-Clearly, users who need to resist strong attackers need to choose
+Clearly, users who need to resist strong attackers must choose
high-latency networks or nothing at all, and users who need to anonymize
-interactive applications need to choose low-latency networks or nothing at
+interactive applications must choose low-latency networks or nothing at
all. But what should flexible users choose? Against an unknown threat
model, with a non-interactive application (such as email), is it more secure
to choose security or usability?
@@ -286,7 +290,7 @@
extension based on their security needs. In reality, however, if the
extension is enabled by default, nearly all users will leave it on whether
it's secure or not; and if the extension is disabled by default, users will
-tend to enable it first based on their perceived demand for the extension
+tend to enable it based on their perceived demand for the extension
rather than their security needs. Thus, only the most savvy and
security-conscious users---the ones who know more about web security
than the developers themselves---will actually wind up understanding
@@ -295,8 +299,8 @@
The real issue here is that
designers often end up with a situation where they need to choose between
`insecure' and `inconvenient' as the default configuration---meaning they've
-already made a mistake in designing their application; but that discussion
-is left to chapters X and Y.
+already made a mistake in designing their application. (This issue is
+discussed more in chapters X and Y.)
Of course, when end users {\it do} know more about their individual security
requirements than application designers, then adding options is beneficial,
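Review bot: `+discussed more in chapters X and Y.)` still carries the placeholder chapter letters from the old text; this edit only moves them into a parenthesis. Replace them with `\ref{}` to the actual chapters (or drop the parenthetical) before the draft goes to the volume editors, so the cross-reference does not ship unresolved.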
@@ -332,7 +336,7 @@
it works. Of the fraction of users who change the default at all, most will
not, in fact, understand the security implications; and those few who do will
need to decide whether the increased traffic-analysis resistance that comes
-with higher latency is worth the decreased anonymity that comes from
+with more variable latency is worth the decreased anonymity that comes from
splitting away from the bulk of the user base.
\section{Case study: Mixminion and MIME}
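Review bot: the substitution on `+with more variable latency is worth the decreased anonymity that comes from` changes the technical claim, not just the wording. Random (variable) delay is what frustrates timing correlation; a uniformly higher but fixed delay buys little against an attacker who can simply shift the correlation window. Confirm that the option discussed in this paragraph actually increases delay variance (a larger pool or mixing interval, say) rather than merely adding delay, so the sentence describes what the setting does; if it does both, "higher and more variable latency" covers it.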
@@ -359,17 +363,17 @@
Other possible solutions to this problem could include limiting users to
a single email client, or simply banning email formats other than plain
-7-bit ASCII. But these procrustean approaches limit usability, and
+7-bit ASCII. But these procrustean approaches would limit usability, and
turn users away from the Mixminion network. Since fewer users mean less
-anonymity, we had to ask whether users would be better off in a larger
+anonymity, we must ask whether users would be better off in a larger
network where their messages are likelier to be distinguishable based on email
client, or in a smaller network where everyone's email formats look the same.
-Some distinguishability is inevitable, since users differ in
+Some distinguishability is inevitable anyway, since users differ in
their interests, languages, and writing styles: if Alice writes about
astronomy in Amharic, her messages are unlikely to be mistaken for Bob's, who
writes about botany in Basque. Also, any attempt to restrict formats is
-likely to backfire. If we limit Mixminion to 7-bit ASCII, users won't
+likely to backfire. If we limited Mixminion to 7-bit ASCII, users wouldn't
stop sending each other images, PDF files, and messages in Chinese: they
would instead follow the same evolutionary path that led to MIME in the first
place, and encode their messages in a variety of distinguishable formats,
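Review bot: the tense change on `+anonymity, we must ask whether users would be better off in a larger` shifts this from a historical account ("we had to ask", the decision the Mixminion designers actually faced) to a general present-tense argument, while the surrounding edits ("would limit", "If we limited ... users wouldn't") make the rest of the passage a hypothetical. Either framing works, but pick one: if this paragraph is reporting the design decision that was actually taken, "we had to ask" is the accurate verb.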
@@ -442,10 +446,10 @@
At the time of this writing, the most important solutions for these users have
been improve Tor's documentation for how to configure various applications
-to use Tor, to change the warning messages to refer users to a description of
+to use Tor; to change the warning messages to refer users to a description of
the solution (``You are insecure. See this webpage.'') instead of a
description of the problem (``Your application is sending IPs instead of
-hostnames, which may leak information. Consider using SOCKS4a instead.''),
+hostnames, which may leak information. Consider using SOCKS4a instead.'');
and to bundle Tor with the support tools that it needs, rather than
relying on users to find and configure them on their own.
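Review bot: the list is now correctly semicolon-separated, but its first item is still ungrammatical: `been improve Tor's documentation for how to configure various applications` should read "been to improve Tor's documentation for how to configure various applications" so that it parallels the following items `to change the warning messages` and `to bundle Tor with the support tools`.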
@@ -524,7 +528,7 @@
anonymity set size. As in market economics, expectations themselves can
bring about trends: a privacy system which people believe to be secure and
popular will gain users, thus becoming (all things equal) more secure and
-popular. Thus, security depends not only on usability, but on {\it
+popular. Thus, security depends not only on usability, but also on {\it
perceived usability by others}, and hence on the quality of the provider's
marketing and public relations. Perversely, over-hyped systems (if they are
not too broken) may be a better choice than modestly promoted ones,
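Review bot: in the context line `anonymity set size. As in market economics, expectations themselves can ... (all things equal)`, the idiom is "all things being equal" (or "other things being equal"); worth fixing while this paragraph is open. The change to `+popular. Thus, security depends not only on usability, but also on {\it` is the right parallelism fix for "not only ... but also".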
@@ -543,12 +547,13 @@
survivors, privacy enthusiasts, and so on) and now I'm hard to profile.
The more cancer survivors on Tor, the better for the human rights
-activists. The more script kiddies, the worse it is for the normal
-users. On the surface this may not appear to be an anonymity issue,
-but it is for two reasons. First, it impacts the sustainability of the
+activists. The more script kiddies, the worse for the normal
+users. Thus, reputation is an anonymity issue
+for two reasons. First, it impacts the sustainability of the
network: a network that's always about to be shut down has difficulty
attracting and keeping users, so its anonymity set suffers. Second,
-it attracts the attention of powerful attackers who may not mind
+a bad reputation attracts the attention of powerful attackers who may not
+mind
revealing the identities of all the users to uncover the few bad ones.
While people therefore have an incentive for the network to be used for
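Review bot: `+users. Thus, reputation is an anonymity issue` introduces "reputation" without the preceding sentences having used the word; they talk about which kinds of users the network attracts (cancer survivors, script kiddies). Make the referent explicit, e.g. "Thus, the network's reputation is an anonymity issue", so the reader connects the user mix to reputation before the two reasons. The two reasons themselves (a network always about to be shut down cannot keep users, and a bad reputation draws attackers willing to deanonymize everyone to find the few) support the claim well, and `+a bad reputation attracts the attention` correctly supplies the subject the old "it" left ambiguous.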
@@ -598,17 +603,17 @@
and usability. On the one hand, we might remark that anonymity is already
tricky from a technical standpoint, and if we're required to get usability
right as well before anybody can be safe, it will be hard indeed
-to come up with a good design. That is, if lack of anonymity means lack
+to come up with a good design: if lack of anonymity means lack
of users, then we're stuck in a depressing loop. On the other hand, the
loop has an optimistic side too. Good anonymity can mean more users: if we
can make good headway on usability, then as long as the technical designs
are adequate, we'll end up with enough users to make everything work out.
-In any case, choosing not to figure out a good solution means leaving most
+In any case, declining to design a good solution means leaving most
users to a less secure network or no anonymizing network at all. Cancer
-survivors and abuse victims are going to continue communications and
+survivors and abuse victims would continue communications and
research over the Internet, risking social or employment problems; and human
-rights workers in oppressive countries are going to continue publishing
+rights workers in oppressive countries would continue publishing
their stories.
The temptation to focus on designing a perfectly usable system before
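Review bot: `+to come up with a good design: if lack of anonymity means lack` states only one direction of the loop. The "depressing loop" needs both directions, and the other one (fewer users means less anonymity) is the chapter's thesis, stated earlier in this same diff ("Since fewer users mean less anonymity"). Consider spelling both out here, e.g. "if lack of users means lack of anonymity, and lack of anonymity means lack of users, then we're stuck in a depressing loop", so the optimistic reversal in the next sentence ("Good anonymity can mean more users") has both halves to invert.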