
Re: [tor-dev] Hash Visualizations to Protect Against Onion Phishing



On Thu, 20 Aug 2015 17:02:24 +0300
George Kadianakis <desnacked@xxxxxxxxxx> wrote:

> Jacek Wielemborek <d33tah@xxxxxxxxx> writes:
> 
> > W dniu 20.08.2015 o 15:49, George Kadianakis pisze:
> >>   Some real UX research needs to be done here, before we decide
> >> something terrible.
> >
> > Just curious, has anybody seen any cognitive studies on the SSH
> > randomart visualisation? I always found them impossible to remember.
> > Perhaps adding a bit more color could help...
> >
> 
> Hm. Indeed.
> 
> I can remember the general shape and edges of my SSH server's key,
> but not any details.
> 
> I doubt I would remember the randomart of like 10 onion websites,
> especially if I didn't visit them regularly. But maybe I would
> remember the randomart of my webmail better than my SSH server's.

What would be useful here is the number of onion addresses an average
user visits.  If it's small, something like this would probably be
sufficient:

 0. Browser generates/stores a long term salt.

 1. On onion access, calculate SHAKE(salt | onion address) and map that
    to a poker hand (5 card draw).

    P(52,5) = 311,875,200
    C(52,5) = 2,598,960

 2. Goto 1.

Benefits:

 0. Collisions between addresses are unlikely and don't weaken the
    scheme (though it will be confusing to the user that does encounter
    the situation).

 1. Brute-forcing is mitigated via the per-client salt.

 2. Incomplete recall still useful (User needs to forget all of order,
    suite, and card value).

 3. Easy to memorize.

 4. Easy to extend up to a point.

 5. Can probably display it with fonts present on the system (or the
    one that will be bundled).

Cons:

 0. Having to propagate the salt value if the user uses multiple boxes
    is somewhat annoying.

 1. May get confusing to remember lots and lots of onions->hand
    mappings.

 2. No "canonical" visualization that can be shared across users.

 3. Something Yawning randomly made up before going to bed.

Regards and good night,

-- 
Yawning Angel
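The sketch above (per-client salt, SHAKE over salt | onion address, map to a 5-card draw) as a runnable Python example. This is an added illustration, not code from the thread or from Tor Browser; the onion addresses in it are constructed placeholders, the 32-byte salt size and the lowercase normalisation of the address are assumptions, and the draw uses rejection sampling on the SHAKE-128 output stream so that no hand is favoured by modulo bias. The `ordered` flag switches between the P(52,5) and C(52,5) spaces quoted in the mail.

```python
import hashlib
import math
import secrets

RANKS = "23456789TJQKA"
SUITS = "cdhs"                                  # clubs, diamonds, hearts, spades
DECK = [r + s for s in SUITS for r in RANKS]    # 52 distinct cards


def new_salt() -> bytes:
    """Step 0: long-term per-client salt (32 bytes is an assumption).

    Generated once and stored with the profile. Without it an attacker cannot
    precompute which lookalike address would map to a victim's remembered hand,
    which is the brute-force mitigation the mail describes."""
    return secrets.token_bytes(32)


def onion_hand(salt: bytes, onion: str, ordered: bool = True) -> tuple:
    """Step 1: SHAKE(salt | onion address) -> 5-card draw.

    Bytes from the SHAKE-128 output select cards without replacement.
    Rejection sampling (see `limit`) keeps every ordered hand equally likely.
    With ordered=False the hand is sorted, i.e. the smaller C(52,5) space."""
    xof = hashlib.shake_128(salt + onion.strip().lower().encode("ascii"))
    # A draw needs ~6 bytes on average even counting rejections; 128 is ample.
    stream = iter(xof.digest(128))
    remaining = list(DECK)
    hand = []
    while len(hand) < 5:
        n = len(remaining)
        limit = 256 - (256 % n)     # largest multiple of n that fits in a byte
        b = next(stream)
        if b >= limit:
            continue                # biased region: discard and take next byte
        hand.append(remaining.pop(b % n))
    return tuple(hand) if ordered else tuple(sorted(hand))


def hand_space(ordered: bool = True) -> int:
    """Number of distinct hands: P(52,5) ordered, C(52,5) unordered."""
    return math.perm(52, 5) if ordered else math.comb(52, 5)


def hands_collide(salt: bytes, a: str, b: str) -> bool:
    """Two unrelated addresses share a hand with probability ~1/P(52,5);
    a collision confuses the user but does not help an attacker."""
    return onion_hand(salt, a) == onion_hand(salt, b)


if __name__ == "__main__":
    # Constructed placeholder addresses, not real onion services.
    real = "exampleexampleexampleexample.onion"
    lookalike = "exampleexampleexampleexamp1e.onion"
    salt = new_salt()
    print("real     :", " ".join(onion_hand(salt, real)))
    print("lookalike:", " ".join(onion_hand(salt, lookalike)))
    print("ordered hands:", hand_space(True), " unordered:", hand_space(False))
```

Because the salt is part of the hash input, the same address yields a different hand on every profile, which is exactly the "no canonical visualization" con in the list above; syncing the salt between machines is what would make hands match across a user's boxes.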


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev