Security fails without usability

Summary: When you make security hard to use, users look for a way around it. That's why efforts to make the internet more secure must be held to a high usability standard.

TOPICS: Security

There's a general trade-off between usability and security. It's an old phenomenon, going back well before the computer age. General Benjamin W. Chidlaw, while commander in chief of the joint service Continental Air Defense Command (part of what eventually became NORAD) in 1954, put it this way:

    Simply put, it is possible to have convenience if you want to tolerate insecurity, but if you want security, you must be prepared for inconvenience.

We hadn't yet invented the word "usability" in 1954, but in this context it means pretty much the same thing as convenience.

Flash forward to 2014, and it's still the case that if it were convenient to be secure, there wouldn't be so much insecurity about.

Professional security software has always tended to be difficult to use, at least to use properly. Perhaps the classic example is PGP (Pretty Good Privacy), a program written in 1991 to secure email. PGP combines public-key cryptography (for exchanging keys and signing), symmetric encryption of the message body and hashing, so that users can exchange messages confidentially and prove who sent them.

PGP has always been high-quality software. The Federal Government was so alarmed at the prospect of people communicating securely that it opened a criminal investigation of Phil Zimmermann, PGP's author. At the time, US export regulations deemed cryptographic software that used keys larger than 40 bits to be munitions (!) requiring a special license.

But PGP is a clumsy multi-step process, requiring users to keep track of other users' public keys. There have been attempts to integrate it into more popular email programs, but I've never been impressed with any of them. It's amazing how little the usability of PGP has improved in 23 years.

Recently I wrote about the latest attempt to make secure email accessible: Mailvelope. It's a PGP-like system designed to work within any webmail program. Google also recently announced an effort to make end-to-end encryption usable within Gmail, and Yahoo has announced that it will do the same by forking Google's implementation. Mailvelope is easy to use only compared to command-line PGP.

The complexity of PGP doesn't just make it hard to use, it makes it insecure. Consider Matthew Green's recent savaging of PGP, in which he describes all the things that go wrong because it's all so complicated. As Green says, "[t]ransparent (or at least translucent) key management is the hallmark of every successful end-to-end secure encryption system." 

The recent push for secure software is an aspect of the privacy mania resulting from Edward Snowden's revelations. A PR push for it came from Reset The Net, a campaign to make the internet NSA-resistant.

Privacy is all well and good, and in fact it's been available for internet use for decades. It's just too hard to bother with, and a PR campaign won't make it any easier. There is a long history of people proficient enough with computers to find this software usable arguing that everyone should use it. Telling a normal, non-techie human being to use PGP is unfair to that person.

Some of the newer high-security systems are easier to use. This EFF story advocates the use of Tor, a network that anonymizes traffic by routing it through a chain of volunteer-run relays, to protect privacy. But the jury's still out on Tor if you ask me; there are many potential security problems with it. On top of that, Tor is a favorite place for the not-so-nice, such as those selling drugs and trafficking in children.

The trade-off between convenience and security is a surprisingly universal concept. It applies to programming as much as to the end-user experience on computers. The infamous Heartbleed bug is, in a sense, a result of an attempt to enhance the convenience of secure programming. Writing secure communications software often involves renegotiating and establishing secure connections. It's a pain. To make this less necessary, a standard for a TLS Heartbeat Extension (RFC 6520) was created: a periodic "heartbeat" message that keeps an idle connection alive so it doesn't have to be torn down and re-established. OpenSSL shipped the code in version 1.0.1 in 2012 and turned it on by default.


There's nothing inherent in the idea of TLS heartbeats that should diminish security. The problem with them is that they expand the "attack surface" of the program (especially when there's no security auditing in place, as was the case with OpenSSL). New code creates the potential for new vulnerabilities; in Heartbleed's case the new code trusted the payload length supplied by the peer without checking it against the size of the record actually received, so a small request could read back up to 64KB of the server's memory. In the immediate aftermath of the Heartbleed revelations, I witnessed some contentious discussions over this on Twitter between security experts I respect.
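To make the attack-surface point concrete, here is an added example (written for this page, not OpenSSL's code) of the shape of the Heartbleed defect. It models a heartbeat record as the RFC 6520 layout (type byte, two-byte payload length, payload, padding), puts the received record in a constructed array standing in for process memory with an unrelated secret a few bytes after it, and runs the same request through two handlers: one that trusts the peer's length field, and one that adds the check the fix consisted of. The record layout is real; the handler names, the "heap" array and the secret string are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16    /* RFC 6520 requires at least 16 bytes of padding */
#define HEAP_SIZE   512

/* Constructed stand-in for process memory (not a real heap): the received
 * record is placed at the start and an unrelated secret shortly after it. */
static uint8_t heap[HEAP_SIZE];
static const char secret[] = "session-cookie=SECRET123";

/* Heartbeat record: type (1 byte), payload_length (2 bytes, big-endian),
 * payload, padding. The header may claim more payload than is present. */
static size_t build_request(uint8_t *buf, uint16_t claimed,
                            const uint8_t *payload, size_t actual)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0xAA, HB_PADDING);
    return 3 + actual + HB_PADDING;       /* bytes actually received */
}

/* Vulnerable shape: trusts the peer-supplied length and never compares it
 * with rec_len, so memcpy reads whatever follows the record in memory. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    (void)rec_len;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (3 + claimed + HB_PADDING > out_cap)
        return 0;                          /* only the output buffer is bounded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);     /* over-read when claimed > actual */
    memset(out + 3 + claimed, 0xAA, HB_PADDING);
    return 3 + claimed + HB_PADDING;
}

/* Fixed shape: header, claimed payload and padding must fit inside the
 * record actually received; otherwise discard silently, as RFC 6520 says. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (3 + claimed + HB_PADDING > rec_len || 3 + claimed + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    memset(out + 3 + claimed, 0xAA, HB_PADDING);
    return 3 + claimed + HB_PADDING;
}

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Delivers a request that carries 5 payload bytes but claims `claimed`,
 * returns the response length and reports whether the secret leaked. */
static size_t run(hb_handler h, uint16_t claimed, int *leaked)
{
    static const uint8_t payload[] = "hello";
    uint8_t out[HEAP_SIZE];
    memset(heap, 0, sizeof heap);
    size_t rec_len = build_request(heap, claimed, payload, 5);
    memcpy(heap + rec_len + 8, secret, sizeof secret);   /* nearby memory */
    size_t n = h(heap, rec_len, out, sizeof out);
    *leaked = contains(out, n, secret);
    return n;
}

int vulnerable_leaks(void) { int l; run(heartbeat_vulnerable, 200, &l); return l; }
int fixed_leaks(void)      { int l; run(heartbeat_fixed, 200, &l); return l; }
size_t fixed_len(uint16_t claimed) { int l; return run(heartbeat_fixed, claimed, &l); }

int main(void)
{
    printf("vulnerable handler leaked secret: %d\n", vulnerable_leaks());
    printf("fixed handler leaked secret:      %d\n", fixed_leaks());
    printf("fixed handler, honest request:    %zu bytes\n", fixed_len(5));
    return 0;
}
```

The request in the demo claims 200 bytes while carrying five; the vulnerable handler dutifully copies 200 bytes starting where the payload begins and so returns the secret sitting after the record, while the fixed handler drops the request because 3 + 200 + 16 exceeds the 24 bytes that arrived. An honest request (claimed length 5) still gets its 24-byte echo from the fixed handler. The real bug used a 16-bit length field, hence the 64KB-per-request ceiling.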

Not long ago I wrote about PassPoint, a new standard designed to make secure public wifi easier. PassPoint, also known as HotSpot 2.0 and a bunch of other names, shows how to do a high level of security and privacy right, by making it completely seamless to the user.

PassPoint also shows how hard it is to do security well. The standard has been in the works for years. The technical end of it isn't the problem. The hard part is that there are so many significant players involved, from software companies to broadband providers to mobile networks.

It's worth noting that much of what we and this story call security is really just privacy, which is only part of security. But effective privacy requires not just a secure architecture, like PGP, but good security in other ways throughout the software system. If the server can be hacked and the database scraped for personal information, then it doesn't matter how secure everything else was.

This is why security is so hard. It has to be done right at all levels of the system. And if it's too hard to do, people won't do it. For that reason, difficult security just isn't enough and we should demand more.

It's easy to use PGP! Image courtesy Wikimedia Commons.

  • Absolutely right, Larry

    I was once working from home for an extended period and my client kept sending me documents for my work containing sensitive trade secrets of theirs in the clear by standard e-mail attachments. They were the ones who should have been alarmed by that, but I was, and convinced their contact who sent me the stuff to generate a PGP key pair and encrypt all our correspondence with it. Or at least, that's what he said. In practice, he never used it and kept sending me everything in cleartext. He said he didn't remember, he didn't have time to study the procedure, he was too much in a hurry to use PGP, and so on.

    I remembered this when I read the title of your article already. After reading it, my opinion still stands, and you got it absolutely right. People will choose convenience or usability over security all the time, unless there is some real strong pressure to put security first - and usually, the mere possibility that one's security and/or privacy MAY be compromised is not enough, even if there's a lot at stake. The human mind simply works that way...
    • You would have been better off with SSL webmail

      At least it would have been encrypted on the wire.
  • This is 101

    Any security practitioner realizes that usability drives the level of success of any security initiative.
  • IronPort wasn't bad

    The last time I did a mortgage, the bank used IronPort to send secure emails. That actually worked pretty well. PGP would be hopeless for interacting with end users.
    Buster Friendly
  • There's also the issue of openness

    Apple, with iOS and its app stores, and Microsoft, with Windows RT/Windows Phone 8 and its app stores, have made great strides in security largely by being closed. Unless one jailbreaks their iOS-, WP8- or Windows RT-based device, one is restricted to those apps that default on the device and apps available from the app store.

    Google's Android is open to users choosing to download and install apps from outside of Google Play (or Amazon's app store), aka 'Unknown sources', as well as rooting the device and installing an Android mod. Despite the updating/upgrading problem endemic to Android, save for Google Nexus devices, Android's biggest problem is openness, allowing users to choose to install software from unknown sources. This is, by and large, how Android malware gets installed on users' devices.

    Windows, OS X, GNU/Linux and BSD are similarly open. In every case, the user can choose to download software for installation from wherever s[he] chooses. With OS X, one must change the default app installation setting from the Mac app store to allow any application to be installed from anywhere (unrestricted).
    Rabid Howler Monkey
    • I install from trusted sources with Linux.

      But most of my installs, using Mint 17, are from the Software Manager, which currently has 71,163 free software packages. They are safe and convenient to install.

      A lot of programs you would normally go to the packages' web site for are already in the software manager, so it becomes even more convenient.

      Most average users are focusing on web now anyway. And when you use Linux with Firefox, Chrome, Chromium or Opera, the behavior is exactly the same as Windows.

      Of course, the added benefit with Linux Mint has always been the Update Manager updates installed programs automatically, so you don't have to keep track of updating your software separately, from the host website.

      This, along with never having to use any AV products, scanning or AV maintenance, is invaluable. Security is automatic with simply typing in your password and running the update manager (at your convenience).

      I used to buy Tax Act, Tax Cut and TurboTax to do taxes. But recently I found a much better alternative called It's completely web based, and currently costs $12.95 to complete and electronically file your Federal and State Taxes. This is much better, because there is no installation or updates necessary. Any form updates or corrections are made once to the website by the company. Once you use this, it's almost guaranteed you will never want to go back to installing programs for taxes. PDF files are generated, available for download at any time and instantly available from the website, even for previous years. There's even verification for acceptance by the IRS for e-filing. It really doesn't get any better than this.
    • With properly configured Mint, most normal users don't install programs.

      Since Linux Mint 17 already comes with most common applications, most users don't need to install external programs.

      For my use, I install Chrome, Chromium, Opera, Filezilla, CloneZilla, Google Earth, Google Call, Google Voice, and other trusted programs from trusted web sites.

      The Windows ecosystem pretty much relies on installing random programs from the Web with double clicking. You can't double click and install something from the web with Linux.
    • Linux Mint offers an option to encrypt the entire hard disk when installing.

      That's a great feature.
      • No usability

        I know there's this kind of Linux religion out there but that OS isn't supported by Office, Creative Suite, AutoCAD, or any of the other architectural and engineering packages we use. The only reason to have a computer is to run applications and not an OS.
        Buster Friendly
        • You're kind of out of date here.

          First, you have to want to run Microsoft Office, which at this point of development of LibreOffice is completely unnecessary. Bottom line, it's absolutely foolish to pay for MS Office, or for any Windows product.

          It doesn't take much common sense for even ordinary people to understand that MS is pushed into a financial corner constantly fighting free software, which parallels almost all of their products.

          The technique used to (somewhat) combat this is to constantly develop proprietary formats and features to provide some sort of perceived marketing edge that can differentiate their products from free alternatives enough for (some) people to continue justify purchasing them.

          What is happening at this point in time is their "lock-in" bag of tricks isn't having the desired effect any more on the general population. They are constantly trying new names and gimmicks to gain marketing traction, but, bottom line, people aren't watching.

          And, don't for one minute think what you read here at ZDNet has any reflection on reality. ZDNet has to try and sell Microsoft. People like Ed Bott don't teach computing at all, they teach Microsoft, and if you don't see or understand that, I feel sorry for you. This site is the Fox News propaganda equivalent for selling Microsoft and creating product "hype".

          It's not hard to see why Linux Android has dominated smartphones. The OEM has total control to modify, copy, distribute and install the OS depending on their production requirements. They can't do that with Microsoft. Another facet is they don't want to derive their income from intentional recurrent security faults like Microsoft does, i.e. they don't want the phone to be unreliable or constantly become infected like Microsoft does. That's right, the Microsoft ecosystem includes AV companies, support companies, repair shops, etc., that feed off of Microsoft's inability to provide even rudimentary security without AV protection.

          So, usability is hampered by failing, virus, botnet, rootkit, garbage Microsoft Operating Systems. But in your distorted view, and to some degree because of ZDNet propaganda, you refuse to acknowledge it. Fine.

          Google activating 1.5 million Android devices a day says it all. The Navy, using Red Hat Linux in its nuclear submarine fleet, says it all. Westinghouse, using SUSE Enterprise Linux for operation and core calculations in their 8 new AP-1000 nuclear power plants being built in the US and China, says it all too. Microsoft is a loser.

          As far as Autocad is concerned, I run MicroStation SE using WINE in my Linux Mint with no problems (Home Use License). But it will also run MicroStation J 7.1 and V8 with no issues.

          Anyway I use Scribus, which is free and better than Microsoft Publisher because the files can be directly edited with a text editor, unlike proprietary Microsoft.

          I use Google for almost everything else, Google Earth, Picasa, Call, Voice and Gmail. Google DNS outperforms everything else for IPv4 and iPv6,

          I've been a Linux user for 14 years and never used any AV, and have never been infected. I don't need Microsoft BS, especially on a mobile device.
  • PGP an excellent example

    Usability issues of PGP extend beyond email. When Symantec acquired PGP, I thought there might be improvements in the usability. There were a keyserver and full disk encryption added since the origin of PGP. None of this really helped. I also witnessed traditional responses to the complexity. I saw an implementer recommend users be assigned their passphrases, which would then be written down and stored in a safe. This was chosen because the keyserver proved to be less usable to the administrator. Passphrase changes would involve an administrator and updating the hardcopy. This worked most of the time because passphrase change was too unusable for most end users. Such is the case in the real world.

    Similar issues abound with CA certificate encryption of email. There are too many usability issues with the email clients, even Active Directory implemented Exchange and Outlook.

    Additionally, changing your certificate or key forces another level of management not often considered. Ideally, true archives would be re-encrypted to the new keys/certificates with the current strong algorithm and the previous treated as plaintext and wiped. Non-archival old files are just abandoned and deleted. Usually, archiving the expired keys/certificates is chosen due to its simplicity. Less secure of course, but more usable.
  • Controversial, but...

    Until the internet is completely revamped with something like a dual level system where there is a high security level where everyone is known and verified and another level where people can have their privacy, ease-of-use, and insecurity we will continue to use a fire-fighting approach to the current chaos and increasing financial loss.
  • security is only as strong as the weakest link

    You can make the email as secure as possible, but do you leave the email printouts on your desk? Do you always lock the doors of your office, and lock your screen when you walk away from your computer to get your coffee, and keep the blinds down?

    Let's be real: if someone really, really needs to steal that information, he or she will not be limited to electronic means of theft. So everything must become equally secure.

    So if you ask me, I would say that instead of creating an isolated monster of secure email, just send that one sensitive document overnight UPS.
    • True

      That's true, but you really only need reasonable methods compared to the value of the data. I've worked in a couple of high security places where everything was isolated in a double locked vault with only minimal monitored wiring going in and out. You needed two people to open it and no one was ever allowed to be inside alone. If a hard drive crashed, it had to go through a declassification procedure and then into a shredder. There was a man trap to get out where you could be held and searched at any time. That would be completely impractical for your average receivables department handling credit cards.
      Buster Friendly
    • makes sense

      Actually in proper situations... yes of course you don't leave the printouts on your desk or on your printer or whatever. If you go through all the trouble of securing your electronics (for instance by encrypting everything a few times in different ways and having proper "rights to deny" because you have taken the trouble) --- you would then not leave those paper prints on your desk if you care about your safety at all.
  • It's not just email security though...

    How many companies enforce "draconian" password rules, which effectively force users to write down every password, and tape it to the bottom of their keyboard?

    One place I worked required 16 characters, with every known restriction on passwords (no consecutive letters or numbers, caps and lowercase, numbers, symbols, no duplicate passwords ever, no more than 8 same characters from the previous password). LastPass made it a breeze for me, but most just wrote them down.
    • Tradition over reason

      That's tradition over reason. For some reason people have long equated difficult to type with difficult to crack, and it's completely false. There have been numerous papers showing that a simple series of ordinary case-insensitive words is orders of magnitude more difficult to crack and orders of magnitude easier to remember and type. One problem is legacy systems that still use the old crypt method and can't do arbitrary-length passwords.
      Buster Friendly
  • some of those password requirements are total crap

    Nothing pisses me off more than when a host won't allow consecutive repeated characters in a password. This may be standard Exchange ActiveSync, but at a recent employer our phone PINs had this restriction, so a long number like 295624402850 would be disallowed because there are two consecutive 4's in the middle.

    You're right that LastPass (or something like it) is the answer, but you can't use the password manager everywhere.
    • this message was meant to be a reply to rshores

    • Besides... using a password manager is still writing them down...

      And focuses the effort to just cracking ONE password.