Improving the usability of the authentication ceremony in secure messaging applications
Recent disclosures of government surveillance and fears over cybersecurity attacks have increased public interest in secure and private communication. As a result, numerous secure messaging applications have been developed, including Signal, WhatsApp, and Viber, which provide end-to-end encryption of personal messages.
Most popular secure messaging applications are usable because they hide many of the details of how encryption is provided. However, the strength of the security properties of these applications rests on the authentication ceremony, in which users validate the encryption keys being used. Unfortunately, recent studies show that most users do not know how to successfully complete this ceremony and are thus vulnerable to potential attacks. Any user who does not execute the authentication ceremony for a particular conversation is essentially trusting the application's servers to correctly distribute the encryption keys. This leaves users vulnerable to threats that can intercept communications.
We are studying methods to improve the usability of the authentication ceremony, so that it is easy for users to locate and complete the ceremony.
We are currently conducting a survey of Telegram users, with a focus on Iranians.
This project is supported by the National Science Foundation under Grant No. 1528022.
Any opinions, findings, and conclusions or recommendations expressed in this work are those of the author(s) and do not necessarily reflect the views of the sponsors.