DOI: 10.1145/3361331.3361332
Research article

Beware the downgrading of secure electronic mail

Published: 22 May 2020

Abstract

Researchers have investigated the usability challenges of end-to-end encryption for electronic mail, while users seem to place little value on the confidentiality of their mail. On the other hand, users should see value in protection against phishing. Designing mail apps so that they help users resist phishing attacks has received less attention. A well-known and widely implemented mechanism can be brought to bear on this problem: digital signatures. We investigated contemporary mail apps and found that they make limited use of digital signatures to help users detect phishing mail. We developed and studied an opinionated user interface design that steers users towards safe behaviors when confronted with phishing mail. In our study with 18 participants we found that the control group was phishable, whereas the experimental group remained safe.


Cited By

  • (2023) Checking, nudging or scoring? Evaluating e-mail user security tools. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, pages 57-76. DOI: 10.5555/3632186.3632190. Online publication date: 7 Aug 2023.
  • (2023) A Large-Scale Study of Device and Link Presentation in Email Phishing Susceptibility. Proceedings of the 35th Australian Computer-Human Interaction Conference, pages 78-85. DOI: 10.1145/3638380.3638434. Online publication date: 2 Dec 2023.
  • (2021) SoK. Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, pages 339-357. DOI: 10.5555/3563572.3563590. Online publication date: 9 Aug 2021.

Published In

STAST '18: Proceedings of the 8th Workshop on Socio-Technical Aspects in Security and Trust
December 2018, 62 pages
ISBN: 9781450372855
DOI: 10.1145/3361331
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. end-to-end-encryption
  2. phishing
  3. secure electronic mail

Qualifiers

  • Research-article

Funding Sources

  • BMBF

Conference

STAST 2018
