Enhancing usability using automated security interface adaptation (ASIA)

Zaaba, Zarul Fitri

January 2014

Many users are now significantly dependent upon computer application. Whilst many aspects are now used very successfully, an area in which usability difficulties continue to be encountered is in relation to security. Thus can become particularly acute in situations where users are required to interact and make decisions, and a key context here is typically when they need to respond to security warnings. The current implementation of security warnings can often be considered as an attempt to offer a one size fits all solution. However, it can be argued that many implementations are still lacking the ability to provide meaningful and effective warnings. As such, this research focuses upon achieving a better understanding of the elements that aid end-users in comprehending the warnings, the difficulties with the current approaches, and the resulting requirements in order to improve the design and implementation of such security dialogues. In the early stage of research, a survey was undertaken to investigate perceptions of security dialogues in practice, with a specific focus upon security warnings issued within web browsers. This provided empirical evidence of end-users’ experiences, and revealed notable difficulties in terms of their understanding and interpretation of the security interactions. Building upon this, the follow-up research investigated understanding of application level security warnings in wider contexts, looking firstly at users’ interpretation of what constitutes a security warning and then at their level of comprehension when related warnings occurred. These results confirmed the need to improve the dialogues so that the end-users are able to act appropriately, and consequently promoted the design and prototype implementation of a novel architecture to improve security warnings, which has been titled Automated Security Interface Adaptation (ASIA). The ASIA approach aims to improve security warnings by tailoring the interaction more closely to individual user needs. By automatically adapting the presentation to match each user’s understanding and preferences, security warnings can be modified in ways that enable users to better comprehend them, and thus make more informed security decisions and choices. A comparison of the ASIA-adapted interfaces compared to standard versions of warnings revealed that the modified versions were better understood. As such, the ASIA approach has significant potential to assist (and thereby protect) the end-user community in their future interactions with security.

005.8

security and usability ; usable security

Usability : low tech, high security / Utilisabilité : haute sécurité en basse technologie

Blanchard, Enka

21 June 2019

Cette thèse est consacrée au domaine de l’utilisabilité de la sécurité, en particulier dans le contexte de l’authentification en ligne et du vote vérifiable.Le rôle toujours plus important de nos identifiants en ligne, qu’ils soient utilisés pour accéder aux réseaux sociaux, aux services bancaires ou aux systèmes de vote, a débouché sur des solutions faisant plus de mal que de bien. Le problème n’est pas juste technique mais a une forte composante psycho-sociale, qui se révèle dans l’usage des mots de passe --- objet central d'étude de cette thèse. Les utilisateurs font quotidiennement face à des compromis, souvent inconscients, entre sécuriser leurs données et dépenser les ressources mentales limitées et déjà trop sollicitées. Des travaux récents ont montré que l'absence de règles communes, les contraintes ad-hoc si fréquentes et les recommandations contradictoires compliquent ce choix, mais ces recherches sont généralement ignorées, victimes d'une probable incompréhension entre chercheurs, développeurs et utilisateurs. Cette thèse vise à résoudre ces problèmes avec des solutions inspirées par la cryptographie, la psychologie, ainsi que sept études utilisateurs, afin d'obtenir des outils simplifiés non seulement pour l'utilisateur final mais aussi pour le développeur.La première partie des contributions se concentre sur le fournisseur de service, avec deux outils permettant d'améliorer l'expérience utilisateur sans effort de sa part. Nous commençons par une étude sur la facilité de transcription de différents types de codes, afin d'obtenir un design réduisant les erreurs tout en augmentant la vitesse de frappe. Nous montrons aussi comment accepter les fautes de frappe dans les mots de passe peut améliorer la sécurité, en offrant un protocole compatible avec les méthodes de hachage standard.La deuxième partie offre des outils directement aux utilisateurs, avec un gestionnaire de mot de passe mental qui ne nécessite que la mémorisation d'une phrase et d'un code PIN, avec des garanties sur la sécurité des mots de passe si certains sont compromis. Nous proposons aussi une méthode de création de phrase de passe à la fois plus facile et sécurisée, et terminons en montrant empiriquement des failles dans le principal modèle de calcul mental utilisé aujourd'hui dans le domaine.Enfin, nous nous consacrons aux nouveaux protocoles de vote, en commençant par les difficultés à les faire accepter en pratique. Nous répondons à une demande pour des systèmes non-électroniques en proposant plusieurs implémentations de vote vérifiable en papier, une panoplie de primitives et un protocole de vote pour les très petites élections. / This dissertation deals with the field of usable security, particularly in the contexts of online authentication and verifiable voting systems.The ever-expanding role of online accounts in our lives, from social networks to banking or online voting, has led to some initially counterproductive solutions. As recent research has shown, the problem is not just technical but has a very real psychosocial component. Password-based authentication, the subject of most of this thesis, is intrinsically linked to the unconscious mechanisms people use when interacting with security systems. Everyday, users face trade-offs between protecting their security and spending valuable mental resources, with a choice made harder by conflicting recommendations, a lack of standards, and the ad-hoc constraints still frequently encountered. Moreover, as recent results from usable security are often ignored, the problem might stem from a fundamental disconnect between the users, the developers and the researchers. We try to address those problems with solutions that are not only simplified for the user's sake but also for the developer's. To this end, we use tools from cryptography and psychology, and report on seven usability experiments.The first part of the contributions uses a service provider's point of view, with two tools to improve the end-user's experience without requiring their cooperation. We start by analysing how easily codes of different structures can be transcribed, with a proposal that reduces error rates while increasing speed. We then look at how servers can accept typos in passwords without changing the general hashing protocol, and how this could improve security. The second part focuses on end-users, starting by a proposed mental password manager that only depends on remembering only a single passphrase and PIN, with guarantees on the mutual security of generated passwords if some get stolen. We also provide a better way to create such passphrases. As mental computing models are central to expanding this field, we finish by empirically showing why the main model used today is not adapted to the purpose.In the third part, we focus on voting protocols, and investigate why changing the ones used in practice is an uphill battle. We try to answer a demand for simple paper-based systems by providing low-tech versions of the first paper-based verifiable voting scheme. To conclude, we propose a set of low-tech primitives combined in a protocol that allows usable verifiable voting with no electronic means in small elections.

Utilisabilité de la sécurité

Authentification

Protocoles de vote

Vote vérifiable

Usability of security

Authentication

Voting protocols

Passwords

Verifiable voting

Psychometrics

Online Banking Information Systems Acceptance: An Empirical Examination of System Characteristics and Web Security

Hussain Chandio, F., Irani, Zahir, Zeki, A.M., Shah, A., Shah, S.C.

31 October 2016

No / Prior work on the technology acceptance model (TAM) is mainly devoted to the influence of TAM’s core motivational factors and their impact on behavioral intent toward IS acceptance. Relatively little research has focused on what specific system design characteristics motivate individuals toward IS acceptance. This article identified specific systems design factors and examined their impact on TAM’s motivational factors through the TAM. The findings will help designers to design and implement better user-accepted systems.

Privacy and Security Enhancements for Tor

Arushi Arora (18414417)

21 April 2024

<p dir="ltr">Privacy serves as a crucial safeguard for personal autonomy and information, enabling control over personal data and space, fostering trust and security in society, and standing as a cornerstone of democracy by protecting against unwarranted interference. This work aims to enhance Tor, a volunteer-operated network providing privacy to over two million users, by improving its programmability, security, and user-friendliness to support wider adoption and underscore the importance of privacy in protecting individual rights in the digital age.</p><p dir="ltr">Addressing Tor's limitations in adapting to new services and threats, this thesis introduces programmable middleboxes, enabling users to execute complex functions on Tor routers to enhance anonymity, security, and performance. This architecture, called Bento, is designed to secure middleboxes from harmful functions and vice versa, making Tor more flexible and efficient.</p><p dir="ltr">Many of the attacks on Tor's anonymity occur when an adversary can intercept a user’s traffic; it is thus useful to limit how much of a user's traffic can enter potentially adversarial networks. We tackle the vulnerabilities of onion services to surveillance and censorship by proposing DeTor_OS, a Bento function enabling geographic avoidance for onion services- which is challenging since no one entity knows the full circuit between user and onion service, providing a method to circumvent adversarial regions and enhance user privacy.</p><p dir="ltr">The final part focuses on improving onion services' usability and security. Despite their importance, these services face high latency, Denial of Service (DoS) and deanonymization attacks due to their content. We introduce CenTor, a Content Delivery Network (CDN) for onion services using Bento, offering replication, load balancing, and content proximity benefits. Additionally, we enhance performance with multipath routing strategies through uTor, balancing performance and anonymity. We quantitatively analyze how geographical-awareness for an onion service CDN and its clients could impact a user’s anonymity- performance versus security tradeoff. Further, we evaluate CenTor on the live Tor network as well as large-scale Shadow simulations.</p><p dir="ltr">These contributions, requiring no changes to the Tor protocol, represent significant advancements in Tor's capabilities, performance, and defenses, demonstrating potential for immediate benefits to the Tor community.</p>

System and network security

Networking and communications

Privacy and data rights

tor

anonymity networks

privacy

usability and security

programmable networks

onion services

CDN

censorship

anonymity

NFV