“A nearly impenetrable thicket of geekitude…”

"Responsible Behaviour" Revisited

It has been more than a decade since I wrote Responsible Behaviour, in which I mused about how many Wikipedia articles the man on the Clapham omnibus would need to read to understand a particular cryptography-related joke. I saw this, in part, as a proxy for whether cryptography was becoming mainstream. I ended with:

Do you agree? More interestingly, what do you think the answer will be in ten years?

To answer my own question, things have in many ways not moved forwards at all in the last ten years:

  • There’s no question that the MOTCO rating of the joke in question is still at least four.

  • I’m still one of the few people I know who regularly signs e-mail to build trust and ultimately prevent spoofing.

  • Mail systems still frequently break when I do. Specifically, there is still a tendency to alter the message body to add helpful corporate branding or “we have scanned this message” boilerplate and thus corrupt the signed text. Anyone receiving mail through such systems is being taught that signature validation failures are normal events.

  • Almost no-one ever uses encrypted e-mail. PGP/GPG is still as user-hostile as ever, “web of trust” is too hard for non-zealots, and S/MIME certificates are still painful to acquire.

  • This is true even amongst members of the security community. In a recent security incident simulation, for example:

It became apparent that a secure messaging system was required. Those attempting to send encrypted, or even signed, emails experienced significant delays to communication.

I think it’s safe to say, then, that cryptography — at least in the context of e-mail — is no closer to the mainstream now than it was a decade ago.

In some ways, of course, the focus of the celebrated rider of the Clapham omnibus has moved from e-mail to chat applications. I don’t think the situation is any better there, and it’s arguably worse due to the lack of standardisation. I’m also sure that the average layperson’s understanding of cryptography in this area hasn’t progressed since Responsible Behaviour.

It would be nice to be able to think that we’ve moved past the point where a user of cryptography — say, someone sending a private message — needs an understanding of cryptography in the way that, for example, a user of PGP/GPG needs to understand the web of trust. It should “just work,” right?

I don’t think so. With e-mail, we’re pretty much there (except for the previously mentioned difficulty of getting yourself set up with S/MIME) because of standardisation. With chat, there is no standardisation outside XMPP and the dozens of chat applications in common use don’t interoperate. The lack of standardisation at the protocol level allows many products to use proprietary snake oil rather than peer-reviewed cryptography, and even an expert can find it difficult to know whether applications are actually secure in this environment. I’d argue that a layperson therefore needs to understand more about cryptography to make good choices now than they did ten years ago in the e-mail domain.

Is this situation going to improve in the next ten years? I don’t have any real expectation that it will — unless we can standardise, and for now there doesn’t seem to be an incentive for application developers to do that.