Human Aspects in Secure Messaging

dc.contributor.advisor: Smith, Matthew
dc.contributor.author: Dechand, Sergej
dc.date.accessioned: 2025-06-05T13:00:06Z
dc.date.available: 2025-06-05T13:00:06Z
dc.date.issued: 05.06.2025
dc.identifier.uri: https://hdl.handle.net/20.500.11811/13121
dc.description.abstract: The widespread adoption of digital communication demands robust security and privacy protections, particularly through secure messaging systems that can protect personal and sensitive information. Despite advancements in end-to-end security, encryption, and anonymity, significant gaps remain in usability and user trust, limiting widespread adoption. This cumulative dissertation examines the human aspects of secure messaging systems through four peer-reviewed studies, addressing fundamental challenges in usability, trust establishment, and practical implementations.
Diverse methodological approaches drive the research, including systematic protocol analysis with a focus on human aspects, large-scale empirical studies, and qualitative investigations, alongside the proposal and evaluation of improved technical implementations. First, a comprehensive systematization of knowledge establishes a unified framework for evaluating secure messaging protocols and “in-the-wild” tools, investigating critical gaps in current approaches. Second, an empirical study with 1047 participants examines fingerprint representation approaches for trust establishment. Third, qualitative research explores potential misconceptions in user mental models and trust for end-to-end security in general. Finally, a novel hardware-based approach utilizing NFC-enabled wearables demonstrates practical solutions for simplifying cryptographic key management while maintaining security.
Key findings indicate that (1) trust establishment remains the cornerstone of secure messaging, as it requires user interaction and underpins the entire set of security guarantees; failure in this area compromises the system entirely; (2) traditional hex-based fingerprint representations significantly underperform in both attack detection and perceived usability compared to the proposed sentence-based representation, with numeric representations, as commonly used outside cryptographic contexts, also proving more effective; (3) users mistrust messaging platforms and security features in general and substantially overestimate attackers while underestimating cryptographic capabilities; and (4) less invasive security mechanisms, such as those using wearables, show promise for broader adoption. The findings align with current developments in secure messaging applications, where similar verification approaches are used.
This work advances the field of usable security by bridging theoretical understanding with practical implementation, contributing to the development of more effective and accessible secure communication systems. The findings provide guidance for designing next-generation secure messaging solutions that balance robust security with user needs and capabilities.
en
dc.language.iso: eng
dc.rights: In Copyright
dc.rights.uri: http://rightsstatements.org/vocab/InC/1.0/
dc.subject: secure messaging
dc.subject: usable security
dc.subject.ddc: 004 Computer science
dc.title: Human Aspects in Secure Messaging
dc.type: Dissertation or Habilitation
dc.publisher.name: Universitäts- und Landesbibliothek Bonn
dc.publisher.location: Bonn
dc.rights.accessRights: openAccess
dc.identifier.urn: https://nbn-resolving.org/urn:nbn:de:hbz:5-82661
dc.relation.doi: https://doi.org/10.1109/EuroSP.2019.00037
dc.relation.doi: https://doi.org/10.1109/SP.2015.22
dc.relation.doi: https://doi.org/10.1145/3130964
dc.relation.url: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/dechand
ulbbn.pubtype: First publication
ulbbnediss.affiliation.name: Rheinische Friedrich-Wilhelms-Universität Bonn
ulbbnediss.affiliation.location: Bonn
ulbbnediss.thesis.level: Dissertation
ulbbnediss.dissID: 8266
ulbbnediss.date.accepted: 29.04.2025
ulbbnediss.dissNotes.extern: In reference to IEEE copyrighted material which is used with permission in this thesis, the IEEE does not endorse any of University of Bonn's products or services. Internal or personal use of this material is permitted. If interested in reprinting/republishing IEEE copyrighted material for advertising or promotional purposes or for creating new collective works for resale or redistribution, please go to http://www.ieee.org/publications_standards/publications/rights/rights_link.html to learn how to obtain a License from RightsLink.
ulbbnediss.institute: Mathematisch-Naturwissenschaftliche Fakultät : Fachgruppe Informatik / Institut für Informatik
ulbbnediss.fakultaet: Mathematisch-Naturwissenschaftliche Fakultät
dc.contributor.coReferee: Meier, Michael
ulbbnediss.contributor.orcid: https://orcid.org/0009-0005-1376-2631

