26.1. Usability for Others Impacts Your Security

While security software is the product of developers, the security it provides is a collaboration between developers and users. It's not enough to make software that can be used securely; software that is hard to use often suffers in its security as a result. For example, suppose there are two popular mail encryption programs: HeavyCrypto, which is more secure (when used correctly), and LightCrypto, which is easier to use. Suppose you can use either one, or both. Which should you choose? You might decide to use HeavyCrypto because it protects your secrets better. But if you do, it's likelier that when your friends send you confidential email, they'll make a mistake and encrypt it badly or not at all. With LightCrypto, you can at least be more certain that all your friends' correspondence with you will get some protection. What if you use both programs? If your tech-savvy friends use HeavyCrypto and your less sophisticated friends use LightCrypto, then everybody will get as much protection as they can. But can all your friends really judge how able they are? If not, then by supporting a less usable option, you've made it more likely that your nonsavvy friends will shoot themselves in the foot.

The crucial insight here is that for email encryption, security is a collaboration between multiple people: both the sender and the receiver of a secret email must work together to protect its confidentiality. Thus, in order to protect your own security, you need to make sure that the system you use is usable not only by yourself, but also by the other participants. This observation doesn't mean that it's always better to choose usability over security, of course; if a system doesn't address your threat model, no amount of usability can make it secure. But conversely, if the people who need to use a system can't or won't use it correctly, its ideal security properties are irrelevant.
Hard-to-use programs and protocols can hurt security in many ways: