How can developers deal with public-key certificates and OpenSSL?
There have been many studies exposing the poor usability of security software for the common end user. However, only a few inspect the usability challenges faced by more knowledgeable users, e.g., developers. We conducted our first experiment to empirically assess the usability of the command-line interface of OpenSSL, a well-known and widely used cryptographic library. Based on the results, we try to propose specific improvements that would encourage more secure behavior. Based on the overall results, we deem the OpenSSL usability insufficient according to both user opinions and standardized measures. Moreover, the perceived usability seems to be correlated with previous experience and the resources used. There was a great disproportion between the participants' views of successful task accomplishment and the reality. A general dissatisfaction with both the OpenSSL interface and its manual page was shared among the majority of the participants. As hinted by a participant, OpenSSL gradually “turned into a complicated set of sharp kitchen knives” – it can perform various jobs very well, but laymen risk stabbing themselves in the process.
In a follow-up study, we investigated certificate validation errors, observing 75 people as they investigated, comprehended and assessed different certificate validation errors. Furthermore, we focused on the influence of re-worded error messages and redesigned documentation. We find that IT professionals have nuanced (and mostly correct) opinions regarding the tested certificate flaws. However, they seem to overly trust the self-signed and the name-constrained certificates (the latter also being poorly understood). The redesigned error messages and documentation helped to increase comprehension in the name constraints case and to lower the perceived trust in the self-signed certificate. Links to documentation provided directly in the re-worded error messages were frequently followed, pointing to a good and cost-effective design opportunity to lead IT professionals to a trusted, unified documentation source.
Vašek Matyáš
Václav (Vashek) Matyáš is a Professor at Masaryk University, Brno, CZ, acting as the Vice-Dean for Industrial and Alumni Relations at the Faculty of Informatics. His research interests are related to applied cryptography and security; he has published well over 150 peer-reviewed papers and articles and has co-authored several books. He worked in the past with Red Hat Czech, CyLab at Carnegie Mellon University, as a Fulbright-Masaryk Visiting Scholar at the Center for Research on Computation and Society of Harvard University, Microsoft Research Cambridge, University College Dublin, Ubilab at UBS AG, and as a Royal Society Postdoctoral Fellow with the Cambridge University Computer Lab. Vashek also worked on the Common Criteria and in ISO/IEC JTC1 SC27.