Reading Codebreakers, I came across a section on American cryptography during WWI. The production of codebooks was both secure and efficient, but the front line was a different story. According to Kahn, no other army could match the Americans’ frustration when it came to actually using the damn things. One general even commanded his division not to use the codes at all before or during crucial operations! This is better than sending messages improperly encoded, or re-sending those messages in the clear after the fact, but it’s still incredibly reckless.
User experience is not a new concept. Luckily, we live in an age where UX has come to the forefront of app development concerns, teaching more people than ever about the necessity of designing something that’s not just easy, but simple for actual people to actually use.
Despite this, we have APIs like OpenSSL, which allow you to do insanely stupid things like using ECB mode, which is no better than a simple codebook, or CBC mode with a null IV, which will encrypt the same plaintext/key combo the same way, every time. Then we have GPG, which makes encrypting emails about as easy as pulling your own teeth.
I get why this is the case: developers want to give their users options. They want to make the tool as widely usable as possible. But it’s like Kurt Vonnegut said, “if you open a window and make love to the world, your story will get pneumonia”. He was talking about writing, but the same applies to the UX of your software. If you try to be everything to everyone, you’ll end up being nothing to no one.
So how do we create simple systems? Easy: put your system in front of regular folks, and listen to what they say. Put your app in front of someone who has no idea what it does, and see how they use it. Again, this isn’t a new concept. Cryptanalysis has a similar dictum: only real-world experience will prove (or disprove) the security of your system. No amount of theoretical hand-waving will do this for you. If your user has to worry about key sizes and verifying signatures manually (I’m looking at you, GPG), you’ve already lost.
Signal does an excellent job of simply securing communications, without making the user worry about details that are insignificant to them (but crucial to actual security). I’m not saying the problem is easy to solve. But I am saying it’s tractable.