Bridging the Gap Between Usable Security Research and Open-Source Practice - Lessons From a Long-Term Engagement With VeraCrypt

Abstract

VeraCrypt is a freely available open-source encryption tool popular with tech-savvy users. In a 4-year effort to improve VeraCrypt’s usability to reach less tech-savvy users, we conducted 3 user studies (N=77) and found that participants struggled to successfully encrypt their devices with VeraCrypt. We iteratively redesigned the UI and instructions and suggested significant usability improvements to the VeraCrypt community. Since 7 professional developers struggled to compile the project, we created a step-by-step compilation guide and contributed 5 pull requests for bug fixes and interface improvements. However, our efforts to translate academic findings into practical applications were unsuccessful. In this work, we explore why our usability improvements failed. Due to code complexity and a lack of transparency, the OS community was concerned our changes could undermine security. Based on our findings, we provide recommendations for researchers collaborating with open-source communities.