On Sat 26/Sep/2020 05:03:51 +0200 Dave Crocker wrote:
> On 9/25/2020 4:21 PM, Scott Kitterman wrote:
> 
> Well, ok, here's one that shows lack of efficacy, and it's a big one: EV-certs
> 
> /Google to bury indicator for Extended Validation certs in Chrome because users barely took notice/
> 
> https://www.theregister.com/2019/08/12/google_chrome_extended_validation_certificates/
> 
> "The reason is simple. "Through our own research as well as a survey of prior 
> academic work, the Chrome Security UX team has determined that the EV UI does 
> not protect users as intended... users do not appear to make secure choice..."


A pointer to a better aimed report circulated on this list:
*End-to-End Measurements of Email Spoofing Attacks*
https://www.usenix.org/conference/usenixsecurity18/presentation/hu

They say:

    Our phishing experiment shows that security indicators
    have a positive impact on reducing risky user actions,
    but cannot eliminate the risk.


>> If this is just an input into an algorithm, then your assertion that you are
>> only providing another input is supportable, but that's contrary to the DMARC
>> design.
> 
> Perhaps you have not noticed but the demonstrated field use of DMARC, to date,
> tends to be contrary to the design, to the extent anyone thinks that the design
> carries a mandate that receivers follow the directives of the domain owners.


Some organizations are very careful at setting DMARC policies.  Paypal is a 
classic example, as they don't allow protected transactional domains to be 
casually used by humans.  Such organizations need to be able to explicitly opt 
out of the Sender experiment.  Other organizations may want to opt in, possibly 
allowing a limited class of mediators.

The real-world bond is something along the lines of /I tell you how to discard 
phishing, how you protect your users is up to you/.  Some receivers focus more 
on MTA filtering, others focus on security indicators.  Both actions depend on 
the DMARC policy published at the From: domain.  If the From: domain 
participates in the Sender experiment, then the policy at Sender: may be 
relevant as well.


Best
Ale
-- 
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc