On 1/5/2021 11:34 AM, Michael Thomas wrote:
> On 1/5/21 11:22 AM, Dave Crocker wrote:
>> From: header field rewriting demonstrates that DMARC is, indeed,
>> trivial to defeat (or rather, to route around). Also, receiver
>> filtering engines are all that matter. Real-time actions by
>> recipients are demonstrably irrelevant to DMARC (and all other
>> anti-abuse) utility.
>
> That's not the conclusion of the paper that Doug Foster linked to the
> other day.
1. I've looked back over his postings to this mailing list and am not
finding the link you refer to. Please post it (again).

2. A single study is unlikely to be definitive about much of anything.

3. Especially when it counters years of experience, including the Web EV
experiment:

https://en.wikipedia.org/wiki/Extended_Validation_Certificate

   Effectiveness against phishing attacks with IE7 security UI

   In 2006, researchers at Stanford University
   <https://en.wikipedia.org/wiki/Stanford_University> and Microsoft
   Research <https://en.wikipedia.org/wiki/Microsoft_Research> conducted
   a usability study of the EV display in Internet Explorer 7
   <https://en.wikipedia.org/wiki/Internet_Explorer_7>. Their paper
   concluded that "participants who received no training in browser
   security features did not notice the extended validation indicator and
   did not outperform the control group", whereas "participants who were
   asked to read the Internet Explorer help file were more likely to
   classify both real and fake sites as legitimate".
> When I first came back and saw the From rewriting I was very confused
> by what it was until I figured out what was going on.

You think you are representative of end users? Try again.
d/
--
Dave Crocker
[email protected]
408.329.0791
Volunteer, Silicon Valley Chapter
American Red Cross
[email protected]
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc