On 7/5/25 11:08 AM, Amir Herzberg wrote:
> Friends, I think we all agree we have a big problem here; and while
> Rich focused on email, I'm sure he and all of us know it's actually
> universal - SMS, social-networks, everywhere. Yes, part of the problem
> is due to the ease of registering misleading domains, along with other
> parts...
> But I beg to differ on one point. It seems that Rich, Alex and others
> think that the better solution is to educate users to understand
> domain names and be careful. Well, sorry, I don't believe in that.
> Some of my research was (and is) about usable security; it's really a
> critical component that does not receive as much attention as it
> should. But, basically, I think I can confidently say that attempting
> to teach users so that they notice the phishing domains is futile. But
> I do agree that the UI _is_ an important part of the problem. I simply
> think it should also be a big part of the solution.
Indeed. Part of the problem with email is that there isn't anything
universal like the lock icon on browsers. Yes, we all know that the lock
icon isn't a cure all, but it does serve the purpose of letting users
know that their web pages, etc, are not being shipped in clear text with
no domain authentication.
Email doesn't even have that. Thunderbird, which is what I use, has
precisely *nothing* to say about DKIM/SPF/DMARC. It doesn't even exist
to it. Some MUAs do things in their UIs, but from what I can tell
it's nothing approaching some standard(s). IETF doesn't do UI stuff, and
apparently the industry groups don't care or are politically wrapped
around the axle, or whatever the cause of the dysfunction, but the
net-net is that going from MUA to MUA to MUA, you get different
experiences with the email authentication results.
There is a Usenix paper
<https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf>
that dove into this, and it showed that UI improvements modestly help.
If the indicators were more uniform and widely implemented, it would
probably be even better.
If there were an industry-wide effort to standardize this and especially
uniform messaging about its meaning, it would probably approach the
utility of the lock icon -- maybe even better than the lock icon since
its messaging was sort of muddled with words like "safe" and "secure"
thrown around without enough context, especially since it came around
when nobody actually knew what any of it meant except a few security geeks.
> We have developed a prototype of a UI-based defense against phishing,
> for both websites and emails, that actually can benefit from the
> deployment of DKIM/SPF/DMARC. The idea is simple; let me explain
> for email. We train the user to click on a button when they open an
> email which is - or they think it is - from a trusted sender. So, when
> they do, we can check (and here DKIM/SPF etc. are helpful!) if this
> is correct - and block the phishing attack if it isn't.
Do you have any visibility into, say, MAAWG and why they don't take this
up as a standards effort? When we were developing DKIM, even though a UI
component was out of scope for IETF it didn't mean there was anything
like consensus that it was also a bad idea. It's just not what IETF
does. 20 years on, it's pretty depressing that it has either fallen
through the cracks and nobody took it up, or it flamed out due to
dysfunction, leaving it to be a mish-mash in MUAs, where nothing at all
like Thunderbird is in the range of things that end users have to
contend with.
Mike
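Amir's button-and-verify idea and Mike's complaint that MUAs surface nothing about DKIM/SPF/DMARC come down to the same check: when the reader says "I believe this is from my bank", compare the From domain with the domain the reader trusts and consult the Authentication-Results header that the receiving MTA stamped. The Python below is an added example written for this thread, not code from Amir's prototype or from any MUA. The domains, the authserv-id `mx.example.net`, and the three sample messages are constructed; the header parser is a simplified RFC 8601 reader (no comments or quoted strings).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message our own MTA (authserv-id "mx.example.net") marked as
# DMARC pass for the trusted domain. All addresses here are made up.
GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example header.s=sel1;
 dmarc=pass header.from=bank.example
From: Example Bank <alerts@bank.example>
To: user@example.net
Subject: Your statement is ready

Hello.
"""

# Constructed lookalike: the display name says "Example Bank", but the domain is a
# different one whose DMARC legitimately passes (its owner controls its own DNS).
LOOKALIKE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bank-example.test;
 dkim=pass header.d=bank-example.test header.s=x;
 dmarc=pass header.from=bank-example.test
From: Example Bank <alerts@bank-example.test>
To: user@example.net
Subject: Urgent: verify your account

Click here.
"""

# Constructed spoof: the real trusted domain in From, but authentication failed.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bank.example;
 dkim=none;
 dmarc=fail header.from=bank.example
From: Example Bank <alerts@bank.example>
To: user@example.net
Subject: Urgent: verify your account

Click here.
"""


def parse_authentication_results(value, expected_authserv_id):
    """Parse an Authentication-Results value into {method: (result, {prop: value})}.

    Returns None when the authserv-id is not ours: a header stamped by some other
    host (or injected by the sender) must not influence the verdict.
    """
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0].split()[0].lower() != expected_authserv_id.lower():
        return None
    results = {}
    for resinfo in parts[1:]:
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = (result.lower(), props)
    return results


def trusted_sender_check(raw_message, trusted_domain, authserv_id="mx.example.net"):
    """Verdict for the 'I think this is from <trusted_domain>' button.

    Returns ("allow", reason) only when the From domain is exactly the trusted
    domain AND our own MTA recorded dmarc=pass aligned with that domain.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != trusted_domain.lower():
        return ("block", f"From domain {from_domain!r} is not the trusted {trusted_domain!r}")
    ar = None
    for header in msg.get_all("Authentication-Results", []):
        ar = parse_authentication_results(header, authserv_id)
        if ar is not None:
            break
    if ar is None:
        return ("block", "no Authentication-Results stamped by our own mail server")
    dmarc_result, props = ar.get("dmarc", ("none", {}))
    if dmarc_result != "pass" or props.get("header.from") != from_domain:
        return ("block", f"DMARC result is {dmarc_result!r} for {from_domain!r}")
    return ("allow", f"DMARC pass for trusted domain {from_domain!r}")


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(label, trusted_sender_check(raw, "bank.example"))
```

Two design points matter here. The decision is driven by the domain the reader expects, never by the display name, which is why the lookalike case is blocked even though its own DMARC passes. And the verdict honours only an Authentication-Results header carrying our own MTA's authserv-id; a border MTA is supposed to strip foreign copies of that header, but an MUA that re-checks the authserv-id does not have to rely on that.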
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/3CM3YMGDRMADR72ZK4KY6KG4UAKYBEP3/