
On 7/5/25 11:08 AM, Amir Herzberg wrote:
> Friends, I think we all agree we have a big problem here; and while Rich focused on email, I'm sure he and all of us know it's actually universal - SMS, social-networks, everywhere. Yes, part of the problem is due to the ease of registering misleading domains, along with other parts...
> But I beg to differ on one point. It seems that Rich, Alex and others think that the better solution is to educate users to understand domain names and be careful. Well, sorry, I don't believe in that. Some of my research was (and is) about usable security; it's really a critical component that does not receive as much attention as it should. But, basically, I think I can confidently say that attempting to teach users so that they notice the phishing domains is futile. But I do agree that the UI _is_ an important part of the problem. I simply think it should also be a big part of the solution.
Indeed. Part of the problem with email is that there isn't anything universal like the lock icon on browsers. Yes, we all know that the lock icon isn't a cure-all, but it does serve the purpose of letting users know that their web pages, etc., are not being shipped in clear text with no domain authentication. Email doesn't even have that. Thunderbird, which is what I use, has precisely *nothing* to say about DKIM/SPF/DMARC. It doesn't even exist to it. Some MUAs do things in their UIs, but from what I can tell it's nothing approaching some standard(s). IETF doesn't do UI stuff, and apparently the industry groups don't care or are politically wrapped around the axle, or whatever the cause of the dysfunction, but the net-net is that going from MUA to MUA to MUA, you get different experiences with the email authentication results. There is a Usenix paper <https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf> that dove into this, and it showed that UI improvements modestly help. If the indicators were more uniform and widely implemented, it would probably be even better. If there were an industry-wide effort to standardize this and especially uniform messaging about its meaning, it would probably approach the utility of the lock icon -- maybe even better than the lock icon, since its messaging was sort of muddled with words like "safe" and "secure" thrown around without enough context, especially since it came around when nobody actually knew what any of it meant except a few security geeks.
> We have developed a prototype of a UI-based defense against phishing, for both websites and emails, that actually can benefit from the deployment of DKIM/SPF/DMARC. The idea is simple; let me explain for email. We train the user to click on a button when they open an email which is - or they think it is - from a trusted sender. So, when they do, we can check (and here DKIM/SPF etc. are helpful!) if this is correct - and block the phishing attack if it isn't.
Do you have any visibility into, say, MAAWG and why they don't take this up as a standards effort? When we were developing DKIM, even though a UI component was out of scope for IETF, it didn't mean there was anything like consensus that it was also a bad idea. It's just not what IETF does. 20 years on, it's pretty depressing that it has either fallen through the cracks and nobody took it up, or it flamed out due to dysfunction, leaving it to be a mish-mash in MUAs, where nothing at all like Thunderbird is in the range of things that end users have to contend with.

Mike
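The check behind the "trusted sender" button described above, as an added example that is not part of the thread and not the prototype Amir describes: an MUA-side routine that reads the Authentication-Results header (RFC 8601) its own inbound MX stamped, decides whether the From domain is backed by an aligned DKIM, SPF or DMARC pass, and compares that with the sender the user says they trust. The authserv-id "mx.example.net", the function names and the three sample messages are constructed; the header syntax and the rule of trusting only the topmost header from your own ADMD are from RFC 8601.

```python
"""Trusted-sender check on Authentication-Results (RFC 8601).

Added example for this thread; not code from any participant or any MUA.
Sample messages, the authserv-id and the function names are constructed.
"""
import email
from email import policy
from email.utils import parseaddr
import re

# Assumed: the authserv-id our own inbound MX writes. A sender can attach a
# header claiming any id, but ours is prepended on arrival, so only the
# topmost header is believed (RFC 8601, section 7.1 discusses this forgery).
OUR_AUTHSERV_ID = "mx.example.net"


def parse_message(text):
    return email.message_from_string(text, policy=policy.default)


def from_domain(msg):
    """Lower-cased domain of the RFC5322.From address ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Parse one Authentication-Results value.

    Returns (authserv_id, [(method, result, {ptype.prop: value}), ...]).
    Parenthesised comments are stripped; values are assumed unquoted and
    free of ';' (enough for real-world headers from common MTAs).
    """
    value = re.sub(r"\([^()]*\)", "", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", []
    authserv_id = parts[0].split()[0].lower()
    results = []
    for resinfo in parts[1:]:
        tokens = resinfo.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if "." in key and val:          # ptype.property=value
                props[key.lower()] = val.strip('"').lower()
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def aligned(domain, authenticated):
    """Relaxed DMARC-style alignment: same domain or a parent of it."""
    return bool(authenticated) and (
        domain == authenticated or domain.endswith("." + authenticated))


def authenticated_from_domain(msg):
    """True if the topmost Authentication-Results header was written by our
    MX and carries an aligned dkim/spf pass or a dmarc pass for From."""
    dom = from_domain(msg)
    headers = msg.get_all("Authentication-Results", [])
    if not dom or not headers:
        return False
    authserv_id, results = parse_auth_results(str(headers[0]))
    if authserv_id != OUR_AUTHSERV_ID:
        return False
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "dmarc" and props.get("header.from") == dom:
            return True
        if method == "dkim" and aligned(dom, props.get("header.d", "")):
            return True
        if method == "spf":
            mfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
            if aligned(dom, mfrom):
                return True
    return False


def trusted_sender_click(msg, trusted_domain):
    """What runs when the user presses 'this is from <trusted_domain>'.

    Returns ("accept", reason) only if From really is that domain AND the
    message is authenticated as coming from it; otherwise ("block", reason).
    """
    dom = from_domain(msg)
    trusted_domain = trusted_domain.lower()
    if dom != trusted_domain:
        return "block", f"From domain {dom!r} is not {trusted_domain!r}"
    if not authenticated_from_domain(msg):
        return "block", f"{dom!r} not authenticated by {OUR_AUTHSERV_ID}"
    return "accept", f"{dom!r} authenticated"


# Constructed samples: genuine mail, a look-alike domain, and a sender that
# attached its own forged Authentication-Results below the real one.
GENUINE = """\
Authentication-Results: mx.example.net; dkim=pass (2048-bit key) header.d=bank.example header.i=@bank.example; spf=pass smtp.mailfrom=bank.example; dmarc=pass header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
Subject: Your statement

Statement attached.
"""
LOOKALIKE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=bank-example.com; spf=pass smtp.mailfrom=bank-example.com
From: "Bank Alerts" <alerts@bank-example.com>
Subject: Your statement

Click here.
"""
FORGED_AR = """\
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=bank.example; dmarc=fail header.from=bank.example
Authentication-Results: mx.example.net; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: alerts@bank.example
Subject: Your statement

Log in now.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                      ("forged A-R", FORGED_AR)):
        print(name, trusted_sender_click(parse_message(raw), "bank.example"))
```

The look-alike case is the one user education is supposed to catch: its DKIM and SPF results are a clean pass for bank-example.com, so an authentication indicator alone would look green; the block comes from comparing the From domain with the sender the user believes they are reading, which is exactly what the button supplies. The forged-header case shows why the MUA must anchor on the header its own MX prepended rather than on any header that carries a "pass".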