Friends, I think we all agree we have a big problem here; and while Rich focused on email, I'm sure he and all of us know it's actually universal - SMS, social-networks, everywhere. Yes, part of the problem is due to the ease of registering misleading domain, along with other parts... But I beg to differ on one point. It seems that Rich, Alex and others think that the better solution is to educate users to understand domain names and be careful. Well, sorry, I don't believe in that. Some of my research was (and is) about usable security; it's really a critical component that does not receive as much attention as it should. But, basically, I think I can confidently say that attempting to teach users so that they notice the phishing domains is futile. But I do agree that the UI _is_ an important part of the problem. I simply think is should also be a big part of the solution. We have developed a prototype of a UI-based defense against phishing, for both websites and emails, that actually can benefit from the deployment of DKIM/SPF/DMARC. The idea is simple; let me explain for email. We train the user to click on a button when they open an email which is - or they think it is - from a trusted sender. So, when they do, we can check (and here DKIM/SPF etc. are helpful !) if this is correct - and block the phishing attack if it isn't. We should do some usability experiments soon, and hopefully publish, but I thought the idea is simple enough that some of you may find it interesting, and maybe provide some useful feedback. Obviously, if interested, ask me and I'll send the results/ppr when done. Or if someone wants to actually help... best, Amir Herzberg Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut Homepage: https://sites.google.com/site/amirherzberg/home Textbook (Applied Introduction to Cryptography and Cybersecurity): https://sites.google.com/site/amirherzberg/crypto-cyber-book On Thu, Jul 3, 2025 at 9:25 PM Michael Thomas via NANOG < nanog@lists.nanog.org> wrote:
On 7/3/25 6:16 PM, Alex Buie wrote:
On Thu, Jul 3, 2025 at 8:12 PM Michael Thomas via NANOG <nanog@lists.nanog.org> wrote:
. >> So by all means, let's get rid of TLS as well. ::eyeroll:: >> >> Mike >> >> > I'm not saying to get rid of any of these things. I'm just saying expecting > them to replace user training in critical thinking is foolish, and overall, > the point Rich made makes sense. If you tell people "as long as you check > these things you can trust it" they are way more likely to believe > something unbelievable if it has all those "you can trust me"
flags.
Good thing nobody thought that it's a substitute. Making incremental improvements don't have to be viewed as, uh, cure-alls. That would be, uh, foolish.
Mike
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/4FPNUYKZ...
I agree with you they are not a substitute and that is foolish. There are many who come to say they have the one and final true solution to spam and email auth though. My argument is anything purporting to do so is attempting to critically think for the user.
While the incremental improvement to auth is good, one could argue the user experience implementing is not, as I think Rich is saying, and I agree. We are training people to only check for and believe the machine signal which can sometimes be “truthfully false” as in the case of email credential compromise and trademark impersonation.
The idea is to train people that something might be wrong. Not that something is right. He's wrong if he thinks that is what the intent was. That would be bad read of history.
Mike _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/7UWD2DOB...