[Cryptography] bad advice, was New SSL/TLS certs

John Levine johnl at iecc.com
Tue Apr 22 10:12:03 EDT 2025


It appears that Kent Borg <kentborg at borg.org> said:
>On 4/21/25 7:15 PM, John Levine wrote:
>> No, that's not the reason. Endless failures have told us that trying
>> to train users just does not work.
>
>We have never tried.

I'm sorry, but that is not even within hailing distance of being true.

I agree with all of your points that much of the training is poor, and big
companies often run their systems in foolish ways that are even to our skilled
eyes indistinguishable from phishes.

If your point is that companies should stop doing dumb things that make it
easy to phish them, well, of course, but good luck with that.  I've gone
to conferences and talked to bank security people who just sigh deeply.  They
know what the bank should do, but they can't make the bank do it.

R's,
John

PS: For anyone interested in this topic, the Usenix SOUPS conferences have
been going on since 2005 and have a lot of relevant papers.  The recent ones
are open access, older ones at the ACM.