[Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software
John Levine
johnl at iecc.com
Sat Oct 4 14:25:53 EDT 2025
It appears that Henry Baker <hbaker1 at pipeline.com> said:
>Here's an example of a standard email address:
>
>"Bank of America" <nigerianprince at fraud.com>
>
>Guess what name Apple Mail shows you? [A: "Bank of America", the so-called "Display Name"]
>
>Guess how hard it is for a non-wizard to see the "nigerianprince at fraud.com" part on an Apple product?
>
>Thanks, Apple, for protecting our loved ones from the ugliness of email addresses, while exposing them to the far-larger problems of
>fraud and spam.
Showing people security indicators and expecting them to make security decisions
doesn't work. There's endless practical evidence and lots of academic studies.*
This isn't because people are stupid. It's because the world is complicated,
figuring out what the indicators mean is hard, and it's not worth the effort.
For example, let's say you have a credit card at Bank of America, and you get
two email messages from:
CARDSERVICE at APPLYONLINENOW.COM
SECURITY at BANK-AMERICA.COM
Which one is really Bank of America? Unless you are the sort of person who does
RDAP lookups for fun, it's unlikely you'd know the first domain is BofA and the
second is not.
That's also why there are no more "green bar" SSL certificates -- nobody knew
what they meant, and good luck explaining exactly where in the window a green
bar meant secure and where it was just part of the phish page.
Can we put this bad idea to bed, please? The way to keep people from being
phished is not to deliver the phish in the first place, not to dangle it in
front of them and say here is a message (or web page or whatever) and here is
where not to click. Sometimes the warnings are wrong, people click anyway.
R's,
John
* - For example, here's a paper from 2007, "The Emperor's New Security Indicators:
An evaluation of website authentication and the effect of role playing on usability
studies"
https://stuartschechter.org/papers/emperor.pdf
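The post's position is that the filter, not the reader, should make this call. As an added example (not code from the post or from any mail client), here is the shape of such a check run over the post's three From: headers and two constructed extras. The brand-to-domain allowlist is an assumption of the example (the post does say applyonlinenow.com is BofA's; bankofamerica.com is assumed), the edit-distance threshold of 2 is a chosen parameter, and the sample headers use a real "@" rather than the list archive's " at ".

```python
import re
from email.utils import parseaddr

# Constructed allowlist for the example: brand -> domains it really sends from.
# applyonlinenow.com is stated in the post; bankofamerica.com is assumed here.
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com", "applyonlinenow.com"},
}

def parse_from(header):
    """Split a From: header into (display name, lowercased domain of the real address)."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip(), domain

def _squash(s):
    """Lowercase and keep only letters/digits: 'Bank-America' -> 'bankamerica'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_from(header):
    """Return 'ok', 'display-name-spoof', 'lookalike-domain' or 'unknown'.

    Nothing here is shown to the recipient: this is the decision a receiving
    filter makes so the message is quarantined rather than delivered with a
    plausible display name sitting on top of an unrelated address.
    """
    name, domain = parse_from(header)
    if not domain:
        return "unknown"
    label = domain.split(".")[0]  # 'bank-america.com' -> 'bank-america'
    for brand, legit in BRAND_DOMAINS.items():
        if domain in legit:
            return "ok"
        # Display name claims the brand (a bare name, or a name that itself
        # looks like a brand address) while the real address is elsewhere.
        if _squash(brand) in _squash(name):
            return "display-name-spoof"
        # Registrable label within a couple of edits of a legitimate one.
        for d in legit:
            if _edit_distance(_squash(label), _squash(d.split(".")[0])) <= 2:
                return "lookalike-domain"
    return "unknown"

if __name__ == "__main__":
    samples = [  # constructed headers for the demonstration
        '"Bank of America" <nigerianprince@fraud.com>',
        "CARDSERVICE@APPLYONLINENOW.COM",
        "SECURITY@BANK-AMERICA.COM",
        '"security@bankofamerica.com" <alerts@example.net>',
        "Alice <alice@example.org>",
    ]
    for s in samples:
        print(f"{classify_from(s):20} {s}")
```

The second constructed header shows the variant where the display name is itself written to look like an address; squashing both sides before comparing is what makes the brand match regardless of spacing, case or punctuation.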