[Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software
Henry Baker
hbaker1 at pipeline.com
Sat Oct 4 15:05:24 EDT 2025
-----Original Message-----
From: John Levine <johnl at iecc.com>
Sent: Oct 4, 2025 11:26 AM
To: <cryptography at metzdowd.com>
Cc: <hbaker1 at pipeline.com>
Subject: Re: [Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software
It appears that Henry Baker said:
>Here's an example of a standard email address:
>
>"Bank of America" <nigerianprince at fraud.com>
>
>Guess what name Apple Mail shows you? [A: "Bank of America", the so-called "Display Name"]
>
>Guess how hard it is for a non-wizard to see the "nigerianprince at fraud.com" part on an Apple product ?
>
>Thanks, Apple, for protecting our loved ones from the ugliness of email addresses, while exposing them to the far-larger problems of
>fraud and spam.
Showing people security indicators and expecting them to make security decisions
doesn't work. There's endless practical evidence and lots of academic studies.*
This isn't because people are stupid. It's because the world is complicated,
figuring out what the indicators mean is hard, and it's not worth the effort.
For example, let's say you have a credit card at Bank of America, and you get
two email messages from:
CARDSERVICE at APPLYONLINENOW.COM
SECURITY at BANK-AMERICA.COM
Which one is really Bank of America? Unless you are the sort of person who does
RDAP lookups for fun, it's unlikely you'd know the first domain is BofA and the
second is not.
That's also why there are no more "green bar" SSL certificates -- nobody knew
what they meant, and good luck explaining exactly where in the window a green
bar meant secure and where it was just part of the phish page.
Can we put this bad idea to bed, please? The way to keep people from being
phished is not to deliver the phish in the first place, not to dangle it in
front of them and say here is a message (or web page or whatever) and here is
where not to click. Sometimes the warnings are wrong, people click anyway.
R's,
John
* - For example, here's a paper from 2007, "The Emperor's New Security Indicators:
An evaluation of website authentication and the effect of role playing on usability
studies"
https://stuartschechter.org/papers/emperor.pdf
----
Lemme see; we've spent 3 decades trying to set up a cryptographically secure DNS
to make sure that www.bankofamerica.com resolves to an actual instance of a BOA
server, and our browsers attempt to assure us of this with various signals. Of course,
people still don't check the URLs, but the (almost non-existent) competitive browser
world has tried hard to make this work.
So, given the trivially (by a 5th grader!) spoofed "Display Name" from an email address
(no crypto in sight), and the "fraud.com" domain name (which can be crypto checked),
why does Apple Mail choose to show the trivially spoofed name and hide the crypto
checked name ???
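Henry's question is about which part of the From: header a client surfaces. As an added example that is not part of the thread, here is a small Python parser that separates the unauthenticated display name from the addr-spec whose domain DKIM/DMARC can vouch for, and flags the display-name tricks a name-only view hides. The sample headers are constructed, and the parser is deliberately simplified (no groups or comments).

```python
"""Added example (not from the thread): pull apart an RFC 5322 From:
header into the display name (free text, never authenticated) and the
addr-spec whose domain DKIM/DMARC can actually vouch for, then flag the
display-name tricks a client that shows only the name would hide."""
import re
from email.header import decode_header, make_header

# Constructed sample headers, not real senders. The first is the one
# Henry Baker describes; the rest are common variations of the trick.
SAMPLE_FROM_HEADERS = [
    '"Bank of America" <nigerianprince@fraud.com>',
    'security@bankofamerica.com <alerts@bank-america.com>',
    '=?utf-8?q?Bank_of_America?= <no-reply@applyonlinenow.com>',
    'nigerianprince@fraud.com',
]

ANGLE_ADDR = re.compile(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$')
ADDR_LIKE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+', re.I)

def split_from(header):
    """Return (display_name, addr_spec, domain). Simplified parser:
    decodes RFC 2047 encoded words, then accepts either the
    'name <addr>' form or a bare addr-spec (no groups, no comments)."""
    decoded = str(make_header(decode_header(header)))
    m = ANGLE_ADDR.match(decoded)
    if m:
        name, addr = m.group('name').strip('"'), m.group('addr')
    else:
        name, addr = '', decoded.strip()
    domain = addr.rpartition('@')[2].lower()
    return name, addr, domain

def display_name_findings(header):
    """Checks a receiving system can run on the part the client shows.
    An address inside the display name that differs from the real
    addr-spec is the classic 'looks like the bank' trick."""
    name, addr, _domain = split_from(header)
    findings = []
    if not name:
        return findings
    m = ADDR_LIKE.search(name)
    if m and m.group(0).lower() != addr.lower():
        findings.append('address in display name differs from sender')
    return findings

def render_for_user(header):
    """What a client should show instead of the bare display name:
    the addr-spec domain, which is the identifier DMARC aligns on."""
    name, addr, domain = split_from(header)
    return f'{name} via {domain}' if name else addr
```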