[Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software

Henry Baker hbaker1 at pipeline.com
Sun Oct 5 00:26:32 EDT 2025


-----Original Message-----
From: John Levine <johnl at iecc.com>
Sent: Oct 4, 2025 4:48 PM
To: <cryptography at metzdowd.com>
Cc: <hbaker1 at pipeline.com>
Subject: Re: [Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software

It appears that Henry Baker said:
I said:
>>Showing people security indicators and expecting them to make security decisions
>>doesn't work. There's endless practical evidence and lots of academic studies.*

>So, given the trivially (by a 5th grader!) spoofed "Display Name" from an email address
>(no crypto in sight), and the "fraud.com" domain name (which can be crypto checked),
>why does Apple Mail choose to show the trivially spoofed name and hide the crypto
>checked name ???

Um, what I said in the bit of the message you quoted above. If you think that
showing people the header e-mail address will keep them from being phished,
experience says you're wrong.

Also, having wasted far too much time screwing around with DKIM, DMARC, SPF,
ARC, and related acronyms, I can tell you that even if the header address were a
reliable way to tell whether a message is malicious, which it is not, sometimes
the address is crypto checked, sometimes it isn't, and it is not easy to tell
whether it was.

It would be nice if email were simple but it most definitely is not.

R's,
John

PS:

>Lemme see; we've spent 3 decades trying to set up a cryptographically secure DNS
> to make sure that www.bankofamerica.com resolves to an actual instance of a BOA
> server, ...

No, it just ensures that the server is under the same control as the bankofamerica.com domain
name. As I said in another part of the message you quoted, you can't tell by looking at a
domain name who owns it. You can guess, sometimes you guess right, sometimes you don't.

Thirty years ago the people who signed SSL certificates tried to check who owned domain names;
for my first cert I had to fax someone a copy of my business license. That didn't work either,
these days it's just automated ACME checks.

----
Cory Doctorow came up with the brilliant term: "enshitification":

https://doflo.com/blog/what-is-enshitification-and-can-we-stop-it

https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys

Apple has "enshitified" email, because they don't want Apple users talking to anyone
outside their "walled gardenXXXXXXprison" -- just look at their blue v. green "bubbles"
on text messages.

https://support.apple.com/en-us/105087
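The thread turns on two separable facts: the display name in a From: header is free text with no cryptographic binding at all, while the addr-spec domain can be checked against DKIM/SPF results, and even then a pass only proves the sender controls that domain, not who they are. The following is an added example, not part of the mailing-list thread or any product mentioned in it, showing how a mail client or filter could keep those facts apart: it splits the display name from the address, flags a display name that carries a different address (the "5th grader" trick), and reads DKIM results out of an Authentication-Results header to decide whether the From domain was actually verified or simply never checked. All headers are constructed; the organizational-domain logic is a deliberate simplification (real DMARC uses the Public Suffix List), and the Authentication-Results header is assumed to have been written by your own receiving MX, since copies arriving from upstream can be forged and should be stripped.

```python
"""Added example: separate what a From: header proves from what it merely shows.

Not code from the cryptography list or from Apple; headers below are constructed.
"""
import re
from email.utils import parseaddr


def split_from(from_header):
    """Return (display_name, addr_spec, domain).

    The display name is arbitrary text and carries no cryptographic meaning.
    Only the domain of the addr_spec can be compared against DKIM/SPF results.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def display_name_lookalike(from_header):
    """True when the display name itself contains an address whose domain
    differs from the real addr-spec, e.g. "support@bank.example" <x@fraud.example>.
    Purely a heuristic; a display name with no address at all is not flagged."""
    name, _, domain = split_from(from_header)
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    return bool(m) and m.group(1).lower() != domain


def dkim_signing_domains(auth_results):
    """Collect header.d= values from dkim=pass clauses of an
    Authentication-Results header (RFC 8601 layout: authserv-id; method=result ...).
    The header is assumed to come from our own trusted MX."""
    found = set()
    for clause in auth_results.split(";")[1:]:
        clause = clause.strip()
        if clause.lower().startswith("dkim=pass"):
            m = re.search(r"header\.d=([A-Za-z0-9.-]+)", clause)
            if m:
                found.add(m.group(1).lower())
    return found


def org_domain(domain):
    """Simplified organizational domain: last two labels. Assumption for
    illustration only; DMARC proper consults the Public Suffix List, so
    this mislabels names such as example.co.uk."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def classify(from_header, auth_results=None):
    """Return one of:
      'no-address'  - no usable addr-spec in From:
      'unverified'  - no authentication results at all (cannot tell if checked)
      'aligned'     - a DKIM pass whose signing domain aligns with From (relaxed)
      'unaligned'   - results present but nothing vouches for the From domain
    'aligned' proves control of the From domain, nothing about who that is."""
    _, _, domain = split_from(from_header)
    if not domain:
        return "no-address"
    if not auth_results:
        return "unverified"
    signers = dkim_signing_domains(auth_results)
    if domain in signers or org_domain(domain) in {org_domain(s) for s in signers}:
        return "aligned"
    return "unaligned"


if __name__ == "__main__":
    # Constructed sample messages: (From header, Authentication-Results or None)
    samples = [
        ('"Bank of America" <alerts@fraud.com>',
         "mx.example.net; dkim=pass header.d=fraud.com; spf=pass smtp.mailfrom=fraud.com"),
        ('"support@bankofamerica.com" <support@fraud.com>', None),
        ('"BoA" <support@bankofamerica.com>',
         "mx.example.net; dkim=pass header.d=mail.bankofamerica.com"),
        ('"BoA" <support@bankofamerica.com>',
         "mx.example.net; dkim=fail header.d=bankofamerica.com"),
    ]
    for hdr, ar in samples:
        name, addr, _ = split_from(hdr)
        print(f"{name!r:40} {addr:32} {classify(hdr, ar):10} "
              f"lookalike={display_name_lookalike(hdr)}")
```

Note what the first sample shows: the message is fully "crypto checked" and aligned, yet the display name still says "Bank of America" and the domain is fraud.com. That is the distinction John draws above: DKIM and DMARC bind the message to a domain, and nothing in the protocol binds that domain to a real-world identity. The second sample has no results at all, which is the more common and less tractable case: the client simply cannot tell whether anything was verified.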



