[Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software

Kent Borg kentborg at borg.org
Sat Oct 4 23:30:14 EDT 2025


On 10/4/25 5:24 PM, Jerry Leichter wrote:
> For *legitimate* mail messages, the display name is something that actually makes sense to a human being, while the email address is typically something pretty meaningless.

If major players such as Apple displayed the actual e-mail address 
(maybe correlated with whether the sending machine was consistent), 
mailers would maybe learn to behave themselves and make that useful 
information. (And the mailer services would see their business hurt.)


I have to comment that I hate the updated subject line.

We spend a lot of time (or at least used to) teaching children how not 
to be scammed in the real world. But *only* in the real world. In 
cyberspace everyone is supposed to be dumb as a rock and stay dumb as a 
rock, as the Wizards come up with yet another technical solution to the 
age-old problem of people defrauding other people. Any education of 
users is condemned as blaming the user. People may say "It doesn't 
work!" but I assert we still haven't really tried it, and when we have 
tried a little we have taught silly things like "If the e-mail has 
spelling mistakes maybe don't click and then type your banking password."

Grrr.

I say we should instead teach things like "Don't click on an e-mailed 
link and then type credentials. Log in first by hand." But I have one 
bank account where I have NO choice; I have to carefully read the 
e-mails I get on money transfers and hope it is real, because once I 
click I have to type my banking password in that page, and there is no way 
around that that I can find. (That bank has added an e-mailed login 
link. In other words they have offloaded their security to my e-mail 
being secure.)

We train people to be phished and then say "We can't do any user 
education about phishing, look, it doesn't work! Now where were we? Oh, 
that's right, we were working on replacing passwords, again."


-kb, the Kent who is grumpy about some things.


P.S. People die in car crashes. Does that mean there is no point in 
driver education? In having speed limits? I guess not. Look at current 
cars: Technical solutions being added everywhere, removing 
responsibility from the driver. Hit the /GAS!/ If we can get the user 
out of the loop entirely (public transportation) that would be cool, but 
if we can't, the split responsibility is a mess and the user still needs 
to be knowingly in the loop.
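The first paragraph of the post asks for two things a mail client could do instead of hiding the address behind the display name: show the real address, and notice when a known sender suddenly arrives from a different machine. The following is an added example, not code from Kent Borg's post nor from any Apple or other mail client, that does both over constructed headers. It assumes a simplified From: parser (the two common shapes `Name <addr>` and bare `addr`), a caller-supplied map of brand names to the domain they legitimately send from, and that the Received: lines are passed top-down so the first one is the hop our own MTA recorded. The sample headers, hostnames and addresses are made up for the example.

```python
"""Added example (not part of the original post): surface the real sender
address behind a From: display name, flag display names that contradict
it, and notice when an address arrives from a sending host it has not
used before.  All headers below are constructed for this example."""
import re

# Simplified From: parser (assumption): `Name <addr>` or a bare `addr`.
ANGLE_RE = re.compile(r"^\s*(?P<name>.*?)\s*<\s*(?P<addr>[^<>\s]+)\s*>\s*$")
# Something that looks like an e-mail address inside a display name.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# First token of a Received: line: "from <host> (...) by <our mx> ..."
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def split_from(from_header):
    """Return (display name, real address); quotes around the name are dropped."""
    m = ANGLE_RE.match(from_header)
    if m:
        return m.group("name").strip().strip('"'), m.group("addr").lower()
    return "", from_header.strip().lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def suspicious_display_name(name, addr, trusted_domains):
    """Reasons the display name contradicts the real address (empty if none).

    1. The display name itself contains an address in another domain.
    2. The display name mentions a brand (caller-supplied map, an assumption
       of this example) but the real address is not in that brand's domain.
    """
    reasons = []
    for embedded in ADDRESS_RE.findall(name):
        if domain_of(embedded.lower()) != domain_of(addr):
            reasons.append(
                f"display name contains {embedded} but real address is {addr}")
    for brand, domain in trusted_domains.items():
        in_domain = addr.endswith("@" + domain) or addr.endswith("." + domain)
        if brand.lower() in name.lower() and not in_domain:
            reasons.append(
                f"display name mentions {brand} but address domain is {domain_of(addr)}")
    return reasons


def sending_host(received_headers):
    """Host named in the Received: line our own MTA added (assumed to be first)."""
    if not received_headers:
        return ""
    m = RECEIVED_FROM_RE.match(received_headers[0])
    return m.group(1).lower() if m else ""


def note_sending_host(history, addr, host):
    """Remember which hosts an address has come from; True if this one is new
    for an address we have seen before (the first sighting is never 'new')."""
    seen = history.setdefault(addr, set())
    is_new = bool(seen) and host not in seen
    seen.add(host)
    return is_new


def triage(from_header, received_headers, trusted_domains, history):
    """What a client could show instead of just the display name."""
    name, addr = split_from(from_header)
    host = sending_host(received_headers)
    return {
        "display_name": name,
        "real_address": addr,
        "sending_host": host,
        "name_warnings": suspicious_display_name(name, addr, trusted_domains),
        "new_sending_host": note_sending_host(history, addr, host),
    }


# Constructed sample messages (not real mail); 192.0.2.0/24 is a documentation range.
SAMPLES = [
    ("Apple Support <no-reply@apple.com>",
     ["from mail.apple.com (mail.apple.com [192.0.2.10]) by mx.ours.example"]),
    ("Apple Support <apple.support@mail-relay-9921.example>",
     ["from relay.mail-relay-9921.example ([192.0.2.20]) by mx.ours.example"]),
    ("support@apple.com <bounce@phish.example>",
     ["from mx1.phish.example (mx1.phish.example [192.0.2.7]) by mx.ours.example"]),
]
TRUSTED = {"Apple": "apple.com"}  # assumption: brand -> domain it really sends from


def demo():
    history = {}
    return [triage(f, r, TRUSTED, history) for f, r in SAMPLES]


if __name__ == "__main__":
    for row in demo():
        print(row["real_address"], row["sending_host"], row["name_warnings"])
```

The point of `triage` is that everything a user would need is already in the headers; the client just has to show it. Only the first `Received:` line can be trusted for the sending-host check, which is why the helper reads nothing past it.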