[Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software

Henry Baker hbaker1 at pipeline.com
Tue Oct 7 21:13:41 EDT 2025


-----Original Message-----
From: Jon Callas <jon at callas.org>
Sent: Oct 7, 2025 4:19 PM
To: <hbaker1 at pipeline.com>
Cc: John Levine <johnl at iecc.com>, <cryptography at metzdowd.com>, Jon Callas <jon at callas.org>, <iang at iang.org>
Subject: Re: [Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software


> On Oct 7, 2025, at 08:11, Henry Baker wrote:
> I keep getting emails from banks telling me to double check the sender of
> any emails to make sure that they aren't spoofed (although they don't use
> that technical term ! ).
>
> But Apple makes it very difficult to do exactly that, so perhaps these banks
> should put the pressure on Apple instead of bothering their customers.
>
> As I keep saying, Apple is missing in action in the fight against fraudsters
> and spammers.
>
> Some more cynical than I might think that Apple, as a purveyor of a walled
> garden, has an incentive to scare the pants off its customers in order to
> keep them locked inside their walled garden -- even to the extent of making
> their communications with those outside this garden vulnerable to 5th
> graders.

I'm really not sure what to say, Henry.

As we've all noted, none of us really like the present situation, and yet there's not just one single actor. On iOS, it's slightly inconvenient to see a sender, but it's there. I do my serious email things on my laptop because there's an explicit setting to always show the full email address, and I too just like it like that.

There's a similar situation on Android, and please don't get me started about Outlook, which makes it nigh impossible to do anything but top-post with rich text. And they really don't like me deleting spam messages. This is dangerous, don't read it! Are you sure you want to delete it, 'cause deleting it is irrevocable!

Nonetheless, on iOS, you *can* see the sender by tapping the highlighted sender. They've also implemented the latest go-around on authenticated logos. I've attached a screenshot, where you can see an Amazon message both with the authenticated logo and the pop-up that tells me it's . If you're asking for a setting to make it so that the default is the full email address, we're all with you.

At the same time, we know that pushing the decision to the user doesn't work. We've totally given up on green bar TLS certs for that reason and it's basically a good thing. (Moreover, the present thinking is that there's no UI information on something secure, the extra UI is for things that are insecure in some way.) It's even worse when, as John Levine noted, a trusted sender (like BoA) is using a skank-looking sender like .

What actionable thing would you like?

Jon

---
Thx, Jon, for the screenshot.  Some other email readers show the full email address when the mouse "hovers" over the address, so I don't have to click it.

I hate having to click on things, because that means I have to click *everywhere* on a page to see what's clickable and what's not.

Your suggestion of making the full email (display name + email address) the default is a good one; alternatively, Thunderbird's idea of using the "display name" ONLY when the full email address already appears in the user's contact database, which presumably has already been vetted in order to be included in that database.

But I still haven't figured out how to display the email address on iOS; how do you "hover" with your finger?  I have to resort to looking at the raw ASCII email headers, which I wouldn't recommend to any but the hardest core wizards.

---
I am concerned that a number of you on this list appear to be "burned out" over these issues, and don't care about the billions of people still stuck with these less-than-optimal UX decisions.  That means many more years of big tears due to spamming and scamming.
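The rendering rule discussed in the message above (show a bare display name only for an address already in the vetted contact database, otherwise show the full "Name <address>" form, and let the client rather than the user flag the obvious spoofs) written out as an added example. This is not code from the original post, nor Thunderbird's or Apple's implementation; the contact list is constructed sample data, the sample From: headers are made up for the test, and the two spoof heuristics (a display name that is itself an address in a different domain, or that borrows a vetted contact's name for an unvetted address) are this example's own assumptions about what is worth flagging.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed address book: addresses the user has already vetted (hypothetical data).
VETTED_CONTACTS: dict[str, str] = {
    "no-reply@amazon.com": "Amazon",
    "jon@callas.org": "Jon Callas",
}

# Something that looks like an addr-spec hiding inside the display name.
_ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass(frozen=True)
class SenderView:
    label: str                 # what the client should render in the message list
    address: str               # the actual addr-spec the message came from ("" if unparseable)
    warnings: tuple[str, ...]  # reasons to mark the message as suspicious; empty when none


def render_sender(from_header: str, contacts: dict[str, str] = VETTED_CONTACTS) -> SenderView:
    """Decide how to display a From: header without asking the user to judge it.

    Policy (the Thunderbird rule from the thread plus two spoof checks):
      * a display name alone is shown only when the address is in the vetted contacts;
      * otherwise the full "Name <address>" form is shown, so the address is never
        hidden behind a friendly name;
      * a display name that itself contains an address in a different domain, or that
        matches a vetted contact's name while the address is not that contact's, is flagged.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return SenderView(label=from_header.strip() or "(no sender)",
                          address="",
                          warnings=("unparseable From header",))

    warnings: list[str] = []
    domain = addr.rsplit("@", 1)[1]

    # Classic spoof: "security@bank.example" <something@attacker.example>
    for claimed in _ADDR_IN_NAME.findall(name):
        if claimed.lower().rsplit("@", 1)[1] != domain:
            warnings.append(f"display name shows {claimed} but message is from {addr}")
            break

    if addr in contacts:
        # Vetted address: the friendly name is safe to show on its own.
        label = name or contacts[addr]
    else:
        vetted_names = {n.lower() for n in contacts.values()}
        if name and name.lower() in vetted_names:
            warnings.append(f"display name {name!r} matches a vetted contact but {addr} is not that contact")
        label = f"{name} <{addr}>" if name else addr

    return SenderView(label=label, address=addr, warnings=tuple(warnings))


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in ('Amazon <no-reply@amazon.com>',
                '"security@bankofamerica.com" <alerts@mail-bofa.example>',
                'Amazon <amazon-orders@deliveries.example>',
                'jon@callas.org'):
        v = render_sender(hdr)
        print(f"{v.label!r:60} {v.warnings}")
```

The point of keeping the decision in code is that the warnings come out as structured data the client can act on (badge the message, suppress the logo, refuse to render remote content), instead of a dialog asking the user whether the sender looks right.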
