[Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software

[Jon Callas]

> On Oct 7, 2025, at 18:13, Henry Baker <hbaker1 at pipeline.com> wrote:
> 
> Thx, Jon, for the screenshot.  Some other email readers show the full email address when the mouse "hovers" over the address, so I don't have to click it.
> 
> I hate having to click on things, because that means I have to click *everywhere* on a page to see what's clickable and what's not.

Yes, it is indeed maddening when it isn't clearly denoted what's tappable and what isn't. I'm specifically using that word that is almost what you wrote -- tap, instead of click. Tapping and clicking are similar, but not the same. More below.

> 
> You suggestion of making the full email (display name + email address) is a good one; alternatively, Thunderbird's idea of using the "display name" ONLY when the full email address already appears in the user's contact database, which presumably has already been vetted in order to be included in that database.

Sure. As a matter of fact, that's already there. If someone is in one's address book, they get treated differently with separate gingerbread. Some email clients treat potential spam differently if the sender is in the address book. This is why lots of marketers try to get people to put them in a contact list.

However, I (and others) have noted that there's still lots of edge conditions and type 1 and type 2 errors. It's also neither necessary nor sufficient. If senders are using skanky-looking domains, it doesn't matter if they're properly authenticated. Similarly, as we have all noted, in the browser world, we have come to a consensus that the best indicators are no indicators. So, this is hard.

I have a smartass aphorism that all email clients suck, they just suck differently and as a user one has to find one that sucks in a way that we can deal with on a day-to-day basis. It's not a matter of what's good, but what's least bad -- and let us remember that the least bad solution is both least and bad. 

> 
> But I still haven't figured out how to display the email address on iOS; how do you "hover" with your finger?  I have to resort to looking at the raw ascii email headers, which I wouldn't recommend to any but the hardest core wizards.

I hear you. I don't even recommend that to myself. I mutter very snide things when I have to and often I work with the assumption that if I need to look at the headers, it can probably just be deleted.

This is part of why touch interfaces (taps) are not the same as pointer interfaces (click). There is no hovering with a touch interface. Hovering as a mechanism is not available on touch interfaces. If I were to go into a UX rant, part of it would be developers who think they can throw their mouse-oriented UX onto a touch device and it will work the same. A major issue is that it's easy to look around a mouse cursor in a way that it is not with a finger -- a physical object in the way of vision that is simultaneously making physical actions.

Here's a real-world example. A number of apps like Slack or Discord have a feature where someone can put a reaction emoji below a post. On a desktop, you can hover your mouse over the reaction and it shows you who reacted with a tooltip floating element. There is no way to do this on a touch device.

Relevantly to us here, to get the full sender, I tapped the blue-text sender, there was an animation and quasi-modal interstitial that brought up the sender details that I took a screenshot of, and that goes away once I touch the screen anywhere. It's totally different experience to convey the same information. This stuff is hard to do correctly.

> 
> ---
> I am concerned that a number of you in this list appear to be "burned out" over these issues, and don't care about the billions of people still stuck with these less-than-optimal UX decisions.  That means many more years of big tears due to spamming and scamming.

I am not sure we're burned out so much as in violent agreement over many things and yet disagreeing on some things. Forgive me, but it sounds like you think there's an easy fix here and for some reason they're not doing it, and that I disagree about.

We are not UI/UX people; this is the cryptography list, not even the security-ux list. I used to be a UI/UX person. Before I did cryptography, that was one of my main jobs and I got into cryptography because a project I was working on needed it and I drew the short straw. (And then discovered it was more fun and rewarding than UX.) I don't consider myself to be a UX expert any more, but I know enough to know that this stuff is hard and there are far more pick-your-poison situations than one-true-way ones.

I know you're frustrated and have vented in intemperate ways. A bunch of us both empathize and sympathize. I think the disagreement and debate involves the meta-problem of whether is a Right Thing at all, and if it's easy to do or intractable.

I use Mail.app because I can live with the ways in which it sucks. I recently did a tour of other email clients because my elderly father was having issues. I ran about five clients simultaneously to see what might be best for him, and well, they all sucked. It turned out that the way to fix his issues was to get on a Zoom call with him, do screen sharing and just fix all the crap that he was dealing with because Mail.app sucks least for the likes of him and me, but it still sucks.

Anyway, to sum up, I think that our disagreement is that I think that there's no good answer, and you think there's a good answer that people are just not doing despite it being obvious that it's the right answer.

(If you wanna know what I'd do if I were emperor, I'd tell you. It starts with things like I think a major security issue is that we store email on servers and use a query language to get to it. For another day.)

	Jon