On Tuesday, December 27, 2016 7:14 AM, Dave Crocker wrote:
> On 12/26/2016 6:03 PM, Christian Huitema wrote:
>> But your mail and many comments on this list point to the huge
>> responsibility of the MUA with respect to phishing. Phishing is about duping
>> the user by displaying misleading information. The effective defenses have
>> to rely on proper user interface design,
> Unfortunately, this is mostly /not/ true.
> The actual experience, both in field work and usability research, is
> that UI design does not affect user processing of phishing very much.
> Neither design nor user training have much effect.
> Hence most effective phishing protection is in the filtering engine(s)
> below the UI.
We actually agree. In my mind, I was not thinking of UI as the arrangement of
displayed pixels, but rather the intelligent selection of which information to
present and what interactions to design. Without this local intelligence, MUAs
are not likely to handle the example that Viktor gave, "Joe Banker
<joe@bank.notbank.example>". Among other examples. My point is that this
intelligent filtering benefits from information about the user context, such as
what bank the user normally deals with. That kind of information might be
available in the user context, but is normally not available to the mail
delivery system.
-- Christian Huitema
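
Added example, not part of the original message or of any MUA's code: a sketch of the kind of local check discussed above, where the sender's domain in a From header is compared against domains taken from the user's own context. The context set `KNOWN_DOMAINS` and its entry `bank.example` are assumptions made for the illustration; only `joe@bank.notbank.example` comes from the thread.

```python
from email.utils import parseaddr

# Hypothetical user context (assumed for this example): registrable domains
# the user actually deals with, e.g. derived from an address book.
KNOWN_DOMAINS = {"bank.example"}


def domain_labels(domain):
    """Split a domain into lowercase labels, ignoring a trailing dot."""
    return [label for label in domain.lower().rstrip(".").split(".") if label]


def is_same_or_subdomain(domain, known):
    """True if `domain` equals `known` or is a subdomain of it."""
    d, k = domain_labels(domain), domain_labels(known)
    return len(d) >= len(k) and d[-len(k):] == k


def assess_from(header, known_domains=KNOWN_DOMAINS):
    """Return (verdict, reason) for a From header using local user context."""
    _display, addr = parseaddr(header)
    if "@" not in addr:
        return "unknown", "no parsable address"
    domain = addr.rsplit("@", 1)[1]

    # Matching must be anchored at the right-hand end of the name.
    for known in known_domains:
        if is_same_or_subdomain(domain, known):
            return "known", f"{domain} is {known} or a subdomain of it"

    # Lookalike: the leftmost label of a known domain (simplifying assumption:
    # that label is the distinctive one) appears inside an unrelated domain.
    for known in known_domains:
        brand = domain_labels(known)[0]
        if any(brand in label for label in domain_labels(domain)):
            return "suspicious", f"{domain} reuses '{brand}' but is not {known}"

    return "unknown", f"{domain} is not in the user's context"


if __name__ == "__main__":
    # Constructed sample headers; the first address is the one from the thread.
    for hdr in ("Joe Banker <joe@bank.notbank.example>",
                "Support <help@mail.bank.example>",
                "Someone <user@lists.example.org>"):
        print(hdr, "->", assess_from(hdr))
```
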