
Re: [IETF] DMARC methods in mailman

2016-12-27 12:47:28
On 12/27/2016 10:36 AM, Christian Huitema wrote:
> On Tuesday, December 27, 2016 7:14 AM, Dave Crocker wrote:
>> On 12/26/2016 6:03 PM, Christian Huitema wrote:
>>> But your mail and many comments on this list point to the huge
>>> responsibility of the MUA with respect to phishing. Phishing is
>>> about duping the user by displaying misleading information. The
>>> effective defenses have to rely on proper user interface design,
>>
>> Unfortunately, this is mostly /not/ true.
>>
>> The actual experience, both in field work and usability research,
>> is that UI design does not affect user processing of phishing very
>> much. Neither design nor user training have much effect.
>>
>> Hence most effective phishing protection is in the filtering
>> engine(s) below the UI.
>
> We actually agree. In my mind, I was not thinking of UI as the
> arrangement of displayed pixels, but rather the intelligent selection
> of which information to present and what interactions to design.
> Without this local intelligence, MUAs are not likely to handle the
> example that Viktor gave, "Joe Banker <joe@bank.notbank.example>".
> Among other examples. My point is that this intelligent filtering
> benefits from information about the user context, such as what bank
> the user normally deals with. That kind of information might be
> available in the user context, but is normally not available to the
> mail delivery system.


To that end, saying "MUA" might have some formal validity, but it does not help the discussion. Too many readers think it refers to something having to do with end-user interaction.

Worse, Viktor's line of logic presumes the modified From field somehow gets the message past filters better, and that is just plain wrong.

The modifications to the From line are intended for end users, not filtering engines.

(Whether they are actually helpful for end-users is a different discussion. cf. my previous note. To my knowledge, there have been no studies to establish that the ad hoc modifications are at all useful.)

d/

--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net

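Huitema's point above, that an MUA holding the user's own context (which bank the user actually deals with) can catch a From such as "Joe Banker <joe@bank.notbank.example>" where a delivery-time filter cannot, as an added illustration that is not part of this thread. The contact table, the function names and the category labels are constructed assumptions, not anything from mailman or any real MUA.

```python
from email.utils import parseaddr

# Constructed user context (hypothetical): display names the user already
# associates with a sending domain, as an MUA could learn from its address
# book or from prior correspondence. A delivery-time filter has no such table.
KNOWN_CONTACTS = {
    "joe banker": "bank.example",
    "alice": "corp.example",
}


def split_from(header_value):
    """Return (display name lower-cased, local part, domain lower-cased)."""
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        return name.strip().lower(), addr, ""
    local, _, domain = addr.rpartition("@")
    return name.strip().lower(), local, domain.lower()


def assess_from(header_value, known_contacts=KNOWN_CONTACTS):
    """Classify a From: header against the user's own contact context.

    Returns one of:
      'ok'                    domain matches (or is under) the expected one
      'unknown'               display name not in the user's context
      'lookalike-domain'      expected domain's name reused as a label
                              elsewhere in the domain (the Viktor example)
      'name-domain-mismatch'  known name, unrelated domain
    """
    name, _local, domain = split_from(header_value)
    expected = known_contacts.get(name)
    if expected is None:
        return "unknown"
    # Exact match or a subdomain of the expected domain is fine.
    if domain == expected or domain.endswith("." + expected):
        return "ok"
    # "bank.notbank.example": the label "bank" appears, but the registrable
    # domain is notbank.example, so the name is borrowed, not owned.
    expected_label = expected.split(".")[0]
    if expected_label in domain.split("."):
        return "lookalike-domain"
    return "name-domain-mismatch"
```

The classification only says what the MUA could know from local context; what to display or suppress is the separate decision the thread is arguing about.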
