Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...]

[Amir Herzberg via NANOG <nanog () lists nanog org>]

Friends, I think we all agree we have a big problem here; and while Rich
focused on email, I'm sure he and all of us know it's actually universal -
SMS, social-networks, everywhere. Yes, part of the problem is due to the
ease of registering misleading domain, along with other parts...

But I beg to differ on one point. It seems that Rich, Alex and others think
that the better solution is to educate users to understand domain names and
be careful. Well, sorry, I don't believe in that. Some of my research was
(and is) about usable security; it's really a critical component that does
not receive as much attention as it should. But, basically, I think I can
confidently say that attempting to teach users so that they notice the
phishing domains is futile. But I do agree that the UI _is_ an important
part of the problem. I simply think is should also be a big part of the
solution.

We have developed a prototype of a UI-based defense against phishing, for
both websites and emails, that actually can benefit from the deployment of
DKIM/SPF/DMARC. The idea is simple; let me explain for email. We train the
user to click on a button when they open an email which is - or they think
it is - from a trusted sender. So, when they do, we can check (and here
DKIM/SPF etc. are helpful !) if this is correct - and block the phishing
attack if it isn't.

We should do some usability experiments soon, and hopefully publish, but I
thought the idea is simple enough that some of you may find it interesting,
and maybe provide some useful feedback. Obviously, if interested, ask me
and I'll send the results/ppr when done. Or if someone wants to actually
help...

best, Amir Herzberg

Comcast professor of Security Innovations, Computer Science and
Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
Textbook (Applied Introduction to Cryptography and Cybersecurity):
https://sites.google.com/site/amirherzberg/crypto-cyber-book



On Thu, Jul 3, 2025 at 9:25 PM Michael Thomas via NANOG <
nanog () lists nanog org> wrote:

> On 7/3/25 6:16 PM, Alex Buie wrote:
> > On Thu, Jul 3, 2025 at 8:12 PM Michael Thomas via NANOG
> > <nanog () lists nanog org> wrote:
> >
> >
> >     .
> >     >> So by all means, let's get rid of TLS as well. ::eyeroll::
> >     >>
> >     >> Mike
> >     >>
> >     >>
> >     > I'm not saying to get rid of any of these things. I'm just
> >     saying expecting
> >     > them to replace user training in critical thinking is foolish,
> >     and overall,
> >     > the point Rich made makes sense. If you tell people "as long as
> >     you check
> >     > these things you can trust it" they are way more likely to believe
> >     > something unbelievable if it has all those "you can trust me"
> flags.
> >     Good thing nobody thought that it's a substitute. Making incremental
> >     improvements don't have to be viewed as, uh, cure-alls. That would
> >     be,
> >     uh, foolish.
> >
> >     Mike
> >
> >     _______________________________________________
> >     NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/4FPNUYKZPDZELNK3XY5KWBH6HY7X4RK5/
> > I agree with you they are not a substitute and that is foolish. There
> > are many who come to say they have the one and final true solution to
> > spam and email auth though. My argument is anything purporting to do
> > so is attempting to critically think for the user.
> >
> > While the incremental improvement to auth is good, one could argue the
> > user experience implementing is not, as I think Rich is saying, and I
> > agree. We are training people to only check for and believe the
> > machine signal which can sometimes be “truthfully false” as in the
> > case of email credential compromise and trademark impersonation.
>
>
> The idea is to train people that something might be wrong. Not that
> something is right. He's wrong if he thinks that is what the intent was.
> That would be bad read of history.
>
> Mike
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/7UWD2DOBK2EOECTHVWXBXYDDOIZ3WELJ/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FTT36SLTJF3RPFWX5QWPUVI6M25A75XF/