1. 14

  2. 10

    I’m not convinced the HTML / PDF confusion is a relevant part of the problem here. Most users don’t know or care what either of those are and will click on an HTML invoice just as they would on a PDF. The problem is that we’ve trained people to type their passwords into any prompts that pop up.

    1. 3

      The problem is that we’ve trained people to type their passwords into any prompts that pop up.

      The article does address that, though:

      It’s also things like creating a world where opening an attachment might plausibly require a password or additional authentication to actually see it. It’s a computing world where you can be challenged for authentication at what feels like random times for random reasons and there’s enough noise that what’s one more roadblock in the way of getting your work done.

      But yeah, the specific implementation of “show the user a login box that sends you their password” isn’t all that relevant.

      1. 11

        Apple is especially bad about this IMO. iOS will occasionally, and at completely random times which have nothing to do with user interaction, just pop up a system dialog asking for your Apple ID email and password. How is a user supposed to see the difference between a legit such dialog from the system and an identical-looking imitation in an email or web page or app? I have absolutely no idea.

      2. 2

        Correct. And, a PDF isn’t necessarily safe either.

        1. 3

          True, a PDF file can contain JavaScript that submits a form to a remote site, so you could write exactly the same phishing form in a PDF.

          1. 2

            I’m fairly certain you can find some nice parsing errors for PDF renderers without any JavaScript, or just go straight to custom fonts and their various CVEs.

      3. 3

        HTML email is a result of network effect, and a world dominated by just one or two companies doing email (Microsoft and Google). There are technical solutions, like making the URL/link visible in the HTML email or using the MTAs’ computing resources to map the URL against a whitelist etc., but largely the problem is pushed onto the end users, who are then left to defend themselves.

        And a rant: incompetent CISOs also benefit immensely from this garbage, since they can run those “got phished” campaigns every quarter and generate useless reports for the management only to justify their existence.
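As an added example (not from the thread), one way to implement the two mitigations suggested above, making the real link destination visible and checking it against an allowlist, using only the Python standard library; the allowlist and the sample message body are constructed placeholders:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for this example; a real deployment would load its own.
ALLOWED_DOMAINS = {"example.com"}

# Constructed sample body: one honest link and one whose visible text
# claims an allowlisted URL but whose real destination is elsewhere.
SAMPLE_HTML = (
    "<p>Your invoice is ready.</p>"
    '<a href="https://mail.example.com/inbox">View in mailbox</a> '
    '<a href="http://login-example.invalid/auth">https://mail.example.com/login</a>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Lower-cased hostname; "" for relative links or non-URL schemes.
    return (urlparse(url).hostname or "").lower()

def is_allowed(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def audit_links(html):
    """Return one finding per link; an empty 'reasons' list means it passed."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, reasons = host_of(href), []
        if not is_allowed(host):
            reasons.append("destination not on allowlist")
        shown = re.search(r"https?://\S+", text)
        if shown and host_of(shown.group(0)) != host:
            reasons.append("visible URL differs from real destination")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings
```

Feeding the body of an incoming message through `audit_links` gives a filter or mail client the list of real destinations to display, and a reason string for each link worth warning about.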

        1. 1

          My metric is: any company where the CTO does a self-phishing expedition, you know that they don’t have enough real work and they should be laid off.

          1. 1

            Selling services to the US federal government under “FedRAMP” requires companies to run these campaigns at regular intervals.

            1. 2

              If you are talking about the “awareness and training” control [1], then it can be satisfied by exactly that - training. Though I can imagine using the self-phishing campaigns…

              [1] NIST SP 800-53: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

        2. 3

          There are a whole bunch of individual pieces and steps that got us here, each sensible on their own in some view, but the collective result is that we did this to ourselves. We have no one else to blame when ordinary people fill in their password and hit ‘Sign in’.

          I think it’s an argument that is too generalized. Everything can be “reduced” to it; we created the situation that there is famine in the world. We created a situation that we have wars. We created a situation that we depend on oil, etc.

          E-mail was developed in the ’80s (maybe even before that). It’s not that anyone is able to reliably predict what the world will look like in 40 years, let alone how a particular technology will be used with other technologies that will be developed in the future.

          An obvious solution to that is strict whitelisting. It won’t solve the whole problem, but a large part of it. It will generate other problems as well, but there will be solutions for these problems as well, if not now, then in the future.

          1. 6

            For a great many people out there, HTML email was a security red flag when it was introduced. Instead of bailing out on the first real signs of trouble, it has been pushed forward.

            Some renderer-related issues come and go, remote content can be blocked, but eventually using HTML email in a safe manner resembles plaintext to the point of indistinction.

            So it’s not like a historical dependence on oil, more like a country shutting down its nuclear power plants and being surprised electricity becomes scarce and expensive. Or whatever, all analogies are lies.

            1. 3

              The email we have now is strictly less functional across a lot of areas than systems that were developed around the same time, like X.400. People were considering things like authenticated senders and guaranteed delivery but the lowest common denominator won out.

              1. 5

                We do have authenticated sending now. DKIM.

                Edit: gerikson is my friend and we email all the time, between different services but both use DKIM and TLS. I love email. As I’ve said before:

                It’s good stewardship to care for a protocol the way mail has been cared for and repaired and improved over the years. Like an old watch lovingly repaired. It’s not disposable, it’s built to last.

                1. 4

                  I don’t see email as a fine watch, I see it as an old and creaky bridge that has to be maintained because if it were to fail the entire digital economy would seize up. It’s great we have security stuff and so on bolted on, but as a negative side effect rampant spam has caused a lot of email centralization.

                  (That said I have no idea if X.400 would have helped with the spam problem.)

                  SMTP is a classic case of Worse is Better.

                  1. 1

                    It’s a world-writable folder. I get ten times as much spam on IRC and Fedi than on email. (I mean, after all the milters and such.)

              2. 1

                Electronic messaging dates back to 1965 and ARPAnet mail to 1971 (https://en.wikipedia.org/wiki/History_of_email). Email is over 50 years old.

                1. 1

                  I think it’s an argument that is too generalized. Everything can be “reduced” to it; we created the situation that there is famine in the world. We created a situation that we have wars. We created a situation that we depend on oil, etc.

                  Well, there is a common source to these problems, and a common solution. So I don’t think the argument is too generalized in that sense. Possibly inapplicable (we will never apply the common solution), but still describing things correctly.

                2. 3

                  A problem being my own fault doesn’t necessarily make it any less serious or any easier to prevent or solve, as OP does allude to here:

                  I don’t have any solutions. I’m not sure a solution is even possible at this point.