On 14.12.2021 at 08:30:11, Sebastian Nielsen via mailop wrote:
>
> The idea here is that an end-user should be able to scan'n'verify an email
> by QR-code and not have to worry about phishing. [...]
>
> It's about excluding the client and the receiving server from the equation.
I think you are missing a very important point. If someone actually is so aware of possible phishing that he/she is willing to take extra steps (like scanning the QR code) to verify that the email is not phishing, then he/she has already taken these steps (for example, checking the exact sender address, checking links in the message, and above all, being very suspicious of all messages that are *unexpected*, which is probably the most effective safeguard against phishing). For these people, your idea is pretty much redundant, as they already check their emails for possible phishing.

For those that are not aware enough, it is much better to teach them some simple rules like "NEVER click on any links in an email message", as for example banks do with their customers, than to teach them about DKIM and about using some app to verify it. In my opinion it is too much to expect from people that they will scan the code and compare details of the message headers with what the app shows. It's too complicated and requires too much effort.

And you still haven't addressed the case when someone receives their mail on their phone. Do they need another phone to scan the QR code? And reading mail on the phone is exactly the case where one can more easily fall victim to a phishing message than on a computer, because of the obvious limitations of the phone's UI. It's not so easy to check the real sender of the email, the headers, the links etc. on a phone, while you can do that quite easily on a computer.

Currently the majority of successful phishing attacks are via the phone. And more and more often, these attacks use SMS messages rather than email. Email phishing is starting to become a bit "outdated", so I think it's a valid question whether it makes any sense now to invent new methods of protection against email phishing.

So my opinion is that your idea does not increase the level of protection against phishing.
It's mostly superfluous for "phishing-aware" users and when reading mail on a computer, too complicated for "not-phishing-aware" users, and hard (if not impossible) to use when reading mail on a phone.
-- 
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
-- 
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop