Dear RIPE: Please don't encourage phishing

Vinny Abello vinny at abellohome.net
Sun Feb 12 09:44:13 UTC 2012


On 2/11/2012 4:37 PM, Keith Medcalf wrote:
>> Unfortunately that's not under control of those businesses. This
>> plain text email you sent comes across with clickable mailto and
>> http links in your signature in most modern email clients despite
>> you having sent it in plain text. "Helpful" email program
>> defaults won't force people to copy and paste the URL. They just
>> create the hyperlink for people based on the pattern in the plain
>> text message. It seems anything beginning with www or http(s):// 
>> will be converted to a clickable link out of convenience to the
>> user. It's always that endless struggle of security vs.
>> convenience...
> 
> At least it is what it says, and the effect is precisely the same
> as if one copied and pasted the link into the browser.
> 
> What is truly evil is non text/plain email.  Anyone who permits or
> assists in the rendering of non-plaintext email deserves whatever
> befalls them -- and they should not be permitted zero-liability for
> their stupidity and ignorance.
> 
> The end-user is of course entitled to cross-claim against the
> manufacturer of the defective system or device which rendered the
> message in a deceptive way (such as Dell and Microsoft in
> particular).

The average person won't know that "it is what it says" if it's
possible for it not to be... which I think is what you're driving at
with eliminating that as a possibility. And the effect is the same,
but the time to do it is different. I wouldn't want to have to use web
sites with no hyperlinks where I was expected to just copy and paste
every URL I wanted to follow into the address bar.

However, the vast majority of the Internet population (and human
beings in general) like aesthetically pleasing things and therefore
don't want to upgrade to mutt and lynx to be safe on the Internet.
HTML based email looks much better despite embedded hidden <evil>
tags. All recent email clients I've come across give you anti-phishing
warnings in one way or another if the URL does not match the actual
link. I honestly can't remember the last time I've seen a phishing
email because they are so easy to detect before they even get to your
inbox. Sure, you could also keep the HTML and disable the links (which
I've seen done), but then you inconvenience people. Things take too
long as it is now anyway despite the constant advancements we see
constantly. We need to speed technology up more and make them easier
AND safer. Technology needs to be unobtrusive to the end user and get
out of their way.

I personally don't believe the mantra of stripping away technology to
solve problems rather than applying technology and advancing standards
is the answer just because technology makes something dangerous for
the average consumer. Despite all the car fatalities on a yearly basis
and the constant safety advancements we have in the auto industry, I
have never heard people say we should get rid of cars and go back to
horses. Of course scam emails are much more prevalent than car
fatalities by far, but they're also less serious.

Most of the younger generation I know doesn't even use email. They
have it as a formality because things require it and exchange
everything via Facebook or video chat or IM... which simply means this
concern over the trickery of immoral scammers on the average
unsuspecting person will just shift mediums as it has throughout history.
It's already prevalent on these mediums now.

Not sure what the jab at Dell was specifically other than the email
address I posted from originally. As far as I have seen, Dell doesn't
make email clients. That's like someone holding Sony/Samsung/LG liable
because their TV showed them a TV program they didn't want to see.

Anyway, just my $0.02 wrapped in rambling from a tired mind. Sorry if
some of this didn't make sense as a result. :)

-Vinny

P.S. I prefer plain-text email. ;)




More information about the NANOG mailing list