fiatpandas 4 days ago

His email client even puts a green check mark next to the fake NPM email. UX fail.

yencabulator 4 days ago | parent [-]

The claim is valid -- it is legit from npm.help

If you think npm.help is something it isn't, that's not something DKIM et al can help with.

kccqzy 4 days ago | parent | next [-]

Do you remember a few years ago that browsers used to put a lock icon for all HTTPS connections? That lock icon signified that the connection is encrypted alright. To a tech geek that's a valid use of a lock icon. But browsers still removed it because it's a massive UX fail. You have to consider what the lock icon means to people who are minimally tech literate. I understand and have set up DKIM and SPF, but you cannot condense the intended security feature of DKIM/SPF/DMARC into a single icon and expect that to be good UX.

yencabulator 4 days ago | parent | next [-]

Browsers moved away from the https lock icon after https became very very common. Email hasn't reached a comparable state.

kccqzy 4 days ago | parent [-]

We are talking about a UX failure regarding what a lock icon or a checkmark icon represents. Popularity is irrelevant. It's entirely about the disconnect between what tech geeks think a lock/checkmark icon represents and normal users think it represents.

yencabulator 4 days ago | parent [-]

Instead of ranting, can you say something constructive?

I can think of 3 paths to improve the situation (assuming that "everyone deploys cryptographic email infrastructure instantly" is not gonna happen).

1. The email client doesn't indicate DKIM at all. This is strictly worse than today, because then the attack could have claimed to be from npmjs.com.

2. You only get a checkmark if you have DKIM et al plus you're a "verified domain". This means only big corporations get the checkmark -- I hate this option. It's EV SSL but even worse. And again, unless npmjs.com was a "big corporation" the attacker could have just faked the sender and the user would not notice anything different, since in that world the authentic npmjs.com emails wouldn't have a checkmark either.

3. The checkmark icon is changed into something else, nothing else happens. But what? "DKIM" isn't the full picture (and would be horribly confusing too). Putting a sunflower there seems a little weird. Do you really apply this much significance to the specific icon?

The path that HTTPS took just hasn't been repeatable in the email space; the upgrade cycles are much slower, the basic architecture is client->server->server not client->server, and so on.
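The point made twice in this subthread (DKIM/SPF/DMARC only tell you that the mail really came from npm.help, not that npm.help is who you think it is) can be made concrete in code. The following is an added example, not code from any poster or from any mail client: it parses an RFC 8601 Authentication-Results header from three constructed messages, checks DKIM alignment with the From domain, and then applies a recipient-side allowlist of expected sender domains (EXPECTED_DOMAINS is a hypothetical list, not a real feature of any client). A fully authenticated message from an unexpected domain gets a different verdict than one from a known sender, which is roughly what a less misleading checkmark would need to express.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real npm or npm.help mail).
# All three carry an Authentication-Results header as a receiving MTA would add it.
SAMPLE_LOOKALIKE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=npm.help header.s=sel1;
 spf=pass smtp.mailfrom=npm.help;
 dmarc=pass header.from=npm.help
From: "npm" <support@npm.help>
To: dev@example.net
Subject: Please verify your account

Constructed body.
"""

SAMPLE_GENUINE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=npmjs.com header.s=sel1;
 spf=pass smtp.mailfrom=npmjs.com;
 dmarc=pass header.from=npmjs.com
From: "npm" <support@npmjs.com>
To: dev@example.net
Subject: Your package was published

Constructed body.
"""

SAMPLE_UNSIGNED = """\
Authentication-Results: mx.example.net;
 dkim=none; spf=fail smtp.mailfrom=npmjs.com; dmarc=fail header.from=npmjs.com
From: "npm" <support@npmjs.com>
To: dev@example.net
Subject: Please verify your account

Constructed body.
"""

# Hypothetical per-recipient allowlist of domains the user actually expects mail from.
EXPECTED_DOMAINS = {"npmjs.com", "github.com"}


def auth_results_for(raw):
    """Parse the dkim/spf/dmarc verdicts and the DKIM signing domain (header.d=)."""
    msg = email.message_from_string(raw, policy=policy.default)
    header = " ".join(str(msg.get("Authentication-Results", "")).split())

    def grab(pattern):
        m = re.search(pattern, header)
        return m.group(1).lower() if m else None

    return {
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_domain": grab(r"\bheader\.d=([\w.-]+)"),
        "spf": grab(r"\bspf=(\w+)"),
        "dmarc": grab(r"\bdmarc=(\w+)"),
    }


def from_domain(raw):
    """Domain of the RFC 5322 From address, which is what the user sees."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def classify(raw, expected_domains=EXPECTED_DOMAINS):
    """Reduce the authentication picture to a verdict a client could render.

    - unauthenticated: no valid DKIM signature, so the From domain is unverified
    - unaligned: DKIM passed but for a domain other than the visible From domain
    - authenticated_unknown_sender: genuinely from that domain, but the domain is
      not one the recipient expects (the npm.help case in this thread)
    - authenticated_known_sender: genuinely from an expected domain
    """
    ar = auth_results_for(raw)
    sender = from_domain(raw)
    if ar["dkim"] != "pass":
        return "unauthenticated"
    if ar["dkim_domain"] != sender:
        return "unaligned"
    if sender in expected_domains:
        return "authenticated_known_sender"
    return "authenticated_unknown_sender"


if __name__ == "__main__":
    for name, raw in [("lookalike", SAMPLE_LOOKALIKE),
                      ("genuine", SAMPLE_GENUINE),
                      ("unsigned", SAMPLE_UNSIGNED)]:
        print(f"{name:10s} dkim_domain={auth_results_for(raw)['dkim_domain']} "
              f"verdict={classify(raw)}")
```

The interesting line is the last return: DKIM, SPF and DMARC all pass for the npm.help message, exactly as the poster says, and only the allowlist separates it from the genuine one. Whether that allowlist is per-user, per-organization, or something else is the UX question the thread is arguing about; the protocols themselves have no opinion on it.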

zokier 3 days ago | parent | prev [-]

> Do you remember a few years ago that browsers used to put a lock icon for all HTTPS connections?

Few years ago? I have a lock icon right now in my address bar

yencabulator 3 days ago | parent [-]

Chrome removed it, Firefox de-emphasized it by making it grayscale.

4 days ago | parent | prev [-]
[deleted]