mxuribe 4 days ago
I'm not a top-level expert in cybersecurity nor email infra....but the little that I know has taught me that I merely have to create a similar-looking domain name... Let's say there's a company named Awesome...and I register the domain name AwesomeSupport.com. I could be a total dark hat/evil hacker/ne'er-do-well....and this domain may not be infringing on any trademark, etc. And then I can start using all the encryption you noted...which merely means that *my domain name* (the bad one) is "technically sound"...but of course, all that use of encryption fails to convey that I am not the legitimate Awesome company. So, how is the victim supposed to know which of the domains is legit or not? Especially considering that some departments of the real, legit Awesome company might register their own domain name to use for actual, real reasons - like the marketing department might register MyAwesome.com...for managing customer accounts, etc. Is encryption necessary in digital life? Hellz yeah! Does it solve *all issues*? Hellz no! :-)
emporas 3 days ago
Email is not relevant to a good encryption scheme. You could sign an email, an image you post on Insta, a chat message, anything really. Thing is, where are the user's credentials stored? In a government's computer, probably. Greece is taking some steps towards this [1]. For a Greek citizen to obtain a digital signature, he has to go to a bank, the bank verifies him, he pays a fee, and then the government can accept his digital signature. My guess is that the dictatorship banks established with the Covid excuse might start to bear some fruits finally. But people on the internet might want something more advanced, more secure than some COBOL computers storing their identity. Then we save digital certificates and digital identities on the blockchain, making essentially the blockchain the heart of the internet. When a person from a company sends a message to a client, he can sign the message with his own identity and the identity of the company. Problem solved. No one gets confused when the cryptographic signatures are not verified. The message is invalid and it is redirected to the spam folder. [1] https://www.gov.gr/en/ipiresies/polites-kai-kathemerinoteta/...
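The chain emporas describes (the sender signs with their own identity, the company vouches for that identity, and anything that does not verify goes to the spam folder) can be shown end to end with Go's standard Ed25519. This is an added example, not code from the thread or from gov.gr; the Message layout, the Directory lookup, and the "Awesome" company and employee keys are assumptions made for the example, and it says nothing about where the directory of company keys is stored (registry, blockchain or a pinned key all fit).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Message is a constructed format for this example, not an existing standard:
// the company key vouches for the employee key (EmployeeCert) and the employee
// key signs the body (BodySig). Receivers only trust company keys they already
// hold in their Directory.
type Message struct {
	Company      string            // company the sender claims to belong to
	Body         []byte
	EmployeeKey  ed25519.PublicKey // sender's own identity
	EmployeeCert []byte            // company's signature over EmployeeKey
	BodySig      []byte            // sender's signature over Body
}

// Directory maps company names to public keys the receiver obtained out of band.
type Directory map[string]ed25519.PublicKey

// IssueEmployeeCert binds an employee key to the company: the company signs the key.
func IssueEmployeeCert(companyPriv ed25519.PrivateKey, employeePub ed25519.PublicKey) []byte {
	return ed25519.Sign(companyPriv, employeePub)
}

// SignMessage signs the body with the employee's own key and attaches the
// company's endorsement of that key.
func SignMessage(company string, body []byte, employeePriv ed25519.PrivateKey, cert []byte) Message {
	return Message{
		Company:      company,
		Body:         body,
		EmployeeKey:  employeePriv.Public().(ed25519.PublicKey),
		EmployeeCert: cert,
		BodySig:      ed25519.Sign(employeePriv, body),
	}
}

// Verify returns "inbox" only if every link in the chain holds; any failure
// routes the message to "spam" with the reason.
func Verify(dir Directory, m Message) (string, error) {
	companyPub, ok := dir[m.Company]
	if !ok || len(companyPub) != ed25519.PublicKeySize {
		return "spam", fmt.Errorf("no trusted key for company %q", m.Company)
	}
	// ed25519.Verify panics on a malformed public key, so check the size first.
	if len(m.EmployeeKey) != ed25519.PublicKeySize {
		return "spam", errors.New("malformed employee key")
	}
	if !ed25519.Verify(companyPub, m.EmployeeKey, m.EmployeeCert) {
		return "spam", errors.New("employee key is not vouched for by the company")
	}
	if !ed25519.Verify(m.EmployeeKey, m.Body, m.BodySig) {
		return "spam", errors.New("body signature does not verify")
	}
	return "inbox", nil
}

// Demo runs three constructed scenarios and returns the folder each lands in:
// a genuine employee, an impostor with self-issued keys, and a tampered body.
func Demo() (genuine, impostor, tampered string) {
	companyPub, companyPriv, _ := ed25519.GenerateKey(rand.Reader)
	dir := Directory{"Awesome": companyPub}

	employeePub, employeePriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueEmployeeCert(companyPriv, employeePub)

	// 1. Genuine: a company-endorsed key signs the body.
	good := SignMessage("Awesome", []byte("Your invoice is attached."), employeePriv, cert)
	genuine, _ = Verify(dir, good)

	// 2. Impostor: may own awesomesupport.com and a valid TLS certificate for it,
	//    but can only endorse their own key with their own key, not Awesome's.
	attPub, attPriv, _ := ed25519.GenerateKey(rand.Reader)
	fakeCert := IssueEmployeeCert(attPriv, attPub)
	bad := SignMessage("Awesome", []byte("Please reset your password here."), attPriv, fakeCert)
	impostor, _ = Verify(dir, bad)

	// 3. Tampered: a genuine message whose body was altered after signing.
	altered := good
	altered.Body = []byte("Your invoice is attached. Pay to this new account.")
	tampered, _ = Verify(dir, altered)
	return
}

func main() {
	g, i, t := Demo()
	fmt.Println("genuine:", g, "impostor:", i, "tampered:", t)
}
```

The impostor case is the one that answers mxuribe's objection: a lookalike domain with perfectly good TLS still cannot produce a certificate signed by Awesome's key, so the binding the receiver checks is to a key it already trusts, not to a domain name that merely looks right.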
gfody 4 days ago
An OV cert "solves" this, but you'd still have to bother to check it.
AlienRobot 4 days ago
This honestly doesn't feel like it should be the case. There aren't that many websites. The e-mail provider could have a list of "popular" domains, and the user could have their own list of trusted domains. There are all sorts of ways to warn the user about it, e.g. "you have never interacted with this domain before." Even simply showing other e-mails from the same domain would be enough to prevent phishing in some cases. There are practical ways to solve this problem. They aren't perfect but they are very feasible.
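Putting mxuribe's AwesomeSupport.com scenario and AlienRobot's three heuristics (a user trust list, a provider list of popular brands, and a "never interacted with this domain before" warning) into one sender-domain triage routine, as an added example that is not from the thread or from any mail provider. The trusted domains, brand list, per-user history, and the sample addresses are constructed for the example; the registrable-domain extraction takes the last two labels rather than consulting the Public Suffix List, which is a simplification.

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict is the outcome for one sender address.
type Verdict struct {
	Level  string // "ok" or "warn"
	Reason string
}

// Constructed data for the example. In a real client the first list is the
// user's own, the second comes from the provider, the third is the mailbox history.
var trustedDomains = map[string]bool{"awesome.com": true, "myawesome.com": true}
var popularBrands = []string{"awesome", "paypal", "google"}
var seenBefore = map[string]int{"awesome.com": 12, "example.org": 3}

// registrableDomain returns the last two labels of the sender's host part.
// Simplification: no Public Suffix List, so "co.uk" style suffixes are mishandled.
func registrableDomain(addr string) string {
	at := strings.LastIndex(addr, "@")
	host := strings.ToLower(addr[at+1:])
	parts := strings.Split(host, ".")
	if len(parts) > 2 {
		parts = parts[len(parts)-2:]
	}
	return strings.Join(parts, ".")
}

// normalize folds common look-alike substitutions so "awes0me" compares as "awesome".
func normalize(s string) string {
	r := strings.NewReplacer("0", "o", "1", "l", "3", "e", "5", "s", "7", "t", "rn", "m", "vv", "w")
	return r.Replace(s)
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the plain edit distance, used to catch one-character typosquats.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	cur := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Triage applies the checks in order: explicit trust wins, then brand
// resemblance, then first contact, otherwise report the prior history.
func Triage(addr string) Verdict {
	dom := registrableDomain(addr)
	if trustedDomains[dom] {
		return Verdict{"ok", "domain is on your trusted list"}
	}
	label := normalize(strings.SplitN(dom, ".", 2)[0])
	for _, brand := range popularBrands {
		// Substring catches "awesomesupport"; edit distance catches "awesomme".
		// The length guard avoids flagging every short brand inside ordinary words.
		if strings.Contains(label, brand) || (len(brand) >= 5 && levenshtein(label, brand) <= 1) {
			return Verdict{"warn", fmt.Sprintf("%q resembles brand %q but is not a domain you trust", dom, brand)}
		}
	}
	n := seenBefore[dom]
	if n == 0 {
		return Verdict{"warn", fmt.Sprintf("you have never received mail from %q before", dom)}
	}
	return Verdict{"ok", fmt.Sprintf("%d earlier messages from %q", n, dom)}
}

func main() {
	for _, a := range []string{"support@awesome.com", "help@awesomesupport.com", "billing@awes0me.com",
		"news@newsletter.example.org", "ceo@random-startup.io", "promo@myawesome.com"} {
		v := Triage(a)
		fmt.Printf("%-30s %-5s %s\n", a, v.Level, v.Reason)
	}
}
```

Note that MyAwesome.com only passes because someone put it on the trusted list; the heuristics cannot tell a department's side domain from a squatter's, which is exactly the gap mxuribe points at and why the verdicts are warnings rather than blocks.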
|