| ▲ | verdverm 6 hours ago |
| Agree with this middle path you point out. On one hand, I do not want some apps to be distributed anonymously; I need to know who is behind it in order to trust the app. On the other hand, many apps are benign. Permissions are a great way to distinguish. |
|
| ▲ | amiga386 6 hours ago |
| Do you need Google to compel the author to start a business relationship with them, which they can cut off at any time? Or would you be OK knowing that the Thunderbird you downloaded from https://thunderbird.net/ is signed by the thunderbird.net certificate owner? |
| |
| ▲ | jyoung8607 6 hours ago |
| Typo squatting is a thing, and so are Unicode homographs. The permissions approach isn't bad. I may trust Thunderbird for some things, but permission to read SMS and notifications is permission to bypass SMS 2FA for every other account using that phone number. It deserves a special gate that's very hard for a scammer to pass. The exact nature of the gate can be reasonably debated. |
|
| ▲ | verdverm 6 hours ago |
| Something like Thunderbird might be an exception, but also domain confusion exists, so in the general case, most likely not, because most users are susceptible to this. |
|
| ▲ | joshuamorton 5 hours ago |
| Should I be confident that thunderbird.net is the real one, or could it be hosted at thunderbird.org, thunderbird.com, or thunderbird.mozilla.org? |
|