amiga386 6 hours ago
Do you need Google to compel the author to start a business relationship with them, which they can cut off at any time? Or would you be OK knowing that Thunderbird you downloaded from https://thunderbird.net/ is signed by the thunderbird.net certificate owner?

jyoung8607 6 hours ago
Typo squatting is a thing, and so are Unicode homographs. The permissions approach isn't bad. I may trust Thunderbird for some things, but permission to read SMS and notifications is permission to bypass SMS 2FA for every other account using that phone number. It deserves a special gate that's very hard for a scammer to pass. The exact nature of the gate can be reasonably debated.

verdverm 6 hours ago
Something like Thunderbird might be an exception, but also domain confusion exists, so in the general case, most likely not, because most users are susceptible to this.

joshuamorton 5 hours ago
Should I be confident that thunderbird.net is the real one, or could it be hosted at thunderbird.org, thunderbird.com, or thunderbird.mozilla.org?