On 20.03.15 20:47, Daniel Kahn Gillmor wrote:
> On Fri 2015-03-20 13:43:27 -0400, Bob (Robert) Cavanaugh wrote:
>> One thought to add to the mix: Phishing attacks by having
>> unknowledgeable users "click on this link" are pretty
>> successful. Doesn't this proposal open a new threat vector?

Yeah… I don't really see much of a problem as proposed by Bob. Any verification emails for any purpose should always be related to an action the user did very recently. I.e. they visited a site or used an application, whatever the route and method, but they should already /be expecting an email verification/.

> If the followup is just "click this link" then i agree it's probably
> encouraging bad habits.

Any verification should certainly be worded better, yes :).

> What if the suggested followup was an e-mail
> reply? What if we require the verifier to sign its outbound messages,
> and tell users "don't do this unless the message is signed by the
> verifier"?

Good ideas.

--
Ville
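The two properties Ville and dkg touch on above (a verification message is only meaningful if it is tied to an action the user just took, and the recipient should be able to check that it really came from the verifier) can be demonstrated in a small token design. This is an added example, not code from the thread or from any GnuPG project; it uses an HMAC tag in place of the OpenPGP signature dkg proposes, binds the token to the user and the requested action, and rejects anything that is forged, retargeted, or older than a short window. The key, the 15-minute window and the sample user/action values are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for the example; a real verifier would keep its signing key
# in a secret store (or use its OpenPGP key, as suggested in the thread).
VERIFIER_KEY = b"example-verifier-key-not-for-production"

# A verification only makes sense shortly after the user's own action.
MAX_AGE_SECONDS = 15 * 60


def issue_verification(key, user, action, now=None):
    """Build a signed verification token bound to a recent user action.

    Returns "<base64url(body)>.<base64url(tag)>". The body records who asked
    for what and when; the tag lets the recipient check it came from the
    holder of `key` and was not altered in transit.
    """
    now = int(now if now is not None else time.time())
    payload = {
        "user": user,
        "action": action,
        "issued": now,
        "nonce": secrets.token_hex(8),  # makes each token unique
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def check_verification(key, token, expected_user, expected_action,
                       now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, reason) for a received token.

    Order matters: the signature is checked before any field is trusted,
    then the binding to user/action, then freshness.
    """
    now = int(now if now is not None else time.time())
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or bad base64/padding
        return False, "malformed"

    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return False, "bad signature"

    payload = json.loads(body)
    if payload["user"] != expected_user or payload["action"] != expected_action:
        return False, "not bound to this user/action"

    age = now - payload["issued"]
    if age < 0 or age > max_age:
        return False, "stale"

    return True, "ok"


if __name__ == "__main__":
    # Constructed usage: the user asked to add a key a moment ago.
    tok = issue_verification(VERIFIER_KEY, "alice@example.org", "add-key")
    print(check_verification(VERIFIER_KEY, tok, "alice@example.org", "add-key"))
```

The point of the user/action binding is that a token lifted from one verification message cannot be replayed to confirm a different request, and the short window means a message that arrives when the user is not expecting one is rejected by the verifier as well as by the user.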
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users