On Friday, 14 June 2013 19:31:50 CEST, Jan Kundrát wrote:

> I was actually aware of this threat
Ok, proof damaged.

> and expected the users to be aware of the risks
Depends on "users" - as long as potential facebook and trojitá users are disjoint,
this is probably true.
But the majority of all users will just see the need to allow domains as a needless annoyance. And
they will *always* click if they trust the sender once, regardless of the "domain"
("that's lists.flaska.net, i.e. the part after the @, is it?") unless you scare them with
an annoying warning every time they try.

> What do you propose?
Given that the number of domains under a user's control will be rather readily
comprehensible (if any)?
A warning and a line edit to enter a CSV list, supporting wildcards (*.company.com) on
> 2nd-level domains (not "*.com")

> To me, and with the threat model that I can imagine, the target domain is the only information which can be trusted, at least until Trojita ships with support for verifying signed mail. Do you see a flaw in this reasoning?

Not at all.

I see a flaw in providing users a "click-me" button to build that list.
Adding that ability for a "yes, I know what I am doing - it's my server"
experienced admin is hardly any problem. They're paid to know what they're doing.
Enabling regular users to do that, with the ability to act without thinking, exposes them
to self-damage. They're certainly (often...) able to assess the current situation
(spam vs. not spam) but not to create a reasonable filter for certain actions,
understanding that it's not secure to trust imageshack just because it's a popular
service and "likely not infiltrated".

Given that the threat is limited to "you'll get more spam" and not "you're now a drone",
one could argue "pfff... evolution" - but that's not very nice (and you can be sure that they'll
blame you for their mistakes ;-)

Cheers,
Thomas

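As an added example (not Trojitá's code and not from either poster), here is how the proposed CSV allowlist with wildcards could be parsed and applied. It follows Jan's point that only the target domain of the remote resource can be trusted: the decision looks at the image URL's host, never at the sender address. The function names, the rule "a wildcard must be the leftmost label and needs at least two labels after it" (so "*.company.com" passes and "*.com" is rejected), and the sample entries and URLs are assumptions made for this illustration.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Hypothetical helper for the "CSV list with wildcards" idea from the thread:
# entries like "lists.flaska.net" or "*.company.com"; "*.com" is rejected.


def _normalize_host(host: str) -> str:
    """Lower-case, trim whitespace and a trailing dot ("example.com." == "example.com")."""
    return host.strip().rstrip(".").lower()


def parse_allowlist(csv_text: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Split user-entered CSV text into accepted entries and (entry, reason) rejections.

    Rules (an assumption of this example, modelled on "*.company.com" yes, "*.com" no):
      - a wildcard may only be the leftmost label;
      - at least two labels must follow the wildcard, so it never covers a whole TLD.
    """
    accepted: list[str] = []
    rejected: list[tuple[str, str]] = []
    for raw in csv_text.split(","):
        entry = _normalize_host(raw)
        if not entry:
            continue
        labels = entry.split(".")
        if "" in labels:
            rejected.append((entry, "empty label"))
            continue
        if "*" in entry:
            if labels[0] != "*" or any("*" in label for label in labels[1:]):
                rejected.append((entry, "wildcard must be the leftmost label"))
                continue
            if len(labels) < 3:
                rejected.append((entry, "wildcard would cover a whole top-level domain"))
                continue
        accepted.append(entry)
    return accepted, rejected


def host_allowed(host: str, entries: list[str]) -> bool:
    """Exact match for plain entries; "*.company.com" matches subdomains only, not company.com."""
    host = _normalize_host(host)
    if not host:
        return False
    for entry in entries:
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # entry[1:] == ".company.com"
                return True
        elif host == entry:
            return True
    return False


def url_allowed(url: str, entries: list[str]) -> bool:
    """Decide whether one remote resource may be fetched.

    Only the URL's host is consulted: the sender address is attacker-controlled
    and says nothing about where the image is actually loaded from.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port, so "http://lists.flaska.net@tracker.example/"
    # resolves to tracker.example rather than the lookalike before the "@".
    host = parts.hostname
    return host is not None and host_allowed(host, entries)


if __name__ == "__main__":
    # Constructed sample input, not real user data.
    entries, errors = parse_allowlist("lists.flaska.net, *.company.com, *.com, img.*.net")
    print("accepted:", entries)
    print("rejected:", errors)
    for url in (
        "https://lists.flaska.net/logo.png",
        "https://img.company.com/banner.png",
        "https://company.com/banner.png",
        "http://lists.flaska.net@tracker.example/pixel.gif",
        "https://evilcompany.com/pixel.gif",
    ):
        print(url_allowed(url, entries), url)
```

Returning the rejected entries with a reason instead of raising lets the dialog show the user which part of the list was refused. The "two labels after the wildcard" rule is deliberately simple and knows nothing about multi-label public suffixes, so an entry like "*.co.uk" would be accepted; a real implementation would check candidate wildcards against the Public Suffix List before accepting them.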