WingNews logo WingNews
top | item 47140416

(no title)

amiga386 | 7 days ago

Do you need Google to compel the author to start a business relationship with them, which they can cut off at any time?

Or would you be OK knowing that Thunderbird you downloaded from https://thunderbird.net/ is signed by the thunderbird.net certificate owner?

discuss

order

jyoung8607|7 days ago

Typo squatting is a thing, and so are Unicode homographs.

The permissions approach isn't bad. I may trust Thunderbird for some things, but permission to read SMS and notifications is permission to bypass SMS 2FA for every other account using that phone number. It deserves a special gate that's very hard for a scammer to pass. The exact nature of the gate can be reasonably debated.

amiga386|6 days ago

They are, but this the next-layer-up problem. Most people don't type memorise and type URLs into their browser bar, they use a search engine result, browser history or browser bookmark.

It's therefore on their choice of search engine, or choice of app store, to lead them from "thunderbird" to "The app downloadable from https://thunderbird.net/", which can then be validated as signed by the verified owner of the same domain.

I'm not proposing changing the permissions system.

verdverm|7 days ago

Something like Thunderbird might be an exception, but also domain confusion exists, so in the general case, most likely not because most users are susceptible to this.

joshuamorton|7 days ago

should I be confident that thunderbird.net is the real one, or could it be hosted at thunderbird.org, thunderbird.com, or thunderbird.mozilla.org?

amiga386|6 days ago

That's a search engine / reputation problem and it's also present even in Daddy Google's and Daddy Apple's walled gardens.

If you search any web search engine for "thunderbird", https://thunderbird.net/ is the top result. You can choose your preferred search engine, you should be able to choose your own app store, and your level of confidence stems from your own estimation of that entity's past competence.

If you do search Google Play for "thunderbird", you'll find it lists an app with internal name "net.thunderbird.android" as the top result (along with lots of other mail clients). What I'm proposing is that if your choice of search engine or app store shows you https://thunderbird.net/ as the place to download Thunderbird, and you do, PKI can then verify that the app was independently signed by the owner of the matching domain, and that the certificate was issued to them by a CA who regularly validates they control that domain.