Tuesday, 7 February 2006

More on Goodmail's wasted opportunity

As I said in my previous missive, Goodmail adds no practical value from the user's perspective. Goodmail deliberately misses the opportunity to protect users from phishing.

Goodmail could do so much more to warn users about scams involving sender impersonation ("phishing"). Right now, it's only certifying legitimate mail as "good." It's not spotting scam mail as "bad" -- even though it should be perfectly capable of doing so. It's very little use to consumers to simply reinforce the good, without issuing warnings about the bad. You're asking people to infer that scam email is bad (because it's not "good"). That simply doesn't work -- the psychology is all wrong.

Let's imagine that your mom's bank is a Goodmail customer. When she gets email from her bank, there's a comforting icon promising that the email is authentic. However, if a Russian mafia gang sends her some email pretending to be her bank, Goodmail says nothing -- even though they should be fully capable of popping up a big red, flashing warning.

The lack of phishing warnings is a huge missed opportunity, both for consumers and for Goodmail's customers. Neither you, your mom, nor her bank wants your mom to be fooled by criminals.

2 comments:

Bart Schaefer said...

Goodmail works on the sending system by adding a cryptographic token to the message. The "good" icon appears when the token is present and matches the message in which it appears. There's no interaction with Goodmail after the message leaves the sender's system, and the message itself does not pass through Goodmail.

A forged message would never touch Goodmail's system at all.

So it'd be up to the receiving system, not Goodmail, to determine whether mail that does not have a token is a forgery or phish.

Richi Jennings said...

Bart, this is true. But my point is that Goodmail does have the ability to do this -- you are of course correct in pointing out that it would need to be done in association with its "partners" (AOL etc.).

One of Goodmail's messages is that its system is helpful in the fight against phishing. I'm asserting that, without a way of warning the user that they're being phished, Goodmail actually isn't very helpful to users at all.
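To make the asymmetry discussed in the two comments above concrete, here is an added example (not from the post, the commenters, or Goodmail itself): a stand-in token scheme in which the sending system attaches a keyed MAC, the receiver shows "good" only when the token is present and matches, and a receiving-side rule turns the absence of a valid token on a message claiming a certified sender into a warning. It assumes the receiver has been told which senders are certified (the partner coordination mentioned above); the key, sender list and messages are constructed.

```python
import hashlib
import hmac

# Stand-in for a Goodmail-style certification token (constructed for this
# example; not Goodmail's real format or key management): the sending system
# attaches a keyed MAC over sender and body, and the receiver shows "good"
# only when the token is present and matches the message it arrived in.
DEMO_KEY = b"demo-shared-key"  # constructed; a real certifier would hold per-sender keys
CERTIFIED_SENDERS = {"alerts@example-bank.test"}  # constructed; hypothetical partner list

def make_token(sender: str, body: str) -> str:
    """Sender side: MAC over the sender and body that the receiver will check."""
    msg = f"{sender}\n{body}".encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

def token_is_valid(msg: dict) -> bool:
    """Receiver side: token present *and* matching this exact message."""
    token = msg.get("token")
    if token is None:
        return False
    expected = make_token(msg["from"], msg["body"])
    return hmac.compare_digest(token, expected)

def classify_certify_only(msg: dict) -> str:
    """Behaviour the post criticises: 'good' on a valid token, silence otherwise."""
    return "good" if token_is_valid(msg) else "no indicator"

def classify_with_warning(msg: dict) -> str:
    """Receiving-side rule the post argues for: a message that claims a certified
    sender but carries no valid token is flagged as likely impersonation."""
    if token_is_valid(msg):
        return "good"
    if msg["from"] in CERTIFIED_SENDERS:
        return "warning: claims a certified sender but has no valid token"
    return "no indicator"

# Constructed sample messages.
GENUINE = {"from": "alerts@example-bank.test", "body": "Your statement is ready."}
GENUINE["token"] = make_token(GENUINE["from"], GENUINE["body"])
FORGED_NO_TOKEN = {"from": "alerts@example-bank.test", "body": "Confirm your password here."}
# A token copied from the genuine mail onto a different body does not match.
FORGED_REPLAYED = {**FORGED_NO_TOKEN, "token": GENUINE["token"]}
UNRELATED = {"from": "friend@example.test", "body": "Lunch tomorrow?"}

if __name__ == "__main__":
    for name, m in [("genuine", GENUINE), ("forged, no token", FORGED_NO_TOKEN),
                    ("forged, replayed token", FORGED_REPLAYED), ("unrelated", UNRELATED)]:
        print(f"{name:24} certify-only: {classify_certify_only(m):13} with warning: {classify_with_warning(m)}")
```

The certify-only view leaves both forgeries indistinguishable from an unrelated message; the warning rule separates them only because the receiver knows which senders should always carry a token.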
