Date: 2018-05-10
Does Gmail's New 'Confidential Mode' Make It Easier to Phish? (vortex.com)
Gmail's new confidential mode lets its users create "expiration dates" for emails, or require recipients to provide an SMS passcode. (And Google also claims they've removed the option to forward, copy, download or print messages.)
But Slashdot reader Lauren Weinstein warns that Google is also opening up a new vector for phishing emails: The problem arises since non-Gmail users cannot directly receive Gmail confidential mode messages. Instead...when a Gmail user wants to send a non-Gmail user such a message, the non-Gmail user is instead sent a link, that when clicked takes them to Google's servers where they can read the confidential mode message in their browser.
The potential risks for any service that operates in this way are obvious. Those of us working on Internet security and privacy have literally spent many years attempting to train users to avoid clicking on "to read the message, click here" links in emails that they receive. Criminals have simply become too adept at creating fraudulent emails that lead to phishing and malware sites.
And Google also claims they've removed the option to forward, copy, download or print messages.)
So then you just print screen or take a picture of the email and then just transcribe it?
Also how can Google stop someone from doing these things if the recipient doesn’t use Gmail?
Yep. Sounds just as dumb as this [arstechnica.com].
"Those of us working on Internet security and privacy have literally spent many years attempting to train users to"
So... tell me your success stories.
You have to admit, this is a helluva awesome attack vector. Just spoof a Gmail confidential email - whatever could go wrong? Ima grab me some popcorn!
I quit trying to train lusers long ago. Too many corporate types training them to be insecure. Hiding extensions, ActiveX, hiding email addresses, link shortening, click link to install, auto-start. Idiot proofing forces the evolution of better idiots.
The Uni I work at warns people about phishing, and has an address to forward phishing attempts to to report them. Here's the success stories:
1. Employees are required to fill out a timesheet once a month showing vacation, sick, etc days. This used to be paper. It is now a web form -- on a site external to the Uni but which requires a login using the Uni credentials. There are daily email reminders with a link to the site that start showing up on the first day of the month.
2. The Uni purchasing people don'
You’re probably not a target demographic for this product then, gramps.
What about those of us without a freakin' internet connection?
No worries, Methuselah. They can send it on papyrus or stone tablet. Whichever way you’re accustomed to receiving messages.
That's fine really, because I have yet to come up with any legitimate reason to use this "service". If someone sends me one of these, I'll just send it to spam right away because there's no way it's a legitimate email.
I would recommend that anyone running a mail server should probably do that system wide.
Don't expect a reply.
Over 300 story submissions and only 8 comments, none in the last two years.
So the service links have to stay deep in their free networks to ensure the encrypted ads get seen by consumers.
Microsoft has had this service for a while: confidential and expiring email. If you’ve done a loan or bought a house in the last two years, you may have encountered it. Usually the loan or escrow company calls me ahead and tells me to expect it. So the best practice for these types of emails would be: don’t click unless you’re expecting it.