by into_infinity
1276 days ago
What I find a bit startling in this article is not as much that it rejects the old (half-baked) paradigm, but that I was holding out for that big reveal of a solid alternative... and it never came. The article offers three choices:

1. Invest in negative security warnings. This is fair, but how would that really work? HTTPS seems like an odd example, given how binary it is. How do you generalize it to online safety? Blocking known bad sites or behaviors is a never-ending game in a world where it costs next to nothing to set up a new phishing site or roll out a new malicious binary.

2. Unphishable credentials. This is reasonable - but what about attacks that don't care about credentials? Again, malicious downloads and plenty of other things that are happening today.

3. App-level content moderation. Sure, but this works only as long as you stay within walled gardens of a small number of platforms and are not an interesting target. What if you go to a URL not ending with .google.com or .facebook.com? What about specific, targeted populations that aren't adequately protected by the heuristics used at that scale?