by ajonit 623 days ago
Now that certificates are free, of course, all phishing sites use Let's Encrypt. Evaluating a website's legitimacy using SSL should not have been initiated by browser vendors. The messaging was wrong for the non-tech folks. They do not have anything to do with whether the site is fake/fraudulent/malicious. It was just whether the data in transit is safe or not.

That's not my point: My point is that it became a real world tendency because it was pretty accurate: The malicious websites weren't paying for certificates.

If even some legitimate businesses balk at the cost of a VMC, your average scammer isn't going to drop that kind of money to get one either, especially since that cost is per-attempt and the approval is somewhat manual and likely involves humans seeing that it is wrong. But Bank of America will and hence the BoA logo on your email is pretty effective proof of legitimacy.

Of course I understood your larger point on barriers to entry for a malicious actor.

If a thing like BIMI is not widespread, would it even help an average non-tech Joe who won’t even understand the reason behind that checkmark on a logo?

It certainly can. Most people interact with the same organizations time and time again, so any visual indicator something is different can be useful. If you're used to seeing a bank logo on every email from your bank... and then you get an email without that logo... it's just one more visual indicator something is off, and it's more obvious than say... looking at the full email address behind the display name.

BIMI (and EV certs) should not be considered "for all organizations", but probably something worthwhile for organizations that transact in a lot of money and a lot of personal data.

Now consider getting the same visual indicators for ALL legit emails, not just big companies. Which case would have a bigger recall value?

For a malicious actor spoofing a combo of SPF + DKIM + DMARC + BIMI won’t be a trivial job.

I would argue that would make it worse. I don't think any given site or user needs a personal verified email icon. A big part of the goal here is to highlight legitimate trust. Real people don't need a cryptographic proof, what they want to see is "This is really from the official company Microsoft which you've heard of" and something M1cros0ft registered in a tax haven can't technically request to participate in.

This is what I feel us tech people have missed about what the old school lock icon used to at least sort of (inaccurately) express when HTTPS was rare, and what EV intended to express (although the qualification criteria need work there).

Not everyone should be eligible for an EV cert, not everyone should be eligible for BIMI/VMC. Some sort of scale and legitimacy and manual approval (think the old school Verified checkmark before Elon bought Twitter) that not everyone qualifies for.