by dododo 4778 days ago
new tool for phishing. perfect.

I guess that's the negativity Larry Page was talking about yesterday, sad indeed.
Because security really is never a good reason to be skeptical and skepticism, no matter how valid, is just a cloak for hating on Google. I love GMail and lots of Google's products. I even like that this feature will be limited to companies that register with Google. It doesn't change the fact that those partners could be broken into and used to send out malicious emails.

Also, please don't try to insinuate that I'm against the feature. I'm not. I can stop using GMail if I ever want to. I just think everyone should consider their own security and decide how valuable it is to them based on reasonable possibilities.

Yeah. There are so many positive possibilities yet a large group of people still choose to focus on the negative side. I hope this can change one day
So many possibilities? There is nothing here that couldn't be achieved by having the user click on a link.

And he's right, it does make phishing easier.

> So many possibilities? There is nothing here that couldn't be achieved by having the user click on a link.

Because it's machine-parseable, it makes a lot of presentation options available that aren't available when you rely on a standard hyperlink without a data format with a standardized identification of the requested action.

> And he's right, it does make phishing easier.

Well, that depends on what the requirements are to have the client present the actions from the schemas: the current Google requirements, I would say, do not make phishing easier. You must register with Google for the schemas in the email you send to be recognized in Google products (e.g., Gmail) [1], and the registration is per-set-of-emails, and fairly specific as to the content, and appears to be manually reviewed [2].

[1] https://developers.google.com/gmail/schemas/registering-with... [2] https://docs.google.com/forms/d/1PA-vjjk3yJF7MLPOVKbIz3MBfhy...

> Because it's machine-parseable, it makes a lot of presentation options available that aren't available when you rely on a standard hyperlink without a data format with a standardized identification of the requested action.

You're right: this addition turns email into a data or event queue of sorts with standardized actions that can be performed on it. I like it. Given that email is one of the few non vendor-locked communication technologies we have and we already have a lot of infrastructure to deliver it reliably, this seems a promising evolution path.

I'd like to see something similar for IM: currently SMS is the only open standard for instant messaging, and any other option locks you into either a platform or a specific client, which the other person will probably not use.

> currently SMS is the only open standard for instant messaging

XMPP is an open standard (through IETF RFCs and related standards) for messaging and presence whose motivating use case was instant messaging: http://en.wikipedia.org/wiki/XMPP

Just like short sellers, we need these naysayers to keep us grounded. :) Yes, I choose to see the positive possibilities and the opportunities that show up thanks to our beloved naysayers.
No. It's more that there are so many positive possibilities yet a large group of people still choose to exploit them to make themselves money by harming others and end up breaking things for everyone else.

The whole history of modern operating systems and the Web is the example of that. Think of all the amazing and useful things that could be (and have been) done had there been no Data Execution Prevention or Same-Origin Policy or any other limit introduced because of security.

I don't think so, it seems an obvious concern to me.
How many spam/phishing emails do you actually get in your Gmail? And of those, how many are DKIM/SPF signed?
The people targeted by phishing attacks have no idea what those terms mean.
It doesn't matter. Gmail does, and they block the feature for any sender which doesn't sign their emails.

https://developers.google.com/gmail/schemas/actions/securing...
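The two technical points in this thread, that the actions are carried in machine-parseable markup rather than in a plain link, and that the client only renders them for senders whose mail passes DKIM/SPF and who are registered, can be shown together as a receiving-side gating check. The following is an added example written for this page, not code from the thread, from Gmail, or from Google's documentation. The Authentication-Results header follows the RFC 7601 syntax; the JSON-LD shape is modelled on schema.org EmailMessage/potentialAction markup, but the sender domains, URLs, message content and registered-sender list are constructed placeholders, and the exact policy (DKIM pass, SPF pass, signing domain aligned with the From domain, domain on a registration allowlist) is this example's own, not a statement of Google's precise rules.

```python
import json
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (placeholder domains, not a real Gmail message):
# an HTML body carrying schema.org action markup as JSON-LD, plus an
# Authentication-Results header of the kind a receiving MTA adds (RFC 7601).
SIGNED_EMAIL = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=sender.example; spf=pass smtp.mailfrom=sender.example
From: Expense Bot <noreply@sender.example>
To: user@receiver.example
Subject: Expense report #42 awaits approval
Content-Type: text/html; charset="utf-8"

<html><body>
<script type="application/ld+json">
{
  "@context": "http://schema.org",
  "@type": "EmailMessage",
  "potentialAction": {
    "@type": "ConfirmAction",
    "name": "Approve Expense",
    "handler": {"@type": "HttpActionHandler", "url": "https://sender.example/approve?id=42"}
  }
}
</script>
<p>Please approve expense report #42.</p>
</body></html>
"""

# Same message, but the receiving MTA found no DKIM signature and no SPF record.
UNSIGNED_EMAIL = SIGNED_EMAIL.replace(
    "dkim=pass header.d=sender.example; spf=pass smtp.mailfrom=sender.example",
    "dkim=none; spf=none",
)

# Same message, validly signed, but by a domain that does not match the From header.
MISALIGNED_EMAIL = SIGNED_EMAIL.replace("header.d=sender.example", "header.d=other.example")

# Matches "dkim=pass header.d=example.org" and "spf=pass smtp.mailfrom=user@example.org".
AUTH_RESULT_RE = re.compile(r"(dkim|spf)=(\w+)(?:\s+(?:header\.d|smtp\.mailfrom)=([^\s;]+))?")

# Matches the JSON-LD blocks the actions are carried in.
LDJSON_RE = re.compile(r'<script[^>]*type="application/ld\+json"[^>]*>(.*?)</script>', re.S | re.I)


def parse_auth_results(header_value):
    """Return {'dkim': (verdict, domain), 'spf': (verdict, domain)}; absent methods are ('none', None)."""
    results = {"dkim": ("none", None), "spf": ("none", None)}
    for method, verdict, ident in AUTH_RESULT_RE.findall(header_value or ""):
        domain = ident.rpartition("@")[2].lower() if ident else None  # strip any local part
        results[method] = (verdict.lower(), domain)
    return results


def extract_actions(html):
    """Pull potentialAction entries out of every JSON-LD block; malformed blocks are ignored."""
    actions = []
    for block in LDJSON_RE.findall(html):
        try:
            data = json.loads(block)
        except json.JSONDecodeError:
            continue  # unparseable markup is simply not rendered
        potential = data.get("potentialAction", [])
        if isinstance(potential, dict):
            potential = [potential]
        actions.extend(a for a in potential if isinstance(a, dict) and "@type" in a)
    return actions


def actions_to_render(raw_email, registered_senders):
    """Return (actions, reason): the actions the client may render, or [] and why not."""
    msg = message_from_string(raw_email)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    dkim_verdict, dkim_domain = auth["dkim"]
    spf_verdict, _ = auth["spf"]
    if dkim_verdict != "pass" or spf_verdict != "pass":
        return [], "unauthenticated sender: actions suppressed"
    if dkim_domain != from_domain:
        return [], "DKIM domain does not match From domain: actions suppressed"
    if from_domain not in registered_senders:
        return [], "sender not registered for actions: actions suppressed"
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return extract_actions(body), "ok"


if __name__ == "__main__":
    registered = {"sender.example"}  # constructed allowlist standing in for a registration
    for label, sample in [("signed", SIGNED_EMAIL), ("unsigned", UNSIGNED_EMAIL), ("misaligned", MISALIGNED_EMAIL)]:
        actions, reason = actions_to_render(sample, registered)
        print(f"{label:>10}: {reason}; actions={[a['name'] for a in actions]}")
```

The point of the three samples is that the markup itself is inert: the same JSON-LD is present in all of them, and the only thing that decides whether a button appears is the authentication and registration state of the sender, which is what keeps the feature from being a free phishing primitive for anyone who can type a `<script>` tag into an email body.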

I routinely send emails through a mail server that doesn't sign them and they are delivered to Gmail recipients just fine.
Sorry, I edited the post. They block that feature, not the whole mail.
A company that inserts this type of response hook in their emails needs to register with Google. The response interface looks clearly separated—it's not in the body of the email—so there is no way that a phisher could fake it.

So it actually could help to SOLVE the phishing issue. Especially if other mail providers sign on.

Hopefully Google will get S/MIME built in.