Comment by amiga386
4 months ago
Do you need Google to compel the author to start a business relationship with them, which they can cut off at any time?
Or would you be OK knowing that Thunderbird you downloaded from https://thunderbird.net/ is signed by the thunderbird.net certificate owner?
Typo squatting is a thing, and so are Unicode homographs.
The permissions approach isn't bad. I may trust Thunderbird for some things, but permission to read SMS and notifications is permission to bypass SMS 2FA for every other account using that phone number. It deserves a special gate that's very hard for a scammer to pass. The exact nature of the gate can be reasonably debated.
They are, but this the next-layer-up problem. Most people don't type memorise and type URLs into their browser bar, they use a search engine result, browser history or browser bookmark.
It's therefore on their choice of search engine, or choice of app store, to lead them from "thunderbird" to "The app downloadable from https://thunderbird.net/", which can then be validated as signed by the verified owner of the same domain.
I'm not proposing changing the permissions system.
Something like Thunderbird might be an exception, but also domain confusion exists, so in the general case, most likely not because most users are susceptible to this.
should I be confident that thunderbird.net is the real one, or could it be hosted at thunderbird.org, thunderbird.com, or thunderbird.mozilla.org?
That's a search engine / reputation problem and it's also present even in Daddy Google's and Daddy Apple's walled gardens.
If you search any web search engine for "thunderbird", https://thunderbird.net/ is the top result. You can choose your preferred search engine, you should be able to choose your own app store, and your level of confidence stems from your own estimation of that entity's past competence.
If you do search Google Play for "thunderbird", you'll find it lists an app with internal name "net.thunderbird.android" as the top result (along with lots of other mail clients). What I'm proposing is that if your choice of search engine or app store shows you https://thunderbird.net/ as the place to download Thunderbird, and you do, PKI can then verify that the app was independently signed by the owner of the matching domain, and that the certificate was issued to them by a CA who regularly validates they control that domain.