5 September 2025
In the past six months, I have received all of the following advice from the official cybersecurity office of my academic institution.
Much of this comes from government-level security guidance. To illustrate how ridiculous it is, let me propose the ultimate checklist for your physical security, as the government could write it by imitating the one for cybersecurity:
End of sarcasm.
These harebrained “security best practices” have apparently penetrated the general public well enough that my family found me reckless when I recently connected to an airport's Wi-Fi in a foreign country.
Meanwhile, I did not find any of the following sensible and actually important advice given even once:
(… .com, .org or such.)
… wikippedia.org instead of wikipedia.org, git-hub.com instead of github.com, hsbc.org instead of hsbc.com, dwp.uk instead of dwp.gov.uk, etc.
(… github.com, or visit the Wikipedia page if the website has one.)
… https://xyz-party.org. On the other hand, visiting its Wikipedia page https://en.wikipedia.org/wiki/XYZ_party is fine since all an attacker could see is en.wikipedia.org. (Note that on your home network, your Internet Service Provider can still record which websites you are visiting. If you're Chinese and party XYZ is an opponent of Xi Jinping, better use a VPN to browse https://xyz-party.org.)
Coming back to the “security best practices” I got in my inbox:
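The lookalike domains above (wikippedia.org for wikipedia.org, git-hub.com for github.com, dwp.uk for dwp.gov.uk) only work because people read the wrong part of the address. As an added example that is not from the original post, here is a small Python checker that extracts the one part of a URL a registrar actually hands out, the registrable domain, and compares it with the site the user expects. Everything left of that domain, the path, and anything before an `@` is chosen freely by whoever owns the name and carries no trust. The public-suffix table and every URL in the block are constructed stand-ins; a real tool would load the full Public Suffix List.

```python
"""Added example: what "look at the domain name" concretely means."""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List: suffixes under which third
# parties register names, so the registrable domain has three labels.
MULTI_LABEL_SUFFIXES = {"gov.uk", "co.uk", "org.uk", "ac.uk", "com.au"}


def registrable_domain(url: str) -> str:
    """Return the registrable domain (public suffix + one label) of the URL's
    host, lower-cased. urlsplit().hostname already discards userinfo
    ("hsbc.com@evil.example" yields "evil.example"), port, path and query."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-typo lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, expected: str) -> str:
    """Compare the URL's registrable domain with the site the user expects
    and say why they differ, if they do."""
    got = registrable_domain(url)
    expected = expected.lower()
    if got == expected:
        return "ok"
    got_name, exp_name = got.split(".", 1)[0], expected.split(".", 1)[0]
    if got_name == exp_name:
        return f"same name under a different suffix: {got}"
    if edit_distance(got_name, exp_name) <= 2:
        return f"lookalike of {expected}: {got}"
    return f"different site: {got}"


if __name__ == "__main__":
    CASES = [  # constructed URLs, not real phishing sites
        ("https://en.wikipedia.org/wiki/XYZ_party", "wikipedia.org"),
        ("https://wikippedia.org/wiki/XYZ_party", "wikipedia.org"),
        ("https://git-hub.com/login", "github.com"),
        ("https://hsbc.org/", "hsbc.com"),
        ("https://www.hsbc.com.login-secure.example/", "hsbc.com"),
        ("https://hsbc.com@evil.example/", "hsbc.com"),
        ("https://dwp.uk/", "dwp.gov.uk"),
    ]
    for url, expected in CASES:
        print(f"{url:48} -> {classify(url, expected)}")
```

The two cases a padlock icon cannot help with are the last three: `hsbc.com` appearing as a subdomain or as userinfo of an unrelated host, and a name that simply lacks the `gov.` label. The browser shows a valid certificate for each of them; only the registrable domain gives the answer.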
(0) “Check the sender of emails” will inevitably make people think that an email can be trusted to originate from the address it appears to be sent from, which it cannot. Most people don't know that anyone running their own mail server can send an email whose From address is a totally arbitrary one they have no control over. Phishers don't always bother to do this, but sometimes they do. (They could also make it look like they sent you an email from your own address, to let you believe they hacked your account. This actually happened to me as a young teen and I believed it.) Yes, SPF, DKIM and DMARC exist and go a long way, but not all email providers check them in all cases, and those that do may not refuse the bad emails but just route them to the spam folder. (For example, Gmail has required SPF or DKIM from every sender since February 2024, but demands all three, including a published DMARC policy, only from servers that send more than 5,000 emails a day to Gmail addresses.)
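What actually happens when a From address is forged, and what a receiving server records instead, as an added Python example that is not from the original post. SMTP carries two senders: the envelope MAIL FROM, which the sending server chooses, and the From: header, which is just text inside the message; the protocol checks neither. SPF validates the envelope domain, DKIM signs the message for a domain of the signer's choosing, and DMARC passes only when one of those domains matches the From: header domain. The receiver writes the outcome into an Authentication-Results header (RFC 8601), which is the header worth reading. All domains, addresses and verdict strings below are constructed.

```python
"""Added example: why "check the sender" proves nothing."""
import email
import re
from email.message import EmailMessage
from email.utils import parseaddr

# method=result followed by optional key=value properties (RFC 8601 syntax)
AUTHRES = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)((?:\s+[\w.-]+=[^;\s]+)*)", re.I)
PROP = re.compile(r"([\w.-]+)=([^;\s]+)")

MY_AUTHSERV_ID = "mx.university.example"  # constructed receiving server


def forged_message() -> bytes:
    """What a phisher can build: any From: header they like, plus a fake
    Authentication-Results header in the hope the receiver keeps it."""
    msg = EmailMessage()
    msg["From"] = "IT Security <security@university.example>"  # not theirs
    msg["To"] = "victim@university.example"
    msg["Subject"] = "Your password expires today"
    msg["Authentication-Results"] = (
        f"{MY_AUTHSERV_ID}; dmarc=pass header.from=university.example")
    msg.set_content("Log in at https://university-example.login-now.example/")
    return msg.as_bytes()


def envelope(mail_from: str, raw: bytes, rcpt: str) -> tuple:
    """The envelope sender is a separate SMTP parameter, unrelated to the
    From: header; with smtplib it is the first argument of
    SMTP.sendmail(mail_from, [rcpt], raw). SPF checks this domain, so an
    attacker simply uses one they own."""
    return mail_from, [rcpt], raw


def received_copy(raw: bytes, results: str) -> bytes:
    """Constructed stand-in for a receiving MTA: strip pre-existing
    Authentication-Results headers (RFC 8601 section 5 requires removing
    those that claim the receiver's own authserv-id; this example removes
    them all), then record its own verdict."""
    msg = email.message_from_bytes(raw)
    del msg["Authentication-Results"]
    msg["Authentication-Results"] = f"{MY_AUTHSERV_ID}; {results}"
    return msg.as_bytes()


def authentication_verdict(raw: bytes) -> dict:
    """Trust the From: domain only if DMARC passed and its header.from equals
    that domain. An SPF pass alone only says the *envelope* domain
    authorised the sending server."""
    msg = email.message_from_bytes(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result, props in AUTHRES.findall(header):
            found[method.lower()] = (result.lower(), dict(PROP.findall(props)))
    dmarc, props = found.get("dmarc", ("none", {}))
    return {
        "from_domain": from_domain,
        "spf": found.get("spf", ("none", {}))[0],
        "dkim": found.get("dkim", ("none", {}))[0],
        "dmarc": dmarc,
        "trust_from_header": dmarc == "pass"
        and props.get("header.from", "").lower() == from_domain,
    }


# Constructed verdicts a receiver would produce for the forged message and
# for a genuine one relayed through university.example's own servers.
FORGED_RESULTS = ("spf=pass smtp.mailfrom=attacker.example; dkim=none; "
                  "dmarc=fail header.from=university.example")
GENUINE_RESULTS = ("spf=pass smtp.mailfrom=university.example; "
                   "dkim=pass header.d=university.example; "
                   "dmarc=pass header.from=university.example")

if __name__ == "__main__":
    raw = forged_message()
    print("envelope sender:", envelope("bounce@attacker.example", raw,
                                       "victim@university.example")[0])
    print("as the attacker sent it:", authentication_verdict(raw))
    print("after receiving MTA:", authentication_verdict(received_copy(raw, FORGED_RESULTS)))
    print("genuine mail:", authentication_verdict(received_copy(raw, GENUINE_RESULTS)))
```

Two things to notice: the forged message gets `spf=pass` because the attacker's own domain authorises the attacker's server, so SPF alone never vouches for the visible sender; and the attacker-inserted Authentication-Results header would have produced a "pass" had the receiver not stripped it, which is why a mail client should only display results from the final receiving server.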
(1) “Don't click on links you don't trust” is pure paranoia. I actually complained about this one, and was pointed to some years-old CVEs. Browser vulnerabilities exist, and they are a serious problem insofar as a single vulnerability can affect billions of users of popular browsers, but for an individual user the likelihood of getting hacked through a browser vulnerability is incredibly tiny (especially on an up-to-date browser), many orders of magnitude smaller than the likelihood of getting hacked by an utterly unsophisticated phishing scam. A browser CVE with even a single confirmed exploit is rare enough to be worthy of mention, while the awareness campaigns at my institution have seen about 15% of people enter their institutional login and password in a phishing-resistance test. I find it pointless to worry about these vulnerabilities unless you expect to be targeted by military-espionage-level attacks.
Many of the other points are cast in the same mould. The chief effect of such advice will be to divert users' attention from actually important security measures. If you give a checklist of ten points of which only one really matters, chances are most users will only remember two or three, or feel that these are already enough, and you've lost.
Worse, this sort of FUD is one of the ways (competing with frequent forced password changes) in which “security fatigue” is created. It gives the feeling that if you try to follow all the security guidelines, it's going to be impossible to do anything on the Internet, so you have no choice but to mostly ignore them anyway.
To top it all, point (8) “the email you will soon receive is legitimate” somehow manages to again avoid mentioning the only definitive source of trust in a link, the DOMAIN NAME, and entrenches the idea that you can trust an email because someone told you so without even seeing it. Facepalm.
It is already amazingly hard to get people not to fall for the most basic phishing attacks (especially while trying not to exclude the elderly and the less educated from technology even more by making them afraid of every tiny action they might take on a computer). This Sisyphean enterprise really doesn't need to be made extra hard by this kind of nonsense in official IT security communications.
I'm sorry for the employees of those institutional and governmental services, who are certainly well-meaning and doing their job as best they can, but it really feels ridiculous to me. In their defense, I've seen this kind of bad advice elsewhere; it seems all too common.
Making HTTPS-only mode practical is the main reason why I think as many websites as possible should switch to HTTPS, for all its technical flaws and for all the racket played by registrars to make it convenient for website owners only if they pay extra fees. It is already hard enough to make non-geeks follow extremely basic and essential security practices like thinking for one second before typing their password on a fake version of their bank's website. You just cannot make my elderly grandfather, who's struggling with the difference between the “Save” and “Save as” buttons, pay any amount of attention to a small padlock icon in a browser or understand what it means. The only way to keep sensitive information from being sent over plain HTTP is to make visiting an HTTP website impossible to ignore, by showing a big fat red warning and asking the user to confirm, while making sure they read the bold sentence telling them not to enter their bank password on this site. I really hope major browsers will enable HTTPS-only mode by default as soon as possible.
# Comment by Selim (5 September 2025 at 13:30)
I agree with you on security fatigue and your list of sensible advice.
I understand that not connecting to public wireless networks seems too much for some people.
However, the list of exploited vulnerabilities is longer than the Trans-Siberian and the Great Wall of China combined! These are everywhere, from user devices to routers or USB firmware.
This means that a bad actor connected to the same wireless network as thousands of people in an airport can compromise the router, access the connected devices and target the vulnerable ones for code injection, for example. And no, this is not science fiction.
Cheers, Selim