j7n Posted April 23

On almost every forum or forum-like website we need an e-mail. Using it we can change passwords almost unrestricted; in rare cases there might be a secondary security question (your pet's name). Some websites now enforce a password change every once in a while. Even some simple discussion boards. The e-mail is assumed to be much more trustworthy than whatever else is password protected, and access to the e-mail is set in stone. But that is not necessarily true. We can forget the password to it just the same. Increasingly often an e-mail is just a website, and not something tied to my person. Back when Google was still young and brown, I used to juggle a few accounts there to access some stuff that had "X per user". Over time the site became as bloated as it is, and I let those accounts lapse from my memory, and maybe from their cloud. My ISP decided to discontinue its e-mail service in favor of a freemium bloat site. If I had quit my contract with the ISP, I would likely lose access to the e-mail within some period of time. (This didn't happen, but it should be expected.) Even before Baidu came to be, I used a mail server provided as a public service by my city council. It was free of ads, had POP access, a simple web UI, and a decent amount of space: 5 to 15 MB. No need for more for plain letters that will be retrieved regularly. But people eventually expected more. And the city repurposed the domain to create some modern app service. They did give us advance notice. But there are hundreds of internet sites that I can't remember to reassign. Some software or video game support site that I may need once a year. They keep chugging along just fine, until years later they decide it is time to up the security game and reset the password. Like the almighty Discogs. They have some money element to them because, besides ripping metadata, you can also trade records.

I can't even recall which of the above options I used for signing up to it 12 years ago. I was without Internet for about two years. When I returned, I used my old ISP e-mail to reset a whole host of sites. (It was old school and managed by the admins manually.) If one were to hack it, they could do that too. Because it unexpectedly is the "master key". I suspect that the smartphone might become the "master key" in the future. What if that fails or is lost? Or more likely deemed obsolete and unsupported. I have a Gingerbread 2.9 something smartphone, and I can do zero current "apps" on it. And it is younger than WinXP.
Nokiamies Posted April 23

I think the biggest issue is not email itself. Back in the day it used to be an open protocol; it is companies trying to lock you into their web apps these days for email access and blocking IMAP and POP3 access in the name of security, or at least making it hard to access. Also, many sites do not allow you to use more than a few predefined email providers. I noticed that when I switched to my custom email server, many sites say my email address is not allowed, please use another provider. I can understand it from a spam standpoint, maybe it reduces it a bit, but having worked in IT and on email servers, most spam comes from either free Gmail or Outlook addresses and rarely from new domains. Also, big providers mark any email coming from a custom email domain as spam even if SPF and DKIM records exist and are valid. It is a fight against windmills. What annoys me even more than requiring email is requiring a smartphone app to verify yourself on some sites. I have always asked about MFA: why do you need it everywhere, if your passwords are stored on a piece of paper and are over 20 characters long? If the device where you logged in to an MFA-enabled service gets compromised, MFA won't help, as they just use the login token stolen from the browser to access the service. I am not saying that MFA is unneeded; in banking, for example, asking for a random number from a piece of paper makes it harder for random transactions to be made, but many people see using a constantly internet-connected spyware platform as the more secure option for MFA. I am lucky to still be able to use what I have to use without needing a smartphone and smartphone apps. If it has to go to that point, I will do all my banking at their office.

Edited April 23 by Nokiamies
Sampei.Nihira Posted April 23

Yes, almost everyone uses the same e-mail they have on their smartphone (Gmail). I include 2 more secure email services: https://proton.me/mail https://tuta.com/ It is possible to register a free account.

Edited April 23 by Sampei.Nihira
NotHereToPlayGames Posted April 23

It's not just your e-mail address. It's also your phone number. Whenever I try to so much as get a haircut, they ask for my phone number. When I tell them "zero" they get all offensive, so I tell them, I do not own a phone, so that makes my phone number ZERO.
Nokiamies Posted April 23

17 minutes ago, Sampei.Nihira said: Yes, almost everyone uses the same e-mail they have on their smartphone (Gmail). I include 2 more secure email services: https://proton.me/mail https://tuta.com/ It is possible to register a free account.

Such a thing as secure email does not exist due to email's nature. It was never built to be secure in the first place. Even if you encrypt SMTP traffic with SSL and only access email using some client, with perhaps even IP-based blocking, it is still not 100% secure. Solutions like that only add bandages to the root issue. The point you are sending email outside the "secure" provider, it is as secure as on any other provider. Even if you use something like Deltagon secure mail, which many companies use, it does not offer full security, as all I need is the link for the secure email and to open it before the original recipient does. And that email link is sent to any insecure email server. Even if you have SMS MFA to view secure messages, there are means to intercept text messages (which I can't talk about here). The closest thing to secure email is to use PGP to encrypt email, but I just opt not to send anything confidential over email and treat it like sending postcards.

Edited April 23 by Nokiamies
Nokiamies Posted April 23

6 minutes ago, NotHereToPlayGames said: It's not just your e-mail address. It's also your phone number. Whenever I try to so much as get a haircut, they ask for my phone number. When I tell them "zero" they get all offensive, so I tell them, I do not own a phone, so that makes my phone number ZERO.

Even worse, they expect you to have whatever smartphone app for something. For example, if I need to pay someone something, they want me to use an app called Mobilepay for it and look at me like I am crazy when I say I will pay by bank transfer or cash, as in Finland transferring money between IBAN addresses is common and does not require any mobile app; it can be done by going to the bank or from their website. Or I can just go to an ATM and get some cash to pay it, which can be instantly verified and works even if the phone battery runs out. Some people also only store their train tickets in a phone app and then whine when the train is in an area without cellular coverage or the phone battery runs out.

Edited April 23 by Nokiamies
NotHereToPlayGames Posted April 23

3 minutes ago, Nokiamies said: Such a thing as secure email does not exist due to email's nature.

Bingo! I once had an ONLINE bank account try to DENY me an account because I *refused* to give them an email address for them to SOLICIT. I had to include THEIR corporate lawyers - it is ILLEGAL to conduct FINANCIAL BUSINESS over email, therefore you do NOT "need" my email address. NONE of my bank accounts have an email address!!! NONE of them. I do not need three emails telling me my statement is ready, four emails to confirm/verify a transfer between accounts, seven emails to solicit me into an account type I did not ask for, et cetera.
Sampei.Nihira Posted April 23

1 hour ago, Nokiamies said: Such a thing as secure email does not exist due to email's nature. It was never built to be secure in the first place. Even if you encrypt SMTP traffic with SSL and only access email using some client, with perhaps even IP-based blocking, it is still not 100% secure. Solutions like that only add bandages to the root issue. The point you are sending email outside the "secure" provider, it is as secure as on any other provider. Even if you use something like Deltagon secure mail, which many companies use, it does not offer full security, as all I need is the link for the secure email and to open it before the original recipient does. And that email link is sent to any insecure email server. Even if you have SMS MFA to view secure messages, there are means to intercept text messages (which I can't talk about here). The closest thing to secure email is to use PGP to encrypt email, but I just opt not to send anything confidential over email and treat it like sending postcards.

Try Tutamail. By default (but you can then change it) it uses password-encrypted email sending. In order for the recipient to read the email and possibly open attachments, they must know the password you chose during sending. The recipient of course is informed (via client email) that he or she has received an email. Obviously all this assumes that you have a browser (the email is read using the webmail method) set up reasonably well from a security/privacy standpoint. In the image: the email as received. Without a password it cannot be read.

Edited April 23 by Sampei.Nihira
UCyborg Posted April 23

5 hours ago, j7n said: Gingerbread 2.9

That would be (Android) 2.3. I still have a Samsung Galaxy Mini, sitting unused in a drawer, half the physical buttons broken, with a battery which depletes in half an hour or so. It was upgraded to Android 4 something unofficially. Latest Android 4 is also pretty much dead. I wanted to try Android Auto on a newer phone (unofficially upgraded to Android 7.1.2) some time ago, not because it is something I really need, just curious as the new car came with Android Auto support. Turned out that software also comes with an expiration date. Can't even use an older version of the app. Searching "run android auto on older phones" returned practically nothing. Late edit: I've got an itch to experiment with this again, actually got further this time with one of the latest versions that could still be run (7.4.620993), made it to the main interface somehow, not sure if adding Android Auto to MagiskHide was the key (hiding root access from it). Android Auto wants the oversized Google App to run, we'll see if the phone is still usable with it installed... had to do the dance with deleting the whole Dalvik cache (which AFAIK isn't even Dalvik on Android 7 but the folder is still called like that) to force install Google App along with updated Maps on very size-limited internal storage. Did some experimenting with Android Auto before rebooting, which is a bad idea when I've just nuked the cache... Later when I rebooted the phone, it took a while, but it didn't get stuck and still has a little breathing room on internal storage. Still have to check if it even works in the car...

Edited April 23 by UCyborg
Nokiamies Posted April 23

35 minutes ago, Sampei.Nihira said: Try Tutamail. By default (but you can then change it) it uses password-encrypted email sending. In order for the recipient to read the email and possibly open attachments, they must know the password you chose during sending. The recipient of course is informed (via client email) that he or she has received an email. Obviously all this assumes that you have a browser (the email is read using the webmail method) set up reasonably well from a security/privacy standpoint. In the image: the email as received. Without a password it cannot be read.

I think you missed my point. Even though you send the link through email, it is not standard email anymore, as I can't read and answer it using the email client of my choice. Tutanota and Proton, while internally encrypting everything, still can't talk to the outside world without utilising SMTP, which is like sending your email on a postcard. Even if over SSL, it is just writing the message on the postcard using some secret language; if someone cracks it, they can read your message. Also, you are relying on their server being secured and not getting compromised, and even if they actually are not storing the encryption key on their server like they claim, some hacker could just inject malicious JavaScript to steal your secret key and access all your mails. No system is hacker-proof, and the point you become a valuable enough target, it is a matter of time until it is hacked. And even if they made it hacker-proof, you still trust them to run what they claim on their server. Unless you walked in there without warning and scanned all the server code, you can only take their word for it. Showing server source code won't mean they run it on the server side unless you can inspect the servers. On the other hand, the PGP I mentioned is a standard and the decryption key is only stored locally; if you try to read the email on the server, there is nothing to read. While there have been exploits like Efail for PGP, those have since been patched, and it did not affect Claws Mail.
NotHereToPlayGames Posted April 23

Sending on a postcard is hilarious. Secure is secure only if all the players follow the rules. The last three "certified" letters I received via the United States Postal Service were left at my house without so much as a SIGNATURE acknowledging receipt. H3ll, one of those three was left on my front doorstep where any light breeze could have sent it flying.
Sampei.Nihira Posted April 23

40 minutes ago, Nokiamies said: I think you missed my point. Even though you send the link through email, it is not standard email anymore, as I can't read and answer it using the email client of my choice. Tutanota and Proton, while internally encrypting everything, still can't talk to the outside world without utilising SMTP, which is like sending your email on a postcard. Even if over SSL, it is just writing the message on the postcard using some secret language; if someone cracks it, they can read your message. Also, you are relying on their server being secured and not getting compromised, and even if they actually are not storing the encryption key on their server like they claim, some hacker could just inject malicious JavaScript to steal your secret key and access all your mails. No system is hacker-proof, and the point you become a valuable enough target, it is a matter of time until it is hacked. And even if they made it hacker-proof, you still trust them to run what they claim on their server. Unless you walked in there without warning and scanned all the server code, you can only take their word for it. Showing server source code won't mean they run it on the server side unless you can inspect the servers. On the other hand, the PGP I mentioned is a standard and the decryption key is only stored locally; if you try to read the email on the server, there is nothing to read. While there have been exploits like Efail for PGP, those have since been patched, and it did not affect Claws Mail.

This is clearly stated in the Tuta FAQ. I recommend that you read them:

Quote: "Tuta does not support the use of third-party email clients or IMAP/POP3/SMTP protocols because we cannot guarantee end-to-end encryption of data"

Have a good evening. P.S. I don't comment on JavaScript injection because I still have to eat dinner and I don't want food to get stuck in my stomach. You are right @NotHereToPlayGames, here users have preconceived notions that are difficult to eradicate...

Edited April 23 by Sampei.Nihira
Nokiamies Posted April 23

13 minutes ago, Sampei.Nihira said: This is clearly stated in the Tuta FAQ. I recommend that you read them: Have a good evening.

Well then, Tutanota can't send email messages to anyone not using Tutanota, and MXToolbox or other tools that can check for SMTP will say no SMTP found; oh wait, it says there is an MX record and SMTP: https://mxtoolbox.com/SuperTool.aspx?action=mx%3atutanota.de&run=toolpage SMTP is not just for sending emails from a client; it is also the means by which email servers communicate with other email servers. Just because you can't connect to SMTP to send a message does not mean it doesn't exist. If there is an email server you can send email to, there is SMTP on both ends. Now, SMTP can (and should be) wrapped in an SSL/TLS tunnel where it is encrypted, similar to HTTPS traffic, but if the encryption is breached it is readable. And all this time I am referring to standard email, the one the other side will receive. There are similar commercial solutions with the ability to send a link to a protected mail server, but the mail telling you that you got secured mail is still sent using SMTP between two mail servers. I highly recommend you do more research on the email system before you start arguing about this topic. I work almost daily with email servers and know how it runs under the hood on any of them. Even Microsoft Exchange, despite using the MAPI protocol, uses SMTP to talk with other mail servers.

Edited April 23 by Nokiamies
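To make the server-to-server SMTP hop discussed above concrete, here is an added Python simulation; it is not code from any poster, Tuta or Proton, and the FakeMX class, the relay function and the sample message are all constructed for illustration. The sending server greets the receiving server (the host an MX lookup would return), upgrades to TLS only if STARTTLS is advertised, and the wire log shows what a passive observer on the path could read; the require_tls flag models an enforced policy such as MTA-STS or DANE, which is what removes the silent fallback to cleartext.

```python
import re

# Constructed simulation of the server-to-server SMTP hop; not a real MTA.
class FakeMX:
    """Receiving mail server reached via the recipient domain's MX record."""
    def __init__(self, name, offers_starttls):
        self.name, self.offers_starttls = name, offers_starttls
        self.tls_active = False
        self.wire = []  # what a passive observer on the network path sees

    def handle(self, cmd):
        # Before STARTTLS everything crosses the wire in the clear; after it,
        # the observer only sees ciphertext.
        self.wire.append("<encrypted>" if self.tls_active else cmd)
        verb = (cmd.split() or [""])[0].upper()
        if verb == "EHLO":
            reply = ["250-" + self.name, "250-SIZE 10485760"]
            if self.offers_starttls and not self.tls_active:
                reply.append("250-STARTTLS")
            return reply + ["250 8BITMIME"]
        if verb == "STARTTLS":
            if not self.offers_starttls:
                return ["454 TLS not available"]
            self.tls_active = True
            return ["220 Ready to start TLS"]
        if verb in ("MAIL", "RCPT"):
            return ["250 OK"]
        if verb == "DATA":
            return ["354 End data with <CR><LF>.<CR><LF>"]
        if verb == "QUIT":
            return ["221 Bye"]
        return ["250 Queued"]  # message body sent after DATA

def relay(mx, envelope_from, rcpt, body, require_tls=False):
    """Sending MTA side of the hop. TLS is opportunistic (used only if the
    peer advertises STARTTLS) unless require_tls, which mimics an enforced
    policy such as MTA-STS or DANE: no TLS, no delivery."""
    ehlo = mx.handle("EHLO sender.example")
    offered = any(re.fullmatch(r"250[- ]STARTTLS", line) for line in ehlo)
    if offered:
        if mx.handle("STARTTLS")[0].startswith("220"):
            mx.handle("EHLO sender.example")  # EHLO again inside the tunnel
    elif require_tls:
        mx.handle("QUIT")
        return "deferred: policy requires TLS but peer does not offer it"
    for cmd in (f"MAIL FROM:<{envelope_from}>", f"RCPT TO:<{rcpt}>", "DATA"):
        mx.handle(cmd)
    mx.handle(body + "\r\n.")
    mx.handle("QUIT")
    return "delivered over TLS" if mx.tls_active else "delivered in cleartext"

def body_visible_on_wire(mx, body):
    """True if a passive observer could read the message body on this hop."""
    return any(body in seen for seen in mx.wire)
```

Run relay against a FakeMX with and without STARTTLS and compare body_visible_on_wire: the same message is opaque on the first hop and readable on the second, and only require_tls stops the cleartext delivery.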
NotHereToPlayGames Posted April 23

Email servers and communication protocols are "above my paygrade". My mantra is that if you are ONLINE, then your privacy is compromised. "End of story." We each, every one of us, have to decide just where to draw the line. On one extreme, you live in a hill, no phone service, no electricity, no running water, in a house woven together from small tree limbs. On the other extreme, you're on FACEBOOK or TIKTOK but cite privacy or security "concerns" on web sites like MSFN.
XPerceniol Posted April 23

I sort of live a life in between (no extreme), just a few online places and no social media at all. Don't like phones or email either. Yeah, where to draw the line, I guess. I used to trust people, but over the years life has taught me to offer little trust (cautiously, only when earned) anymore regarding people (both online and IRL). I like to keep a low profile and I don't do things to draw attention to myself, and if that means isolation, then so be it.

Edited April 23 by XPerceniol