xp84 4 days ago

I agree wholeheartedly -- it's like getting a postcard saying "You have an important message from your doctor, go visit the doctor's office to find out what."

I respect that some of this is ass-covering because of overreaching regulation (or in many cases probably overly-conservative readings of the vague regulations) especially with respect to HIPAA and Euro-style "Privacy" legislation, but personally I'd prefer to opt-out of all types of nanny-ism trying to 'protect my privacy' by sending me content-free email with links, that then require that I 'click to view' and then, 90% of the time now, return to my fucking email to retrieve a stupid code.

l72 4 days ago

I would happily go into my bank or medical provider and upload my PGP public key for them to encrypt emails with…

Email is an incredibly important communication database and I expect my important communications to be there and be searchable.

LoganDark 4 days ago

My doctor does it ("you have one new notification, log into our system to see it"), financial systems do it ("something something happened on your credit report, log into our system to see it"), legal systems do it ("you have something something communication, log in to download it"), etc. It's utterly infuriating.

SoftTalker 4 days ago

Some of these places are between a rock and a hard place. HIPAA or other rules may prevent a doctor from using email to send you personal medical information such as test results. For any of them, email isn't "secure" and they don't want to be accused of "leaking" personal or confidential information.

GPG exists, but it's been a non-starter for the average user the entire time, so no reason to expect that it will suddenly become workable now.

briHass 4 days ago

Ironic, because it's assumed your email is insecure and visible to more than just you, but it's used as a password reset and/or 2FA mechanism for almost everything.

It would be nice if sites had a checkbox that allowed you to affirm that your email is secure and private, so then detailed emails were sent.

SoftTalker 4 days ago

There's no way to guarantee that. SMTP is not a secure protocol. Your message could be read by any intermediary along its delivery route.

grayhatter 4 days ago

It is possible to deliver emails IFF the receiving server presents a valid TLS connection and cert. I don't think I've seen anyone actually enforce that though.
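An added example, not part of the thread: one way a sending client can refuse delivery unless the receiving server offers STARTTLS with a certificate that validates against its hostname, using Python's standard `smtplib` and `ssl`. The names `deliver_strict`, `strict_tls_context`, `TLSRequired`, `sample_message` and the `smtp_factory` parameter are hypothetical, and the MX hostname is assumed to have been resolved already.

```python
import smtplib
import ssl
from email.message import EmailMessage


class TLSRequired(Exception):
    """Raised when the receiving server cannot offer verified TLS."""


def strict_tls_context() -> ssl.SSLContext:
    # The default context requires a certificate chain to a trusted CA
    # and checks that the certificate matches the server hostname.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def deliver_strict(mx_host, msg, smtp_factory=smtplib.SMTP, port=25):
    """Hand msg to mx_host only over STARTTLS with a validated cert.

    smtp_factory is an assumption of this example: it lets a caller
    substitute another SMTP client class, e.g. for offline testing.
    """
    with smtp_factory(mx_host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Opportunistic TLS would fall back to plaintext here.
            raise TLSRequired(f"{mx_host} does not advertise STARTTLS")
        try:
            smtp.starttls(context=strict_tls_context())
        except ssl.SSLError as exc:  # includes certificate verification errors
            raise TLSRequired(f"{mx_host}: TLS failed: {exc}") from exc
        smtp.ehlo()  # capabilities must be re-read inside the TLS session
        smtp.send_message(msg)
    return True


def sample_message() -> EmailMessage:
    # Constructed sample message; the addresses are placeholders.
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("body")
    return msg
```

This protects only the hop between the sending client and the server it connects to; the receiving server still handles the message in plaintext.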

SoftTalker 4 days ago

Yes but the server itself has full visibility on the message while it is handling it. It can scan it for viruses, parse it for ad insertion, feed it to train an LLM, just keep a copy of everything, whatever.

grayhatter 4 days ago

Yeah... that's why it's important to be able to trust your email provider... I assumed you meant anyone passing along the message, like a router, or rogue ISP. I was more going for the idea that you can make SMTP secure from sender domain to destination domain. If you don't trust your host, nothing else really matters, in all cases.

kevin_thibedeau 4 days ago

SMTP can use intermediate relays. TLS doesn't guard against the middlemen.

xp84 3 days ago

I recognize that that is part of the protocol's design, but how common is that in practice on the modern Internet? If I'm using say, Outlook, or even some personal home server, and I have mail for example @ gmail.com, I would expect two things:

1. Microsoft, or my server, would look up the MX for gmail and send the email directly there, where I'd presume it's safe from maliciousness (obviously Google itself has access to it, I admit)

2. The only server that would accept mail from my server and relay it for me would be someone I'm paying, and they probably would accept it over TLS right?

grayhatter 4 days ago

When I suggested using TLS, signed by a trusted cert authority; and you're imagining some system, where a message sender connects to some 3rd party middleware box to relay the message, and this middleware box has a cert for the destination domain?

LoganDark 4 days ago

It could also be that they want to know when some communication has been received (by the real person, not the email server) and that's not possible with email. I still maintain that I hate that practice because I just don't want anyone to have that information, I want to be invisible.

AStonesThrow 4 days ago

> HIPAA or other rules

Sure, sure, rules, yeah.

But there are plenty of reasons that are as numerous as reasons to build a walled garden.

If they’re storing your records, then they control the audit trail. They detect every time you, or someone, visited that site, logged in, viewed pages, downloaded or viewed a document, changed settings, updated profile, added contact info, deleted contact info.

They control the expiration and retention periods. They control the file formats. They control the uptime and the downtime. They control the horizontal and the vertical. Oh wait, that’s on T.V.

There will be increasing gauntlets to run and obstacles and hurdles to the consumer getting our hands on documents and information. Until we really need that proprietary online viewer to open the file at all. Or at least their mobile app. Or you could pay fees for records access. It costs them to store it all, does it not?

SoftTalker 4 days ago

Absolutely those things are all valid concerns. But even if they are not doing those things, email is problematic for delivering confidential information.

chii 4 days ago

If physical post is acceptable for such things, I see no reason why email cannot be held to the same level.

AStonesThrow 3 days ago

Often the postal mail is required by regulations, such as when your bank sends a notice or disclosure, or some creditor sends you a bill, or a government agency sends something in the mail. Whether or not you’ve gone “paperless” matters not, when they are legally required to send a paper letter. And it drives me crazy, because it never fails that the most important and most informative letters are not even backed-up by an electronic copy, and so these days, the onus is on me to scan the letter into Google Drive or OneDrive, and I've been using my smartphone to do it, one page at a time. And that's the only way I can keep a searchable, accessible record of the most important communications, by scanning them back in from the paper.

But here's what the email situation looks like, with a USPS analogy: you receive a letter from the tax office that says they have a message for you. And the letter has arrived at 5:30 p.m. on a Friday evening.

So on Monday, you get your ID and you drive down to the tax office. Except you can't immediately drive, because you don't own a car, so you walk to the library to borrow a car. The library says that you can borrow a car, but they need another household bill that you didn't bring with you. So you walk back home, and you get the documentation the library needs, and you walk back to the library, and you borrow a 1995 car, and you drive to the tax office, and the tax office says that the message for you says that they need a check from your bank.

So you go home, because it was already late in the day. And then you walk back to the library, and you borrow another car, and it’s a different car, so you learn how to use this car, and you drive to the bank. And you ask the bank for a check. And the bank needs additional ID, so you go home, and you gather all the ID that the bank needs, and then you drive back to the bank, and you ask them for a check again, and then the teller says that they can give you a check, but the checks are issued in a different branch. So they give you a voucher token for your money, and then you have to go drive to the other bank branch across town to get your money.

So you arrive at the bank branch that has the money, and after 15 days you have the correct ID and all the documentation and you also have the voucher and the token to take the money out and get the check. So you obtain the check, and then you take it home and return your library car, because it's late in the day.

And then you wait over the weekend, because it was a holiday weekend. And then you gather your ID again and you put your tax check in your pocket, and you go walk back to the library, and you borrow a third car, and then you drive to the tax office, and then you try to show them your check. And the responsible person at the tax office isn't there because they're short-staffed. And there's a sign on the door that says to go drive downtown to the main tax office, and that's where you’ll be able to drop off your check.

So you arrive at the main tax office, and there's a queue 2 hours long, and there's a security guard who pretends not to recognize your ID. And you get in a rigmarole with the security guard for a while, and a second security guard comes along and they have a nice extended discussion over whether your ID is from a Cracker Jack box.

And so eventually they escort you to a disused lavatory in the sub basement and it's got a sign that says “beware the leopard”, and the bureaucratic functionary at the desk accepts your check, and then you go outside to the downtown parking lot that cost $12, and your car has broken down because it was a library car and library cars are always the most unreliable ones.

So this is what it's like online, using email and online cloud services to retrieve documents because “email is insecure”.