Using Firefox's HTTPS-only mode I've noticed that a huge number of companies send emails with HTTP links. It appears as though a lot of these are marketing redirects for click tracking. This is bad, we need these services to support HTTPS!

@kevincox ...or to stop rendering links in e-mail, since they have only bad security properties. Send them the way of remotely-loaded images, except also take away the option to let you load them.

@LionsPhil I'm not convinced. Links are a critical feature of my email usage.

@kevincox They're also a critical feature of phishing attacks and privacy-intruding tracking.

You could hypothesize about a world of digitally signed e-mail and an allowlist of recognized legitimate businesses by the megacorp that produces your MUA which lets them link to their own first-party domain, but this already fails at the first hurdle because nobody has ever made digitally signed e-mail actually work.

@kevincox Think of it like Safe Browsing, but for e-mail. It's even easier, because no human sends e-mail any more; it's just a legacy root-of-identity layer for account signups and fallback for notifications if the appropriate app is not yet installed.

Except that all signed e-mail is a disaster. Perhaps there should be a replacement built around modern secure distributed/federated system design. I'm sure adding another competing system will solve it. :blobcatcoffee:
