Hacker News new | ask | show | jobs
by slau 990 days ago
Your username is not a secure part of the authentication process. In most companies, people’s username is easily guessable, or even public information.

I feel you’re making a very massive issue out of something that is… not?

Yes, sharing the full headers of your emails will reveal some information, potentially even personally identifiable information.
2 comments
k_roy 990 days ago
I think you are missing the point by a mile.

Their whole spiel is about "privacy first". https://www.fastmail.com/privacy-first-company

I don't even use my @fastmail.com address. I have like 6 domains that I use for various things, and a single domain for one-time/throwaway/order emails via 1Password integration.

I just verified every time I send an email, my main @fastmail account is attached in every email.

I don't care about people knowing my email, but security isn't the point or even the concern.

If I'm using an alias, I don't want account A associated to account B, especially for a service I'm paying for to keep my email out of the hands of Google.

link
slau 990 days ago
I was mainly responding to OP’s claim that this is “a security leak”. Likewise, from OP, I mainly understood that this was only an issue when giving a third party the headers of emails you have received.

However, you (and other commenters) appear to be indicating it’s also in the headers of all sent emails?

I’ve been using Fastmail for nigh on a decade, however if this turns out to be true, I may accelerate my migration towards Migadu.

link
reilly3000 989 days ago
Migadu and don’t look back
link
k_roy 988 days ago
This is a bit of an interesting take from: https://www.migadu.com/procon/

"We could enable 2FA on the webmail, but IMAP/POP/SMTP accesses remain unprotected which beats the purpose. We are working on solution here which will allow sand-boxing a username/password pair to a webmail use only."

That's an incredibly misguided sentiment

link
dejan 987 days ago
Why?
link
k_roy 983 days ago
Because it's the difference between someone gaining access to a single mailbox versus the whole config.
link
wrboyce 989 days ago
How did you verify this? That isn’t the issue being reported, the header is attached to your inbound mail.
link
throwawayfm 989 days ago
It is. I'm using custom domains, but my username email is private and NEVER used or known.
link
rlpb 989 days ago
> ...but my username email is private and NEVER used or known.

This feels like an architectural flaw to me. If it's supposed to be private, then why is it available to send to on the public Internet, in a way that you are now therefore sensitive about?

link
throwawayfm 988 days ago
That's the whole issue.. I don't use that email address for email, and I don't want it leaked.
link