Hacker News new | ask | show | jobs
by DanBC 4803 days ago
Email is not secure. Email has never been secure. Nothing you send over email is secure. There's little authentication and no signing.

All this stuff can be kludged onto email, but the attitude should be "unless I've taken measures to add security this thing is not secure".
1 comments
potatolicious 4803 days ago
Sure, but that's also like saying "car accidents are inevitable, so let's not put on our seat belts".

A basic bit of security, especially one that doesn't put any more load on the user (to have to maintain or set up) is a pretty big no-brainer. Raising the bar for a successful hack is also worth doing when the cost is a single line of code and no effort on the user's part.

link
DanBC 4803 days ago
If we're using analogy it's more like telling bicycle riders to use anti-puncture tape. Sure, it'll reduce the chance of getting a puncture but does nothing when they go under a truck.

What's on offer here? 10 minutes extra tamper resistance? For a protocol which is inherently insecure?

link
potatolicious 4803 days ago
What's on offer here is the ability to exclude a large class of attackers entirely - script kiddies with a commonly available file explorer tool.

Sure, if you're the CEO of some big company and a skilled attacker really wants at your email, this is only a stopgap - but this is also sufficient to stop less proficient attackers entirely. For most people this is all they need.

> "it's more like telling bicycle riders to use anti-puncture tape."

If anti-puncture tape has literally no downsides whatsoever to the bicycle rider's experience, and costs nothing, then yes. Why wouldn't you have it?

link
Blahah 4803 days ago
Actually a small class of attackers - script kiddies with a commonly available file explorer tool and physical access to your phone.
link
bjustin 4803 days ago
Email in may not be generally secure but it is still easier to plug a phone into a computer than to access someone's email account without knowing their credentials. 10 minutes could be the difference between someone copying your emails from your lost iPhone and said person being unable to copy anything because you remote wiped your phone.
link