
Email insecurity (was One of the great benefits of Open Source)

Posted Nov 6, 2025 8:26 UTC (Thu) by taladar (subscriber, #68407)
In reply to: Email insecurity (was One of the great benefits of Open Source) by dskoll
Parent article: Debian to require Rust as of May 2026

Personally I think that the 90% of automated emails that come from systems where I have an account anyway would be much better served by some simple web hook and a message format that includes more information on what it is actually sending.

That way I wouldn't have to e.g. log in to my bank website to see their actual message or download their monthly list of transactions as a PDF just because email is insecure.

Messages that are communications from other people with some kind of email notification tacked on could be sent directly to me as desktop notifications or phone push notifications by my server if I wish, maybe even according to some rules.

Email seems like a bad format for that.

Email as an account recovery or login control tool is also pretty bad, especially the way everyone uses email addresses as logins and can thus associate my accounts on a vast number of platforms with each other once each of them has had a data breach.

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 6, 2025 8:46 UTC (Thu) by Wol (subscriber, #4433) [Link]

> That way I wouldn't have to e.g. log in to my bank website to see their actual message or download their monthly list of transactions as a PDF just because email is insecure.

And yet they were quite happy to send stuff by snail-mail, which is arguably even less secure!

Once you've verified the end points, email is as - or likely more - secure than snail mail. Sure stuff can get lost. Sure a determined cracker can steal email in transit. But the only place it's likely to get stolen from is the customer's own system, and forcing the customer to log in and retrieve a message or PDF provides absolutely no security there!

And as implemented, where you have to log in to read messages, it can be a disaster too. My "Building Society" (it was one - thanks to the mess of UK Banking reforms I don't have a clue what it is now) seems to be a bit clueless on that front. I got sent an important - time sensitive - message via their internal messaging system, only for me never to see it because I got no notification whatsoever that it was waiting for me. The zeroth rule of successful investing (which the investment firms are desperate for us to break because it earns them loads of lovely commission) is to treat investments like mushrooms - leave them alone in the dark until they mature. Which I did, so I never logged in, and never saw the message ... WHOOPS!

Cheers,
Wol

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 6, 2025 9:15 UTC (Thu) by anselm (subscriber, #2796) [Link] (1 responses)

> That way I wouldn't have to e.g. log in to my bank website to see their actual message or download their monthly list of transactions as a PDF just because email is insecure.

My bank apparently thinks that PGP-encrypted email is secure enough to send me individual notices of transactions on my current account, but not secure enough to send me monthly statements or other types of communication. I should probably be grateful for small miracles.

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 6, 2025 11:29 UTC (Thu) by paulj (subscriber, #341) [Link]

You have a bank that knows how to send PGP encrypted email? Wow :)

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 6, 2025 14:38 UTC (Thu) by dskoll (subscriber, #1630) [Link] (2 responses)

I actually hate having to log in to some system or even visit a web site just to read a message that could have been sent by email. The absolute worst are the ones that send you an email just to tell you that you have a message you need to read. Just send me the damn message in the first place!!

I don't want phone or desktop notifications for most things. Those are far more intrusive than emails because they generally make a noise or pop something up that demands attention. An unexpected withdrawal from my account? Yes, interrupt me. A notification that my statement is ready? No, do not interrupt me! If I get too many notifications, I'll block them, which will defeat the purpose of important notifications getting through.

I agree that relying on email for account recovery is not all that secure. But until everyone has a Yubikey that they never lose (plus a spare!) and uses it religiously, we're kind of stuck with best-effort mechanisms.

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 6, 2025 15:14 UTC (Thu) by geert (subscriber, #98403) [Link] (1 responses)

The best ones are the emails from the government (delivered multiple times, through multiple portals), which tell you you have a new message.
After logging in securely, you can download the message, which is a PDF file containing a nice formal letter on government letterhead telling you you have a new document at another government site.
After logging in on the second site, you can finally enjoy the real document, which turns out not to be that urgent and important anyway...

Email insecurity (was One of the great benefits of Open Source)

Posted Nov 6, 2025 18:59 UTC (Thu) by rschroev (subscriber, #4164) [Link]

Are you talking about Belgium? Because that sounds just exactly like it. Or is there another government with systems just as convoluted?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.