Email

The email protocol sucks ass at the core and can not be "fixed". It should be killed off for something entirely new to replace it.

All the attempts at making email "secure" are impractical at best, and placebo at worst.

yes
the worst thing about it is that it's not even hard to design a similar but good correspondence system

email has in it my favorite example of how simplicity can emerge from complexity: the address validation

as the standards grew and grew with retarded additions, address form got extended into being very hard to validate, especially by regexes
for example:
(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])


but as this continues, the whole thing simplified into
.*@.*

this is irrelevant to why the email protocol sucks ass.

that was a joke
see youtube.com/watch?v=xxX81WmXjPg

What do you propose? Slack/Discord over QUIC? Fuck off. You CAN'T propose something so simple, it'd work on every Arduino.

Email is fine as it is and is not intended for secure communication. Use a service or protocol that is meant for security instead of trying to make everything convoluted crap just to hide the fact that you're a pedo.

t. glow in the dark nigger

SMTP over SSL is a good start but really it's just a patch.
It should be more like SSH: email servers should just be SSH servers. Your domain dangles a publicly available SSH pubkey for each address it receives mail for, and then the messages are sent after the SSH handshake.

Although really Email's current bodge security things are fine.

We've had XMPP for nearly 20 years and it never made a dent. Email is just fucking eternal.

I'm invisible, we don't glow.

all the "patches" and attempts at "fixing" email are shit because if it doesn't work seamlessly without any extra effort (meaning if it isn't the standard), no one will use it, and when everyone doesn't use it, there's no point in it, because only one of the correspondents needs to leak the data for it all to have been for nothing.

this is why the entire protocol needs replacing with something that is inherently secure.

An SMTP server runs 2 services:
>public relay (port 25)
>mail submission (port 587)

The public relay is the endpoint other email servers will connect to to deliver mail to a mailbox behind your relay. Traffic is unencrypted on port 25 unless server/client both agree to open an encrypted tunnel.

Mail submission is the endpoint that users' clients (thunderbird) connect to when sending a new message. This is encrypted with a cert on the SMTP server. This is also authenticated so the user has to log in with their mailbox credentials to be able to send mail.

So, provided the SMTP server is set up with secure auth and a proper cert for mail submission, it will be reasonably secure against being abused as an open relay, and the messages being submitted are encrypted from client to server. But since port 25 is unencrypted and unauthenticated, technically anybody can connect and submit a message to a mailbox behind the server with a header that makes it look like it was sent from some other domain/address. So the receiving server looks at DNS TXT records for the domain the mail says it's coming from:
>SPF - lists what IPs are allowed to send mail on behalf of that domain
>DKIM - public key in TXT record, sending server signs message with private key, receiving server verifies signature with public key
>DMARC - says what to do if received message fails combination of SPF/DKIM/etc checks

All of these things put together will strongly secure a mail server - if they are implemented and if they were implemented properly. Which they usually aren't outside of major providers. Even then the receiving server still can only verify the identity of a sending server through DNS. If that gets attacked you can send fully authenticated email to that server using literally any domain or address you want and the server will happily accept it.

tl;dr the technology exists to make email secure but people are lazy and/or stupid and don't use it and compromise everyone else's servers too
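The receiving-side checks described in the post above, as an added example that is not part of the original thread: SPF evaluation of the connecting IP and the DMARC decision, run against constructed TXT records for the placeholder domain example.org. Assumptions: only the ip4/ip6/all SPF mechanisms are handled, alignment is strict (exact domain match), and DKIM signature verification is taken as an input (`dkim_pass_domain`, a hypothetical parameter holding the d= domain of an already verified signature).

```python
import ipaddress

# Constructed TXT records for the placeholder domain example.org (not real DNS data).
TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, txt=TXT):
    """Evaluate the ip4/ip6/all mechanisms of a domain's SPF record, left to right."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term

def dmarc_policy(from_domain, txt=TXT):
    """Parse the tag=value list published at _dmarc.<domain>; None if absent."""
    record = txt.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None

def dmarc_disposition(from_domain, mailfrom_domain, client_ip,
                      dkim_pass_domain=None, txt=TXT):
    """DMARC passes if SPF or DKIM passes for a domain aligned with the From: header."""
    policy = dmarc_policy(from_domain, txt)
    if policy is None:
        return "accept (no DMARC policy published)"
    spf_ok = (mailfrom_domain == from_domain
              and spf_check(mailfrom_domain, client_ip, txt) == "pass")
    dkim_ok = dkim_pass_domain == from_domain
    if spf_ok or dkim_ok:
        return "accept"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "accept")
```

Every verdict here is computed from the `txt` mapping alone, so the result is only as trustworthy as the DNS answers the receiver gets, which is the limitation the post points out.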

Just use GPG, retards.

XMPP is for texting, not sending electronic mail.

>tl;dr the technology exists to make email secure but people are lazy and/or stupid and don't use it and compromise everyone else's servers too
this is what I meant in the OP by it being impractical. you're not making the protocol secure, because it would not be a standard that would work everywhere without extra effort on part of the end-users.

it has to be part of the protocol so that it "just werks" without having to rely on every end-user to go through the hassle of "fixing" shit just to send a secure message. it should work like secure instant messaging protocols work today. The user doesn't have to bother with anything, and it just werks.


>not getting the point

That replacing email mentality can be dangerous. I remember when the EFF misrepresented the efail vulnerability to try and shill Signal. This is quite kikeish because it means going from a decentralized protocol to a centralized one.

>The email protocol sucks ass at the core
this applies to most technology we use, from x86 to xorg to operating systems to the underlying infrastructure of the internet, it was all designed a long time ago and has far exceeded its original design limits only to be hacked on to keep it working and interoperable with everything else.

fuck signal, but the email protocol needs replacing either way.

With what? It had better be as decentralized as email, if it is to be an acceptable replacement.

>It had better be as decentralized as email, if it is to be an acceptable replacement.
well of course.

I really like the im2000 proposal, too bad it never made it
en.wikipedia.org/wiki/Internet_Mail_2000

basic model
>sender server is responsible to be always online
>sender sends only a notification instead of full message
>recipient downloads the message directly from sender's server

simplified scenarios
>no DoS scenarios for mailing lists, even the notification is optional for them thus receiving mailing lists becomes similar to RSS
>no bouncing, smaller transmits overall
>spam is more expensive for the spamming server
>no address spoofing for messages (might be possible for notifications)

t. professor einstein

Glad we can agree on that.
So what do you have in mind then? Got any particular protocols or ideas in mind?

It's the same thing. You could easily write an interface on XMPP that was more email-like. The important part is everyone gets an address, anyone can send a message to anyone using their address, and the network is decentralized.

It may not be the best but I'd bet my dick whatever succeeds it as the de facto standard would be worse

it can't get much worse

Sure it can. With email you can host your own mail server with open source tools and use any of dozens of open source clients to check/send your mail. That could all go away with a replacement

>That could all go away with a replacement
I don't think so. for a standard to take over (widespread adoption), it can not be centralized or proprietary.

>for a standard to take over (widespread adoption), it can not be centralized or proprietary.
tell that to Discord

no thanks. discord sucks ass and should die.

I feel the same way, but you can't tell me that it doesn't have widespread adoption. I never hear about people's IRC servers anymore. It's always Discord.

bitmessage already serves as a better and safer substitute and it's possible to set up a bridge to regular email for legacy support.

>security
security depends on being able to spoof addresses so you can remain anonymous, you're in favor of weakening security in the name of fighting spam

Since when is email unsecure?