[kwlug-disc] So I was auditing my accounts online and thought of something.

Andrew Stevanus (KWLUG) andrew+kwlug at hoot.tech
Sun Dec 17 19:25:17 EST 2017


I believe I understand a little better now what you're talking about.

Services like Mailinator aren't ideal because they usually function as
open mailboxes where anyone who knows the address can see the inbox.
Also, they are frequently blocked by services for signup because of spam
concerns.

Hosting your own email (or at least using your own domain) also isn't
ideal because even if you have a wildcard/alias setup to use a different
address for each service, you're still the only one using the domain (or
one among a very small number). You would have to register different
domains for each service you sign up to, which would quickly become
costly. Really, the only thing it's good for is preventing spam (you can
filter spam much more easily if it only comes to a specific address;
plus, you know which service sold you out), and, of course, having
control of your own email setup, increasing privacy and extensibility.

Signing up for a new email account every time you sign up for a new
service is tedious, but is likely the best option for preserving
privacy. One problem is that you now have a hundred different mailboxes
to check for new email. You could set up forwarding to one address (if
the provider allows it), but then the email provider knows who you are
(also, everyone else in the world would know if that information
gets leaked). Additionally, how much are you willing to trust a free
email provider? Gmail, of course, mines all of your data, and because
Google is a member of PRISM, the NSA also has a copy of all of your
mail. (I sometimes wonder what would happen if Gmail's entire database
got leaked. It would be pretty disastrous.) The most trustworthy ones
are probably the smaller providers who get sufficient donations and/or
provide freemium services. Here's a list of privacy-conscious email
providers: <https://prxbx.com/email/> and ones that work through Tor:
<https://www.reddit.com/r/onions/comments/6krt34/list_of_onion_email_providers/>

ProtonMail is probably one of the better providers. Their free plan
supports plus addressing (user+alias at protonmail.com gets redirected to
user at protonmail.com) and their paid plans support up to 50 aliases.
Perhaps most importantly, all of the emails are stored encrypted on the
server with a key derived from your password which only you know, so
ProtonMail can't be compelled to hand over their contents (the most they
could probably be forced to do is make an unencrypted copy of new
incoming mail before it gets encrypted). The downside is that you have
to use their webmail or their mobile app; you can't use a local
IMAP/SMTP client because of how their encryption works. Fortunately,
they're working on a bridge to fix this:
<https://protonmail.com/bridge/>. You would run it locally on your
computer and it would provide an IMAP/SMTP interface that you connect to
and proxy client-side encrypted information in the background.
Unfortunately, it does not yet run on GNU/Linux, though this is planned.

A truly ideal solution would be one in which sites that you sign up to
don't know who you are and can't link your identity *and* the email
providers you use also don't know who you are and can't link your
identity *and* your communications are end-to-end encrypted so no one
but the sender and the receiver can see the message. I don't think a
service like that currently exists. Email isn't really designed for it.

This whole conversation is basically about self-sovereign identity, so
anyone who's interested in that may be interested in this talk at
ADISummit on that topic: <https://www.youtube.com/watch?v=DZbyiJqKT8c>.
(It doesn't really talk about email in particular, but rather the
concept of identity itself and why you might not want to reveal it
everywhere you go.)

On 2017-12-17 05:57 PM, Chamunks wrote:
> I was heavily inspired to look into something like this trying to find ways
> to obfuscate linkages between accounts. Gmail works fine filtering spam but
> my problem is keeping my data when it's leaked by other entities from
> helping spammers build profiles.  I don't worry about data leaks on sites
> because I never recycle passwords so that's not an issue but if the website
> has personally identifiable information then I start to become linked from
> site to site.
> 
> I have this thought that if the website doesn't ever need money from me and
> even in most cases when they do.  They will never need my real identity nor
> should they get it. So having a fake random alias for each site is also
> probably equally beneficial.
> 
> Now to my direct responses.
> 
> The idea is something like Mailinator where you can use a heap of
> registered domains but be a bit less prone to being blocked by online
> service providers by not just being an open door system.
> 
> The problem that I see with Mailinator is anyone can just open your inbox
> at any point given they know your email.
> 
> Runbox style catch all addresses could work but it's a single domain which
> is probably hosted by one person and likely used by very few people.  This
> doesn't provide very good obfuscation.
> 
> Fakenamegenerator.com does kind of do this but again requires no sign up
> and provides no ownership of the identities generated.
> 
> On Sun, Dec 17, 2017, 2:08 PM Andrew Stevanus (KWLUG)
> <andrew+kwlug at hoot.tech> wrote:
> 
>> (Resending this since a lot of people probably didn't see it due to
>> being marked as spam last time.)
>>
>> There's an extension for Firefox called "Bloody Vikings!" which
>> essentially automates this process through a menu in your browser. I
>> haven't used it myself, but it looks interesting. Mailinator is one of
>> the services they support, but there are others as well.
>>
>> On 2017-12-17 12:30 AM, Bob Jonkman wrote:
>>> There are existing services that do something similar. I've used
>>> https://mailinator.com but their domain is often blocked by sites that
>>> require registration. They do have a bunch of donated MX domains that
>>> point to their service, in an effort to obfuscate their domain name.
>>>
>>> --Bob.
>>>
>>>
>>> On 2017-12-16 10:47 PM, Keefer Rourke wrote:
>>>> What you're describing sounds a lot like a catch-all or wildcard
>>>> email address. You can set this up easily if you own a domain with
>>>> MX records and use a host such as Runbox for example
>>>> (https://runbox.com). They at least have some help docs and
>>>> tutorials [1].
>>>
>>>> How would this be different exactly? You could for instance use a
>>>> vanity domain that isn't directly identifiable to you (set up whois
>>>> guard or whatever) and just specify whatever string you want on the
>>>> local part of the email address.
>>>
>>>> So if you own the imaginary domain foobar.bazz, then
>>>> facecreep at foobar.bazz, tweeter at foobar.bazz,
>>>> grubleminus at foobar.bazz, etc. can be specified as your account details,
>>>> and all incoming mail to those addresses is "caught" by your
>>>> wildcard address. Of course this might invite unwanted spam, but
>>>> SpamAssassin is usually good enough, and a good mail host will let
>>>> you configure filters.
>>>
>>>> [1] https://help.runbox.com/catch-all/
>>>
>>>> - Keefer, who hopes this helps in place of such a yet-to-exist
>>>> mail-service
>>>
>>>> On December 16, 2017 10:22:10 PM EST, Chamunks <chamunks at gmail.com>
>>>> wrote:
>>>>> What about making an email provider that you log in with a 12
>>>>> English word seed and a password.  The word seed would result in
>>>>> you having possibly tens if not hundreds of disposable email
>>>>> addresses for only incoming mail.
>>>>>
>>>>> The point of this technology would be so that you could use any
>>>>> of these email addresses for signing up for online services where
>>>>> you don't want them to have your email address.
>>>>>
>>>>> Just thinking about ways to make social graphing more difficult
>>>>> for those who are taking your privacy for no value added.
>>>>>
>>>>> Maybe as a premium service to help support the website you could
>>>>> sell SMTP/POP3 access so that you could respond to people.  Maybe
>>>>> you could send a message or two outgoing here and there in case
>>>>> you needed to resolve something to do with your account or talk
>>>>> to support but otherwise spam could be a real problem with this
>>>>> provider without precautions like this.
>>>
>>>
>>>
>>>> _______________________________________________ kwlug-disc mailing
>>>> list kwlug-disc at kwlug.org
>>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> 
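
Added example (not part of the original thread): one way the "word seed plus password" idea quoted above could produce a separate receive-only address per service on a catch-all domain, and map an address that starts receiving spam back to the service it was given to. The PBKDF2/HMAC construction, the function names and the sample seed are assumptions made for illustration; foobar.bazz is the imaginary domain used in the thread.

```python
import base64
import hashlib
import hmac
from typing import Optional, Sequence

DOMAIN = "foobar.bazz"  # imaginary catch-all domain from the thread

# Constructed sample seed, for illustration only.
SAMPLE_SEED = "apple river stone cloud maple otter lamp frost tiger basin comet wheat"


def master_key(seed_words: str, password: str) -> bytes:
    """Stretch the word seed and password into a 32-byte key.

    PBKDF2-HMAC-SHA256 is an assumption; the thread names no algorithm.
    """
    normalized = " ".join(seed_words.lower().split()).encode()
    salt = b"alias-demo:" + password.encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, 200_000)


def alias_for(key: bytes, service: str) -> str:
    """Derive the address handed to one service.

    Without the key, two aliases cannot be linked to each other or to the
    service name, which is the obfuscation the thread is after.
    """
    tag = hmac.new(key, service.strip().lower().encode(), hashlib.sha256).digest()
    local = base64.b32encode(tag[:10]).decode().lower()  # 80 bits -> 16 chars
    return f"{local}@{DOMAIN}"


def service_for(key: bytes, address: str,
                known_services: Sequence[str]) -> Optional[str]:
    """Map an address that received mail back to the service it was issued to."""
    wanted = address.strip().lower().encode()
    for service in known_services:
        if hmac.compare_digest(alias_for(key, service).encode(), wanted):
            return service
    return None  # not one of ours: never issued, or a service not in the list


if __name__ == "__main__":
    key = master_key(SAMPLE_SEED, "correct horse")
    for name in ("facecreep", "tweeter", "grubleminus"):
        print(name, "->", alias_for(key, name))
```

The mail host still sees every alias arrive at one catch-all domain, so this separates the sites from each other but does not hide the owner from the provider.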
