HackerTrans
TopNewTrendsCommentsPastAskShowJobs

15characterslon

no profile record

comments

15characterslon
·4 года назад·discuss
It worked perfectly well. It still works. Companies can transfer the data and no one gets sued. Legal enough.
15characterslon
·4 года назад·discuss
It doesn't support syncing properly, if you use it on desktop + Android + iOS you have to trust three different app vendors, browser integration isn't nearly as good as 1Password, custom fields are badly integrated.
15characterslon
·4 года назад·discuss
Bitwarden is subscription-based too. Or are you on the free tier with almost no features?
15characterslon
·4 года назад·discuss
They had massive problems with their main database cluster (MySQL). If you read through their engineering blog, most of the outages were related to their growth and the main database cluster. They moved workloads for some features to different clusters, but that's only to buy more time. Eventually they'll do proper shredding (by user or org I guess, not by feature) but that takes time.

Their engineering blog is full of articles about MySQL and the main "mysql1" database cluster, e.g. https://github.blog/2021-09-27-partitioning-githubs-relation...
15characterslon
·4 года назад·discuss
Best not turn it on again at all. Just to be sure ;)
15characterslon
·4 года назад·discuss
Maybe you could use family sharing. https://support.google.com/youtube/answer/7507744?hl=en
15characterslon
·4 года назад·discuss
It's funny you say that because kids today don't really have files either, since all the content is confined in apps.
15characterslon
·4 года назад·discuss
And that's why we shouldn't fix bugs anymore? https://xkcd.com/1172/

Fixing this would only affect users who send emails "from" other users email addresses, basically users who commit fraud.
15characterslon
·4 года назад·discuss
That's not true. SPF and DKIM were explicitly made to prevent email forging by authenticating the server, and the server is responsible for authenticating the user.

Please name even a single major mail provider that allows to send emails with arbitrary "from" headers.

https://datatracker.ietf.org/doc/html/rfc7208 https://datatracker.ietf.org/doc/html/rfc7489
15characterslon
·4 года назад·discuss
No, they don't do that check, that is the problem.
15characterslon
·4 года назад·discuss
As others said, DKIM always includes "from". And almost none of the emails I get are S/MIME or PGP signed.

Like you said: SPF and DMARC only authenticate the server. It's up to the server to authenticate the user.

Scenario: imagine your bank uses Mailbox.org to send emails. How would you verify that an email is legit? Any Mailbox user can send emails through Mailbox with your bank as "from" and all of these emails pass SPF and DKIM checks. Your mail server has no way to distinct a legit email from a fake one. This is why it's important that the server does this check (check that sender account and "from" match / are a valid combination).
15characterslon
·4 года назад·discuss
AFAIK they still refuse to acknowledge the problem. But since they deleted the forum thread, how would I know.

What they said in the forum doesn't make much sense. Yes, anyone in the wold can send emails with any address as "from". The big difference is that those emails won't pass SPF and DMARC checks.

If I wanted to use them, I would need to configure SPF and DMARC for my domain so that their mail servers pass those checks. At this point I would expect their mail servers only to allow sending "from" my domain when my account is used.

Note that just about any major mail provider does this check (e.g. Google). It is industry standard. It is crazy that they even refuse to acknowledge this. I'm working in this field and this is basic knowledge. I just don't get how they can do this professionally and not understand what the problem is. The only explanation I have is that for some reason it would be hard for them to fix and so they try to ignore it / make it disappear by deleting the forum thread.

Also they use the same DMARC key for all customers, which is weird. Usually each customer gets it's own DMARC key.
15characterslon
·4 года назад·discuss
Be aware that Mailbox.org allows any user to send emails as ("from") any other user via SMTP and these emails will look legit since they pass SPF and DKIM checks. Many consider this a security issue.

There was a quite lengthy discussion about this in their forum but they deleted it since. They refused to fix it. Archive.org still has it. Content is in German (sorry):

https://web.archive.org/web/20210123192856/https://userforum...
15characterslon
·4 года назад·discuss
But what alternatives are there? I just need a solution for the usual stuff: mail, contacts, calendar, notes, tasks, files and meetings. Microsoft? Haha, hell no (they never did free anyway). Also using multiple services (e.g. Fastmail for mail and Dropbox for files) is way more expensive.
15characterslon
·4 года назад·discuss
Gotta know exactly what is behind those mosaic pixels.
15characterslon
·4 года назад·discuss
How much does it cost to run this on Azure?
15characterslon
·4 года назад·discuss
According to statista, the UK has about 14 million residents younger than 20 years, so they're just counting everyone as a potential victim.

https://www.statista.com/statistics/281208/population-of-the...
15characterslon
·5 лет назад·discuss
Maybe deliver high quality results for adblock users only. Lower server costs for adblock users while maximizing ad-revenue for users without adblock. Win-win.
15characterslon
·5 лет назад·discuss
You can set your own passphrase in sync settings. This will enable end-to-end encryption and Google won't be able to read your synced data (not just passwords but also history and other synced data).
15characterslon
·5 лет назад·discuss
I didn't mean to insult you. I think it's great if you're experimenting and I fully support that. It's just that the headline set high expectations and the article reads like this is being used in production, which I would strongly advise against.