Consider removing email providers without 2FA support #135

Closed
opened 2016-12-28 12:52:49 +00:00 by jonathanKingston · 18 comments
jonathanKingston commented 2016-12-28 12:52:49 +00:00 (Migrated from github.com)

Email is a large attack vector for any individual and not having the ability to separate auth by something you own vs something you know makes an easier attack vector. It has become pretty commonplace within the industry to require it and yet some of the providers are not supporting it.

2FA Supported

  • mailfence
  • posteo
  • countermail
  • Protonmail

2FA Not supported

  • kolabnow (Their FAQ listed here: https://kolabnow.com/faq?question_tid=2 suggests they don't)

> Do you have 2FA?
>
> We currently do not have 2FA (Two Factor Authentication) as we are yet to find a suitably secure solution to offer our customers, however it is on our roadmap.

Confirmation of support needed

  • openmailbox
  • tutanota
  • mailbox.org
  • runbox
  • neomailbox
  • startmail
  • cryptoheaven

Just securing the account settings of your profile is a start that these providers should consider.
ghost commented 2016-12-28 13:56:27 +00:00 (Migrated from github.com)

I use 2 of the ones you listed and what you're saying is not true for any of them.

  • What does `Confirmation needed` mean? Tutanota doesn't require any confirmation.
  • ProtonMail does support 2FA: https://protonmail.com/support/knowledge-base/two-factor-authentication/

You're suggesting to remove ProtonMail - a provider that does support 2FA and separate passwords for logging in and decrypting, because they don't support 2FA (while they actually do).
jonathanKingston commented 2016-12-28 14:30:07 +00:00 (Migrated from github.com)

"Confirmation needed" is to confirm if they support it in their accounts.

Good to know about proton mail, I quickly checked and it wasn't on!
ghost commented 2016-12-28 14:34:39 +00:00 (Migrated from github.com)

Tutanota is blocked by some other e-mail providers, as they don't even use a captcha, and therefore is used a lot for spam.
jonathanKingston commented 2016-12-28 14:40:12 +00:00 (Migrated from github.com)

@Shifterovich perhaps a column in the table for 2FA support or advice like "just use for spam" etc.
ghost commented 2016-12-28 15:59:56 +00:00 (Migrated from github.com)

What do you mean? I was saying that because of absence of any verification, Tutanota is frequently abused. Anyway, I would only add a column "2FA support", as it's undesired for some people, since privacy != security. Removing a provider because they don't support a feature good for security, but bad for privacy makes no sense.
jonathanKingston commented 2016-12-28 16:28:07 +00:00 (Migrated from github.com)

I mean perhaps adding a separate comments section below each provider with any comments like you mentioned would help people decide without having to do further research. So Tutanota would have a comment like: "Highly abused service and is blocklisted by many providers, consider using only for throwaway emails".

Sure, however without decent security you likely have no privacy. However a 2FA column is good enough anyway.
ghost commented 2016-12-28 17:33:19 +00:00 (Migrated from github.com)

Well, it's blacklisted by some and not too abused, still very usable.
ghost commented 2017-01-03 18:13:29 +00:00 (Migrated from github.com)

2FA is bad for privacy but good for security. We should add 2FA column to the email provider comparison table though. Outright removing these providers is a bad idea (we're a privacy project, not a security project). #144
Hillside502 commented 2017-01-08 19:04:54 +00:00 (Migrated from github.com)

@Shifterovich

> 2FA is bad for privacy but good for security.

other than:-

> The user must share their personal mobile number with the provider, reducing personal privacy and potentially allowing spam.
> https://en.wikipedia.org/wiki/Multi-factor_authentication#Mobile_phone_two-factor_authentication

why is 2FA "bad for privacy"?

Use of an authenticator app gives away nothing:-
https://prism-break.org/en/all/#authentication
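To make the "authenticator app gives away nothing" point concrete, here is an added example (not code from the thread or from any provider listed) of the RFC 6238 TOTP algorithm that such apps implement: the only value the provider ever receives is the shared secret at enrollment, and every later code is derived offline from that secret and the clock, so no phone number or network round-trip is involved. The secret below is the published RFC 4226/6238 test secret, not a real account's.

```python
# Added example (not from the thread): RFC 6238 TOTP, the scheme behind
# authenticator apps. The only value exchanged at enrollment is the shared
# secret (usually shown as a QR code); every code afterwards is computed
# locally from that secret and the clock, so no phone number is needed.
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226/6238 test secret ("12345678901234567890" in Base32).
# A real enrollment issues a fresh random secret per account.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    pad = "=" * (-len(secret_b32) % 8)  # Base32 secrets are often stored unpadded
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time."""
    t = int(time.time()) if now is None else now
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32, submitted, now=None, step=30, window=1):
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps for clock drift, comparing in constant time to avoid timing leaks."""
    t = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(secret_b32, t + d * step, step), submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("current code:", totp(RFC_TEST_SECRET))
```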
Hillside502 commented 2017-01-08 19:44:44 +00:00 (Migrated from github.com)

@jonathanKingston

Kolab Now does indeed appear not to have 2FA.

A big let down!

> however it is on our roadmap

I'm a Kolab Now customer --- but not for much longer.
Hillside502 commented 2017-01-08 19:48:53 +00:00 (Migrated from github.com)

Two Factor Auth List
https://twofactorauth.org/

2factorauth/twofactorauth: List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.
https://github.com/2factorauth/twofactorauth
ghost commented 2017-01-08 19:52:34 +00:00 (Migrated from github.com)

@Hillside502 Giving away your personal phone number is bad for privacy and anonymity per se.
Hillside502 commented 2017-01-08 19:55:47 +00:00 (Migrated from github.com)

@Shifterovich
By using an authenticator app, how would one "give away a phone number"?
ghost commented 2017-01-08 19:56:42 +00:00 (Migrated from github.com)

@Hillside502 I was not talking about authenticator apps, you were. I was answering a question regarding giving away phone number.
ghost commented 2017-01-08 19:58:10 +00:00 (Migrated from github.com)

Authenticator apps require you to have a device that supports them. I never used any apart from the Google one, but I think the website would have to support them too?
Hillside502 commented 2017-01-08 20:02:31 +00:00 (Migrated from github.com)

@Shifterovich

> Authenticator apps require you to have a device that supports one.

True --- and it's probably true that ALL smartphones are privacy nightmares to one degree or another.
ghost commented 2017-11-04 11:10:58 +00:00 (Migrated from github.com)
Startmail seems to support 2FA, see https://support.startmail.com/index.php?/Knowledgebase/Article/View/704/0/how-to-set-up-two-factor-authentication-2fa
ghost commented 2017-11-04 11:11:27 +00:00 (Migrated from github.com)
Startmail seems to support 2FA. See https://support.startmail.com/index.php?/Knowledgebase/Article/View/704/0/how-to-set-up-two-factor-authentication-2fa
Reference: privacyguides/privacytools.io#135