
TL;DR, someone who has gained access to your account can also download your account history.

It's like complaining that someone who "hacks" into your email account can download all your email.



E2E encryption of email by a client-controlled key avoids this problem.

The encrypted archive remains accessible, but actually reading it requires a key only the client holds. This neutralises most email account phishing attacks.


It's not like that at all.

Email history is a useful feature. You're at risk of unauthorized access to it in exchange for that useful feature. Anyone could theoretically offer a service without that feature, though there might not be demand for it. (Then again, see mailinator.com.)

Everything-history is a compliance feature. You're at risk of unauthorized access to it in exchange for compliance with the law. Offering a service without that feature would be illegal.

It's entirely fair to blame the increased risk on the law. The law's benefit might outweigh those costs, but pretending that the costs do not exist serves no one.



