Email notifications should not include summaries from limited posts #4266

Closed
4ndyD opened this Issue Jun 28, 2013 · 19 comments

4ndyD commented Jun 28, 2013

At present, when someone else comments on a limited post that a user has made or commented on, while their email notifications are switched on, that user will receive an unencrypted email that includes a few sentences from the start of the latest comment and uses the first sentence of the original post in the email's subject line.

This presents a vulnerability to breach of privacy. Some people may still want that summary in their limited notifications, but only after providing D* with a public key to use so that they can receive it securely.

IMO this should be Murphy's-Law-safe, i.e. "if something can be done wrong, someone will eventually do it wrong", so ideally there should be no summary or subject for such notifications, merely a note that someone has responded, with a link to the relevant post. Otherwise, those who do need that privacy may be too worried about their contacts' unknown security measures to post some things.

There are plenty of examples of social networks and forum software that do not include the content of a private message in email notifications, and such a feature could even save a tiny fraction of server time & bandwidth by not having to fetch and write that data into emails.

Flaburgan Jul 3, 2013

Member

I agree that we have a problem here. But what's the solution...? Asking people to generate and upload cryptographic keys is far from user-friendly...

4ndyD Jul 4, 2013

That's a solution, for those who want encrypted verbose notifications, but as I said, a far easier and more reliably secure option is to simply remove that content section of email notifications for limited posts (even simpler would be removing it across the board, including public posts, but that's probably going too far), and give them a generic subject line, possibly mentioning whose activity you're being notified of and whether it was on one of your own posts, instead of pasting the OP's first line.
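An added illustration of the option described in the comment above (it is not part of the thread and not diaspora* code): a verbose notification as the issue reports it, the content-free variant for limited posts, and a regression check that flags a mail quoting private text. `Post`, `Comment`, the method names, the excerpt length and the sample data are all hypothetical.

```ruby
# Added illustration; Post, Comment and every method name here are
# hypothetical, not diaspora* code.
Post    = Struct.new(:id, :author, :text, :public, keyword_init: true)
Comment = Struct.new(:author, :text, keyword_init: true)

EXCERPT = 70 # characters quoted by the verbose mail (assumed value)

# Behaviour reported in the issue: post text in the subject, comment text in
# the body, whatever the post's visibility.
def verbose_notification(post, comment, base_url)
  { subject: "Re: #{post.text[0, EXCERPT]}",
    body: "#{comment.author} commented: #{comment.text[0, EXCERPT]}\n" \
          "#{base_url}/posts/#{post.id}" }
end

# Proposed behaviour: limited posts get a generic subject and a link only.
def notification_for(post, comment, recipient, base_url)
  return verbose_notification(post, comment, base_url) if post.public

  where = post.author == recipient ? "your limited post" : "a limited post you commented on"
  { subject: "#{comment.author} commented on #{where}",
    body: "#{comment.author} has responded. Sign in to read it:\n" \
          "#{base_url}/posts/#{post.id}" }
end

# Lower-case the text and split it into words, dropping punctuation.
def normalize(text)
  text.downcase.gsub(/[^\p{Alnum}\s]/, " ").split
end

# Regression check: true if any run of `window` consecutive words from a
# private text appears in the mail's subject or body.
def leaks?(mail, *private_texts, window: 3)
  mail_words = normalize("#{mail[:subject]} #{mail[:body]}")
  haystack = " #{mail_words.join(' ')} "
  private_texts.any? do |text|
    words = normalize(text)
    next false if words.empty?
    words.each_cons([window, words.size].min).any? do |run|
      haystack.include?(" #{run.join(' ')} ")
    end
  end
end

# Constructed sample data.
POST    = Post.new(id: 42, author: "alice", public: false,
                   text: "Biopsy results came back today and I need to talk")
COMMENT = Comment.new(author: "bob", text: "So sorry about the diagnosis, call me tonight")
```
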

sjain1107 Aug 29, 2013

Contributor

A short summary of the issues #4342 and #4266:

This issue #4266 suggests that the email notifications received from limited posts should not contain any content, only a note that someone has responded (or commented) to the original post while #4342 suggests that the email notifications received from the public posts should provide the full content of the thread in the email itself and the user should be able to answer to the comments via email.

(Please correct me in case I have not perceived the issues properly)

4ndyD Aug 29, 2013

I can't speak for #4342, but that sounds about right.

Flaburgan Aug 29, 2013

Member

We already have a key generated for each user. The ideal situation
would be to allow users to set their e-mail client to receive encrypted
e-mail. We could then send the total message in every use case.

sjain1107 Sep 4, 2013

Contributor

Is it possible to include a button, clicking on which will automatically generate a private key for a user or will ask a user to generate a private key for themselves?

WebSpider Sep 4, 2013

Contributor

@sjain1107 the trick here is twofold imo:

  1. If d* generates the keypair, then how does the user know it is not compromised from the start? Does the user trust the d* pod, and more importantly, should the user ultimately trust the d* pod?
  2. If the user generates the keypair, we need a very user-friendly way to upload the public key, or refer to it, since making this unfriendly will make the solution less used

Flaburgan Sep 4, 2013

Member

@WebSpider trusting your pod is the key of diaspora*. If you don't trust your pod, nothing is secure there.

@sjain1107 a user already has a private key. I don't know if we can use it with GPG.

goobertron Sep 4, 2013

@WebSpider,

For a user to upload a private key, I'd suggest a field in the Account settings page, 'Upload your private key'.

I'm not sure that trusting a private key from a pod would lead to any more privacy leak if that pod is 'bad' than does trusting that same pod with all the information you're putting into D* anyway - would it?

jhass Sep 4, 2013

Member

I think everything beyond checking the various keyservers for a public key associated with the target mail address is overkill.

sjain1107 Sep 5, 2013

Contributor

What can be the most user-friendly way to upload/generate a public key for notification emails?

sjain1107 Sep 5, 2013

Contributor

We need to send encrypted emails only for a public post.
The limited posts should not contain any content in the email notification (encrypted or unencrypted).

Flaburgan Sep 5, 2013

Member

> We need to send encrypted emails only for a public post.

Public posts are... public. No need to encrypt them, everybody can already read them. The encryption is only about private posts. If we decide to remove the content in the email notification for private posts, we don't need to encrypt anything.

sjain1107 Sep 6, 2013

Contributor

@Flaburgan
Well correct. The public post email notifications must be encrypted only in case the user wants to respond to the post activity via email itself. :)

svbergerem Feb 11, 2015

Member

When someone comments on a limited post the subject still includes the beginning of the limited post.

svbergerem reopened this Feb 11, 2015

svbergerem removed this from the next-major milestone Feb 11, 2015

svbergerem added this to the next-next-major milestone Apr 3, 2015

svbergerem Apr 3, 2015

Member

Fixed by #5843.

svbergerem closed this Apr 3, 2015

4ndyD May 30, 2016

When I get a private message from someone, an email notification of it still includes the subject of the PM in the subject line of the email. Does anyone else think this should be removed as well?

svbergerem Jun 5, 2016

Member

@4ndyD Thanks for reporting this. See #6850.

4ndyD Jun 5, 2016

@svbergerem Thanks, I wasn't sure if a new issue was justified.
