Suggestion Email Privacy

tsukasa

As both a privacy and security advocate, and someone who keeps my roleplaying activities private, I would like the option to either encrypt my email notifications from this website using PGP, or allow emails to be sent without any content other than notice of an event occurring (message received, quoted etc). Unencrypted emails can be both read by and tampered with by anyone between the website's server(s) and the recipient.

I've had to disable as many email options on this website as possible, and it's causing me to miss notifications due to lack of a centralised location to check them. I can't always be on this website, but I always have access to my email app.
 
This site's mailserver uses TLS if your mail provider (or mail server, if you are running your own) supports it. This has been the case for nearly a decade now.

I can put PGP on the list of 'things to do' but it's a pretty low priority - for 99% of users, every communication, including e-mail, is fully encrypted. If you run your own mailserver, to force this, just require mails from my mailserver to elevate to TLS.
 
Thanks for confirming this.

Is it opportunistic or forced TLS?

I noticed that the website uses TLS 1.3, AES_256_GCM, and P-384. Is the mail server running on the same server or at least with the same configuration? This is a high level of security which is one of the reasons I roleplay here and not on other sites which use HTTP without TLS.
 
Opportunistic. I could possibly switch to mandatory but I'm sure that would break for some people. If you are this paranoid, again, you can make sure your own mailserver is talking to mine via TLS.

Both the website and mailserver are now using similar configurations. That said, it tends to lag behind the webserver because certain companies (Hotmail/Microsoft) tend to lag behind in implementing modern features. It took them years to implement DKIM, they're still on TLS 1.2, etc.
 
That's enough information for me to turn emails back on.

TLS 1.2 is enough (I don't *need* PFS) and I don't feel as if I'm being targeted to require DKIM in case of domain spoofing.

I use ProtonMail, so I can't imagine they use anything other than TLS 1.2 and/or TLS 1.3.

PGP would be a nice feature for E2EE, but it's enough just to know that you are using TLS at all and the source and destination servers are the only ones able to read the messages (I trust this site, so E2EE is just a want rather than a need, and I trust my email provider to not be able to read my emails as they state).

Thank you for the clarification. It's good to know there are sites which take this seriously and know what they're talking about.
 
Connections with ProtonMail:

Trusted TLS connection established to mail.protonmail.ch[185.205.70.128]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256

In any case, thank you for reminding me to review all this and future-proof a bit further. : )
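
An added example, not part of the thread or the site's own tooling: a small Python audit of Postfix-style "TLS connection established" lines like the one quoted above, flagging sessions that were encrypted but unauthenticated, below a minimum protocol version, or without forward secrecy. The function names, the policy defaults and every sample line except the ProtonMail one are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

# Shape of the SMTP client log line quoted in the thread; the key-exchange
# field after the key size is optional because not every line carries it.
TLS_LINE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>\S+) "
    r"\((?P<used>\d+)/(?P<avail>\d+) bits\)"
    r"(?: key-exchange (?P<kex>\S+))?")

Finding = namedtuple("Finding", "host proto cipher trust issues")

def _version(proto):
    # "TLSv1.3" -> (1, 3), "TLSv1" -> (1,); SSL sorts below every TLS version.
    if not proto.startswith("TLSv"):
        return (0, 0)
    return tuple(int(p) for p in proto[4:].split("."))

def audit(lines, min_version=(1, 2)):
    """Return one Finding per TLS session line; other lines are skipped."""
    findings = []
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue
        issues = []
        ver = _version(m["proto"])
        if ver < min_version:
            issues.append("protocol below minimum")
        if m["trust"] in ("Anonymous", "Untrusted"):
            # Encrypted, but the peer certificate was not validated, so an
            # active man-in-the-middle would go unnoticed.
            issues.append("peer not authenticated")
        # TLS 1.3 always uses ephemeral key exchange; older versions only
        # with (EC)DHE cipher suites.
        if ver < (1, 3) and not m["cipher"].startswith(("ECDHE-", "DHE-")):
            issues.append("no forward secrecy")
        findings.append(Finding(m["host"], m["proto"], m["cipher"], m["trust"], issues))
    return findings

SAMPLE_LOG = [  # first line is from the thread; the rest are constructed
    "Trusted TLS connection established to mail.protonmail.ch[185.205.70.128]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256",
    "Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Trusted TLS connection established to mx.example.org[192.0.2.20]:25: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "connect to mx.example.com[192.0.2.30]:25: Connection timed out",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.host, f.proto, f.trust, "; ".join(f.issues) or "ok")
```

With opportunistic TLS a delivery that falls back to plaintext produces no such line at all, so this audit covers only sessions that did negotiate TLS.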
 
Thanks for checking. I thought ProtonMail would use only the latest and greatest due to their ideology and reason for existing; I'm glad to know that I was correct. I've turned emails back on and feel a lot more comfortable now.
 