Ask HN: How can you trust non open source, third party email clients?

17 pointsxeo848y ago17 comments

I might be over paranoid and correct me if wrong but as far as I understand, almost all the email clients out there either store your credentials or the access token to be able to send you push notifications for new emails.

Once they have the credentials/token, they have full control over your emails, what happen if they get compromised or they leak your data? Even 2FA will not protect you in this case since you already give them the auth token after a successful 2FA auth, or a specific app password.

Considering the email is used to reset almost all other accounts passwords, how can you trust a third party email clients? Am I missing something? Thanks.

17 comments

nvr2198y ago

I don't use non-open-source, third party email clients.

For G Suite (personal) - I use gmail web client.

For Office 365 (work) - I use Outlook.

For my own mail server - I use Thunderbird or forward to gmail.

bhhaskin8y ago

Both Outlook and Gmail are closed source, third party email clients. You might be able to peak at the front end, but you have no idea what's going on behind the scenes. Sure, from a security stand point you are most likely fine for most use cases, but Gmail dose scan your emails for advertising targeting reason.

FLCL8y ago

Gmail is closed source, but it isn't a third party from the you->google relationship.

2 more replies

nvr2198y ago

How is Outlook third party?

First party = me

Second party = Microsoft

Same with gmail client.

1 more reply

bogdweller8y ago

Thought I read they stopped that recently. I still wouldn't trust them though.

1 more reply

gumby8y ago

How do you trust someone else to manage your mail service?

How do you trust every line of an open source package without auditing it yourself?

In your hierarchy of risk/trust, this one is pretty small.

hdhzy8y ago

Exactly this. If one doesn't audit and build the software yourself they can't be sure what they are getting (remember we're still far away from reproducible builds for everything).

davelnewton8y ago

Is this rhetorical?

How can you trust any app that has access to your data?

quickthrower28y ago

Send / receive encrypted messages. Print out encrypted data. Type into computer you built yourself from individual transistors to do the decryption.

GoToRO8y ago

The same way you trust your surgeon. How do you know he will make you better and not kill you in an elaborate way?

bradknowles8y ago

How do I know you are a real person and not a figment of my imagination?

Can you prove that you exist?

j / k navigate · click thread line to collapse

Ask HN: How can you trust non open source, third party email clients?

17 pointsxeo848y ago17 comments

Considering the email is used to reset almost all other accounts passwords, how can you trust a third party email clients? Am I missing something? Thanks.

17 comments

nvr2198y ago

I don't use non-open-source, third party email clients.

For G Suite (personal) - I use gmail web client.

For Office 365 (work) - I use Outlook.

For my own mail server - I use Thunderbird or forward to gmail.

bhhaskin8y ago

FLCL8y ago

Gmail is closed source, but it isn't a third party from the you->google relationship.

2 more replies

nvr2198y ago

How is Outlook third party?

First party = me

Second party = Microsoft

Same with gmail client.

1 more reply

bogdweller8y ago

Thought I read they stopped that recently. I still wouldn't trust them though.

1 more reply

gumby8y ago

How do you trust someone else to manage your mail service?

How do you trust every line of an open source package without auditing it yourself?

In your hierarchy of risk/trust, this one is pretty small.

hdhzy8y ago

Exactly this. If one doesn't audit and build the software yourself they can't be sure what they are getting (remember we're still far away from reproducible builds for everything).

davelnewton8y ago

Is this rhetorical?

How can you trust any app that has access to your data?

quickthrower28y ago

Send / receive encrypted messages. Print out encrypted data. Type into computer you built yourself from individual transistors to do the decryption.

GoToRO8y ago

The same way you trust your surgeon. How do you know he will make you better and not kill you in an elaborate way?

bradknowles8y ago

How do I know you are a real person and not a figment of my imagination?

Can you prove that you exist?

j / k navigate · click thread line to collapse