Fri 6 Sep 2013 1:41PM

Both private and public post email notifications should be encrypted.

Sakshi Jain

According to issues #4266 and #4342, the email notifications received from limited posts should not contain any content, only a note that someone has responded (or commented) to the original post while the email notifications received from the public posts should provide the full content of the thread in the email itself and the user should be able to answer to the comments via email.

The best way would be to encrypt both public and private email notifications.
1. In case of private posts, the content will be displayed as well as remain safe in the email notifications.
2. In case of public posts, the user will be able to respond to the activity on his/her posts via email itself.

An important point to ponder would be to make the implementation user friendly.


[deactivated account] Fri 6 Sep 2013 3:03PM

Encrypt with what key? The user would have to upload a public key that matches a private key they own. (It doesn't make sense to use the keypair that was generated for them on the pod, because a non-private private key is as good as compromised.)


Jason Robinson Fri 6 Sep 2013 7:22PM

I don't see the point in hiding public post comments as they are public anyway? If someone is going to hack your email to get them - wouldn't it be easier to just look at the post?

For private posts if people want we could strip out the content (though personally I don't see why - if you are using email that is less secure than your diaspora pod you are doing something wrong), but encryption would be a bit tricky as rekado said. There simply is no way to do it user friendly as email clients vary so much.


Sean Tilley Sat 7 Sep 2013 3:54AM

I just think it'd be easier to strip the content of all notification emails out, providing just a link to the post instead, with generic "new comment" or "new like" statement. That way, they wouldn't have to be encrypted, and would be utterly useless to anyone that tried to dig through them.


goob Sat 7 Sep 2013 12:25PM

I think sending emails with some content (either the full post or a summary) for public posts and sending emails with no content for limited posts is the most simple solution, and should be easy to implement.

I'd say it would be a good idea to implement this asap so that any security concerns about limited posts have been addressed, and then we could discuss means of enabling content in emails concerning limited posts in the future. Encryption brings associated problems - user's email client has to be capable of such encryption, and quite likely many webmail clients aren't - and in any case if you say 'You must set up encryption on your email client in order to receive emails', 95% of users would run screaming and put their head in a bucket of water. The solution would need to be almost one-click in order for it to be manageable for all users.


Jason Robinson Sun 8 Sep 2013 1:23PM

+1 Goob's suggested solution


Faldrian Sun 8 Sep 2013 4:25PM

I like the direction goob is going into... I think this would be good:

Public posts:

All comments should be sent full-text. I want to read the whole thing in my mail client and do not want to log in just to "read more". It's annoying.

Private posts:

It's difficult. The "I don't trust email and don't want to leak information"-way would be to just send "new comment in [link]", without any other information.
That would be soooooooooo useless. I can't know what was written or if it's really necessary for me to open up diaspora to read it immediately, because I can't know if it's "lol" or something with a real message where I want to respond.

I think the purpose of mail notifications is to tell you what the response was and to give you the opportunity to decide what you want to do. If you have no information, the only thing it says is "log in!". Diaspora is not an ad-driven network where you want your users to log in and spend as much time as possible on the website (viewing ads on facebook, google+, whatever).

We want to have a real smooth workflow with as few steps to reach the goal as there are needed.

It's difficult and the notification on private messages can't be full of information, so you can decide what to do, without also leaking information to servers in between.
Full encryption of the mail would solve this, but if you are responsible with your private key, it will be quite annoying. Every time you receive a notification mail, you have to enter your passphrase again (the passphrase cache times out after some minutes). So the easier thing to do is to just open diaspora instead of unlocking your key every single time...

What do I want? Just send the whole comment like in public posts. I don't care. I want diaspora to be as usable and fun to use as possible, so I can tell people about it without explaining, why some options are so restrictive and paranoid and lack the comfort they expect.

On a very different matter: If I submit a public key, just sign every notification there is. Costs not much and will put some more trust in these mails.


Michael Dagn Mon 9 Sep 2013 9:43AM

And what would encrypting public posts achieve?

For private stuff encryption would be good .. but lack of support for any kind of encryption in email clients (especially on phones) would be a big problem.

Emails should be checked for some kind of token though, to prevent spam - maybe a special once-off reply address with a once-off token in it? (might be difficult for people not able to run their own mail servers though) ...or something that can be returned with the reply?

Once-off tokens I mean .. not anything to do with the diaspora keypair (I don't think that is something you would want to put anywhere potentially leaky)
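
An added example (not part of the post above and not diaspora's own code) of the once-off reply token idea: each notification gets a random token embedded in its reply address, unrelated to the user's diaspora keypair, and the token is consumed on first use. The class name, the `reply+<token>@` address format, the 7-day lifetime and the `pod.example` domain are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory store; a real pod would keep this in its database.
class ReplyTokenStore
  TTL = 7 * 24 * 3600 # seconds a reply address stays valid (assumed value)

  def initialize(domain)
    @domain = domain
    @tokens = {} # SHA-256(token) => { user_id:, post_id:, expires_at: }
  end

  # Issue a random token bound to one user and one post, and return the
  # Reply-To address carrying it. Only the token's hash is stored, so a
  # leaked table cannot be replayed as working reply addresses.
  def issue(user_id, post_id, now = Time.now)
    token = SecureRandom.hex(16) # 128 random bits, lowercase hex
    @tokens[digest(token)] = { user_id: user_id, post_id: post_id,
                               expires_at: now + TTL }
    "reply+#{token}@#{@domain}"
  end

  # Resolve the recipient address of an inbound mail. Returns the binding
  # or nil; the token is deleted on first use, valid or expired.
  def redeem(address, now = Time.now)
    pattern = /\Areply\+([0-9a-f]{32})@#{Regexp.escape(@domain)}\z/
    match = pattern.match(address.to_s.downcase)
    return nil unless match

    entry = @tokens.delete(digest(match[1]))
    return nil if entry.nil? || now > entry[:expires_at]

    { user_id: entry[:user_id], post_id: entry[:post_id] }
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ReplyTokenStore.new("pod.example")  # constructed sample values
  address = store.issue(7, 42)
  p store.redeem(address) # first reply is accepted
  p store.redeem(address) # replaying the same address is rejected
end
```

Anyone who holds the address can post one reply as that user, so the token has to be treated like a short-lived credential and kept out of logs.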


Emmanouel Kapernaros Mon 9 Sep 2013 2:20PM

I think it is ok to strip all information from email, and just say "you have a new comment!". It is a few clicks away to the full content and I don't believe we should trade privacy for a few clicks of convenience.

I am a podmin and for the first 5 months I hadn't set an SMTP server so my users didn't have email notifications at all because I am really concerned about Gmail watching everything.


OpenLifeChallenge Mon 9 Sep 2013 3:55PM

I definitely think that private posts should only be notifying through e-mail but not contain any information. Public posts can contain the latest comment and the user can respond through e-mail.

However, not being a programmer myself, I would find it tricky to differentiate these two and rather just make the e-mail notify the user that there is something to check out.

I was personally annoyed when private messages and posts of any kind were "leaked" to my e-mail.


Pirate Praveen Mon 9 Sep 2013 7:36PM

Why can't we make it optional? For those who care about leaking private info by comments to limited posts can turn it off. We could even turn it off by default and include a line saying it can be turned on in the settings.


goob Mon 9 Sep 2013 7:53PM

For that to be of any use, it would have to be that I (for example) can switch it off for any emails sent to anyone else for any post I make or any comment I make on someone else's limited post, not only for any email that is sent to me. That sounds like a very difficult thing to code for.


Justin Moore Sat 14 Sep 2013 11:33AM

It all comes down to a trade-off between security or convenience. We can lean more toward convenience while risking security but in this case is it worth it? How many users would miss the ability to read a few sentences in an email when they will most likely go to Diaspora directly anyway? Finding a middle ground between convenience and security in this case is I think a waste of effort.

Going for the more secure route in this situation and disabling content in emails completely is the better option. Not only is it the easiest to implement but also the most secure for everyone.


Maciek Łoziński Sat 14 Sep 2013 11:41AM

Maybe we could allow a summary of the post in email only when someone has the ability to decrypt emails and will upload an encryption key to the pod?


Flaburgan Sun 15 Sep 2013 1:31AM

Why can’t we make it optional? For those who care about leaking private info by comments to limited posts can turn it off. We could even turn it off by default and include a line saying it can be turned on in the settings.

Because if we do that, the user has no way to know if his message will be sent or not, because you can't know the settings of the other users.


Sakshi Jain Sun 29 Sep 2013 11:18AM

@goob's idea has got the max support, so I summarized it this way: https://docs.google.com/spreadsheet/ccc?key=0AkEfkreOFIUzdHA1OEtpbVdZOGtYcW5TY2RZU1BpZWc#gid=0
Is this what everyone agrees on?
I am not sure about private messages. I can work on it later if I am able to cover this much target :)


goob Sun 29 Sep 2013 11:24AM

Could you post your summary here? That's on a Google document, so I don't want to click the link as I prefer not to have any interactions with Google.


Jonne Haß Sun 29 Sep 2013 11:34AM

Removing everything to later add it again doesn't make much sense to me.


Sakshi Jain Sun 29 Sep 2013 12:35PM

@goob I have attached it here.


goob Sun 29 Sep 2013 12:43PM



goob Sun 29 Sep 2013 12:45PM

I would simplify it thus:

Private post: show a link (no text)
Public post: show a summary and a link.

Only one step needed!

There are some difficult technical issues to solve regarding encryption of emails, so I think for now we should concentrate on removing private posts from email notifications. Keep it simple!


Sakshi Jain Sun 29 Sep 2013 12:54PM

If everyone agrees, I'd be happy to implement @goob's idea.


Poll Created Sun 29 Sep 2013 1:20PM

show post summary in notification email only for public posts Closed Sat 5 Oct 2013 2:01PM

As @goob suggested:

Private post: show a link (no text)
Public post: show a summary and a link.


Results

Option | % of points | Voters
Agree | 86.4% | 19 (ST JH T JR F G DM F EK SVB SJ N M S E FT V A MP)
Abstain | 0.0% | 0
Disagree | 13.6% | 3 (F S M)
Block | 0.0% | 0

22 of 274 people have voted (8%)


faust twi Sun 29 Sep 2013 2:21PM

In fact I would prefer common posts be encrypted as well because I still didn't find a nice Gmail alternative.


faust twi Sun 29 Sep 2013 2:22PM

In fact I would prefer common posts be without text as well because I still didn't find a nice Gmail alternative.


Sun 29 Sep 2013 7:58PM

No surprise that I agree...


Mon 30 Sep 2013 10:22AM

There is no point in an e-mail notification if it doesn't contain information that I can base the decision "open diaspora now to reply, or ignore" on. So there MUST be the relevant text in the email.



Fri 4 Oct 2013 7:55AM

I think the full text in the public message could be nice.


Fri 4 Oct 2013 4:42PM

I like/use the text preview to see, just by checking mail, if something important happens or not. Disabling this feature would force me to ALWAYS have to check at D* webpage, which is time-consuming.


Faldrian Mon 30 Sep 2013 10:24AM

I like what the original description of this proposal is saying.


Flaburgan Fri 4 Oct 2013 6:53PM

@matthiasm we can't let the email notification in plain text: it will be visible to everyone on the internet. If someone comments or sends you a private message with a password for example, it is a real security leak.


OpenLifeChallenge Sun 6 Oct 2013 6:33AM

Finally! Hope this will be implemented soon as I have been waiting for this for a long time. I really hope that private messages won't leak in e-mail notifications any longer, is that included as well?