New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat: Add txt-record encryption #251
Comments
I would be open to implementing this if @niftylettuce is open to merging the PR.
Or, limit the number of encrypted emails to ~10 or so. |
The challenge that I see here is that the final text string for the end user would need to be encrypted string and not a hash. And hence if the user tries to encrypt a large amount of text, the final encrypted string would also be larger. |
Hmm, good point.
|
That seems needlessly complicated. The trade off of encrypting your email address is that you accept the 120% character overhead and have one email per txt entry. We don't need unbreakable encryption so much as a little obfuscation to slow down the SPAM bots crawling the dns records. Having more than one entry per txt or more than one txt per entry makes management way too much of a hassle. One email per line allows commenting and easy management. Using a simple chacha20_poly1305 with a 12 byte nonce and 32 byte key yields sufficiently small b64 strings. This of course is symmetric encryption so we would need a asymmetric layer or an api that returns the encrypted string so the key remains secret. Additionally the nonce shouldn't be reused like it is in the examples. Example:
ChaCha can provide authentication of the non-encrypted comment and key identifier such that only changing the comment changes the encrypted string.
Really long emails still fit, this is only 192 characters so there is still room to grow.
|
@zmcandee You're right! |
Just wanted to follow up here - tentatively planning to give everyone Enhanced Protection concept of this encrypted hash that correlates to our database (while still supporting legacy Free plan), and instead all paying users on Enhanced Protection will get SMTP support (total replacement for Gmail). |
This plan sounds amazing! |
This would be amazing. Would look forward to this, as the service, in general, promotes privacy. Would be nice to have the encryption email to protect from spam for free, and offer other services to the paid users. |
Well it's been more than a year now since this issue was created. If something isn't done soon, we'll be back to square one. |
We are adding this support in the near future, it is still planned, however we are working on SMTP and IMAP support right now 😄 |
Is there any news about this? I hoped “near future” would be in less than 3 months. Thanks for your efforts. :-) |
@titanism : And what does IMAP support refer to? I know what IMAP is, but have not seen any reference on your website to you implementing IMAP, so I am curious to see how it will work. |
If the amount of time it would take to implement this is preventing the roll-out, how about giving free users the option to obfuscate their email with ROT13? In the future, when there is more time, it can be replaced with an asymmetric algorithm. But for now, it at least makes the spammers jump through one more hoop. |
We're very focused on getting SMTP ready for release right now, but we're commenting just to let you know we've seen this and will look at it again in our roadmap soon. |
What's "soon" in your roadmap, as this seems to have been "near future" or "soon" a few times. Currently shopping around for this sort of service where I'll likely be mixing some free and some paid domains due to differing requirements. |
Read the room. No commits in over a year makes this abandonware. I think most people have moved on. |
We're incredibly active @zmcandee and we are adding PGP support soon (and this TXT encryption concept as well for non-paying users). IMAP support will be released today. Please check commit history at https://github.com/forwardemail/forwardemail.net. |
@zmcandee This repo is being merged with https://github.com/forwardemail/forwardemail.net FYI - please use that repo moving forwards, we will update this once we are ready. |
Also in case it's not obvious - or if you haven't read https://forwardemail.net/about lately:
|
As an alternative to keeping the forwarding email addresses safe in the API database, provide a public key for encrypting the TXT records. Obviously this isn't perfectly secure but it will add a reasonable size hurdle for anyone looking to just collect easy addresses to SPAM and it removes the storage burden from your server. To protect your revenue stream you could rotate the key quarterly making it a hassle for large customers to re-encrypt all of there addresses and/or leave it as an undocumented feature.
How I would implement:
{recordPrefix}-enc=[comment]#<key_id>#<encrypted_entry>
getForwardingAddresses
validRecords
The text was updated successfully, but these errors were encountered: