Ask HN: How can you trust non open source, third party email clients?
I might be over-paranoid, and correct me if I'm wrong, but as far as I understand, almost all the email clients out there either store your credentials or the access token to be able to send you push notifications for new emails.
Once they have the credentials/token, they have full control over your emails. What happens if they get compromised or they leak your data? Even 2FA will not protect you in this case, since you already gave them the auth token after a successful 2FA auth, or a specific app password.
Considering that email is used to reset almost all other accounts' passwords, how can you trust third party email clients? Am I missing something? Thanks.

I don't use non-open-source, third party email clients. For G Suite (personal) - I use gmail web client. For Office 365 (work) - I use Outlook. For my own mail server - I use Thunderbird or forward to gmail.

Both Outlook and Gmail are closed source, third party email clients. You might be able to peek at the front end, but you have no idea what's going on behind the scenes. Sure, from a security standpoint you are most likely fine for most use cases, but Gmail does scan your emails for advertising targeting reasons.

Gmail is closed source, but it isn't a third party from the you->google relationship.

Umm, what? You are trusting them with the contents of the mail -- they don't even need your credentials. They are a third party between you and your correspondent.

Hmm, you are right on that one.

How is Outlook third party? First party = me, second party = Microsoft. Same with gmail client.

No, first party is you, second party is the person you're talking to. They're a man in the middle. They have access to your contacts, your emails, everything--they're a third party in the middle of your comms.

OK, so I guess since I use third party email servers this question doesn't really apply to me. I will say when I have sensitive data that needs to be shared via email I use PGP, but other than that I have enough trust in Microsoft and Google... Misplaced? Maybe.

My point was less about whether or not they should be trusted, but that unless you're running your own email server, it's a third party, by definition :)

Thought I read they stopped that recently. I still wouldn't trust them though.

I think they don't do it (or don't do it as much) for paying customers (G Suite), and the recent thing was including G Suite for Nonprofits/Education in that group.

How do you trust someone else to manage your mail service? How do you trust every line of an open source package without auditing it yourself? In your hierarchy of risk/trust, this one is pretty small.

Exactly this. If one doesn't audit and build the software themselves, they can't be sure what they are getting (remember we're still far away from reproducible builds for everything).

Is this rhetorical? How can you trust any app that has access to your data?

Send / receive encrypted messages.

Print out encrypted data. Type it into a computer you built yourself from individual transistors to do the decryption.

The same way you trust your surgeon. How do you know he will make you better and not kill you in an elaborate way?

How do I know you are a real person and not a figment of my imagination? Can you prove that you exist?