Both private and public post email notifications should be encrypted

According to issues #4266 and [#4342](https://github.com/diaspora/diaspora/issues/4342), the email notifications received from limited posts should not contain any content, only a note that someone has responded (or commented) to the original post, while the email notifications received from public posts should provide the full content of the thread in the email itself, and the user should be able to reply to the comments via email.

The best way would be to encrypt both public and private email notifications.

  1. In case of private posts, the content will be displayed as well as remain safe in the email notifications.
  2. In case of public posts, the user will be able to respond to the activity on his/her posts via email itself.

An important point to ponder would be to make the implementation user friendly.


Note: This discussion was imported from Loomio.

Encrypt with what key? The user would have to upload a public key that matches a private key they own. (It doesn’t make sense to use the keypair that was generated for them on the pod, because a non-private private key is as good as compromised.)

I don’t see the point in hiding public post comments as they are public anyway? If someone is going to hack your email to get them - wouldn’t it be easier to just look at the post?

For private posts, if people want, we could strip out the content (though personally I don’t see why - if you are using email that is less secure than your diaspora pod you are doing something wrong), but encryption would be a bit tricky as rekado said. There simply is no way to do it in a user-friendly way, as email clients vary so much.

I just think it’d be easier to strip the content of all notification emails out, providing just a link to the post instead, with generic “new comment” or “new like” statement. That way, they wouldn’t have to be encrypted, and would be utterly useless to anyone that tried to dig through them.

I think sending emails with some content (either the full post or a summary) for public posts and sending emails with no content for limited posts is the most simple solution, and should be easy to implement.

I’d say it would be a good idea to implement this asap so that any security concerns about limited posts have been addressed, and then we could discuss means of enabling content in emails concerning limited posts in the future. Encryption brings associated problems - user’s email client has to be capable of such encryption, and quite likely many webmail clients aren’t - and in any case if you say ‘You must set up encryption on your email client in order to receive emails’, 95% of users would run screaming and put their head in a bucket of water. The solution would need to be almost one-click in order for it to be manageable for all users.

+1 Goob’s suggested solution

I like the direction goob is going into… I think this would be good:

Public posts:
All comments should be sent full-text. I want to read the whole thing in my mail client and do not want to log in just to “read more”. It’s annoying.

Private posts:
It’s difficult. The “I don’t trust email and don’t want to leak information”-way would be to just send “new comment in [link]”, without any other information.
That would be soooooooooo useless. I can’t know what was written or if it’s really necessary for me to open up diaspora to read it immediately, because I can’t know if it’s “lol” or something with a real message where I want to respond.

I think the purpose of mail notifications is to tell you what the response was and to give you the opportunity to decide what you want to do. If you have no information, the only thing it says is “log in!”. Diaspora is not an ad-driven network where you want your users to log in and spend as much time as possible on the website (viewing ads on facebook, google+, whatever).
We want to have a really smooth workflow with as few steps as are needed to reach the goal.

It’s difficult and the notification on private messages can’t be full of information, so you can decide what to do, without also leaking information to servers in between.
Full encryption of the mail would solve this, but if you are responsible with your private key, it will be quite annoying. Every time you receive a notification mail, you have to enter your passphrase again (the passphrase cache times out after some minutes). So the easier thing to do is to just open diaspora instead of unlocking your key every single time…

What do I want? Just send the whole comment like in public posts. I don’t care. I want diaspora to be as usable and fun to use as possible, so I can tell people about it without explaining, why some options are so restrictive and paranoid and lack the comfort they expect.

On a very different matter: If I submit a public key, just sign every notification there is. It doesn’t cost much and will put some more trust in these mails.

And what would encrypting public posts achieve?

For private stuff encryption would be good … but lack of support for any kind of encryption in email clients (especially on phones) would be a big problem.

Emails should be checked for some kind of token though, to prevent spam - maybe a special once-off reply address with a once-off token in it? (might be difficult for people not able to run their own mail servers though) …or something that can be returned with the reply?

Once-off tokens, I mean … not anything to do with the diaspora keypair (I don’t think that is something you would want to put anywhere potentially leaky).
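The once-off reply token sketched above, worked through as an added example (not diaspora’s code; Ruby because diaspora is a Rails app): the pod domain, the one-week token lifetime and the in-memory store are assumptions. It also applies the content policy the thread converges on: full text plus a reply address for public posts, only a pointer for limited posts.

```ruby
require 'securerandom'

# Added example, not diaspora's code: a once-off reply token bound to one
# notification, embedded in a "reply+<token>@pod" address, and consumed on
# first use. The hash stands in for a database table; the domain is assumed.
class ReplyTokenStore
  TTL = 7 * 24 * 3600 # assumed token lifetime in seconds (one week)

  def initialize(domain, now: -> { Time.now })
    @domain = domain
    @now = now         # injectable clock so expiry can be tested
    @tokens = {}
  end

  # Issue a single-use reply address for a notification about post_id sent
  # to recipient. Nothing derived from the user's diaspora keypair is used.
  def issue(post_id:, recipient:)
    token = SecureRandom.urlsafe_base64(24)
    @tokens[token] = { post_id: post_id, recipient: recipient,
                       expires: @now.call + TTL, used: false }
    "reply+#{token}@#{@domain}"
  end

  # Check an inbound reply's To/From addresses; returns the post id, or nil
  # when the token is unknown, replayed, expired, or sent by someone other
  # than the notified user. A successful redeem marks the token used.
  def redeem(to:, from:)
    local, domain = to.to_s.strip.split('@', 2)
    return nil unless domain&.casecmp?(@domain)
    return nil unless (m = /\Areply\+([A-Za-z0-9_-]+)\z/.match(local.to_s))
    record = @tokens[m[1]]
    return nil if record.nil? || record[:used]
    return nil if @now.call > record[:expires]
    return nil unless record[:recipient].casecmp?(from.to_s.strip)
    record[:used] = true
    record[:post_id]
  end
end

# Content policy from the thread: full comment text and a reply address for
# public posts; only a pointer, and no reply address, for limited posts.
def build_notification(store, post_id:, public:, recipient:, comment:, url:)
  if public
    { body: "#{comment}\n\nReply to this email to comment.",
      reply_to: store.issue(post_id: post_id, recipient: recipient) }
  else
    { body: "Someone commented on a limited post: #{url}", reply_to: nil }
  end
end
```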

I think it is ok to strip all information from email, and just say “you have a new comment!”. It is a few clicks away to the full content and I don’t believe we should trade privacy for a few clicks of convenience.

I am a podmin and for the first 5 months I hadn’t set up an SMTP server, so my users didn’t have email notifications at all, because I am really concerned about gmail watching everything…

I definitely think that private posts should only notify through e-mail but not contain any information. Public posts can contain the latest comment and the user can respond through e-mail.

However, not being a programmer myself, I would find it tricky to differentiate these two and rather just make the e-mail notify the user that there is something to check out.

I was personally annoyed when private messages and posts of any kind were “leaked” to my e-mail.

Why can’t we make it optional? For those who care about leaking private info by comments to limited posts can turn it off. We could even turn it off by default and include a line saying it can be turned on in the settings.

For that to be of any use, it would have to be that I (for example) can switch it off for any emails sent to anyone else for any post I make or any comment I make on someone else’s limited post, not only for any email that is sent to me. That sounds like a very difficult thing to code for.

It all comes down to a trade-off between security or convenience. We can lean more toward convenience while risking security but in this case is it worth it? How many users would miss the ability to read a few sentences in an email when they will most likely go to Diaspora directly anyway? Finding a middle ground between convenience and security in this case is I think a waste of effort.

Going for the more secure route in this situation and disabling content in emails completely is the better option. Not only is it the easiest to implement but also the most secure for everyone.

Maybe we could allow a summary of the post in the email only when someone has the ability to decrypt emails and uploads an encryption key to the pod?

> Why can’t we make it optional? For those who care about leaking private info by comments to limited posts can turn it off. We could even turn it off by default and include a line saying it can be turned on in the settings.

Because if we do that, the user has no way to know if his message will be sent or not, because you can’t know the settings of the other users.

@goob’s idea has got the max support, so I summarized it this way: https://docs.google.com/spreadsheet/ccc?key=0AkEfkreOFIUzdHA1OEtpbVdZOGtYcW5TY2RZU1BpZWc#gid=0
Is this what everyone agrees on?
I am not sure about private messages. I can work on it later if I am able to cover this much target :slight_smile:

Could you post your summary here? That’s on a Google document, so I don’t want to click the link as I prefer not to have any interactions with Google.

Removing everything to later add it again doesn’t make much sense to me.

@goob I have attached it here.

Thanks.