"Embrace, extend, extinguish" all over again. I am appalled at how many people use Gmail, giving up their privacy, control over E-mail, and leading to an overly centralized system where our mail is controlled by 2-3 companies at most (about 30% of my spam comes from Google servers, they pretty much ignore abuse reports, and I have no way to block it, because they are "too big to fail").
Now we will get a slowly introduced proprietary encryption scheme that will pretend to be "open", but will be carefully controlled so that it is slightly broken for everyone except Google. Several years down the road we'll wake up in a world where people will be annoyed that you can't receive their E-mail and will tell you to "just use gmail".
Replace "Google" with "Microsoft" and "Gmail" with "Outlook" and it's the 1990s all over again.
Valid concern. I have been decoupling my dependency on Google for quite some time now
What is your email solution?
I was looking at ProtonMail. Now FastMail seems good too. So, wondering what is the best option between each.
+1 for fastmail, been using them for a few years now and haven't any complaints. Have many domains with them, wildcard emails are easily configured so that every service that I subscribe to gets a unique email address.
One minor issue is their JMAP[1] protocol if you want to automate email sending - its intentions are good, just that no one else supports it.
[1] https://www.rfc-editor.org/rfc/rfc8621.html
Fastmail is perfection.
Easy cancellation, doesn’t go crazy on you if you have a problem with credit card, super fast and light ui, can use your domain so you don’t get locked in
Not the OP. I have been happy so far with Proton Mail over the last 3 months. Moving my logins took some time, but I am pretty happy with Proton Pass for now and their other tools.
The only dilemma that I have now is whether to use my own domain name or proton.me, pm.me, etc. I currently use the latter.
Reducing the number of emails in my Gmail inbox to zero was a happy day for me. "Do no evil" my ass.
> What is your email solution?
As a data point and reminder, running your own E-mail server works just fine, in spite of FUD being spread around sometimes. I've been doing it for the last 25 years or so. Stick to Ubuntu LTS releases, use postfix for SMTP, dovecot for IMAP, and SpamHaus for spam filtering[1], and you'll be fine.
[1] these are becoming less and less useful, as most spam these days goes through Google, Microsoft and Amazon, and these companies couldn't care less about abuse reports, as you can't block them because they are too big.
Not OP but I switched from gmail to fastmail in 2019 because at the time they were the cheapest option that provided unlimited email aliases and masked email. Masked email feels great, I feel like I’m in control of the communication. I can turn it off at any point
I use Protonmail. Gradually switching my logins over, but it takes ages.
The market is FULL of hosted providers. Every single one has its ups and downs.
I’d like to take a moment to acknowledge the technical knobs that Google Workspace and MS Office 360 provide over mail routing. Clearly they have enough large customers with in-house IT staff that demand this level of control and “the rest of us” get the benefit. Once you leave their platforms it’s easy to be disappointed. I can’t say that their platforms are good just technically feature rich; Google’s insistence on silently discarding “duplicate” messages is infuriating but other platforms will have a different set of problems.
If you don’t need enterprise control… Lately, I’ve been on MXroute.com, mostly because the team seems dedicated to trying to make something good. It’s not polished yet. They are opinionated. It’s designed for you to point your MX at them and check your mail via IMAP and send via Authenticated SMTP, that’s it, nothing more. Sure, they have extra features that will work but clearly that’s not their focus.
iCloud+ is also worth looking at and is often underrated. Many folks already have a paid iCloud+ account. Here, you can just turn on “Custom Email” as a set it and forget it option.
While I’m writing nonsense, I’ll ask what others are doing for inbound mail control and spam filtering. Prior to moving to MXroute, I was using SpamStopsHere that offered incredible flexibility and control. It was acquired by Zix and then dismantled.
infomaniak has served me well. Free mailbox with domain name, Thunderbird as my interface but their webmail is fine too.
> I am appalled at how many people use Gmail, giving up their privacy
The article is literally about cross-vendor E2E email encryption. I mean, we all understand that you mean to invoke the Standard HN Litany Against Google here. But surely you at least should nod to the fact that the linked article stands as a point against your position, no?
I've seen too many companies call things "open", when they are decidedly not "open" — Google's Android comes to mind, or OpenAI.
I don't see an RFC defining that "cross-vendor E2E email encryption" as a standard, so calling it "cross-vendor" is just fluff at this point.
I think he has a point. Slack and discord used to have IRC and XMPP, which made the decision to switch seem safer in light of the issues we experience today (holding backlog hostage for a fee, advertising, a/b tests). They timed the deprecation of these bridges so that it had minimal impact on their sales due to the existing network effects and captive audiences (employees, mostly).
We have seen this played out over and over and over again. It’s tiring, and it would be great for more people to be aware of these market capture tactics to make them less effective.
> Slack and discord
Slack and Discord aren't Google though? Not understanding the point here. You can use this argument against any product from any manufacturer, it seems like. Are you arguing against interoperability in general? Or taking an absolutist free software position that proprietary tools are never acceptable? Doesn't seem to me like that was the position upthread I was responding to.
The point we are both addressing has to do with a behavioral pattern exhibited by companies with the same incentive model over the past 30 years. Not a re-summarization of an article by one of those companies.
What's the best Gmail alternative wrt UI features?
Not a clue about what you're seeking. I'm using mailbox, and thunderbird as a client for my devices (android, windows, linux and macos).
It works. For E2EE, I have GPG setup on all of my devices. It costs me a little over €1/month for paid account as I use my own domain.
The experience has been good, and something I absolutely advocate for and promote.
Thunderbird is not something one can recommend to a non-techie friend as a replacement for GMail. At least the last time I checked on Android, it required additional tuning for pushes, it worked poorly when there were too many messages in inbox (which is what almost everyone coming from Gmail has), didn't provide text formatting.
I don't know about "the best", but I'm very happy with Fastmail. It has a very nice UI, it has contacts and calendar, uses open standards, and their privacy policy is fine.
What UI features do you consider important? I feel that email UI is largely standardized, and the main differentiating factor is speed (and Gmail is definitely not fast).
OTOH, what Gmail does with filtering promotional crap (spam, tbh) is decent, but I haven't compared against other mail service providers, so I can't give a comparative opinion.
Good conversation threading first. For the rest it may just be that I'm used to it but I find it generally much easier to read than, say, Outlook.
Do you like how gmail does threading? Its flat threading and incorrect ordering is why I will not use gmail’s web interface.
I use the Spark Mail client for that reason.
Fastmail finally made their android client work offline too.
I've had a good time with them so far and am a happy customer. You can add as many domains you want and just easily leave if you're no longer happy.
I switched to Fastmail when I degoogled, and I've been very happy with it. I genuinely feel that its UX and feature set are better than what I was getting from GMail.
another vote for fastmail, I got my own domain and been slowly changing my email everywhere away from gmail. No need to do it all in one go. I barely touch my gmail account anymore, feels so freeing!
Thunderbird
Do you mean a self-hosted webmail app? Or a native/multi-platform native email client?
Personally I think Gmail UI is meh - but I no longer use email that much - so terrible UI/ux and no proper quoting/threading support isn't all that problematic.
> introduced proprietary encryption scheme that will pretend to be "open"
You could say the same about Signal, how is signal more open than Gmail.
This signal? Is proprietary?
https://signal.org/docs/
https://github.com/signalapp/libsignal
Signal doesn't officially allow third party apps, unlike emails where you can use whatever app/server you want.
This is a classic "whataboutism"-style argument: derail the discussion by asking "but what about...".
Setting aside whether what you wrote is true, we are not talking about Signal here.
"send end-to-end encrypted (E2EE) emails to anyone, even if the recipient uses a different email provider" but the video shows Gmail asking the recipient to authenticate. How does that work? If a Gmail user sends an email to my self-hosted server, there is nowhere to authenticate me to.
And it means either Gmail or the actual email stores decryption keys, so what is the threat model in which E2EE is useful here?
The only "advantage" I see is that now recipients must manually archive these "encrypted" emails if they want to keep access to them in the future (so most of them won't). That would be consistent with Google's strategy with AMP's editable emails.
The threat model seems to be "there are other email providers beside Google. How can we change that?"
Not necessarily a threat model that benefits you
> If a Gmail user sends an email to my self-hosted server, there is nowhere to authenticate me to.
They'll probably just force external recipients to create a Google account and verify control over the independent email address...
Exactly this. No different from if someone shares a Google Doc with your email address.
And it makes sense. It's the logical way to prove you have access to the email account.
But that's not end-to-end encryption, that's a pastebin with a login
MITM.
This is likely about regulatory compliance. Many industries require encryption in transit.
In other words?
> The only way that would work if Google could decrypt the message!
They are saying the truth: those emails are "technically" encrypted.
Just nowhere private on the sender side since they won't even keep the keys private.
Now much less private on the receiver side since they have for "reasons" to login into a gmail hosted server and give them data like their IP address and permit other things like browser fingerprinting.
Fantastic, from the title I almost believed they'd be adding private messaging as done by other email providers almost 30 years ago. But not yet.
This is just Google going after those proprietary “end to end encrypted” email services healthcare and other places use. Technically speaking they don’t accomplish anything but from a compliance perspective they seem to satisfy regulators.
> end-to-end encrypted emails
> without the hassle of exchanging keys
> access the encrypted message via a guest account
Feels like shifting the goalposts and trying to brand a new working definition of E2EE
Can't you read the FAQ before commenting? The "guest account" is hosted on IdP, not necessarily Google.
https://support.google.com/a/answer/14757842
To me this looks strictly worse than if they just used s/mime with some magic to integrate in the Gmail client for ux.
As I read it[1] - Gmail users are given a hidden s/mime key pair, possibly with secret key stored in a hw token/on device.
I can only assume that when mailing an external user without guest/Gmail account, Gmail will generate a (temporary?) key pair for the recipient, encrypt the message under temporary public key of the recipient - then when recipient creates the guest account - either generate a new key pair and re-encrypt or assign the key pair held for the user? To allow Gmail to decrypt the mail in the browser? As well as implicitly trust the sender key for verification?
I struggle to see how this is e2e in any meaningful sense?
When I log into a public terminal at my library - how will the browser access my keys?
[1] https://support.google.com/mail/answer/13317990?sjid=1138879...
Looking at the screenshot, this is another recipe for disaster.
A pop-up where you need to authenticate with credentials...
I'm sure no-one will abuse this.
It is not end-to-end if Google has your key.
Well they did go to the trouble of using the date April 1st in the gif!
It don't.
The "Assured Controls" add on put keys on smartcard / hsm not owned by google.
I never liked the term "end-to-end encryption". I guess we can now say it's fully meaningless.
The one thing I've learnt in security after many years is there are no shortcuts. If you don't understand the basics, you can't have security. Things like "end-to-end encryption" are just trying to avoid teaching people the basics by using nice words.
People understand if someone has a copy of their front door key then it's no longer secure and they need to change the locks. So it should be simple to understand encryption too. But most interfaces try to hide away the existence of keys, which is the most basic principle of all. If you don't know where your key is, how can you be secure?
Authenticate where? How does the authentication prove that the intended recipient is the one who has clicked on the link and should be able to view? What happens if the email is forwarded with the link? What should one do to forward the email to someone without this encryption?
Organizations may need ways to store, archive and manage received email content from others.
I don’t understand what problem this solves for organizations and how.
Microsoft Outlook 365 has a somewhat similar feature where the email is just a link to hosted content on its servers (this kind of functionality isn’t new or recent on other platforms). It doesn’t require any authentication by the recipient. IIRC, the sender can also decide on the expiry of the content.
> How does the authentication prove that the intended recipient is the one who has clicked on the link and should be able to view?
You log in with a Google account associated with the recipient address. You prove you control the email by putting in a code Google sends you.
> What happens if the email is forwarded with the link?
They can't open it because they don't have access to the Google account associated with your email address.
> What should one do to forward the email to someone without this encryption?
Obviously, encrypted emails are not meant to be forwarded. Nothing prevents you from taking a photo though. Maybe copy and paste will work.
> Organizations may need ways to store, archive and manage received email content from others.
Organizations can't control how they receive information. It doesn't matter what they want in this regard. If a judge orders them to do something about it, that's for the judge to figure out.
> I don’t understand what problem this solves for organizations and how.
It keeps messages private. You don't see why organizations in e.g. health care, law, or the military want increased privacy of messages in a way that is super easy to use? And where recipients can't accidentally forward sensitive messages? A lot of this is determined by compliance requirements too.
I have used a similar service. Anytime you want to access the link, you must enter a code sent to your email. So if you forward the link, and the person to whom you forward it click the link, they need you to also forward the code to them.
Headers incl. subject are still not encrypted. We've already had that tech 30 years ago.
> We've already had that tech 30 years ago.
S/MIME? Yeah; the tragedy is no-one could figure out a user-friendly UI/UX for the whole thing.
The tragedy is that they seem to have wrapped s/mime in some proprietary nonsense to get this to work (see bottom of):
https://support.google.com/mail/answer/13317990?sjid=1138879...
the ms implementation of smime was pretty good and just worked
(quite something for microsoft)
The demo gif looks so weird. So you send someone an email, and (if it's not a gmail) it asks them to log into some mini gmail looking thing to view the actual message?
> preserving enhanced data sovereignty
As in you need google in order to view any of your data?
> end-to-end encrypted
Ah yes end (Google's server) to end (also Google's server) encryption. Very useful.
Maybe I'm misunderstanding but this genuinely seems completely pointless at best. It's middleman to that same middleman encryption solving the last mile delivery problem by not sending the actual message.
I assume the point here is to check a box in some big corporate's matrix of required features before they'll move to Google Workspace. Nobody really cares whether it's really end to end, they just need some to say the magic letters E2E and they can tick it.
Only available for Google Workspace: Enterprise Plus with the Assured Controls add-on.
I think this is just to compete with stuff like Mimecast.
Pretty sure admins can still audit emails even if they're E2EE.
Any idea what those are exactly? Does it only work for recipients on teams with SSO? Or is this just gating who can start these supposedly e2e encrypted email threads?
Looks like recipients can be anyone but would be forced to create a guest account if they don't have one. Which sounds like Google mediating key exchange? Which isn't really e2e encryption at least for the initial message.
Only the higher/highest tier Google Workspace users can send these kinds of emails. Anyone can read them.
Those options allow storing the private key on a smart card.
An ad company that has been creating ads for years based on what is in your email, is telling us emails will now be encrypted eh? Why do I have my doubts
> that has been creating ads for years based on what is in your email
They stopped that a long time ago. Close to a decade ago IIRC.
I don't like cynical takes, even on BigCo like Google, but this totally feels like a "someone wants to get a promotion" type of project.
No, there is a real enterprise need for this, for compliance in certain sectors.
This is about the last kind of thing a company or engineer or PM would build just for fun.
This is a feature that will be genuinely used a bunch. Its use gets mandated, in fact.
How so? You get an email with a link from a GSuite user, you need to put your, I guess, own mail provider user and password and get redirected to a mini-gmail website where you can see the email sent, that can be blocked for copying or removed by the sender as admins can already do in GSuite?
What do you mean, how so?
This is a feature for the sending org, not the receiving org.
It's not something that could be done previously.
How can this be critical for compliance? It's not real E2EE because there are no keys exchanged, and when the other party downloads the attachment, it can be stolen almost the same way an email attachment could. It also opens the door to yet another phishing attack.
I mean, it just is. I'm not the one coming up with compliance rules.
But it can't be intercepted with any kind of MITM, it can't be read in case of a data leak, and it can't be forwarded accidentally. These matter.
It doesn't matter if it's "true" E2EE (which has different requirements in enterprise anyways), or that the other party can still take a photo of the email or whatever. It still provides tangible benefits.
And it doesn't open up anything new in phishing. I already get emails like this from health care providers, asking me to open the email contents on their site. Obviously you need to figure out if the URL is legitimate, the same way you always have.
Thing is, with big corporations, cynical takes are usually the correct ones.
All I want from Google Workspace is a single-user email account tied to my domain name. Instead, I have an overly complex system where I need to grant my own phone permission to watch YouTube videos. It would be nice if they had a more basic version.