Old 30 Jan 2018, 02:01 PM   #117
Csin
Senior Member
 
Join Date: Oct 2007
Posts: 189
Quote:
Originally Posted by zimmermanfan View Post
Mailfence requires an e-mail address for registration. This is flawed for several reasons.

* Creates a chicken-and-egg problem. It's wrong to presume the user has e-mail service already. If the user does not already have an e-mail account, Mailfence blocks them from creating one. If they had one already, they might not need a Mailfence account in the first place.

* If the user already has an e-mail account, then linking the two accounts defeats the purpose of having two accounts. It's bad identity management. Either way it's broken.

* I'll be the judge of whether I need a password recovery mechanism. It's less secure to supply an e-mail address for password recovery because if the other e-mail account is compromised, the adversary can attack the Mailfence account by simply requesting a password reset.

* Even if an adversary has not compromised the password recovery account, sending tokens in the clear via e-mail is also prone to attack.

It's essential that disclosing a password recovery e-mail address be optional (or non-existent). Since this is a mandate, I'm out. I will not be registering on Mailfence or advocating it to others until this is fixed.
Dude, just use a throw-away (anonymous) email account like 'yopmail', or an intermediary forwarding account like 'e4ward', or whatever. If you are that picky, maybe you should stick to using TAILS to get a super secret (agent) email provider on the Darknet.
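The quoted post raises three design points about e-mail based password recovery: the recovery address should be optional, a compromised recovery mailbox should not hand over the account for longer than necessary, and reset tokens sent by e-mail should be worth as little as possible if intercepted. The following Python sketch is an added example, not Mailfence's code or anything posted in this thread; every class, function and policy value in it (ResetService, TOKEN_TTL_SECONDS, the in-memory outbox standing in for SMTP) is an assumption made for illustration. It shows the mitigations a defender would put around such a flow: recovery is skipped entirely when no address is on file, tokens carry 256 bits of entropy and are stored only as a hash, they expire after a short window, they are single-use, and a successful reset invalidates every other outstanding token for that user. Note what it does not fix: while a token is valid, whoever reads the recovery mailbox can still redeem it, which is exactly the poster's argument for making the address optional.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy values for this example; a real deployment tunes them.
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


def hash_token(token: str) -> str:
    """Only this hash is persisted, so a leaked table yields no usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    recovery_email: Optional[str]  # None means the user opted out of e-mail recovery


@dataclass
class ResetRequest:
    username: str
    expires_at: float
    used: bool = False


class ResetService:
    """Hypothetical in-memory reset flow; 'clock' is injectable so expiry is testable."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, ResetRequest] = {}   # keyed by token hash, never raw token
        self.outbox: List[Tuple[str, str]] = []      # constructed stand-in for the mail transport

    def register(self, username: str, password: str,
                 recovery_email: Optional[str] = None) -> None:
        self.accounts[username] = Account(username, hash_password(password), recovery_email)

    def request_reset(self, username: str) -> None:
        # Returns nothing in every case, so the HTTP layer can answer identically for
        # unknown usernames and for users who opted out (no account enumeration).
        acct = self.accounts.get(username)
        if acct is None or acct.recovery_email is None:
            return
        token = secrets.token_urlsafe(32)            # 256 bits of entropy
        self.pending[hash_token(token)] = ResetRequest(
            username, self.clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((acct.recovery_email, token))

    def redeem(self, token: str, new_password: str) -> bool:
        req = self.pending.get(hash_token(token))
        if req is None or req.used or self.clock() > req.expires_at:
            return False
        req.used = True                              # single-use
        acct = self.accounts[req.username]
        acct.password_hash = hash_password(new_password)
        # A completed reset kills every other outstanding token for this user,
        # so an older e-mail lying in a compromised mailbox stops being useful.
        for other in self.pending.values():
            if other.username == req.username:
                other.used = True
        return True

    def verify_login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and check_password(password, acct.password_hash)


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "old-pw", recovery_email="alice@example.invalid")
    svc.request_reset("alice")
    _, tok = svc.outbox[0]
    print("first redeem:", svc.redeem(tok, "new-pw"))   # True
    print("replay:", svc.redeem(tok, "again"))          # False, token already used
```

The outbox is where a real service would hand the token to SMTP; inspecting it in tests is the only way to obtain a token, mirroring the fact that the server never keeps the raw value.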