
Comment by slau

2 years ago

Your username is not a secure part of the authentication process. In most companies, people’s username is easily guessable, or even public information.

I feel you’re making a very massive issue out of something that is… not?

Yes, sharing the full headers of your emails will reveal some information, potentially even personally identifiable information.

I think you are missing the point by a mile.

Their whole spiel is about "privacy first". https://www.fastmail.com/privacy-first-company

I don't even use my @fastmail.com address. I have like 6 domains that I use for various things, and a single domain for one-time/throwaway/order emails via 1Password integration.

I just verified every time I send an email, my main @fastmail account is attached in every email.

I don't care about people knowing my email, but security isn't the point or even the concern.

If I'm using an alias, I don't want account A associated to account B, especially for a service I'm paying for to keep my email out of the hands of Google.

  • I was mainly responding to OP’s claim that this is “a security leak”. Likewise, from OP, I mainly understood that this was only an issue when giving a third party the headers of emails you have received.

    However, you (and other commenters) appear to be indicating it’s also in the headers of all sent emails?

    I’ve been using Fastmail for nigh on a decade; however, if this turns out to be true, I may accelerate my migration towards Migadu.

  • How did you verify this? That isn’t the issue being reported, the header is attached to your inbound mail.

It is. I'm using custom domains, but my username email is private and NEVER used or known.

  • > ...but my username email is private and NEVER used or known.

    This feels like an architectural flaw to me. If it's supposed to be private, then why is it available to send to on the public Internet, in a way that you are now therefore sensitive about?