Naked Security

Firefox’s Private Relay service tests anonymous email alias feature

Mozilla says it will help you come up with alternative email addresses when you sign up for new accounts.

Email addresses are impossible to live without and yet, despite years of technological advance, can often be just as tricky to live with.
Most people still have only two email addresses, one for work and one personal, and these are often sitting targets for spammers, scammers and nuisance emailers in the digital equivalent of ‘we know where you live’.
At the weekend Mozilla announced that it is testing an experimental service called Firefox Private Relay that it thinks will offer an appealing solution to this issue.
Installed as an extension, Private Relay will let users generate random, temporary email addresses at the click of a button, explains Mozilla:

When a form requires your email address, click the relay button to give an alias instead. We will forward emails from the alias to your real inbox.

From the point of view of both the user and the service being subscribed to, this email address will work like any other except that:

When you’re done with that service, you can disable or destroy the email address so you’ll never receive any more emails from it.

Better still, should that service suffer a data breach, the email address will reveal nothing – for example the user’s name or initials – about the user behind it. It might also make accounts more secure by turning the normally guessable email address into something genuinely random.

But don’t email services already offer email aliases?

In fact, they’ve been around for years but they tend to be very clunky to set up and use.
For example, in Gmail it’s possible to register multiple email addresses (assuming nobody else is using them), link each to a primary account, and then simply change the ‘from’ line when sending emails.
It’s also long been possible to create a temporary Gmail alias by adding a ‘+’ symbol (yourgmailaddress+xyz@gmail.com).
It’s not clear that many people bothered. Apart from being a nuisance to set up, neither approach solved the fundamental problem that users still had to manage emails sent to these addresses using the dated concept of filtering. They couldn’t just be turned off.
The innovation behind Firefox Relay is that instead of the user managing email aliases, the service does it for them. Because creating one is as easy as generating a random password, all users need to worry about is whether they should turn them off.
This makes a lot of sense but there are some obvious pitfalls. For instance, if you sign up for a service using a Firefox Relay email alias, turning it off impulsively will make it difficult to reset your password if you get locked out. It’s not clear yet how easy or difficult it will be to make, or undo, that mistake.
Anyone interested in testing or using Private Relay can install the extension and add themselves to the testing wait list. They’ll also have to log into their Firefox account.
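To make the difference between a ‘+’ alias and a relay alias concrete, here is an added example (not from the article and not Mozilla's code). It is a toy model in which the relay domain, the class and its method names are all assumptions, as is the choice that a disabled alias can be re-enabled while a destroyed one cannot.

```python
import secrets

RELAY_DOMAIN = "relay.example"  # assumption: placeholder, not Mozilla's domain


def strip_plus_tag(address):
    """Recover the primary mailbox from a '+' alias; needs no secret."""
    local, _, domain = address.partition("@")
    return local.split("+", 1)[0] + "@" + domain


class Relay:
    """Toy forwarding service that owns the alias-to-inbox mapping."""

    def __init__(self):
        self._aliases = {}  # alias -> [inbox, enabled]

    def new_alias(self, inbox):
        # Random local part: no name, initials or primary address in it.
        alias = secrets.token_hex(6) + "@" + RELAY_DOMAIN
        self._aliases[alias] = [inbox, True]
        return alias

    def set_enabled(self, alias, enabled):
        self._aliases[alias][1] = enabled

    def destroy(self, alias):
        del self._aliases[alias]

    def deliver(self, alias):
        """Return the inbox mail is forwarded to, or None if it is dropped."""
        inbox, enabled = self._aliases.get(alias, (None, False))
        return inbox if enabled else None


if __name__ == "__main__":
    real = "yourgmailaddress@gmail.com"       # placeholder from the article
    plus = "yourgmailaddress+xyz@gmail.com"   # '+' alias from the article
    relay = Relay()
    alias = relay.new_alias(real)
    print("plus alias leaks:", strip_plus_tag(plus))
    print("relay alias leaks:", strip_plus_tag(alias))
    relay.set_enabled(alias, False)
    print("password reset while disabled ->", relay.deliver(alias))
    relay.set_enabled(alias, True)
    print("after re-enabling ->", relay.deliver(alias))
    relay.destroy(alias)
    print("after destroy ->", relay.deliver(alias))
```

The ‘+’ alias gives up the primary address to anyone who holds it, whereas the relay alias only resolves through the relay's own table, which is also why the relay operator becomes the party that has to be trusted.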

Microsoft Edge

Meanwhile, Microsoft continues to beef up its Chromed Edge browser, extending its SmartScreen security layer to cover file downloads in contexts such as ClickOnce or DirectInvoke apps in dev version 84.0.495.2.
SmartScreen’s been around for some time as a browser layer (and even a Chrome extension) that checks web addresses to make sure they’re not scam websites. That’s also been true for file downloads, but it seems that ClickOnce (a way for apps to install with minimal interaction) and DirectInvoke (an app that opens or installs from a URL) were not covered in the new Edge until now.
From version 83, users also get Automatic Profile Switching, a convenient way to keep home and work browsing data in separate silos. Introduced with the appearance of the new Edge last summer, this can now detect when users have navigated to a work website and switch automatically.


7 Comments

They’ll also have to have to log into their Firefox account.
And there’s the rub; Firefox will have a complete list of all your aliases (and possibly of other matters related to using their browser) – that’s “gold” to data acquisitive companies. We may feel Mozilla is the “most data trustworthy” mainstream browser supplier now, but situations can change if, just for instance, they are based in a jurisdiction with a dangerous capricious leader who may by edict change the rules – purely in the name of “National Security” – but possibly to get back at organisations that “offer encryption”.
Divide and rule has to be a good watchword (watch-phrase?). There are other email aliasing operations (which will integrate into browsers) and which seem to provide similar benefits.
I have noted however that some organisations are rejecting sign-ups from emails with aliasing domain names! Presumably to us this is a red-flag that said organisations have an unhealthy interest in our PII rather than merely in our custom.

One answer to that charge is that all you describe is already possible when you sign up for an email account – using a relay service is hardly less secure or private than simply having individual accounts with commercial providers (the Yahoo mega-breach, for example), most of which are based in the US.
As for the rejection of email aliases, that should only happen if they suspect the alias is being used in a dubious way, for example for spamming. Assuming Mozilla finds a way around Firefox accounts being abused for aliases, the chances of a provider blocking aliases they know are legitimate will seem like a small risk.

I agree Cassandra, it fixes one problem, but creates another, doesn’t it?
The user acquires increased flexibility as the tethering of their lives to email addresses is relaxed, but all that unencrypted email data is then routed via the servers of a third party: Mozilla.
Today’s goodwill, technical and legal controls mean nothing next week at the hands of hackers and jurisdictionally-greedy governments, who will now have one more interception point in the communication chain which is available to target.

There are already good, open-source, and cross-platform alias services like SimpleLogin or 33Mail. It doesn’t sound reasonable to me that Firefox wants to create something similar that’s tied to the Firefox ecosystem. The only benefit I can see is indeed to acquire user data that seems to be against Firefox’s goal.

How can it be reasonable for the products you mention (which are both commercial services using a freemium model) to be in the “mail alias” market but not for Firefox? By your argument, perhaps Firefox shouldn’t be in the browser market given that there are plenty of other open source browsers out there?

It’s trying to avoid data agglomeration.
Firefox either does, or has the ability (in the future?) to gather details about our browsing history. We all hope that it maintains its current ethos, but we have seen other software suppliers fall to different owners or to change policies when suitably leant on by a leader citing “My Country First” “National Security” or “Aliens have no rights”.
Third party email alias suppliers are subject to take over and government pressure as well, but (unless Mozilla have been very lax in their add-in policing) they do not have my browsing history (other than probably logins using aliases). And if you use the aliasing service without using an add-in – you create further distance.
Divide and rule has to be a good watchword (watch-phrase?) and would seem to be a sensible option for the consumer rather than “all eggs in one basket”? It is not a perfect strategy, but in a data-acquisitive world dominated by some very data greedy corporations and surveillance hungry states, any reasonable strategy has to be worth considering?
(The same might apply to password managers. Just how much do you want dependent on your Firefox login – or would you rather not have one? Do I want to see browser-independent password managers squeezed out? Memories of the arguments that Internet Browsers were like file browsers and should therefore be part of the Operating System might also apply? Is Netscape forgotten?)

I hear you, but “whether you trust Firefox” is a question, in a free market economy, that you should ideally be allowed to decide for yourself. The OP suggested it was “unreasonable” for Firefox to offer this service, apparently because other companies had done it first. That’s what I found puzzling – it sounded peculiarly close to a plea for some sort of restraint of trade against Mozilla.
I don’t use Mozilla’s password manager, at least in part for the reasons you state – “divide and conquer”. For example, I use different providers for my personal email, my search, my browsing and my DNS. Quite how much extra security that brings me is open to debate, but I am pretty confident it doesn’t *reduce* my security overall – and it’s only possible because there’s choice and competition in the marketplace.
