dcposch / scramble

Secure email for everyone
http://dcposch.github.io/scramble/
226 stars, 32 forks

Change hash addr format #33

Closed. jaekwon closed this issue 10 years ago.

jaekwon commented 10 years ago

Currently a hash address looks like this: 44ljb4mt7rbo3fue@scramble.io

The main problem with this is that should we start accepting <token>@scramble.io as a valid address, it isn't clear whether the addr name is a token or a hash for tokens of length 16 chars.

We could reject tokens that look like hashes, but there is still a human security issue: what if I create a token that looks like somebody else's hash address? Perhaps my token (username) is 44ljb4m7rbo3fue. Did you catch that? It has 15 chars instead of 16.

For this reason I suggest changing the hash address to #<hash>@scramble.io, whenever we roll out <token>@scramble.io support.

So you can either email me at jaekwon@scramble.io or #44ljb4mt7rbo3fue@scramble.io

The pound is technically a valid email address starter, but we should field test it using thunderbird/enigmail & various email providers. I'll be happy to test it out.

jaekwon commented 10 years ago

Thunderbird/Enigmail does support the #<hash>@<host> address format.

Now we need to test on some common email providers. Gmail does support the # prefix. What else do I need to test?

jaekwon commented 10 years ago

Scratch this. If the user forgets the pound, the address belongs to somebody else. What if we don't allow the user to enter hash addresses at all, and only allow them to enter token name addresses?
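The three address-handling problems raised so far in this thread, shown together in a small Go program. This is an added example, not code from the Scramble project: it models the current unprefixed format (where a 16-character name could be a hash or a token), the proposed `#<hash>@scramble.io` format, the exact-length "reject tokens that look like hashes" rule against the 15-character lookalike from the opening comment, and the dropped-pound failure from this comment. The host, the lowercase base32 hash alphabet (inferred from the single sample address `44ljb4mt7rbo3fue`) and the token rule `[a-z0-9]{1,64}` are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumptions for this example (not taken from the project): a hash address is
// 16 lowercase base32 characters (a-z, 2-7), as in the issue's sample
// "44ljb4mt7rbo3fue"; a token (username) is 1-64 chars of [a-z0-9].
const (
	host    = "scramble.io"
	hashLen = 16
)

var (
	hashRe  = regexp.MustCompile(`^[a-z2-7]{16}$`)
	tokenRe = regexp.MustCompile(`^[a-z0-9]{1,64}$`)
)

type AddrKind int

const (
	Invalid AddrKind = iota
	HashAddr
	TokenAddr
)

func (k AddrKind) String() string {
	switch k {
	case HashAddr:
		return "hash"
	case TokenAddr:
		return "token"
	}
	return "invalid"
}

// localPart returns the name before "@scramble.io" (case-insensitive match on the host).
func localPart(addr string) (string, bool) {
	addr = strings.ToLower(strings.TrimSpace(addr))
	i := strings.LastIndex(addr, "@")
	if i <= 0 || addr[i+1:] != host {
		return "", false
	}
	return addr[:i], true
}

// ClassifyPlain models the current format. Because every 16-char base32 name is
// also a legal token, such a name cannot be resolved unambiguously.
func ClassifyPlain(addr string) (kind AddrKind, ambiguous bool) {
	name, ok := localPart(addr)
	if !ok {
		return Invalid, false
	}
	isHash, isToken := hashRe.MatchString(name), tokenRe.MatchString(name)
	switch {
	case isHash && isToken:
		return HashAddr, true
	case isHash:
		return HashAddr, false
	case isToken:
		return TokenAddr, false
	}
	return Invalid, false
}

// ClassifyPrefixed models the "#<hash>@host" proposal. The prefix removes the
// parse ambiguity, but a hash typed without its "#" silently becomes a token
// lookup for whoever registered that token.
func ClassifyPrefixed(addr string) AddrKind {
	name, ok := localPart(addr)
	if !ok {
		return Invalid
	}
	if strings.HasPrefix(name, "#") {
		if hashRe.MatchString(strings.TrimPrefix(name, "#")) {
			return HashAddr
		}
		return Invalid
	}
	if tokenRe.MatchString(name) {
		return TokenAddr
	}
	return Invalid
}

// NaiveLooksLikeHash is the exact-length rule: it rejects "44ljb4mt7rbo3fue"
// but not the 15-char lookalike "44ljb4m7rbo3fue".
func NaiveLooksLikeHash(token string) bool {
	return hashRe.MatchString(token)
}

// LooksLikeHash widens the rule at token registration time: any name drawn
// entirely from the hash alphabet and within two chars of hash length is refused.
func LooksLikeHash(token string) bool {
	if len(token) < hashLen-2 || len(token) > hashLen+2 {
		return false
	}
	for _, c := range token {
		if !(c >= 'a' && c <= 'z' || c >= '2' && c <= '7') {
			return false
		}
	}
	return true
}

func main() {
	for _, a := range []string{"44ljb4mt7rbo3fue@scramble.io", "jaekwon@scramble.io"} {
		k, amb := ClassifyPlain(a)
		fmt.Printf("plain    %-30s -> %s (ambiguous=%v)\n", a, k, amb)
	}
	for _, a := range []string{"#44ljb4mt7rbo3fue@scramble.io", "44ljb4mt7rbo3fue@scramble.io"} {
		fmt.Printf("prefixed %-30s -> %s\n", a, ClassifyPrefixed(a))
	}
	for _, t := range []string{"44ljb4m7rbo3fue", "jaekwon"} {
		fmt.Printf("token    %-16s naive=%v widened=%v\n", t, NaiveLooksLikeHash(t), LooksLikeHash(t))
	}
}
```

Running it shows the plain 16-character address classified as a hash but flagged ambiguous, the same address without `#` under the prefixed scheme resolving as a token, and the 15-character lookalike slipping past the exact-length check while the widened check refuses it; even the widened check is only a server-side mitigation, which is why the thread moves towards not letting users type hash addresses at all.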

dcposch commented 10 years ago

Requiring them to always use a token is an interesting idea. I think it's very reasonable.

I was using Tor yesterday for the first time in a while to read news about the silk road shutdown. I was amazed at how bad the first step in the user experience is. Say you want to go to the hidden wiki... you search "hidden wiki url", get a bunch of spammy sites advertising onion urls, some of which work, some of which are "mirrors", etc. Of course any of those mirrors could just be a censored version, or a MITM that uses JS+Flash to track users, or anything like that.

Pseudo-anonymous addresses that you can't memorize, such as Bitcoin addresses, Onion URLs, and our own Scramble hash addresses, have inherent difficulties.

We'll have to consider our UI choices carefully to help our users overcome them.

On Fri, Oct 4, 2013 at 4:38 PM, jaekwon notifications@github.com wrote:

Scratch this. If the user forgets the pound, the address belongs to somebody else. What if we don't allow the user to enter hash addresses at all, and only allow them to enter token name addresses?


jaekwon commented 10 years ago

Cool. Here's what I'm thinking: I'm going to rewrite my addr_resolution branch to reflect this updated wiki page:

https://github.com/dcposch/scramble/wiki/Name-Resolution-&-Public-Key-Fetching

The client & server will use the token address. The hash address will get deprecated, and the only places where the hash shows up will be (0) in the user table, (1) near the address in the client (i.e. in the contacts list), or (2) when fetching public keys, when the client already knows the public hash for an address.
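Case (2) above, the hash used as a check when fetching a public key for a token the client has already seen, as an added example in Go; this is not the project's own code. It assumes the hash address is derived from the public key (here, invented for the example: the first 16 characters of lowercase unpadded base32 over SHA-256 of the key bytes, which matches the 16-character shape of the sample address but is not Scramble's actual derivation), and the `Contact`, `AcceptFetchedKey` and `DisplayAddr` names are made up for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// Assumed derivation (not Scramble's): 16 lowercase base32 chars of SHA-256(pubKey).
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

func HashAddrOf(pubKey []byte) string {
	sum := sha256.Sum256(pubKey)
	return strings.ToLower(b32.EncodeToString(sum[:]))[:16]
}

// Contact is one contacts-list entry: the token the user typed and the hash the
// client learned from the first key fetch (empty until then).
type Contact struct {
	Token     string
	KnownHash string
}

var ErrKeyMismatch = errors.New("fetched public key does not match the hash pinned for this contact")

// AcceptFetchedKey runs after the server answers a key lookup for c.Token. On
// first contact the key's hash is pinned; afterwards the fetched key must hash
// to the pinned value, so a server that hands out a different key for the same
// token is detected instead of silently trusted.
func AcceptFetchedKey(c *Contact, fetched []byte) error {
	h := HashAddrOf(fetched)
	if c.KnownHash == "" {
		c.KnownHash = h // trust on first use
		return nil
	}
	if h != c.KnownHash {
		return fmt.Errorf("%w: token %s, pinned %s, got %s", ErrKeyMismatch, c.Token, c.KnownHash, h)
	}
	return nil
}

// DisplayAddr renders case (1): the token address, with the hash alongside once known.
func DisplayAddr(c Contact) string {
	if c.KnownHash == "" {
		return c.Token + "@scramble.io"
	}
	return fmt.Sprintf("%s@scramble.io (#%s)", c.Token, c.KnownHash)
}

func main() {
	// Constructed sample key material; real keys would be OpenPGP public key blocks.
	keyA := []byte("constructed sample public key A")
	keyB := []byte("constructed sample public key B")

	c := Contact{Token: "jaekwon"}
	fmt.Println(DisplayAddr(c))
	if err := AcceptFetchedKey(&c, keyA); err != nil {
		fmt.Println("unexpected:", err)
	}
	fmt.Println(DisplayAddr(c))
	if err := AcceptFetchedKey(&c, keyB); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The pin is only as good as the first fetch, so the hash shown next to the address in the contacts list is what lets a user confirm it out of band; the client never asks the user to type it.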