544 comments

[ 4.6 ms ] story [ 342 ms ] thread
I realized that recently after Gmail locked my account for using email outreach software.

I restored it but automatically had to start thinking about a backup plan where I’d have to point my MX records away from Gmail to something else immediately in order to prevent email downtime.

> for using email outreach software.

I hope they ban people sending bulk email too... You should send that stuff from your own server or MailChimp etc.

Why is it okay to send bulk mail from service X or Y but not from service Z?
Gmail doesn’t do anything to manage unsubscribing from an email list, so if you were sending email blasts from there, chances are there wasn’t an unsubscribe link. Mailchimp and related marketing services automatically wrap each email with an unsubscribe button for their own reputation sake.
I didn't understand what that meant, is it basically euphemism for almost-but-not-techically-spam emails many startups and "personal brands" send out?
I would suspect; GSuite seems fine with being a SMTP relay for low-volume transactional emails and regular business communications, and nothing more.
I only ever use "sign in with" for throaway stuff I don't care enough about to register an account - if it's in any way important I setup an account, and add whatever form of 2FA I can.
I really wish 2fa was implemented in convenient form everywhere. There are ton of sites that just force me to use SMS.
I wish more supported WebAuthN - it's so much lower friction than OATH TOTP or SMS. I've got everything on 3 yubikeys (including OATH TOTP) and I feel much safer than when I just used Authy
(comment deleted)
To add to this: Never use a @gmail.com address, buy your own domain and pay the $6/mo to get a Google GSuite with your name@fullname.com address instead. If Google locks your account, you can now move your email hosting to another provider and won't lose access to your entire digital world.

Be aware that doing this now means your DNS provider and domain registrar become vectors for hackers to take over your email account, so make sure these are companies your trust and your access to these accounts is as secure as possible (ie strong unique passwords and app-based, not SMS-based two-factor authentication)

Yeah but they’ve still got your emails.
For that you have this:

https://takeout.google.com/

You can export all your email in a single .mbox file.

This might not work if your account is suspended, but if you set up email forwarding to an alternative address (e.g. to protonmail) that might still stay active so you can transition your addresses.

I wonder if Google lets you Takeout if they’ve locked your account…
They do now (although you only have 7 days to do so I think).

It also depends on the reason for the block - if for example they suspect you of having illegal content (child porn) in your Gmail, you aren't allowed to takeout it.

That's great news. Facebook and Twitter don't (Facebook as of a few years ago, Twitter as of this year), as I learned the hard way.
If you are in the EU, GDPR says they have to.
The GDPR (in Article 15(4)) states that the right to obtain a copy of your personal data should not ‘adversely affect the rights or freedoms of others’. This means that when responding to an access request, the controller should consider the rights of third parties, such as their data protection rights, trade secrets, or intellectual property rights such as copyright. This could arise, for example, where your access request relates to a record containing both your personal data but also the personal data, trade secrets, or intellectual property of others.

A balancing of rights exercise would need to be conducted by the controller to balance your right of access your personal data as against the identified risk to the third party that may be brought about by the disclosure of the information. The GDPR notes that these considerations should not result simply in a refusal to provide all relevant information, but the controller should endeavour to comply with the request insofar as possible whilst also ensuring adequate protection for the rights and freedoms of others.

Google doesn't let you Takeout when you don't allow Google to track your browser. It will give an error to "please use a device you regularly use" even if you can see in your account that there are no other active sessions that you could possibly make use of. I tried a few hours later with the session still open but no dice. Guess I'll have to find a human to talk to at Google in order to get my data pursuant article 15, GDPR.

I have very little hope indeed that they will let you do a takeout without finding a human to talk to when your account is locked.

For what it's worth, Facebook does let you do this. You login, get a message your account was banned for no apparent reason, and that you can download a copy of your data. Unfortunately it's broken (screenshot: https://dro.pm/a.png) but hey, there was an attempt.

Use a third-party client that grabs the emails locally.
Well, at least you don't lose everything. Worst case you lose access to a few emails you got in the time between begin locked out of your Google account and when you set up another email provider, and assuming you configured IMAP and use something like Thunderbird or K-9 as an email client (which I highly recommend) you should have a copy of all your email on your device (seriously don't use the Gmail app on Android, they even display ads in your email categories.

I like GMail for their spam filtering power, and I honestly believe spam to be email's biggest weakness, and the reason people don't host their own. It certainly scares me, the thought of being flooded with thousands of spam emails daily, or the chance that my own emails would be falsely marked as spam since I'm not part of the major providers or because I did not configure it correctly. Don't know how this can be solved though, email itself is too permissive, and too "tweakable".

There are alternatives to GSuite -- for instance, Fastmail. Or even the old PObox.com service which has been around since the 90s and is really cheap (Fastmail have bought it now, I notice).
Also, many registrars offer a managed email service.
Fastmail is very good. The web client is pretty simple, but feels so darned responsive (as in fast) compared to what I was used to from GMail. And spam is so far a non-issue.
Or, host your own on your own metal, to avoid depending on any third party. Alternatively, if you are ok with semi-dependence on a third party, get a $5/mo Linux VPS, and host your E-mail there.

With your own Linux instance, you can host whatever you want, have full control, can host other services too like www, git, whatever, and have the assurance that you're not going to suddenly lose access because AI-BOT-204432 decided you violated some obscure terms of service. I've been doing this for close to a decade now (exim + dovecot for E-mail), and it works great. Back in the 90's, this used to be the default. How did we end up in this world where we so utterly rely on 3rd parties for such everyday critical Internet services?

> How did we end up in this world where we so utterly rely on 3rd parties for such everyday critical Internet services?

The same way we ended up in a world where we so utterly rely on 3rd parties for such everyday critical services as growing our food and fixing our cars. There's too many things to do for everyone to do them all on their own.

> How did we end up in this world where we so utterly rely on 3rd parties for such everyday critical Internet services?

For email? Because Google and Microsoft broke SMTP federation in the name of "anti-spam".

It's practically impossible to get Google, especially, to reliably deliver your email anymore if you aren't an actual email service provider.

There's this thing called principle. It's not that we do something because we believe it's going to work. We do things out of principle because doing the right thing is the only rational alternative; because, if everyone held the same principles, then the problem would be snuffed of oxygen.
$6/month doesn't sound like much... Till you realise you'll probably have this setup for 20 years, and suddenly it's $1200. That's a lot to protect against a thing that will probably not happen (account being banned)
It's insurance, a waste of money most of the time, and extremely good value for money very occasionally
I pay for gsuite for myself and a couple of my domains. Call it $12/month, because you'll want to setup two accounts:

* The admin-user.

* The daily/real-user.

In my case I have my real account "steve@steve..", and "admin@steve" which is the gsuite administrator. I only login to make changes to the domain setup, never to send/receive email.

It's annoying to have to pay for that second user, but I feel happier with the privilege separation in place.

Why not me@steve, iam@steve, thisis@steve, thereal@steve or any of the other variants?
I've been using name@name.tld for a long time now, I realize the repetition reads a little oddly but I've never cared enough to switch to anything else.

I guess I should have started using forname@surname.tld to make it all nice and neat, but I've no desire to change now.

I find it strange to send someone an email and address it to "me". Autocompletion may also help when typing steve instead of "thereal".
I'm a boring person. I even use my full name for kevincox@kevincox.ca
Are you actually the owner of steve.com? Because I've been ordering Dominos pizza with the email steve@steve.com for years.

Edit: nevermind. I see you own the .net tld. I've definitely used that to order pizza too. Sorry about that.

Couldn't you use @example.com?
That's a really good idea! I'll try it next time.
example.com is good because it is explicitly reserved for this purpose and has no MX records.

Although very occasionally a service will check for MX records, but that is incredibly uncommon. My go-to email for public WiFi is fuckoff@exmaple.com and have only been denied once (<1%)

I prefer webmaster@whatever site i'm on

A fair number of places will deny that, but I like to think it sends a message. I'm not sure how many, if any, domains still have a working webmaster@ address though.

I registered steve.org.uk in 1999, and steve.fi last year.

(I moved from UK to Finland, so I checked the .fi version on a whim. Luckily it was due to expire a few months after I checked, so I setup a script to register it the moment it became available.)

> That's a lot to protect against a thing that will probably not happen (account being banned)

$1,200 is a lot of money, but... anyone aged 23+ is older than Google. 17+ is older than GMail.

It is an illusion to say we know what will or will not happen to Google over the next 20 years. We don't know how entrenched the tech giants are over decades because we've never had anything like them before.

This is a problem that is obviously not going to happen in the next 12 months. But if a person don't control their email address, they shouldn't be using it for anything that it would really hurt to lose.

> It is an illusion to say we know what will or will not happen to Google over the next 20 years. We don't know how entrenched the tech giants are over decades because we've never had anything like them before.

Realistically we have little control or have any clue on what's going to happen a few years out in almost every aspect of life.

Look at Kodak (the photography company). They were around for over a 100 years, then digital photography came along to disrupt their market and they pretty much disappeared in a few months.

Kodak and Google aren't that different as being a company that offers a service that tons of folks use(d). Kodak used to be "the" place to buy film and get photos developed.

I'm all for controlling your own email (even tho I'm guilty of not doing so), but I think even if you controlled your own email, you'll still be victim of the company you're using maybe going out of business in the future. I wish nothing but success for Fastmail or any other email service that lets you control your email, but if they go down then you're in the same position as Google going down while using gmail.

>Look at Kodak (the photography company). They were around for over a 100 years, then digital photography came along to disrupt their market and they pretty much disappeared in a few months.

Kodak was well aware of digital photography, arguably one of its pioneers. What killed Kodak was cellphones. Kodak was too dependent and attached to making cameras and camera-related equipment. Most people did not need separate cameras once cellphones came along (even the 'dumb' models have a camera), so Kodak had nothing relevant to sell... Doubtful Google could be so stupid. Maybe if the Feds separate gmail from Search there'll be problems?

>I wish nothing but success for Fastmail or any other email service that lets you control your email, but if they go down then you're in the same position as Google going down while using gmail.

Keeping all your mails locally is not difficult if you use a mail client rather than a web client. Copying to a local folder every once in a while is a one/two click operation in typical clients.

$1200 of 20 years? I spend more than that on milk.
There are other options available. I personally don't use it, but Zoho Mail is free with paid plans starting at $1/mo.
I use the free hosted Zoho for a domain.

I had an incident a few weeks ago, where my mailbox lost about 1 weeks worth of messages, and were not retrievable.

I have used them for over 5 years, and this is the only negative incident.

Tbh the biggest benefit I see in such setup is the freedom of directing your email wherever you want. I wanted to quit Google 4 or 5 years ago and just having to redirect my domain to a private host rather than having to change my email address entirely is the one thing that made it possible
You don't need gsuite to both send/receive from a custom domain on gmail.

Takes a few minutes extra messing around with settings I guess but they offer the service for free, I can guarantee this.

You can do this without paying as well. If your DNS provider supports email forwarding you can use that (if it doesnt you can use improvmx free tier) and use gmail's inbuilt smtp server to send emails using your own domain.
Only issue with not using GSuite is that you won’t be able to DKIM sign those emails, although just SPF might be sufficient.
You can also use Gmail as POP3/SMTP client for your e-mail account at other provider.
This is what I do, and it works well.
Ya but then you can’t use googles SSO right?
yes, you have to use your *@gmail.com for SSO in this case
This is such excellent advice that I wrote a detailed step-by-step instruction guide for people that don't know how to do precisely that:

https://sneak.berlin/20201029/stop-emailing-like-a-rube/

It even has special instructions about how to secure the domain registration and DNS accounts. :)

(Don't use G Suite, though.)

I have attempted to read two articles on your site. As I am a privacy-focused person the articles were of interest to me. Both times I haven't gotten past reading the opening sentences when an obnoxious pop-up appeared asking for my email address. It seems ironic that someone publishing articles on privacy advocacy would be so keen to collect my email address. This practice also creates a real miserable experience and I have simply closed the page immediately both times. If someone is interested in subscribing to your newsletter why not simply provide a link for them to do so at the end of an article?
(comment deleted)
An email address is public information not private. You can have as many as you like for different purposes.
Email addresses are not public in general. They are not supplied to every site you visit automatically, and should not be manually supplied to every site you visit either. Whether it's a unique per-site address or not, it only makes sense to give it to people/organisations you want correspondence from. Therefore, sites that ask for it when you start reading an article seem really sketchy.
Yes, asking for an e-mail for site-update-sending purposes is very sketchy. That's what RSS is for, just publish a feed like a good netizen.

And indeed, your site does have a RSS feed, so what's with the e-mail address collecting? Rude!

Thx for that. Great help for many of us.

But why referring to Protonmail and using Fastmail for yourself?

I use different services for different things. I have 3 email accounts at FastMail and 6 at ProtonMail. Also, some of it is inertia: I've hosted the MX for sneak.berlin at FastMail for several years (and have prepaid some time into the future), and have only been using ProtonMail for about one year (and the HOWTO article is recent).

The fact that FastMail might be subject to the new Australian crypto key escrow law[1] is a little bit worrisome, and I may not continue to use them in the future depending on how that plays out.

For things where surveillance is less of an issue, I prefer being able to use a plain IMAP client, which ProtonMail does not support. Their current iOS client is pretty lame, for example (although their web client is better, and I understand that their next major release will improve things a lot across the board). I mention the IMAP issue in the article.

[1]: https://parlinfo.aph.gov.au/parlInfo/download/legislation/bi...

> The fact that FastMail might be subject to the new Australian crypto key escrow law

FM is saying it doesn’t affect them, as they are not a secure provider and can already give any information out upon lawful requests.

Do you disagree with that?

This is exactly how I understood it. But maybe I'm wrong?
Fastmail’s specific response: https://fastmail.blog/2018/12/21/advocating-for-privacy-aabi...

That in short, the A&A bill is about breaking end-to-end encryption, which Fastmail has never had anything to do with. It’s scary-sounding legislation, and I reckon it’s misguided at best, but it honestly doesn’t affect all that many businesses [note I’m saying businesses rather than people; many affected businesses will be among the largest ones, serving consumers], because end-to-end encryption of communications is uncommon, because it’s so frightfully inconvenient for all parties involved, because now the server is necessarily dumb and the client has to do a lot more work, and things like searching are typically just altogether broken because you’ll need the full index on the client to do a search.

(And specifically of the domain of email, I wouldn’t trust first-party encryption; if you care about governments accessing your data, first-party encryption such as ProtonMail offers is almost equivalent to no encryption if you can’t verify the code that is running, since that party may be compelled to backdoor the code to steal your password. This is one of the many reasons that Fastmail has never implemented PGP, ⅌ https://fastmail.blog/2016/12/10/why-we-dont-offer-pgp/.)

Thx for your detailed feedback. Appreciate it.

So your advice would be to go with Protonmail all the way, as you wrote it within your blog?

Really good article, could you share it as a hn submission by itself? Would love to see a discussion around it
Lately I try to avoid submitting my own website, per the HN guidelines discouraging promotion (the one exception is when I find a submission to be time critical). I only link to my own site in threads where it's directly and precisely relevant, such as this one.

If you found it valuable, you should submit it yourself. I'm not interested in the accumulation of updoots, feel free to get 'em. :)

I'd rather other people decide what subset of my writing is relevant to HN, as I'm no good at it: I'm too close to the work. (I only write about things I care a lot about.)

I don't care that much for the upvotes either btw

But the article is very well written and would be a shame if we didn't got other opinions here in HN, kudos for you, already added it to Pocket for later

Will try to get it rolling then

Nice. I'd highlight that conceptually, there are two entirely separate concerns here:

1) the front, if you so will - the emails which you give out and to which people (or algos) send you stuff

2) the back, where you receive and read your emails.

For many people, for example:

1) abc@gmail.com

2) gmail.com web mailer, or gmail app on mobile, or native OS app on the computer

You suggest a complete revamp:

1) catchall at own domain: anything@mydomain.com

2) one (or several) protonmail/fastmail accounts

But it's worth highlighting that people can get many benefits already by

1) catchall at own domain: anything@mydomain.com (as you explained)

2) keep whatever you're using now.

Just forward 1) to 2). Then you can start handing out the new email.

I'm definitely not a power user, but I see and understand the issues.

But for someone like me, if I take all this advice, there is still the aspect of trusting the domain registrar, maintaining a personal email server, hosting, CloudFlare, etc. etc. I have just shifted some risk of offending Google to some other risks of 3x more companies that I have to remember how to deal with now.

So what difference does it mean to me, average user, that I just stick with Google and don't misbehave, versus open myself up to having to deal with 3 other manual processes and companies to remember? It's turtles all the way down.

You see the dilemma for the average user.

For those that don't want to pay, Yandex allows you to set up a number of emails using your own domain for free.
The only thing worse I can think than having Google read your email is having Yandex read it.
The issue here isn't privacy but independence from a specific provider. If privacy is an issue as well then you should be using encryption as emails are not private.
It doesn't have to be fully trusting or not at all, there's different levels. I think using a provider you trust more (In my case Fastmail vs. Google) is a fair tradeoff. Fastmail has a pretty straight forward business model that makes sense to me so I feel like they don't have a reason to scan my emails for ad purposes or else.

Of course if you are worried about some nation state looking into your emails you should encrypt them and use whatever provider.

Depends on where you are. If you're in the US, sure, there is at least the theoretical possibility of legal protection against misuse. If you're elsewhere, they're not very different, and Yandex at least doesn't already have a million other data points about you to connect with this and build a bigger picture about your life.
If you aren't in the US, then Yandex is probably safer.
Russian companies cannot refuse data requests from the Russian government. American companies can.
(comment deleted)
My problem with the get your own domain and DNS is its far more likely I become incapacitated and become unable to pay or manage it than getting locked out of gmail or outlook mailboxes.
Is it? You can register for 10 years at a time and then keep that topped up, as well as setup autopay pointed at a bank account with as many years of funds as you'd like. At some point the likely limiting factors shift to other things. Even the most reliable longest lasting registrars could in principle go out of business or get bought, but then again Google could decide to radically alter or discontinue services at some point too (as they indeed frequently have), or get broken up or who knows. 10 years is quite a while. And while nothing about business dealings is completely certain, someone paying for a domain a revenue generator with potential for more, so even if a registrar was acquired they'd have strong incentive to try to roll over existing accounts barring active objection.

I don't know your personal circumstances of course, different people may very reasonably make different calculations. But I have more trust in a quality registrar and my bank then in Google under the most likely scenarios where I'd still care (long comas aren't impossible to come out of, even multi-year, but chances of just partial recovery plummet after even a month or two let alone full recovery). I think Google being capricious or making a mistake is a bigger concern, if only because there is almost zero chance of recovering from it (basically have to know a well placed Googler or manage to go viral or be a big enough presence to get their attention). Domains and finance in contrast are both full of competition and portability.

If you are doing all that, why use Google at all? Just to get the broken GSuite variant of Google?
As long as you don't want to use any Nest products, which now insist that you have a gmail.com address as apparently hosted domains are for business only.
There have been a ton of products where Google didn't initially support that but eventually added it. Maybe Nest will one day.

Obviously their sign-in/account infrastructure creates technical impediments against making their products do what they want. They should really fix that.

It appears to have been a deliberate choice, and one they have justified on several occasions.

That's not to say you're wrong, but it would be a turnaround at this point.

yep, noticed that too. i'm getting nagged to use my gmail login. what a virus.

i will add that it's possible to create a google account WITHOUT gmail,

https://support.google.com/accounts/answer/27441?hl=en

maybe that's sufficient for nest.

Hmm, thanks, I'll have a look into that. The objection to nest using "Google for Domains" or whatever they changed it to these days seems to be to do with the domain admin having access to everything. Which would be just fine for me, as I'm the only one that uses the domain.

Hopefully signing my address up that way, when it's already a domain account, won't b0rk all sorts of other things :/

Once you have your domain, you can use Zoho create emails for your domain for free. They don't offer IMAP/POP3 access in the free tier though.
Or register a domain with Gandi and they provide a free email service to you. Only two free accounts (with "unlimited" aliases), but that should be sufficient for most personal uses.
> app-based, not SMS-based two-factor authentication)

How does that work when using an email client and connecting to the server and using SMTP and IMAP?

You generate one password per client (i.e. app-based).
How does the client identify itself during the SMTP or IMAP transaction?
It uses the password that you generated for it. I don't understand where the confusion is.
The confusion seems to be about logging into your account on the web versus using a mail client like Outlook or Thunderbird.

Pick a service that lets you use a long password and a security key (like Yubikey) or authenticator (Google, Authy) to log in.

Most services will then let you generate a specific password for an email client. I would assume that behind the scenes that the service is restricting what ports that password can be used on, etc.

> I would assume that behind the scenes that the service is restricting what ports that password can be used on

Assuming it's a device accessing the service over IMAP and SMTP that can access multiple networks, restricting by IP and/or port won't really help. As I noted in my other reply, it's easy enough to script access to the account if have the password and there's no real association between the application and the credentials that are used for access.

I don't understand how that's any more secure than just using a strong password for the account. At some point, you're going to have to make that password accessible to the client. Plus, it's arguably less secure because the account now has multiple valid passwords that will work for authentication, and, based on your description, there's nothing that prevents someone from using the exact same password over a netcat session from accessing the account.
I meant using TOTP (app-based) two-factor authentication for securing your DNS provider and domain registrar accounts. The reason for not using SMS-based two-factor authentication is that it is not very secure https://techcrunch.com/2016/07/25/nist-declares-the-age-of-s...

I'm not aware of two-factor authentication for SMTP or IMAP.

> I'm not aware of two-factor authentication for SMTP or IMAP.

This could be achieved using a client side TLS certificate along with a username and password. I know that Postfix and Dovecot support it.

Has anyone else noticed random popups on 3rd party websites asking for google sign in? I even used firefox when it happened:

https://imgur.com/a/JC52lBV (lequipe.fr)

https://imgur.com/a/VSM3Uk9 (reddit.com)

https://imgur.com/a/KpVCYBL (medium.com)

Yeah. Reddit is especially really intrusive and annoying. I feel like they just don't want people to use their site anymore. Whenever I open new Reddit, my memory and CPU usage goes up so badly.
old.reddit.com.
Use a browser plugin like this to always use the old site: https://addons.mozilla.org/en-US/firefox/addon/old-reddit-re...
Doesn't work on Firefox Android. I never go to Reddit by typing URL; I go to Reddit because I follow a link to it.
There's a rich ecosystem of incredible third party reddit apps on android, as an alternative. Reddit is really unpleasant to use on the mobile web, even without the dark patterns.
The plug-in redirects to old Reddit automatically when following links, so if it worked for you that would not be an issue.
And if you're signed in you can opt out of the new site (Preferences > Opt out of the redesign)
Uniqueness of browser plugins creates unique signature specific to user.
This together with RES and Shine makes it really pleasant actually. In fact, I think you don't need to visit old.reddit.com for RES/Shine to work. CPU/MEM usage is off the charts though (has gotten much better).
Same here, it's painfully slow and I click their search results only when I don't know where else to look. Given reddit's sheer size and popularity in quite a few countries, I wonder how many MWh and CO2e the new version uses and causes.
Also battery degradation.
Reddit website unusable on mobile, it cuts all images in half for me (Nokia 3.1 and Samsung A51), and it's just laggy. I use RedReader from F-Droid instead.
Yes, it also loads forever, hides half the comments, constant pop-ups telling you to use the app instead, cannot read some (non-quarantined) subs without logging in, no NSFW without logging in, back button is broken, frequent error in loading pages...

On the desktop it still usable with old.reddit.com.

But honestly it's probably for the best, less time wasted.

They can't even manage to get their video player to work. Even your local news web sites, which ten years after YouTube still couldn't manage to consistently get a video to play in the browser, have figured it out by now. But Reddit? Nope. Requires me to hit the play button 3-4 times in order to start the video, stops randomly in the middle of the video, and "re-play" never works. I mean, we're almost in 2021! Developers, if you can't figure it out, just give up and embed YouTube.
My favourite bit is when it starts replaying (with full volume) after I've scrolled halfway down into the comments.
Yes, they've been showing up all over the place. Even on EBay.

I suspect some bizdev people at Google just had a "great idea".

I assumed these were using some kind of iframe trickery.
Yes, and it bothers me a lot, even if it's in an iframe, that it has my real name from my Gmail account inside the unrelated third party pages. I do not trust Javascript iframe policies from preventing the host sites of exfiltrating my name from the Google signin frame. Javascript and browser exploits have a long history.

This uBlock Origin rule blocks the popups at least:

##iframe[src*="accounts.google.com/gsi"]

If there was a bug that let websites read from unrelated iframes then they could just open the iframes themselves.
X-Frame-Options and cookie access rules would help protect against that a layer beneath Javascript. I get your point that ultimately any security breach can escalate to full-on compromise of all personal data. I still find it playing with fire to have completely unrelated sites having my name inside an iframe.
I never see these. I wonder if it’s because I have ublock properly configured or because I block third party cookies or because I never sign in to Google on my main browsing profile.
I use Firefox containers at work but I was postponing doing the same at home because it takes a bit of work to create the containers, assign sites, troubleshoot some minimal issues, etc; and THIS made me finally do it.

I knew that I was being tracked, but that was a bit too "in my face" to ignore it.

Same here. Seeing that popup on medium.com with my google login identity was what finally prompted me to start using containers. Now google's domains are safely kept in their little box where they belong.

It's funny because there's nothing new about those login popups - I already knew conceptually that kind of thing was possible - but seeing your little avatar picture show up where it doesn't belong provokes a much more direct reaction than abstract knowledge.

I tried to create my own Google container, but could never get it work with Google Drive which caused an endless redirect so I had to give up.
It’s called onetap if anyone is interested.
Yes and it pissed me off because on mobile it pops up like 0.5-2 seconds late so if you're unlucky you go to click on something and it popups up under your finger and you've suddenly signed up and shared your info with a company you had no intention of ever signing up with.

I complained to Google. I have a GSuites domain and I don't want my users to be able to sign up via Google. No resolution. I suggest you all complain too

I semi worked around it by adding accounts.google.com to my ublock origin block list but about once a month I have to turn it off to allow me to log into Google.

Note: I'm not against google. I am against this auto-popup. The logical conclusion is you'll go to a page and get 6 of those popups or more. One to sign up with Google, one to sign up with Apple. One to sign up with Facebook. One to sign up with Linkedin, etc...

The design of that system by google is not a good design based on the idea that if everyone did it it would be bad. Google should top it. If I click "sign up" on the sight then let the site offer me "login with X" and don't contect X until I click "login with X"

Also I reflexively clicked ok out of laziness and annoyance without knowing what it was. Not quite a dark pattern but you certainly aren’t completely aware what it’s asking within the first second of seeing it.
aren’t completely aware what it’s asking

That is one example of a dark pattern.

This filter did it for me:

||accounts.google.com/gsi/iframe/select$subdocument

It blocks just the popups and not the login page itself. But Google may change their methods at any time to circumvent it, so your way is more robust.

> I semi worked around it by adding accounts.google.com to my ublock origin block list but about once a month I have to turn it off to allow me to log into Google.

This is where uBO's dynamic filtering[1] is useful, as it allows you to globally block `accounts.google.com`, and then unblock it only for specific sites by overriding the global block rule with a local noop rule.

* * *

[1] https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu...

Thanks for your work! A true friend of the internet.
> popups up under your finger and you've suddenly signed up

Happened to me as well. So i guess their plan worked. So glad they care about my privacy.

You can disable these annoying prompts by going to https://myaccount.google.com/permissions and disabling "Google Account sign-in prompts". Ideally it should have been user opt in but Google followed dark pattern here.
At the risk of stating the obvious -

This implies that Google already knows that it's you when it shows the sign-in prompt on some 3rd party website and they are already tracking you there even though you are not signed in. Lovely. Not that you'd expected anything else from Google.

Yes, the pop-up is for signing into the site with your already-signed-in Google account. If you're not logged in then you use the site's default login mechanism.
Obviously Google knows that you are logged in to Google when you are logged in to Google.
And Google knows that you are not logged in to Google when you are not logged in Google on these web sites.
Of course they do. It uses an IFrame request to the Google.com domain (so that the "host" website doesn't see any details before you login). Google can however see who you are because your auth cookies and what-not will be sent along with that Iframe request on whatever host website decides to use this pattern. See: Medium

A further issue with this is that Google knows you're on that website because the referrer and request headers will have that on the IFrame request.

Edit. I think I replied on the wrong post here.

Just to be totally clear, this is how tracking cookies work everywhere. The site you visit includes an iframe with an ID "X" that identifies itself, the iframe loads `trackingsite.com?id=X`, the request includes your cookies for that domain (or at least the ones that are allowed for an iframe request), now `trackingsite.com` logs a visit to Site X from the user holding Cookie Y.

There's a fundamental conflict between privacy and convenience, because I have to either allow no third-party cookies, which means no one can embed any authenticated content from a third-party context (think Disqus comments on a blog), or I have to allow third-party tracking. The middle ground -- allowing some third-party cookies but not others -- is a UX nightmare. Just trying to explain the situation to an average user, at all, is nearly impossible, much less interrupting every visit to every site with "Can I use cookies from {site 2} here? How about {site 3,4,5...112}?".

If you have multiple Google accounts logged in, you'll have to do it for each account. Why, Google, why???
I mean, the simple answer is because they're trying to spread the use of Google login, make it ubiquitous, so they can own all authentication mechanisms too as if owning everything else isn't enough.
I've been fiddling with ublock on how to disable this. would've never guessed about the settings in google account. this should've been disabled by default or an option on the pop-up to permanently disable it.
Hey, thanks for that.

Just confirmed this does seem to stop the annoying login popups from Medium, etc.

I tried to figure out how to disable that a few months ago but my google-fu was weak and it seemed like nobody knew how to do it.

No I haven't. Because whenever I sign in to Google I do so in a container. And I sign out and destroy tye container as soon as I am done.
This is a real problem. One would think that a respectable site would give us the option to recover via email, but that is not the case. I had this exact issue with Kobo yesterday, I'm forced to use Facebook login even though they have my email as a recovery option.
Really the dumbest, most confusing design I've ever seen to make a website seem like it knows who you are when you visit as a guest.

When I first saw it on Pinterest, it took me a moment to figure out what I was looking at as a web developer of 20 years. My girlfriend still didn't get it after I was explaining it to her. How does anyone else have a shot at arriving at "oh, so the site doesn't actually have access to this information that's being displayed on the site."

When I was younger, I thought good UX design was obvious, something all of us had intuition for as users ourselves. All you do is put yourself in the user's shoes and ask basic questions and use basic empathy. Of course, now being in software for so long, I realize it's one of the rarest and most unrecognized skills.

If you empathize with normal users, you realize they don't care the least about any of this. They want to use a convenient service to do things. To post pictures of themselves, to see what their friends and frenemies are up to, what's the new cool thing etc etc. Login should just work, nobody cares what is displayed where, and which site knows what. Normal people (outside the HN) bubble don't care about these things, like privacy and what data they share. It doesn't get them closer to the things they want to do online, that is post things and consume content.
The problem is that it doesn’t really work, because if next time they somehow log in with their email/Twitter/Facebook/Apple ID instead, it will make a new, totally unrelated account, and all their stuff will be mysteriously gone for no apparent reason.
The truth is you should not use Google login to Google services either. You get the service promise you pay for, none. If their secret algorithms decide that you are in breach of whatever ToS, they will lock you out. Not very likely for the average user. But more likely for HN reader who might experiment with programmatic access to the services or do other atypical stuff.

Yes, I need to move away from gmail...

"Never Use Google to Sign-In" he says it as he offers Google Sign-In through Disqus comment section on his blog.
If they had built their own comment section with Google login, that would be weird indeed. But if you just like Disqus comments (they certainly were hot when I actively blogged in 2012) and one of their login options is Google... I don't see the issue there unless they're really pushing you to use it.
Author said "If a website offers you to sign-in using Google (or any third-party service, say Facebook, Github, etc.), don’t use that feature." But he has Disqus comment section which offers login through Facebook, Twitter and Google. I would say that's little bit hypocritical.

The similar thing is when a politician says corruption is bad and next thing you know he or she is involved in corruption scandal.

Disqus offers you sign-in using one of aforementioned services but you don't have to use that feature. You can make an account normally and sign-in using email/passsword. The author says you should prefer the later, not boycott any service offering the former.
It’s ok to give advice and choice.
He's not offering Google Sign-In. Disqus does.
Isn't that obvious? Convenience always hat some kind of price tag, particularly a security related one.

I would have canceled my facebook account long ago if I had not chosen their login for a (unknown) number of service.

What would be a better alternative? Use same credentials everywhere? No, because it is just a matter of time it would leak out of one service. Use unique credentials for each service in local password manager? Nay, because most of us at least want to sync between desktop an mobile. Use something like Chrome's password manager? That bears similar dangers like those the article points out.

> What would be a better alternative? Use same credentials everywhere? No, because it is just a matter of time it would leak out of one service. Use unique credentials for each service in local password manager? Nay, because most of us at least want to sync between desktop an mobile. Use something like Chrome's password manager? That bears similar dangers like those the article points out.

I use BitWarden and it works pretty well on all my iOS devices and across major browsers.

Or do it but don't use your google account for your business. Especially, if the business could be considered by anyone as spam, anything to do naked bodies, terrorism, weapons and such
We went through a process of changing email domains recently and we use Google Sign In for many of our services. Switching emails over varied greatly between services. Sometimes it all just worked and my new email would sign in to my account and my email address on the service was updated automatically. Some allowed me to sign in fine, but I had to contact them directly to update the email address. A number of times I ended up having to go through recovery processes.

I guess at least if you’re using your own domain, you’d be able to repoint mx records to do the recovery.

I tend not to use it for my personal accounts, but honestly, Google Sign In for our work systems has generally been a good experience. Works well for our small team, anyway.

(comment deleted)
> "if Google (or third-party of your choice) locks your account for some reason, you will be locked out of all the services where you signed into using Google."

But if the account I'd use to sign in is my Gmail account, and they had locked that account, wouldn't I be locked out anyway?

Please explain it to me if I'm wrong (cause that happens often).

You'd be locked out of recovery emails, but not the service. You could potentially changed the email/username as long as you still had the login details.
We also offer multiple third-party signup solutions for our service in addition to "traditional" e-mail based signup. For every service we retrieve and store the users' e-mail address on our server (we also need that to e.g. send out invoices) and enable e-mail based login and password reset/generation by default (you can disable it or add 2FA), so your account will not be lost just because your OAuth provider blocks your credentials.
That's great, but I'd wager that a majority of users that use Google login are doing so @gmail.com, so their email address is also toast if their Google account is suspended.

I suppose you, as a site operator, are doing all you can do, though.

Won't the password reset link of a blocked Google user get emailed to their inaccessible gmail inbox?
I think it's to protect against the Identity Provider revoking access to the service you're dealing with rather than them blocking your account.

We saw this recently with "Sign in with Apple" and Epic Games, where Apple denied access to Epic and the accounts that did not share their actual email were effectively lost.

If Google blocks your account you clearly have done something wrong and rightfully so deserve to be deprived of any web service.

/sarcasm

This might sound like sarcasm to us but I've honestly heard people claim this with a serious face, as well as: "I'm not doing anything bad, so they'll never block me". Guess it's not a problem until it actually happens to them.
There were pieces of news about google accounts being blocked for being "associated" with an account that did bad things.

I think most were contractors using both their own accounts and the customer's accounts to put apps in the play store... which will associate you with random people that pay you to make an app, maybe forever?

Having an identity provider service intermingled with services by the same company and not differentiating between providing the identity service and any other service is the core of this problem.

Really sad that Mozilla Persona did not make it. To me this was promising solution for 'identity provider service'. This section of service should be heavily regulated since it hs a lot of power.

Also probably it should be paid for.

Not really, in a lot of sites even if you sign up with Google you then can do a simple 'reset password' with the email associated with your Google account and set a password.

The real solution to the problem would be a standadized passwordless local authentication for sites, I mean the site uses an API of the browser to auth the user, that way you don't need third parties to authenticate and you have everything in your PC. The W3C is working on it.

Same goes for Facebook Login, Twitter Login and Sign in with Apple
I'd argue, never use a third party service to log in, if you can.

I always use my email to sign up. If I can't register by email, there's a good chance I won't use that service.

It’s worth noting that you’ll get the same outcome if you register everywhere with a free Gmail/iCloud/whatever account. The only sure way you won’t lose access is to set up your own domain and use a decent email provider that allows to use it (Yes, ironically even Google Workspace/GSuite).
I usually use it for random websites, but not for services I use everyday
Good point, but if Google suspends my account I've got bigger things to worry about than the dozens of sites I've used once or twice a year.

Paying for your own domain also comes with its own troubles. If you're not using Google (or some other service) as your mail forwarder, good luck being able to email anyone. Stealing you custom domain is also a real possibility, and negates your investment in Gmail 2FA.

How could my domain be stolen? :O
Social engineering attack on your domain registrar, court order, choosing a domain controlled by a dodgy registar.

There's actually quite a few ways.

> court order

I don't think that's a "real possibility". It isn't impossible, yes, but very unlikely.

- does you registrar have physical office? is it in a country with legislation friendly towards the country you're based in?

- does your registrar send Auth-Info code over email in plain text?

- did you enter real contact and residence data when registering the domain including public WHOIS database?

This is only a fraction of the attack vector.

> does you registrar have physical office?

Yes.

> is it in a country with legislation friendly towards the country you're based in?

It's in the same country.

> does your registrar send Auth-Info code over email in plain text?

Of course not, that would be a big red-flag.

> did you enter real contact and residence data when registering the domain including public WHOIS database?

I have no idea what a public WHOIS database is, never registered anything there. For the registrar I've entered my real contact and residence data, should I've not?

I mean the contact details specified at the registrar and returned over the WHOIS protocol. Depending on the nature of a conflict the entity returned by the WHOIS requests might be considered the owner of the domain.

Unfortunate phrasing on my side:) Actually there exist scammers reaching out to well known mailbox names and requesting a fee for an entry in "WHOIS database".

Your real world mailing address is published in WHOIS ("who is") by default, often you have to pay the registrar extra to keep it private, which is admittedly a total scam. You could use a fake one, but then it eliminates a way to verify you own the domain.

The WHOIS client is in most distros, try it out.

Thanks :) I've tried it out and it only showed my registrars contact details.
Phishing or bribing an employee at a domain registrar. Phishing you to get your password and then bribing or social-engineering someone at the phone company to forward your SMS-based 2FA codes to them. Waiting for you to forget to renew your domain and then registering it.
> Phishing or bribing an employee at a domain registrar.

Okay? I don't think anyone would go to that trouble.

> Phishing you to get your password and then bribing or social-engineering someone at the phone company to forward your SMS-based 2FA codes to them.

Seems unlikely, I never log into my registrar's website. I do often have to enter my Google password though!

> Waiting for you to forget to renew your domain and then registering it.

It's auto-renewing.

It often surprises people what effort someone will go to to steal their identity.

Consider that you have a github account. You might be in the supply chain for a bit of code someone needs to read or backdoor to attack a company that you've never heard of. Github is a harder target though.

The scary ones are the real estate funds redirectors. They just need to be in your inbox for a little bit and boom, hundreds of thousands of $ gone because people don't take the time to re-verify bank account details by in person.

So many different ways domains are stolen. Or you lose your domain: UDRP, social engineering at the registrar, hack into the account at registrar, the email you use on whois record isn’t valid anymore, you have auto renew turned off and it doesn’t renew.
If anything happens to you which prevents you from renewing your domain, e.g. you are detained or in a coma, then it's probably gone as well unless you have a lot of credit on your registrar account.
Most domain registrars support autorenew with a credit card.
Most credit cards have an expiry date
Running a mailserver is something that doesn't just work out of the box, but it's not true that it's impossible to run a relatively reliable email service. Takes a bit of work, for sure. But it's the best and biggest federated network we have at the moment. Your custom domain can be secured by 2FA as well, if one is using a reputable registrar, and you can legally own it. So even if it's stolen, there is recourse.

I really don't enjoy this giving up on online sovereignty, just because of the convenience and some quasi-monopolists.

And I say that as someone who has very few accounts at any online-services (if avoidable, I'm not a fundamentalist, after all I am posting here right now) and runs mailserver (and cloudstorage and more). So I'm aware it's not all rainbows and unicorns, and I appreciate this is something that takes the skills and time that not everyone is willing to invest. Nor should they.

But one's own "domain" (in the DNS and also the territorial sense) is something that enables some freedom in a world where power is increasingly being concentrated und surveillance is becoming so ubuquitous.

> it's not true that it's impossible to run a relatively reliable email service

Good thing I didn't say that then.

Running your own email service isn't hard, even with setting up DKIM and anti-spam and so on, though it is time consuming. It is much harder to make sure people will receive your mail and it not be in their junk mail. I'm still seeing lots of email to mailing lists, with impeccable message content, ending up in spam based on mail server reputation or content similarity metrics. If you're running an organisation that can be very costly. If only a fraction of your recipients mark you as spam you'll get lots of misses.

Handcrafting your own internet stack is very libertarian, but it doesn't scale to anyone without access to deep tech expertise. Even governments decide they can't run mail any more. And I would argue that this isn't something you can fix about email. The problem is that the next system isn't federated at all -- it's balkanised and monetized: WhatsApp/Messenger, iMessage, Duo, Telegram, etc etc.

You don't have to run your own server, you can use a services that will (1) have a better privacy policy than Google and (2) supports custom domains as a built-in feature. Like Protonmail for example.
Remember OpenID? Yes, that's what it was for, OAuth wasn't never meant for signing in other websites who just want your mail or something... Of course, all these big tech corps quickly dropped OpenID, they don't want people to control their online credentials or identity...
Really, I think OpenID died because it didn’t see significant enough adoption. I remember the user flows being a bit clunky, which certainly didn’t help.

With OpenID, basically everyone used a third party ID provider, and so you were just as dependent on that provider as with OAuth. Did you actually self host OpenID? If so, that’s a lot to ask of each person in the world. If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”

If OAuth was never meant for signing in, then putting Auth in the name was a funny choice. You add the qualifier “websites who just want your mail or something”, but I’ve never seen a single mailing list sign up that used OAuth.

> Did you actually self host OpenID? If so, that’s a lot to ask of each person in the world.

You could pay someone to host it with reasonable guarantees they won't delete your account on a whim and no recourse.

Or you can use a free service that you somewhat trust with your own domain, so you can point the domain to another provider if you need to. Almost no technical knowledge required for that.

> If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”

Same for email, which is what identity relies on instead of OpenID.

And self-hosting OpenID is much easier than email: you just need domain + LAMP (or equivalent), and don't have to deal with DKIM, SPF, being blacklisted from Gmail/Hotmail, ...

> You could pay someone to host it with reasonable guarantees they won't delete your account on a whim.

Each user having to find a hosting provider and pay them... it seems like a non-starter. Think about the non-technical people in your life. That solution would only help the very few people who both understand the details of OpenID, and care about the possibility of losing account access at a deep level. Most people have other important stuff going on in life, so good luck convincing them to adopt self-hosted OpenID at greater cost (and effort) to themselves.

This is even assuming that the hosting provider also acts as a domain registrar so each person doesn’t also have to figure out how to buy and own a domain name, to truly own their OpenID, because that would either make this solution much less meaningful in terms of control (with no custom domain), or make it that much harder.

> Same for email, which is what identity relies on instead of OpenID.

I’m not here to argue for self hosted email. There are many email hosting providers that make it relatively easy for you to bring your own domain name... but this is irrelevant. Signing in with an email and password continues to work even if the email account has been suspended. So, it’s not the existential threat that the article is concerned about.

I think the more realistic solution for users is the new FIDO2 standard that will hopefully see adoption soon.

I think Google has done a similar thing on Android, but Apple has for sure made every (up to date) iPhone, iPad, and Mac able to act as a FIDO2 Platform Authenticator.

Even if the user signs up via OAUTH, websites can give the user the choice to sign in via FIDO2 on each device. At that point, users could sign in from those devices even if their Google account were suspended, giving the website a chance to help the user migrate their account authentication.

The FIDO2 flows seem very user friendly, but... the standard is so new, broad adoption remains to be seen.

That is why basically every implementation provided a big "Log in with Google" button. It was basically no effort to implement (it just fills in the Google OpenID URL) and solves the problem of the people who don't have enough distrust in Google to self-host.
Has there been any retrospectives or published thoughts around why OpenID failed? Ideally a extensive, impartial report would be nice to read through.

While it's easy to blame big technology companies for the failure of open standards, there might be other reasons behind it (as well as companies trying to prevent it from succeeding)

OpenID failed because you had to sign up to an OpenID provider and then copy and paste some weird URL from there into websites you wanted to use.

Why would anyone bother with that hassle when you can just put in your email address (that you already have & know) and a password.

In contrast, OAuth succeeded because most people already have a Facebook / Gmail / Github account, which meant that sign up just becomes clicking a single button which is easier than email signup.

OpenID was more difficult than email signup, whereas OAuth is easier.

Having a DNS-like system that resolved an individual's email address to an OpenID provider (or more than one?) might've been a good idea.
OpenID hasn't died at all - it's just used in a different context. We implement this now for SSO in corporates to unify fragmented IAM scenarios.

Accepting any domain as an OpenID IdP is not likely to be a feature of publicly facing sites, as they still provide the ability to create / register / use these accounts for spam and other unwanted abusive purposes.

Sadly everyone wanted to be an OpenID provider, very few wanted to be a consumer of OpenID.

Neither Google, Facebook nor any of the other major Internet sites where ever going to allow you to authenticate using a 3rd party.

OAuth is exactly the same. You can't log in to Facebook using your Google account.
That’s not strictly true, once you’re signed up, you can usually login using your email address if you need to.
> Never Use Google to Sign-In

Never Use Google.

You beat me to the punch. I fully abandoned Google and Facebook over two years ago. No regrets.
Sincerely interested in knowing how you did this. Any guide is appreciated. Thank you :)
I also think it can be the other way round too. Like I use this amazing app called Smart youtube player that works best if you sign in with your YouTube id. Now this app breaks some rules like skipping ads which may voilate their Tos which can put your account in jeopardy also.
I was forced to use sign in with google for dnd beyond as they don't support byo-email address (!), only google, twitch, apple, and yahoo.

We need a name and shame site for websites that can't be bothered to write a back end database for the 3 columns needed to store emails, salts, and hashes.

2FA, reset your password, making sure that password emails gets through, preventing login enumeration, preventing dictionary attacks, etc.

Those are just the things off the top of my head, it's not just three columns

Rate limiting is also a big one.
That reinforces the point of the article, but is semi-orthogonal to my point.

Convenience strikes again. They use the google third party sign in since a big company like dnd can't be bothered to implement 3 columns plus your nice to haves.

And they are nice to haves, arguably obvious and easily upgraded to required table stakes, but not _required_ to implement email-based sign in. The first three of your listed iftems are also effectively mitigated with a password manager.