Hmm, so the e-mails are routed through their infrastructure and then ( presumably ) some form of magic is injected and delivered to the recipient.
Upon opening, the content 'fades-out' and fade.li assure us that they delete the content from their systems.
/me tries with disposable account
Aha, it renders the mail content as images. A bunch of basic HTML with the GIFs inline, I used wget to pull them down but the metadata is corrupted. I'll poke at them...
Aha2: animated GIF. Frame-by-frame 'writing' of the e-mail, then blanking-out. Presumably they delete the GIF from their server when it has been served once.
Yes, but if you don't display the image, there's no get, so when you put it on a new tab, that's one get, and from there you can save it from the browser, which isn't no more additional get.
Freemium model appears to be allowing this else downloading can be easily stopped from wget and other downloaders. ofcourse screenshot is the option. ;)
You can't easily stop wget. It's impossible to distinguish between Firefox accessing the image, and wget / curl / whatever accessing the image with Firefox's user agent string (and changing the user agent string in these utilities is just a simple flag)
> You could get clever by testing on the server whether the other headers are consistent with the User Agent (e.g. Accept).
Those headers can vary from machine to machine even when using the same browser. So you'd have a huge amount of testing, plus the big risk of braking legitimate requests. I just cant see how you could pull that off successfully.
> But yeah, ultimately it's a losing game because you're trusting the client not to be compromised.
Totally. Even if your solution did work, it's trivial to break again as you just add the appropriate headers to wget / curl as well as changing the user agent string.
For added fun, somebody please go and register unfade.li, if you forward a mail there, it OCR scans the image and sends you back the text.
P.S. sending email as images is one of the most stupid ideas that seems to keep cropping up. It's not in any way making it impossible to get at the email, but it just makes it extremely inconvenient to reply inline, or for differently abled people to read your mail.
Which cannot be opened in SumatraPDF (the only reader I'll install since it's open source) for some reason. Besides, an image is a lot easier to share, plus I don't need a reader.
Not a plugin but a windows program (don't know if it works on win7, I run linux now) called faststone capture can move the scrollbar and take screenshots. The current version (7.6) is paid:
fades away via direct url (http://content.fade.li/selcouth/119a1902d...) too? but still if people can save it, they need new slogan and/or new algos because it's still being on the record.
Seems like an interesting concept. It's easy to complain about the ability to screenshot/save the .GIF file; any application that tries to do this, such as SnapChat, will suffer from the same problem as there is always a way to circumvent services like this. They appeal because of their fun factor, and not a supposed ability to be ethereally secure.
Cool idea, well executed. Has obvious flaws & security issues but it could be a bit of fun.
Anyone else find the landing page a little bit overwhelming for such a small app? All the pictures of people having a great time seem a little over the top?
What apps like this do is create social pressure on people to not copy things. If you use SnapChat it is obvious that you want the communication to be treated with more "sensitivity" than a Facebook post.
The common complaint that it is impossible to self destruct data is obvious to most people. If it is technically impossible to make something un-shareable then the only thing you have left is social convention.
Everyone's pointing out that these can be saved and they address this in their FAQ. It seems the purpose is not to stop the other person viewing the message more than once on their end (snapchat-ish) but to stop emails being recorded by email providers/governments.
EDIT: Looking through their privacy statement:
"Hence messages are to be sent at the risk of the user. Information such as messages, time, date, name of the receiver and sender are also logged by us.
We also collect and use aggregated or de-identified information."
IANAL but that looks to me that they are storing messages?
"Hey, could you resend that? I opened it and then had to switch to another tab for a few seconds, but when I got back the message was already 90% gone"
I did not realize you could setup a MX record for a wild-card subdomain. It would seem like there are lots of applications for that setup - how come it's not something I've seen dome more?
Good point. I thought this trick was the most clever thing here. Making all email addresses instantly accessible as a sub-domain of fade.li.
As far as ideas, I'm actually thinking the complete opposite. Going on record - like an 3rd party service that proves that you sent an email to a person at a certain date and time in case of a later dispute. e.g.
this is probable the worst idea I've seen emerging from the Snowden leaks aftermath.
It's not secure, it's not accessible and I fail to see how it protects privacy of defeat surveillance in any way, actually all your emails are now belonging to another third party, namely fade.li.
47 comments
[ 0.21 ms ] story [ 185 ms ] threadUpon opening, the content 'fades-out' and fade.li assure us that they delete the content from their systems.
/me tries with disposable account
Aha, it renders the mail content as images. A bunch of basic HTML with the GIFs inline, I used wget to pull them down but the metadata is corrupted. I'll poke at them...
Aha2: animated GIF. Frame-by-frame 'writing' of the e-mail, then blanking-out. Presumably they delete the GIF from their server when it has been served once.
Here's one ( safe for work! )
http://imgur.com/jS2cvMr
But yeah, ultimately it's a losing game because you're trusting the client not to be compromised.
allows you to replay a request, complete with all cookies and the exact same headers.
yeah, aware this isn't what's wanted here, single request image etc etc ... but relevant.
Those headers can vary from machine to machine even when using the same browser. So you'd have a huge amount of testing, plus the big risk of braking legitimate requests. I just cant see how you could pull that off successfully.
> But yeah, ultimately it's a losing game because you're trusting the client not to be compromised.
Totally. Even if your solution did work, it's trivial to break again as you just add the appropriate headers to wget / curl as well as changing the user agent string.
First rule of piracy people, if you can read, see or hear it then you can copy it.
> Your email's content is encrypted using banking-grade algorithms (256 AES) and securely stored on our servers.
> No traces.
> We were also growing tired of news about privacy issues and claims of government reading our emails behind our backs… it all seemed very Orwellian
It feels like you're kind of suggesting these things are actually secure.
2) Options on the right "Show Original"
3) Copy the URL that goes like: http://content.fade.li/selcouth/... to a new tab
4) Save image as
5) ...
6) Profit!
For added fun, somebody please go and register unfade.li, if you forward a mail there, it OCR scans the image and sends you back the text.
P.S. sending email as images is one of the most stupid ideas that seems to keep cropping up. It's not in any way making it impossible to get at the email, but it just makes it extremely inconvenient to reply inline, or for differently abled people to read your mail.
http://www.faststone.org/FSCapturerDownload.htm
but an old version (5.3) that always worked well for me is free:
http://www.portablefreeware.com/?id=775
Anyone else find the landing page a little bit overwhelming for such a small app? All the pictures of people having a great time seem a little over the top?
Also I am supposed to trust (yet) another third party who hasn't got a neck in the game to keep my privacy?
Sorry I don't get it.
The common complaint that it is impossible to self destruct data is obvious to most people. If it is technically impossible to make something un-shareable then the only thing you have left is social convention.
EDIT: Looking through their privacy statement:
"Hence messages are to be sent at the risk of the user. Information such as messages, time, date, name of the receiver and sender are also logged by us. We also collect and use aggregated or de-identified information."
IANAL but that looks to me that they are storing messages?
"Hey, could you resend that? I opened it and then had to switch to another tab for a few seconds, but when I got back the message was already 90% gone"
As far as ideas, I'm actually thinking the complete opposite. Going on record - like an 3rd party service that proves that you sent an email to a person at a certain date and time in case of a later dispute. e.g.
youremail@google.com.prove.it
It's not secure, it's not accessible and I fail to see how it protects privacy of defeat surveillance in any way, actually all your emails are now belonging to another third party, namely fade.li.
oh and the emails and not even self destructing.
Use openGPG instead.