47 comments

[ 0.21 ms ] story [ 185 ms ] thread
wow how they guys doing it.. text came and go in few seconds. I am using gmail.
Hmm, so the e-mails are routed through their infrastructure and then ( presumably ) some form of magic is injected and delivered to the recipient.

Upon opening, the content 'fades-out' and fade.li assure us that they delete the content from their systems.

/me tries with disposable account

Aha, it renders the mail content as images. A bunch of basic HTML with the GIFs inline, I used wget to pull them down but the metadata is corrupted. I'll poke at them...

Aha2: animated GIF. Frame-by-frame 'writing' of the e-mail, then blanking-out. Presumably they delete the GIF from their server when it has been served once.

Here's one ( safe for work! )

http://imgur.com/jS2cvMr

It renders it as an image which fades and they seem to only allow one get for.
Yes, but if you don't display the image, there's no get, so when you put it on a new tab, that's one get, and from there you can save it from the browser, which isn't no more additional get.
Yep, you can also check the original email and download the image directly.
Freemium model appears to be allowing this else downloading can be easily stopped from wget and other downloaders. ofcourse screenshot is the option. ;)
You can't easily stop wget. It's impossible to distinguish between Firefox accessing the image, and wget / curl / whatever accessing the image with Firefox's user agent string (and changing the user agent string in these utilities is just a simple flag)
You could get clever by testing on the server whether the other headers are consistent with the User Agent (e.g. Accept).

But yeah, ultimately it's a losing game because you're trusting the client not to be compromised.

neat tool: chrome developer tools > network > rightclick a resource > copy as Curl > paste on command line

allows you to replay a request, complete with all cookies and the exact same headers.

yeah, aware this isn't what's wanted here, single request image etc etc ... but relevant.

OH! You wonderful wonderful man!
handy, ain't it? :)
> You could get clever by testing on the server whether the other headers are consistent with the User Agent (e.g. Accept).

Those headers can vary from machine to machine even when using the same browser. So you'd have a huge amount of testing, plus the big risk of braking legitimate requests. I just cant see how you could pull that off successfully.

> But yeah, ultimately it's a losing game because you're trusting the client not to be compromised.

Totally. Even if your solution did work, it's trivial to break again as you just add the appropriate headers to wget / curl as well as changing the user agent string.

The title itself is a paradox and any IT person should see that.

First rule of piracy people, if you can read, see or hear it then you can copy it.

The tone suggests this is playful, which is fine, since this is in no way secure. The FAQ has a few misleading claims though

> Your email's content is encrypted using banking-grade algorithms (256 AES) and securely stored on our servers.

> No traces.

> We were also growing tired of news about privacy issues and claims of government reading our emails behind our backs… it all seemed very Orwellian

It feels like you're kind of suggesting these things are actually secure.

Kinda "Snapmail". Kinda brilliant.
1) Open email in gmail (do not press display images)

2) Options on the right "Show Original"

3) Copy the URL that goes like: http://content.fade.li/selcouth/... to a new tab

4) Save image as

5) ...

6) Profit!

For added fun, somebody please go and register unfade.li, if you forward a mail there, it OCR scans the image and sends you back the text.

P.S. sending email as images is one of the most stupid ideas that seems to keep cropping up. It's not in any way making it impossible to get at the email, but it just makes it extremely inconvenient to reply inline, or for differently abled people to read your mail.

Alternatively take a screenshot.
it scrolls trough the lines, so screenshotting that is difficult.
There are a few plugins for FF available that capture the whole screen. Not sure of any quirks though.
Menu File -> print -> print to file. You just got a nice pdf. No need of extensions.
Which cannot be opened in SumatraPDF (the only reader I'll install since it's open source) for some reason. Besides, an image is a lot easier to share, plus I don't need a reader.
(comment deleted)
I have a sudden urge to send an email to dowhile@fade.li.fade.li
This will just email dowhile@fade.li in the end.
Seems like an interesting concept. It's easy to complain about the ability to screenshot/save the .GIF file; any application that tries to do this, such as SnapChat, will suffer from the same problem as there is always a way to circumvent services like this. They appeal because of their fun factor, and not a supposed ability to be ethereally secure.
Cool idea, well executed. Has obvious flaws & security issues but it could be a bit of fun.

Anyone else find the landing page a little bit overwhelming for such a small app? All the pictures of people having a great time seem a little over the top?

Finally, DRM for email!
And it works with MSIE6, too!
it also works with most of the mobile browsers.
This kind of defeats email as a medium doesn't it?

Also I am supposed to trust (yet) another third party who hasn't got a neck in the game to keep my privacy?

Sorry I don't get it.

What apps like this do is create social pressure on people to not copy things. If you use SnapChat it is obvious that you want the communication to be treated with more "sensitivity" than a Facebook post.

The common complaint that it is impossible to self destruct data is obvious to most people. If it is technically impossible to make something un-shareable then the only thing you have left is social convention.

Everyone's pointing out that these can be saved and they address this in their FAQ. It seems the purpose is not to stop the other person viewing the message more than once on their end (snapchat-ish) but to stop emails being recorded by email providers/governments.

EDIT: Looking through their privacy statement:

"Hence messages are to be sent at the risk of the user. Information such as messages, time, date, name of the receiver and sender are also logged by us. We also collect and use aggregated or de-identified information."

IANAL but that looks to me that they are storing messages?

But with minimal effort, they can be, but it would have to be somewhat targetted attack against this particular service.
Incoming:

"Hey, could you resend that? I opened it and then had to switch to another tab for a few seconds, but when I got back the message was already 90% gone"

I think most people so far are missing who the target audience is.
and who are they? Serious question.
I did not realize you could setup a MX record for a wild-card subdomain. It would seem like there are lots of applications for that setup - how come it's not something I've seen dome more?
Good point. I thought this trick was the most clever thing here. Making all email addresses instantly accessible as a sub-domain of fade.li.

As far as ideas, I'm actually thinking the complete opposite. Going on record - like an 3rd party service that proves that you sent an email to a person at a certain date and time in case of a later dispute. e.g.

youremail@google.com.prove.it

this is probable the worst idea I've seen emerging from the Snowden leaks aftermath.

It's not secure, it's not accessible and I fail to see how it protects privacy of defeat surveillance in any way, actually all your emails are now belonging to another third party, namely fade.li.

oh and the emails and not even self destructing.

Use openGPG instead.

I am going to apply for job positions using fade.li.
Is there any effort put into preventing this being used for harassment? I can already see the death threats and scare tactics this will be used for.