Firefox Relay (firefox.com)
352 points by charlieirish on Jan 25, 2021 | 174 comments



IMO if you're really concerned about anonymity and securing your email from credential-stuffing, and willing to pay for such a service (I used to pay for 33mail), it's easier to just buy a domain and route * to your inbox.

It won't get banned by some services, you have complete control over the domain and account, you can send email from any address you wish, you can sign up for domain-wide haveibeenpwned alerts by verifying domain ownership via TXT records, and you don't have to worry about the service going out of business in 2 years.

After going through my password manager last year and changing as many logins and emails as I could, I've found several services that have sold my email address to third parties and one that was hacked. It's a relief to know I don't have all my proverbial email eggs in one basket.


> IMO if you're really concerned about anonymity and securing your email from credential-stuffing, and willing to pay for such a service (I used to pay for 33mail), it's easier to just buy a domain and route * to your inbox.

I've been doing this for years and I usually use the domain I'm signing up for as the address. Beware tho some people get really confused by how email works. I was requesting quotes for a home improvement project and I've had employees at these companies think I was either friends with the owner or that I hacked their email.


It gets super awkward when you have to read the email aloud. My optometrist spent five minutes trying to explain that they wanted my email when they tried to transfer a prescription from Warby Parker.

"My email/username for Warby Parker is 'warbyparker.com@...'"

"No, they need your email, not theirs."

"..."


I solved this by only including a unique prefix of the website, like "warby@example.com".


"oh, so you're an employee?"

Got asked that once after specifying sixt@mydomain when renting a car


"Sure, I'll take the employee discount."


Forget about that, way too advanced!

I had a customer support on the phone insisting I was not giving them a valid email. “It should have something like @gmail.com or @yahoo.com”.


I have an "in-person catch all" address which is a different variation of my name @ my domain than my main inbox. Even that is enough to trip up the occasional hotel counter staff or similar when my name is in the domain rather than gmail/yahoo.


There's no real need to use a name that actually matches the sender. Choose a random word; it's easy to identify later -- from the first mail to your inbox from that address.

You'll still be able to filter on it, or know if anyone sold your address for spam, or be able to abandon the address if you need to.


> it's easier to just buy a domain and route * to your inbox

There is the caveat of the domain getting into the wrong hands, if you look long enough down the road. What if you die, or simply can't afford to renew the domain well into the future? I know if I could look down from heaven after I die and saw someone re-registering my dropped domain, I would be furious!

Then there is the issue of even when you're alive, you could simply refuse to renew for whatever reason and the domain is suddenly someone else's.

MarkMonitor and Epik are the only companies that I know of that can safeguard against this. Epik has so-called 'forever domains' and ensures the domain stays active well into the future.


I gave this some thought and decided it's actually worse with gmail. If google decides they don't like me, they can kill my email and I would lose access to pretty much everything.

But if my custom-domain email provider closes shop, I can at least take my domain with me.

You have a point though, I should just prepay for the next 10 years of my domain, and set myself a reminder to renew in 9 years :-)


Renewing a .com for the maximum 10 years in advance is a bit of a trap, because to transfer the domain to another registrar you have to buy at least one additional year... which you can't do if you're already at the 10 year limit. If your registrar pulls a GoDaddy and you want to move away you might find yourself having to wait up to a year.

There might be similar caveats with other TLDs but I only have experience with .com


Good point. I'll make sure to keep mine registered 9-years out from now on.


"pulls a GoDaddy"

I think we are at the point that a noun becomes a verb to say how good or bad (GoDaddy's case) something is!


It's just a domain, man, chill, don't let it drag you down. Why should you feel so strongly about transient things? It's just a name...


They have a point though, when you rely on a domain you’ve gotta be cautious. If I buy your domain when you forget to renew it I can then do password resets against any accounts you used an email on that domain with.


It would be nice if web services offered an option to disable this misfeature per account, or better yet offer to upload the user's PGP key and encrypt all outgoing email with it, incl. the password reset email.


I think Facebook (surprise surprise) offered a feature like this. I no longer use it and don't know if my memory serves me right.


Do you have more info on the 'forever domain'? Are they actually guaranteeing the domain forever or is it just as long as Epik exists?


> do you have more info on the 'forever domain'?

https://www.epik.com/forever/


It is probably a non-issue but one downside is that if people realize that you are doing this they can just pick a new "user" and reach you even if you have blocked their original address.

It would be interesting to do something like this with signatures. You could generate new addresses "on the fly" by picking a prefix and signing it. Then you can use this email and it can't be modified in a way to generate a new valid email.

For example you could have walmart-oaiua83n@yourdomain.example and they couldn't just change it to goodcompany@example.com.
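
The signed-prefix idea from the comment above, as an added example (not code from the thread or from any mail service): the tag is a truncated HMAC-SHA256 over the prefix and domain, so a sender who edits the prefix cannot produce an address the mail server will accept. The key, the 8-character tag length and the function names are assumptions.

```python
import base64
import hashlib
import hmac
from typing import Optional

TAG_LEN = 8  # assumed: 8 base32 characters = 40 bits of the MAC


def _tag(key: bytes, prefix: str, domain: str) -> str:
    """Truncated HMAC-SHA256 over the normalised prefix and domain."""
    msg = f"{prefix.lower()}@{domain.lower()}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b32encode(mac).decode().lower()[:TAG_LEN]


def make_alias(key: bytes, prefix: str, domain: str) -> str:
    """Build '<prefix>-<tag>@<domain>' for a freely chosen prefix."""
    if not (prefix.isascii() and prefix.isalnum()):
        # Keep '-' out of the prefix so the tag is unambiguous when parsing.
        raise ValueError("prefix must be ASCII letters and digits only")
    return f"{prefix.lower()}-{_tag(key, prefix, domain)}@{domain.lower()}"


def verify_alias(key: bytes, address: str) -> Optional[str]:
    """Return the prefix if the address carries a valid tag, else None.

    Intended to run at delivery time: addresses that return None were not
    generated by the key holder and can be rejected.
    """
    local, at, domain = address.rpartition("@")
    prefix, dash, tag = local.rpartition("-")
    if not at or not dash or not prefix:
        return None  # no tag at all, e.g. goodcompany@yourdomain.example
    expected = _tag(key, prefix, domain)
    # Constant-time comparison so the check does not leak tag bytes.
    if hmac.compare_digest(tag.lower().encode(), expected.encode()):
        return prefix.lower()
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; use a random secret in practice
    alias = make_alias(key, "walmart", "yourdomain.example")
    forged = "goodcompany-" + alias.split("-", 1)[1]  # same tag, new prefix
    print(alias, verify_alias(key, alias))
    print(forged, verify_alias(key, forged))
```

A 40-bit tag keeps the address short but only resists guessing if the server also rate-limits or logs rejected recipients.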


I do this with my email, and it's definitely a non-issue. The problem is not people but processes - automated spam and the like.


Agreed. I do this and even without any good spam filter, my spam is down to at most 2 a week. The reason behind this is that most companies that exchange data use email/phone number as a unique key.

(I use fastmail to host. This is the only reason I can't use Hey yet.)


I would do something like that but with a simple rule/cipher that can be computed mentally and is not completely obvious at first look. Like a shift cipher of the first two characters of the name:

wolmart.yq@example.com

w+2 = y and o+2 = q


I was thinking that you would have a browser extension or bookmarklet but yes, you could definitely get away with something simpler.


How on earth is that anonymous? All of your emails are on the same domain, and nobody else is using that domain. As soon as I see an email @jamesboehmersdomain, I know that it belongs to jamesboehmer.


You're right, it's not 100% anonymous. But my name's not in the domain, and I use WhoisGuard with my registrar. It's reasonably effective, cheap, and a low effort way to deflect the bots and identify suspicious activity.


This could be more easily done by simply signing up for gmail with an address that doesn't contain your name.


7786655's point was that the custom domain is not perfect anonymity because if someone knows who owns the domain, then they know the owner of every email. If someone discovers my pseudonymous gmail account, then the same problem exists. But perfect anonymity was never my goal.


You buy some cheap domain for this purpose. Certain TLDs go for real cheap (~$2/year).


I wouldn't tie my entire digital identity to whatever's cheapest if I could avoid it.

In my case I use my CC TLD. I'm in a generally stable nation that follows the rule of law and the administrator of the CC TLD has all sorts of processes in place that I have access to as far as regaining control of the domain if it's inappropriately transferred, making appeals, etc.

The extra $10 or so a year this costs is very much worth it to me as basically a form of insurance.


What TLDs are those?


https://tld-list.com/

Sort by cheapest renewal.

For example, you can register and renew a .feedback domain for $1.49 a year.


Like Hamuko said, there are domains like .party, etc that are cheap. However, some sites won't take them. My main junk account is a wildcard .party domain. It'll work with most sites, but the odd one won't take them. I ended up registering a .com that goes to the same inbox to get around these.


Another issue is that unless one also gets a new IP address for the mail server, it might be possible to associate the real domain with this "anonymous" one.


My experience with email in general has been so exhausting. This year I finally set up a new email address at a custom domain (with * catchall), but what I've found is that I'm afraid to give it to anyone. Right now I'm using it to communicate with like 3 people and it feels so nice.

I may use the * in the future for custom emails for groups of concerns (jobs@domain or applications@domain, hn@domain, banking@domain), but I'm worried it will just add to the heaping mental overhead I already experience when working with email (what was my address I use for this again...?, etc). I can't help the feeling that it's just a matter of time before it starts to look like my original email account where even unsubscribing from things seems like a labor of Sisyphus, but this time with the added noise of it going to an email naming system I've lost control of.


With my catchall, I use one address per site. If they sell it off or whatever, I block the old one, update it on the site (e.g. hn2@blah.net)

They're all tucked away in your password manager anyway, so there isn't any effort or tracking needed.

I've had this system for about two years now and have yet to receive any junk mail with the new domain.


I do the catchall thing too, but Migadu has an API for creating aliases... I think it'd be pretty cool to create a little script to generate random aliases and keep track of them.


Sending email from your own domain is anything but easy. You need SPF, DKIM and DMARC at minimum. Are you going to host your own mail server? No one will accept your emails. Will you use sendgrid or postmark or SES? Enjoy having your emails (especially in the beginning) randomly end up in spam folders or worse completely quarantined (no bounce, nothing in spam folder) for various large institutions using MS Forefront.

Sending email is complicated.


Owning your own domain name for email and running your own email server are two completely different discussions. The first is recommended while the second is not.


This sure was the case before, and I'm likely in my own bubble when I say this. I think many spam filters are nowadays very good. SPF+DKIM+DMARC setup makes a huge difference. I have a small server that occasionally sends emails, and I never had a problem with emails ending up in spam.

The IP reputation matters a lot, followed by the content itself. I don't think email recipient servers downright mark all lesser known senders as spam.


I send only transactional emails (confirm email and so on, no newsletters, you can't say I'm spamming people - I suck at follow ups) and while Gmail and other free email providers work just fine, it's the institutions where you start with negative reputation it seems and have to work to earn the right to send email to users who asked for it.


Using your own private domain does not give you the same level of anonymity. Your domain name becomes a globally unique identifier that companies (and once leaked, anyone) can use to fingerprint your activity online.

(Source, I run https://owlmail.io and this is a common question.)


Are you guys looking to launch a premium plan? Or how else do you plan to stay alive?


Yes, I will be launching paid plans.


I do something like this too except the aliases are manually created. I went one step further and made an optional learning period for addresses so anything from a previously unseen sender address after x days is dropped. I also added an optional lifespan to the address so it is only valid for Y days.


I have a similar setup, but use it on a subdomain, e.g. *@sub.example.com

This makes it harder to just randomly spam <anything>@example.com because you need the subdomain, which is what spammers do - just randomly generate local parts that might exist. info, john, sales, etc.


This is a good way to get a ton of spam from bots who try every word @yourdomain


I've used a catchall domain for 10 years or so, never got any botspam like that. Only thing I got sometimes was spam to info@domain, and this can be easily ignored.

Do those bots really exist? I would think the TLD I use is just not interesting enough for them, but it's from a big country.


Yes, they did exist. I stopped using catchall because of them. It's not as common these days, looking at my postfix log. Though some large spammers were shut down a few years ago. I saw a sharp 60-70% drop in spam volume when that happened. So maybe someone who was doing this dictionary search gave up or was shut down too in the recent past.


I have this regularly. My catch all gets emails from a bot that tries common first names at my domain, but sometimes really weird ones as well, seemingly random such as a23ssaaaa@example.com


I like the way Fastmail handles this. Your normal email is user@domain.tld, and you can configure the service to also treat emails to <anything>@user.domain.tld as having been sent to you.

I have never seen bots try random addresses on a subdomain.


This is exactly how I use Fastmail. Every newsletter/new account has a dedicated email address that is an alias to my primary fastmail address, based on a custom combination.

That way, it’s super easy to know which service is actually either spamming me, or leaked my email address.


How do you configure this? I assume I need to create a catch-all alias for this to work. I added *@domain.tld but when I send an email to test@user.domain.tld, it bounces.


This is an interesting reminder... I've been using catch-all on @mydomain for at least 15 years, and I went through a phase where I'd get a lot of random strings @mydomain. I set up dummy honeypot@mydomain accounts and added a lot of crap as aliases so they'd get tucked away in a disabled account. (I also do that with any "valid" email addresses that start to get spam.) It was a pain in the butt, but it also stopped quite a while ago. With newer domains, I tend to see stupid common ones like "info", "postmaster", etc. getting spam, but haven't seen the random gibberish ones.


Do people not already get their primary inboxes flooded with spam anyway? I've found my email provider's spam filtering pretty good anyway, it hasn't been an issue.


The age of your email address is a big factor. Both my work and personal (custom domain) addresses have been active for over 20 years. I’d say 85-90 percent of what I get in my inbox is spam, despite Google and Microsoft “ML filters” in place.

Most of this is “tech salesperson” spam or corporate newsletter type stuff. But they bought my email address, and are sending unsolicited mail, so I report it all hoping to harm their reputation with Google and Microsoft.


You can still have spam filters and block lists.


> route * to your inbox

This is a terrible solution. Updating aliases takes a few seconds, you can even shorten this time by creating a simple script adding the new alias and updating the aliases db.


What's bad about it? Been doing this for more than a year now and I've not encountered any problems. I've had catchall emails for every domain I own for 20 years or so and the worst I get is cold sales emails to info@ and sales@.

If I want to block an incoming address it's a few clicks away, I've just never needed to because spam filtering works pretty well. Perhaps that might change some day and I'll switch to a whitelist approach.


Sending email reliably is a nightmare.


What do you use for email hosting?


I'd rather not say. I imagine it shouldn't matter though. Plenty of email providers allow custom domains and configurable routing.


And what happens when Firefox decides to drop this option 1-2 years into the future? I reckon they'll give time to change the email address on all the pages one used it for, but still...

nvm, it's in the FAQ:

"What happens if Mozilla shuts down the Firefox Relay service?

We will give you advance notice that you need to change the email address of any accounts that are using Relay aliases."

Note that one cannot reply using this service (yet). So the whole anonymity is gone as soon as one wants to contact some service without disclosing the real address (?)


Howdy. I'm the tech lead on Relay. We're working on replies right now:

https://github.com/mozilla/fx-private-relay/pull/770


While you're here, can you test the relay dashboard (where you can create aliases) on Firefox for Android 84.1.4? The scroll is incredibly sluggish, I don't know what scroll effect you added but please have a look. It's a bit unfortunate for a Mozilla service ^^ I can provide you a screen capture if needed.


Can you file that here so I don't forget?

https://github.com/mozilla/fx-private-relay


> And what happens when Firefox decides to drop this option 1-2 years into the future?

The same thing if any other company did it. That said, I do hope they'll offer an option to pay for more email relays which could also ensure its viability. Having 5 relays for free is nice, but I'd personally use a unique address per service.


I'm probably going to use it for "throw-away" email. As in, I just need to receive a link right now so the service thinks they have my real address, after that the alias might as well be trashed.

The only thing I'm worried about is that this domain will soon be blacklisted by services (especially those I don't want to give my email address to).


For that use case you can just use a temporary email provider like temp-mail.org which are harder to blacklist since they have a lot of random domains.


Firefox Relay seems easier to use, thanks to the one-click generated emails by the browser extension and the fact that the emails arrive in your actual inbox. But I agree that the domain is going to land on all the blacklists -- I hope they implement alternative domains for this reason.


Yep I often use "ten minute mail" for this too.


I do miss Firefox Send.


Same. I have been using Tresorit Send [1] and Visée's (developer of ffsend CLI tool) Firefox Send instance [2] in the meantime. Visée is also looking for donations [3] to support hosting of that instance.

[1] https://send.tresorit.com

[2] https://send.visee.com

[3] https://gitlab.com/timvisee/ffsend/-/issues/100#note_3763163...


The correct URL for the Firefox Send instance is https://send.vis.ee/


Thanks for mentioning Send and ffsend!

Yeah, the instance is available at: https://send.vis.ee/


https://news.ycombinator.com/item?id=25524472 is certainly not a complete replacement, but most of the time I used it locally so that would work.


I miss it too, it was so convenient. I use https://transfer.sh instead.


It's nice that they are being transparent about it.


Founder of Owl Mail [https://owlmail.io] here. It's easy for me to promise Owl Mail will not shut down without significant advanced notice (hopefully that never happens, but if it does I will provide a clear transition plan for all users).

As a token of confidence, I've moved all ~150 of my online accounts (including all banking, financial, and healthcare accounts) to Owl Mail – it needs to exist for my life to operate smoothly.


From your home page I get the impression you only support having generated @owlmail.io email addresses. Is that accurate?

Does your system track which online service gets which email, or do you track that yourself in a password manager?


1. Yes, only @owlmail.io domains for now. But, Owl Mail will allow for custom domains soon.

2. An upcoming feature will enable the creation of sender 'allow' and 'deny' lists for each Owl Mail address (With default sender 'allow' lists for top sites). Currently I track my account credentials in a password manager. A browser extension is also on Owl Mail's roadmap.


You usually don't need the address you registered some account with to change account email to something else.

Services usually just verify you control the new email address.


Just a proper email provider that offers these features. Fastmail, GMX, ...


Will be added to the list of domains people cannot use to sign up for accounts. In my experience, this only works on small sites.


In my experience it is the other way around.

Big name websites generally have enough users that email "just works". Smaller websites are more likely to use misguided measures such as a bad email validating regex (hello to anyone with a non-standard TLD!), only allowing gmail, or blacklisting domains like these.


One time email domains and email forward services are usually blocked, there are very long block lists for such domains.

From my personal experience it is best to have a secondary email account on a provider that is usually not blocked (like gmail), to keep your primary email account clean.


+1, and ironically I remember seeing both "must use Gmail" and "must not use Gmail" in the past...

The only correct way to validate email addresses is to just send a message there and see if the user can click the confirmation link.

Chances are that would be the next step in any signup flow anyway, so why introduce this artificial middle step of "validating the email address"?


> use misguided measures such as a bad email validating regex

Ever heard of Magento? They have that built in, at least in version 1. But it's a fixed list with "valid TLDs", anything not on that is not accepted when registering.

Feels strange, when you can't register on your own shop...


I use a .dev domain for my main email address, and I occasionally encounter sites that don't accept it as valid. Even worse, sometimes I could create an account but then something would be broken, such as when I could log in to Best Buy via their mobile app, but not their website (or vice-versa—I can't remember for sure). I'm assuming I get hit both by incomplete whitelists and ill-advised blacklists.


I have a .family TLD as my primary address that gets refused because of bad regex half the time and consigned to spam the other half :(


I've always been extremely annoyed by these attempts to "detect fake email addresses/accounts".

People can have more than one email address, so if your goal is "one account/offer/trial membership per real person", email ain't the way to achieve that, period.

Even worse are sites that disallow registering via "freemail providers" and require you to "use your ISP's or employer's". (Haven't seen this one in a while, but it definitely used to be a thing.)


The goal isn't to have one account/offer/trial per person, the goal is to ward off bots and spammers who are going to misuse your service. Since they know they are doing that and they know they could be held liable for what they do, they use sketchy disposable email addresses.

My sites and apps have a blacklist and we don't allow email accounts from those. It's just me running this thing. If I had the security and engineering workforce of even a mid-sized tech company, I wouldn't have to do this. Alas.


Agreed. Sites will just say, "relay.firefox.com" email addresses are not allowed. By definition they know it's not your real email address.


Only if Firefox makes it easy and free to create unlimited addresses and/or disposable addresses.

I use owlmail.io for hundreds of accounts (major sites included) and haven't had an issue.


I encourage you to instead try out https://forwardemail.net. I'm launching our browser extension and our SMTP service very soon. It's completely open-source and free. No logging either. We're the only service that doesn't write emails let alone logs to disk nor store any metadata.

You can use unlimited custom domains and create disposable aliases on the fly as well!

(I'm the creator, lmk any questions!)


Should always use two or more of such services in a cascade to generate a mix network for true anonymity. Wait: The E-Mail forwarder would actually need to remove the To: fields to support this...


The future was here: https://www.mixminion.net/


Hi niftylettuce – I'm working on something similar – Owl Mail [https://owlmail.io].

I've discovered some cool new products in this thread and Forward Email looks great. I'm glad there are other people out there working on solving this problem!


> “Unlike other services, we do not keep logs nor metadata, never read emails, and are 100% open-source.”

So how do you prevent abuse?


I created tools such as https://spamscanner.net and use ARC + ARF.


I'm familiar with DKIM and SPF, but haven't come across the acronyms ARC or ARF before?


Super easy to set up, thanks!


Awesome! Just signed up for the free plan and looking forward to this browser extension.


I assume emails @relay.firefox.com will be banned from every form in a week or two, the same way @yopmail.com is?


My thoughts exactly. I've even run into sites that don't allow Tutanota.


That was the very first thought that popped into my head.


I generate long completely random aliases also for another reason: to help with phishing detection.

I store aliases in DB along with a short description of to whom they were issued, and some extra flags. My mail client then highlights emails sent to these aliases in green color and shows their description instead of the alias itself in the "From" column of the message list.

I always give random aliases to online services, eshops, shipping companies, etc. These private aliases will never receive SPAM, or phishing, unless leaked by the company.

Anything that looks like a transactional email from some service, and is not sent to private alias, just gets deleted right away. It's not even worth opening, no matter how good it looks.

And I can keep my phishing guard up on much lower volume of green emails. It also makes whitelisting transactional email easier, without allowing random SPAM to the Inbox, because filtering based on the "shared secret" per company delivery address will allow in all important email from the company, regardless of how or from what address it was sent.
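
The alias database described in the comment above, as an added example rather than the commenter's own script: random aliases are stored with the name of the party they were issued to, and incoming mail is triaged by the address it was delivered to, not by its sender. The schema, the use of the `Delivered-To` header as the delivery address, the `mail.example` domain and the name-matching heuristic for "looks like it is from a service" are assumptions; the sample messages are constructed.

```python
import secrets
import sqlite3
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "mail.example"  # assumed catch-all domain


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alias (address TEXT PRIMARY KEY, "
        "issued_to TEXT NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def issue_alias(conn, issued_to: str) -> str:
    """Create an unguessable alias and record who it was handed to."""
    address = f"{secrets.token_hex(10)}@{DOMAIN}"  # 80 random bits
    conn.execute(
        "INSERT INTO alias (address, issued_to) VALUES (?, ?)",
        (address, issued_to),
    )
    return address


def revoke_alias(conn, address: str) -> None:
    """Mark an alias as leaked; later mail to it is no longer trusted."""
    conn.execute("UPDATE alias SET revoked = 1 WHERE address = ?",
                 (address.lower(),))


def triage(conn, raw: str):
    """Return (verdict, issued_to) for one raw message.

    private    - delivered to a live alias; show issued_to to the user
    revoked    - delivered to an alias that was marked as leaked
    suspect    - names a known service but did not arrive on its alias
    unverified - ordinary mail to a non-alias address
    """
    msg = message_from_string(raw)
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("Delivered-To", []))]
    for rcpt in rcpts:
        row = conn.execute(
            "SELECT issued_to, revoked FROM alias WHERE address = ?", (rcpt,)
        ).fetchone()
        if row:
            issued_to, revoked = row
            return ("revoked" if revoked else "private", issued_to)
    # Not on a private alias: does it claim to come from a known service?
    claimed = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    for (issued_to,) in conn.execute("SELECT issued_to FROM alias"):
        if issued_to.lower() in claimed:
            return ("suspect", issued_to)
    return ("unverified", None)


def demo():
    conn = open_db()
    shop = issue_alias(conn, "Example Shop")
    # Constructed sample messages.
    genuine = (f"Delivered-To: {shop}\nFrom: Orders <noreply@mailer.invalid>\n"
               "Subject: Your order has shipped\n\nbody\n")
    phish = ("Delivered-To: me@mail.example\n"
             "From: Example Shop <billing@shop-support.invalid>\n"
             "Subject: Payment failed\n\nbody\n")
    other = ("Delivered-To: me@mail.example\n"
             "From: A Friend <friend@person.invalid>\nSubject: Lunch?\n\nbody\n")
    results = [triage(conn, m) for m in (genuine, phish, other)]
    revoke_alias(conn, shop)  # the shop leaked the address
    results.append(triage(conn, genuine))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The genuine message is accepted even though its sender address has nothing to do with the shop's name, which is the "shared secret per delivery address" property the comment relies on.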


Can you share your script for that?


Services like this usually get banned by a lot of websites for various reasons. One solution could be to rotate domains from time to time, but I doubt they're gonna do this.


Firefox is a bit like Google. They roll these out and then a year later they kill them. Looking at you Firefox Send. So I'll pass.


To be fair to Firefox, the only reason there is such a high rate of churn with their services is that they are trying to preserve their mission in the face of competition with Big Tech giants like Google. The more you support Firefox, the more likely it will be that this service will stick.


> Firefox Send

What a letdown to see this service so quickly retired.


Here is the list of permissions the extension requires:

- Access your data for all web sites

If even the browser vendor can't do better than requesting access to everything I'm not surprised that we end up with extensions being sold and abused (for their permissions).


(Relay tech lead here)

Yeah, the all_urls add-ons are always concerning. We have an issue filed to move that to optional_permissions instead, but need to get the UX right:

https://github.com/mozilla/fx-private-relay/issues/252


I would like to see these extensions only activating when I click them on toolbar.

Most extensions I could consider are only needed for few pages.


As a developer, I can say that this is maybe possible, but not easy. Because so many things have to be hardcoded in the manifest, the code and UK gets complicated and messy quickly if you try to workaround to provide both ways.


> Firefox Relay supports email forwarding (including attachments) of email up to 150KB in size

> Any emails larger than 150KB will not be forwarded.

I'm not sure what to think of the size limitation. I wonder what percentage of emails are under that.


They're probably going to remove this restriction as part of payable services.


I have been using AnonAddy[0] for this, with great results. I initially used Firefox Relay, but switched to get more than 5 aliases. AnonAddy also recently added support for replies.

[0] https://anonaddy.com/


Discovered AnonAddy (which my friends and I call AnonDaddy) last week and I'm in love. The reply function works perfectly. I cannot stop suggesting it to people.

Unfortunately HackMD rejects the anonaddy.com TLD, so I've had to use my "real" address there, but so far everywhere else it works fine. A clever friend realized you can register a new github account with an anonaddy address and use that to connect to HackMD. Smart.

Great service. Free tier is great. Will probably end up paying and adding my own domain for the odd site that rejects theirs.

The only feature I'd like is greater bandwidth allowance per month on the lite plan. Current limits are 10MB per month free tier, 50MB on $1/mo lite tier, and unlimited on Pro. But fair enough.


Seconding the recommendation.

One of the best things about AnonAddy is that it allows you to create aliases on the fly. So, I hardly even need to visit their website, browser extension or anything.


I thought support for replies was available for a long time. Happy SimpleLogin [1] customer here, which has a pricing similar to that of AnonAddy's highest tier.

[1] https://simplelogin.io


Looks like it came out Feb last year[0], so it has been out for a while. I just learned about it recently.

[0] https://anonaddy.com/blog/sending-email-from-an-alias-and-up...


This looks great. What I couldn't easily find for any of these services was a comparison with just using a catch-all address. I already have that in place. What sold SimpleLogin and AnonAddy for you?


Ages ago I used "Bigfoot"'s free email forwarding for life. Which turned into a subset of email with limitations, fees, ads, and eventually shutdown.

Later I had my own domain, and did the address-per-site thing. Which was an absolute nightmare to undo when I sold the domain (grepping thru the raw self-hosted mbox and logging into and changing my email on hundreds of sites), although it was a great excuse to get going on using a password manager.

At this point I could use "plus addressing" at Fastmail (e.g. amazon+me@domain.com), but I find the endeavor pretty pointless. My spam is low, and I never once found it especially valuable to be able to identify or isolate an offending domain.

I don't expect that Firefox will go "full Bigfoot" on this one in terms of ads and fees but shutdown is a PITA risk. I would personally only use this kind of stuff for genuine one-offs where anonymity is paramount (read: probably not at all).


Another option for an email relay service is the venerable Spamgourmet[0]. I'm a long-time user (a decade at least) and according to the site "Your message stats: 11,298 forwarded, 27,539 eaten. You have 172 spamgourmet address(es)." I haven't had too many problems with the service, mainly the problems are with third-parties that block the spamgourmet.com domain but there are alternate, more obscure domain names that can be used (such as @xoxy.net IIRC).

There are plusses and minuses to SG, but it's free as in beer and if your Perl and ops chops are in good shape the code is available for self-hosting. The hosted service does not support bringing your own domain but has other nifty features that might appeal to HN power users. Worth a look if you're in the market for this kind of thing.

[0] https://www.spamgourmet.com/index.pl


Since Firefox has partnered with Amazon (SES) to filter spam, does it mean that Amazon can read our emails too?


(Relay tech lead here)

It's in the privacy policy (https://www.mozilla.org/en-US/privacy/firefox-relay/), but yes - the emails are sent thru Amazon SES in plaintext.

We have kicked around the idea of enabling + preserving E2EE emails thru Relay, but ... it's tricky.

https://github.com/mozilla/fx-private-relay/issues/360


I've set something like this up with Google Domains + Gmail for free (well, the yearly cost of the domain, but yeah)

I was able to set up alias emails in my Gmail & have all emails from a particular domain forward to my domain as well.

Then went with a password manager & changed all my email addresses to my own domain with specific relays (amazon@ netflix@ etc etc)

Works really well for ~12/year!


This gives you the benefit of disable-able email addresses, but not the benefit of privacy. Those companies (and once leaked, anyone) can use your custom email domain as a fingerprint for your online activity.

(Source, I'm the creator of Owl Mail [https://owlmail.io] and this is a common question.)


Interesting. Curious: how is that any different than if owlmail gets leaked?


If you give your personal email address to hundreds of services online, one of them is bound to sell or leak your email.

By using Owl Mail (or Firefox Relay, etc.) addresses everywhere, you reduce your attack surface to one security-fastidious company.

And, even if Owl Mail (or Firefox Relay, etc.) were to experience a data breach, at least it would greatly increase the effort required to match emails to your identity.

To really protect yourself, use a double relay!

  External -> Relay 1 -> Relay 2 -> Your Inbox

Then you will have some serious resilience :D


Oo, I like that! Really good point there.

Also, I think one thing you should look into as a natural evolution is promoting the use of auto-generated, secure passwords unique to each relay address.


How is Owl Mail funded?


There will be paid plans.


I like the idea. But relay.firefox.com could have been shorter. I suppose it doesn’t matter here because the extension is supposed to roll you a new one and paste it in. But I’d like a service with a shorter domain for reading to people over the phone or at a store, double especially when it’s a throwaway anyhow.


If domain succinctness is your dream, have a gander at Owl Mail [https://owlmail.io].


In particular, the two dots after the @ are probably going to be blocked by many validation regexes.
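The failure mode described in the comment above, as an added example that is not part of the original thread: three constructed validation patterns (illustrative, not taken from any real site) run against constructed addresses in the shapes the thread discusses, showing which address forms each over-strict pattern rejects.

```javascript
// Constructed validators for illustration; names and patterns are assumptions.
const validators = {
  // Allows exactly one dot after the "@", so any subdomain address fails.
  singleDotDomain: /^[A-Za-z0-9._-]+@[A-Za-z0-9-]+\.[A-Za-z]{2,}$/,
  // Allows subdomains but forbids "+" in the local part (plus addressing fails).
  noPlusLocalPart: /^[A-Za-z0-9._-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$/,
  // Permissive: one "@", non-empty local part, one or more dotted domain labels.
  permissive:
    /^[^\s@]+@(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$/,
};

// Constructed sample addresses; the local parts are made up.
const samples = [
  "abc123@relay.firefox.com", // relay alias: two dots after the "@"
  "netflix@sub.example.com",  // catch-all on a subdomain
  "amazon+me@domain.com",     // plus addressing
  "warby@example.com",        // per-site alias on an own domain
  "not an address",           // should fail everywhere
];

// Names of the validators that reject the given address.
function rejectedBy(address) {
  return Object.entries(validators)
    .filter(([, re]) => !re.test(address))
    .map(([name]) => name);
}

// Map of every sample address to the validators that reject it.
function report() {
  return Object.fromEntries(samples.map((a) => [a, rejectedBy(a)]));
}

console.log(report());
```

A signup form using the first pattern silently locks out relay and subdomain catch-all users, so when auditing form validation it is worth testing with an address of each shape.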


Is this something similar to https://simplelogin.io/? If it is, simplelogin is a self-hostable solution. If you're really worried about privacy, this would cut out the possibility that Mozilla might be reading your messages.


I installed the extension. Turns out you only get 5 aliases which makes it kinda useless.

Also, it seems to forward to the address associated with your Firefox account (which could end up at a mail provider you don't want the relayed emails to go to).

I'll stick with my own *@sub.example.com forwarding setup instead.


Cool, the source is available: https://github.com/mozilla/fx-private-relay

Edit: I've previously claimed it to be open source. But there's no License currently that would indicate that.


Source available, at best, not open source. Licence is missing in both the code and in the terms page [0] unless I am going blind.

Edit: if I am going blind, I am not the only one [1]

[0] https://www.mozilla.org/en-US/about/legal/terms/firefox-rela...

[1] https://github.com/mozilla/fx-private-relay/issues/773


package.json lists it as MPL at least: https://github.com/mozilla/fx-private-relay/blob/18d491db346...

Hopefully they make it clearer


You're right. I've updated my comment accordingly.


(Relay tech lead)

Oops, thanks for catching that. We'll add a LICENSE file.


I built Owl Mail [https://owlmail.io] to solve this same problem. I think you will find Owl Mail a fast and easy to use alternative to FF relay.

Congrats to FF Relay – more products in this space will be a win for better privacy online :)


Why Mozilla can't launch a freemium email service is beyond me.

Free email with Firefox domain. Paid with custom domain.


From Wikipedia:

> In 2006, the Mozilla Corporation generated $66.8 million in revenue and $19.8 million in expenses, with 85% of that revenue coming from Google for "assigning [Google] as the browser's default search engine, and for click-throughs on ads placed on the ensuing search results pages."

I don't think Google would like it.


This is most likely due to the enormous capital needed to start such a service. I suspect if they were successful it would be all-paid at first.


I'll pay Mozilla and based on prior discussion on HN, I'm sure a lot of people will pay Mozilla for a paid email service just because of their reputation.


I don't know. It's so easy to just create a random Gmail address and forward email from it. Maybe this makes it easier, but Gmail is one of the few Google products that I feel pretty confident will be around for a long time.


One still has to enter a mobile number to sign up for that Google account. But the larger difference is, that account would still be a standalone email address, which just happens to forward to your main Gmail address. But Firefox Relay (and similar products, like AnonAddy and SimpleLogin) are alias services. The idea with these services is to create addresses that can be immediately blocked, if they get into the hands of spammers. I am a happy SimpleLogin customer, and have made as many as 200 addresses. AnonAddy is a great start too, for those that need unlimited addresses. Both allow responding from those addresses, while AnonAddy's count is less.


Yandex Mail [0] is a better choice for this than Gmail. It also asks for a phone number to validate, on sign up. But there's a box you can tick which says something like "I don't have a mobile phone" and then you can validate with a Captcha instead.

[0] https://mail.yandex.com


Ah, okay. Those are fair points.


There's a self-hostable alternative called Inboxen (https://inboxen.org/). I haven't gotten around to setting it up yet, unfortunately.



The concept is similar. But Apple only provides this feature on sites that implement "Sign in with Apple". Firefox Relay allows you to create these relays on the fly, ad-hoc to put into any email field on the web (like sign up for my newsletter fields).


Is there something like this privacy oriented for phone numbers?


I've looked into building this for phone numbers. The main problem is that phone numbers are expensive to own.

All the solutions that exist "rent" you numbers temporarily so that prices are reasonable.


That's nice and convenient, Mozilla, but Firefox the browser is an essential piece of software at this point. How about focusing your precious cash on that?


Essential, but maintaining a browser in the face of enormous competition from Google and Microsoft is tough. If you support Firefox with these new endeavors, you are helping preserve the browser as well. Since times are changing, Mozilla must either adapt or be out-competed.


How, exactly?

I'm happy to donate to Mozilla. If the money is spent on FF.


It's the same logic by which NGOs send physical mail and even small gifts like greetings cards and personalized stationery encouraging people to donate again:

That's not what I'm donating to an NGO for, but if doing so nets them more donations usable for their causes in the end, that's something I can get behind.

If Mozilla can find ways to generate additional income that also align with their values and don't put them into conflicts of interest, I can get behind that. (The management isn't exactly known for frugality and excellence in resource allocation though, so I'm taking it with a grain of salt.)


Good luck when this service goes down. But otherwise: Sounds great!

Questions:

1. Is this new?

2. Why just 5 relays? How can I get more?

3. Is something like that available from 1Password? Would be a great addition.


1. No, been around for over six months. Possibly longer, but I got access sometime between June and August.

2. That may be a good question for developers at #firefox-relay:mozilla.org (Matrix room)

3. It has come up in a few tweets in the past, but 1Password does not seem to have any plans for now. I use SimpleLogin browser extensions, and 1Password neatly picks up that alias address from my signup form.


Might be worth checking out Owl Mail [https://owlmail.io].

A few bonuses:

• Larger attachments, 5MB + some wiggle room depending on the message size.

• Replies (single and multi-party) in beta.

• More addresses (a generous free tier, paid plans on the way).

• Fast and simple UI.


So, the same idea that is https://sneakemail.com ?

(happy user for like 12 years?)


Limited to 5 aliases? GTFOH, even AnonAddy offers more than that...


Looks similar to Bigfoot in the late 90s & 2000s


So this is like a VPN but for email?


Where's the pricing page?


I don't consider my email to be valuable enough to be hidden. I don't use email at all other than to do very mundane tasks.


I once saw a comment on an auction on a yellow commode someone was advertising. It read "No thank, I am looking for a blue one".

Your comment made me think of that.



