
> It's important to treat the wider non-technical community with respect and as adults capable of making their own judgements and not as kids who need to be scared into safety.

I think the technical community gets particularly worked up over email security for the same reason that many scientifically literate people get violently angry at the anti-vaccination crowd. Being lax about vaccination requirements can compromise herd immunity, just as allowing other people to hand over their email credentials can potentially compromise my email security if I ever have to communicate with them.

In this case, I think the technical crowd is largely justified in their outrage. Even though any adult should be able to exercise their own judgement, they're not making their decision in a vacuum. Their decision affects others, so those who care have a vested interest in encouraging them to choose wisely. There's a negative externality at play here.

Emails should (admittedly they're often not) be treated like postcards; they're not secure. They'll go over the wire in plaintext, they'll be read in public, etc.

Most businesses which actually require secure messaging will tend to use self-hosted web-based email (like most banks do), encrypted messaging (Salesforce Chatter, Reuters Messenger) or secure virtual deal rooms.

That's a straw-man. LinkedIn is attacking the human side of information security, not the technical side. They're going after email today because it happens to be everywhere.

Tomorrow's communication system could be leagues more secure than email, but if we don't put LinkedIn in their place now, we're signaling to them that they're welcome to try the same thing tomorrow (perhaps using PGP keys instead of login credentials). Even the most secure cryptosystems are worthless if you can convince a small subset of users to hand you their keys to the castle.

Obviously email today is pretty terrible and should be treated like a postcard, but it's the principle that I'm getting upset about. I don't want LinkedIn conditioning my mom and dad into thinking that it's reasonable to hand over your login credentials, because it most definitely isn't.

I agree that OAuth is a better solution, but more broadly on this issue, account/password sharing is pretty common in the business world because many services don't support multi-user access to accounts.
