Envelope next to time stamp of when a reply was posted?


#1

Never seen it before, isn’t clickable, is only on one post which doesn’t seem to have anything else special about it.

What is that?


#2

someone replied by email.

It’s a badge, I don’t have it.


#3

Someone replied to THAT post by sending the poster a PM?

That makes a lot of sense…thanks!


#4

Not a PM, an email reply to BB.


#5

How does one do an email reply to BB?

Does that mean the person sent or received an email, thanks to the receiver’s address being on the profile page? But how would the website know that?

Apparently I am now more confused!


#6

You can reply by email to the “you got this comment” email the site will send to you.


#7

And so then there’s a marker on this site that you did that off-site?

The more you know…thanks!


#8

I don’t know about the mark but I replied at least once before from my mail client. I actually wouldn’t want the marker. Poor opsec!

Update for Autocorrect madness.


#9

It’s not so much a security issue as a notification that because the reply was sent via email, it may have been delayed from the time the commenter actually replied (as emails sometimes are).


#10

I replied to this via email!!!


#11

I didn’t think you’d think of it as a security issue. That’s where my brain lives.


#12

Using it without knowing what it did would be poor opsec, maybe. It does serve a function though, on BBS.
What is your threat model in which knowing whether you replied via web or email blows your opsec?


#13

Still nobody with the champion badge eh?

https://bbs.boingboing.net/badges/27/champion


#14

This site is served over SSL. Theoretically, I can type a response here or send a private message without it being man-in-the-middled because of it. Email responses have no such protections.

So “knowing,” probably not so much but the act itself…


#15

Right. I thought you were referring to the marker showing up. Sending an email response very well could be bad opsec, but that’s on you, not the site. (Which I’m pretty sure we are both in agreement on.)

Seeing that posts are public anyway, aside from possibly altering a post, I can’t see much detriment. Maybe in the case of a lounge post, but still…


#16

Well, it gives insight into workflow, which is data exposure. :slight_smile:


#17

Not just that but email formatting is often… messed up. Because email. So putting the icon on the message tells you

Please forgive any formatting or typo weirdness, this was sent via email, probably by someone in a hurry on a mobile device.

See above @enso


#18

Dude, any time I type anything here on my phone, directly on the site, my error rate goes up 1000% because I have 45 year old eyes, big thumbs, and I’m usually walking at the same time. :slight_smile:

I’m not complaining. I didn’t even know the badge existed as it didn’t used to (I’ve replied by email in years past but only got the badge today).


#19

Right. Because Security hasn’t been my job for literally decades :wink:

I get what you are saying though, security from the perspective of BBS vs personal security are different. Easy fix though, just don’t use the feature.


#20

The real question is can I SMTP relay spam another user’s reply to a message by pretending to be whatever email address they’ve registered under if I figure it out? Is there a code in each message sent to a user that has to match? (I haven’t looked at the headers or the reply-to address to check.)

If so, I could probably get a problematic user thrown off by pushing their envelope a little bit when impersonating a reply…
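
Post #20 asks whether each notification carries a code that an emailed reply has to match. The sketch below is an added example, not from the thread and not BBS's or Discourse's own code, of one way a forum can bind an inbound reply to a user and post without trusting the From header. `SECRET`, `DOMAIN`, the address layout and the function names are all hypothetical.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to users
DOMAIN = "forum.example"          # assumption: placeholder inbound-mail domain


def _mac(user_id: int, post_id: int) -> str:
    # Keyed MAC over the (user, post) pair; unguessable without SECRET.
    msg = f"{user_id}:{post_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def reply_address(user_id: int, post_id: int) -> str:
    """Reply-To address placed in the notification mailed to one user."""
    return f"reply+{user_id}.{post_id}.{_mac(user_id, post_id)}@{DOMAIN}"


def authenticate_reply(to_addr: str, from_addr: str):
    """Return the (user_id, post_id) a reply is bound to, or None to reject.

    from_addr is deliberately ignored: the From header is sender-supplied,
    so matching it against a registered address proves nothing.
    """
    local, _, domain = to_addr.partition("@")
    if domain.lower() != DOMAIN or not local.startswith("reply+"):
        return None
    parts = local[len("reply+"):].split(".")
    if len(parts) != 3:
        return None
    uid, pid, tag = parts
    if not (uid.isascii() and uid.isdigit() and pid.isascii() and pid.isdigit()):
        return None
    # Constant-time comparison on bytes, so attacker-supplied text cannot raise.
    if not hmac.compare_digest(tag.encode(), _mac(int(uid), int(pid)).encode()):
        return None
    return int(uid), int(pid)
```

With this design the address itself is the credential, so it has to stay out of anything other users can see, and a production version would also expire or revoke it.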