Protect IID

Protect your privacy with single-use email addresses

Learn to protect your Internet identity. A single-use email address is a generated email address that is used only once, when signing up for a service. It makes it impossible for attackers to predict which email address was used for which service.
Launch tags: Email, Privacy, Tech

Patrik Krupar
Hello Hunters, I made Protect IID inspired by the recent Jeff Bezos National Enquirer scandal, the "Collection #1" data breach and tweets by @levelsio (https://twitter.com/levelsio/sta...). The idea is to start treating email addresses that you use when signing up for a service similarly to passwords. They should be unique, generated and used only once. You store them with your password inside a password manager. I've gathered all the information about single-use email addresses and published it on the Protect IID page. You'll learn how they work, how to set your own with a few clicks and you can download an official Protect IID Chrome extension that generates single-use email addresses for you. If there's something you think is missing or you know how to explain something more clearly, please, let me know! :)
Aaron Bailey
@pkrupar Thanks for the helpful site. You've inspired me to put this into practice. Curious -- how would this approach have helped the Bezos situation?
Patrik Krupar
@aaronbailey Glad you asked, check this blog post speculating how the National Enquirer probably got the pics: https://blog.erratasec.com/2019/....
Aaron Bailey
@pkrupar thanks... so lesson learned: if you start dating someone new, require they use 2FA and single-use email addresses. 😅
Chad Whitaker
@pkrupar Very nice! You should add a setting that includes the current domain name in the generated email address. For example, if I were to sign up for Product Hunt it would generate something like: producthunt-3ef144b32a@example.com. Grabbing "producthunt" from the current URL, www.[producthunt].com, and following it with the randomly generated string. The email spec allows for up to 64 characters in the local part, so only including the first 32 characters of the domain should be safe. This allows you to quickly see if a company has sold your user info. Being able to see the domain name in the address will reveal its origin.
Patrik Krupar
@chadwhitaker Great idea, Chad! I'll add it today.
Christophe Thomas
https://10minutemail.com/ does the same job and it's easier to use in my opinion
Josh Levine
Enabling a catch-all address can be problematic since spammers often buckshot thousands of emails to addresses generated by adding common-left-side-of-`@` words to the domain. To control inbound access effectively you want to keep a database of generated email addresses and only let through emails sent to valid ones. Having the database additionally lets you terminate an address if it starts receiving spam. Finally, if you also store who you gave the address to in the database, you can be the first to know when a corporate data-breach happens, or when a friend gets tricked into clicking on a fake GMAIL login. I've been doing this for the past 20 years and can't imagine why GMAIL and everyone does not do it also. https://wp.josh.com/2013/03/14/s...
Alexandra Persea
@josh_levine Very good points! That is exactly what we've done with Burner Mail
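The two suggestions above (a site label in front of the random string, and a database of issued addresses used to filter inbound mail) can be combined as follows. This is an added example, not part of the thread and not Protect IID's or Burner Mail's code; `host_label`, `AddressRegistry` and the in-memory dictionary are assumptions made for illustration.

```python
import re
import secrets
from urllib.parse import urlsplit

MAX_LOCAL = 64  # local-part limit cited in the thread
MAX_LABEL = 32  # truncation suggested in the thread


def host_label(host):
    """www.producthunt.com -> producthunt (first 32 chars, [a-z0-9-] only)."""
    parts = [p for p in host.lower().split(".") if p and p != "www"]
    # Simplification: the label left of the last dot-part. Multi-part suffixes
    # such as .co.uk need a public-suffix list to get right.
    label = parts[-2] if len(parts) >= 2 else "".join(parts)
    return re.sub(r"[^a-z0-9-]", "", label)[:MAX_LABEL] or "site"


class AddressRegistry:
    def __init__(self, domain):
        self.domain = domain.lower()
        self.issued = {}  # address -> {"service": label, "active": bool}

    def issue(self, signup_url):
        label = host_label(urlsplit(signup_url).hostname or "")
        local = f"{label}-{secrets.token_hex(5)}"  # 10 random hex characters
        if len(local) > MAX_LOCAL:
            raise ValueError("local part too long")
        address = f"{local}@{self.domain}"
        self.issued[address] = {"service": label, "active": True}
        return address

    def revoke(self, address):
        self.issued[address.lower()]["active"] = False

    def accept(self, rcpt):
        """Deliver only to addresses that were issued and not revoked."""
        entry = self.issued.get(rcpt.strip().lower())
        return bool(entry and entry["active"])

    def leaked_by(self, rcpt, sender_domain):
        """Name the service an address was given to when mail for it comes
        from an unrelated sender domain. A hint only: services also send
        through third-party mailers."""
        entry = self.issued.get(rcpt.strip().lower())
        if entry is None or host_label(sender_domain) == entry["service"]:
            return None
        return entry["service"]
```

With a catch-all domain, `accept()` is the check to run on each inbound recipient before delivery, and `revoke()` retires an address once it starts receiving spam.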
Jasper van der Meij
Interesting idea. Is NameCheap the best domain registrar for that? Or are there other ones that are more 'private'?
Philipp
@jvdmeij It depends on your domain extension. They have different rules for what information has to be public in the domain records or if it can be obfuscated. You'll have to decide for yourself if it's good enough from the registrar point of view for you: https://www.namecheap.com/about/... The good side effect of GDPR is that in this case you get free Whois privacy (obfuscated details in the public whois database) for free now.
Firlefanshans
One issue is that you'll likely fall afoul of spam detection algorithms/ml systems, as spammers are currently the only group that currently generate random email addresses.
Nikiara Purmambietova
@firlefanshans do you use a spam protector filter?
Philipp
@firlefanshans @nikjara You don't have to run one yourself but most "systems" like ecommerce backends, mail providers will run them and it may be caught up within that. The annoying part is that usually you don't know if your email didn't arrive which could be a problem for things like transactional emails.
Sam Eckert
Great project 👍! Would love to see a Safari function as well in the future!
Philipp
How does it help in the case that erratasec.com listed? If you use your own domain couldn't you just look up the domain in the dump and then they'd get the "secret" part of the email? You'd just have to get some of the bigger dumps that aggregate smaller dumps and then not much would change.
chris
@tehwey the "secret" part would be a different, randomly generated "string@" username for each login. it essentially adds another redundant security layer to using randomly generated passwords (which people should also be doing). in the theoretical instance on erratasec, the mistress is reusing email addresses and passwords - errata (and Protect IID) are just suggesting this method as an additional security layer for protecting accounts.