Using Firefox's HTTPS-only mode I've noticed that a huge number of companies send emails with HTTP links. It appears at though a lot of these are marketing redirects for click tracking. This is bad, we need these services to support HTTPS!
@kevincox ...or to stop rendering links in e-mail, since they have only bad security properties. Send them the way of remotely-loaded images, except also take away the option to let you load them.
@LionsPhil I'm not convinced. Links are a critical feature of my email usage.
@kevincox They're also a critical feature of phishing attacks and privacy-intruding tracking.
You could hypothesize about a world of digitally signed e-mail and an allowlist of recognized legitimate businesses by the megacorp that produces your MUA which lets them link to their own first-party domain, but this already fails at the first hurdle because nobody has ever made digitally signed e-mail actually work.
@kevincox Think of it like Safe Browsing, but for e-mail. It's even easier, because no human sends e-mail any more; it's just a legacy root-of-identity layer for account signups and fallback for notifications if the appropriate app is not yet installed.
Except that all signed e-mail is a disaster. Perhaps there should be a replacement built around modern secure distributed/federated system design. I'm sure adding another competing system will solve it.