How about a signup flow where the user sends the first email? They send an email to signups@example.com (or to a generated unique address), and receive a one-time sign-in link in the reply. The service would have to be careful not to process spoofed emails though.
Another approach is to not ask for an email address at all, like here on HN.
Oh god. Tell me you've never dealt with those in real life without telling me lol
Usually the very best you can do IRL is "probably fine" or "maybe not fine" and that's just not good enough to justify blocking customers. Email is an old tech and there's a lot of variation in the wild.
It sounds appealing at first because it flips the trust model... instead of the service initiating contact the user proves control of their email up front That feels cleaner and arguably more robust against certain classes of abuse
But from a UX standpoint its a nonstarter
Youre asking users to
- leave the site/app
- open their email client
- compose a message or at least hit send
- wait for a reply
- then come back and continue
Thats a lot of steps compared to enter email -> click link. Each additional step is a dropoff point especially on mobile or for less technical users. Many people dont even have a traditional mail client set up anymore, they rely on webmail or app switching which adds even more friction
It also introduces ambiguity
- What exactly am I supposed to send
- did it work
- What if I dont get a reply
From the service side youre trading a simple well understood flow for a much more complex inbound email processing system with all the usual headaches (spoofing parsing delivery delays spam filtering)
In practice most systems optimize for minimizing user effort even if that means accepting some level of abuse and mitigating it elsewhere. A solution that significantly increases friction... no matter how principled...just wont get adopted widely
So while the idea is interesting from a protocol design perspective its hard to see it surviving contact with real users
I think the main UX obstacle is that it is unfamiliar – no-one does signups like that currently. But the flow does not need to be quite as bad, if you use "mailto:" links. In the happy case:
- user click on the link
- their email client opens, with the To:, Subject:, Body: fields pre-filled
- user clicks "Send"
- a few seconds later a sign-in link arrives in their inbox
Disagree. The UX would be pretty similar. Click a mailto link which opens the email client with to, subject and body precomposed. Click send. Server receives mail and the web page continues/finishes the sign up process. No need for an email reply.
It’s different, but it’s not crazy.
Ok, and a lot of -- maybe most -- people won't have their mailto handler set up correctly. I don't even know if I do on my current laptop and I have email old enough to vote
Ignoring the fact that mailto won't work for most people (it opens my Mail app which i never used), "different" is enough to make your conversion rate tank. It'd be unreasonable for anyone in charge of making product decision to go with that
Amidst all the age verification and bot spam going on, anonymous private/public key proof of identity could work: the newly signed up service must pass a challenge from the mail server to prove the user actually intended to sign up. Though I guess that would be basically the same thing as the users server initiating the communication. Really, just an aggressive whitelist/spam filter that only shows known senders solves it too, but as I understand part of the attack is having already compromised the mail service of the target. Having a third decoupled identity provider would resolve that, but then that becomes a single point of failure…
> If a bot creates an account with someone else’s email, the victim gets one email, if they ignore it that’s the end of it. The welcome email and everything after it only fires once the user verifies.
As a user, I would prefer no welcome email at all.
Yeah, thats part of why I hate "login with SERVICE". The big benefit would be not spamming me, but they always insist on getting my email.
There was a time were you would have to select "sign me up for your newsletter" then you had to uncheck it. Then you had to check to not get an email and now you don't even get that choice.
And lately? You have to go dig through your email because you can't set a password (looking at you Claude), so you can't filter email.
Yes, correct. When I clicked the link I was already welcomed by the welcome page (which is, for the most part, welcomed). But then why send me another email further welcoming me? I already feel welcomed! And don't give me any of that "because it works" BS (even though that is what you are going to say).
(cuu508, "you" in this instance does not mean you)
I am doing leatherworking as well as woodworking. No idea if it is possible to actually make money with this¹, but damned if I'm not giving it a go just to have skills in an area where AI is not a threat for the coming decade. At the very least these crafts allow me to make things which do not exist and cannot be purchased off the shelf.
1: I mean, it is, certainly. I'm just not sure if I can make money by making leather gear.
By this logic, all malicious JavaScript (obvious example is cryptominers I guess, assuming no JS sandbox escape) is C&C, yeah? As it "instructs site visitors" to do something harmful locally?
If you need to be on the site it’s not a botnet and there is no C&C server coordinating the attack. It‘s just the JS on the site that makes the attack.
Why? I did not visit the site to participate in a DoS attack; yet my machine was coaxed into participating against my will. Whether this is happening in JS or a drive-by download or a browser 0-day is irrelevant.
That's entirely possible, but doing so reliably and safely is difficult and expensive enough that for a very long time Ukrainians were accepting the risk instead.
The risk appetite countries in existential conflicts have is quite different from what we're used to. For example, there are plenty of videos of Ukrainian soldiers angle grinding cluster munitions open to extract submunitions to put on drones, but that's not a strategy that western armies can rely on.
> We are all making a continual and ongoing grave error
> Blindly translating those centuries of laws into rigid, free enforcement is a terrible idea for everyone.
I understand your point that changing the enforcement changes how the law is "felt" even though on the paper the law has not changed. And I think it makes sense to review and potentially revise the laws when enforcement methods change. But in the specific case of the 55 mph limit, would the consequences really be grave and terrible if the enforcement was enforced by a robot, but the law remained the same?
Any law, including a speed limit, has unforeseen consequences. In my part of the world, there is a 4km stretch of the road with good visibility, low pedestrian traffic, and which takes you either 10 minutes to go through if you follow the limits, or 3 minutes if you drive at +5km/h.
Other than lost time (which compounds, but also increases traffic congestion, so those 10 mins might turn into 20-25), the fuel use and pollution are greatly increased.
Interestingly, there are speed cameras there, and enforcement is not done on these slight violations: without this flexibility, I'd need to ask for traffic lights to be adjusted so they work well for driving under speed limits, and that is slow and an annoying process.
But without an option to "try", I wouldn't even know this is the case, and I wouldn't even be able to offer this as a suggestion.
Whether that accounts for consequences being "grave and terrible", probably not, but very suboptimal for sure.
Yes about traffic lights pattern: 5 traffic lights along the way, each with ~90s wait time or only a zero or a single wait and then riding the "green wave". So not overstating the savings either.
OK, but that would be a consequence of the specific enforcement method, not a consequence the law becoming de facto stricter due to stricter enforcement.
Anyway. I come from the UK where we've had camera based enforcement for aeons. This of course actually results in people speeding and braking down to the limit as they approach the camera (which is of course announced loudly by their sat nav). The driving quality is frankly worse because of this, not better, and it certainly doesn't reduce incidence of speeding.
Of course the inevitable car tracker (or average speed cameras) resolve this pretty well.
For one thing, the speed limit is intentionally set 5-10mph too low, specifically to make it easier to prove guilt when someone breaks the "real" speed limit.
Speed limit is only a proxy for your braking distance in case of emergency braking (at least in most cases, but also a proxy for bad road conditions in others): the point is to ensure safety, and not a particular speed.
I've driven behind drivers driving 25km/h in a 40km/h area and not stopping for pedestrians at a crosswalk with right of way (if somebody jumped out elsewhere, they'd probably just run them over at 25 km/h), whereas I always do even if I am driving at 45km/h because my foot would be hanging over the brake near areas of low visibility (like intersections) or near crosswalks or with pedestrians near the road.
Your braking distance is largely a function of your reaction time (attention + pre-prep + reflexes), and your car performance (tyres, brakes) on top of the speed, and speed limits are designed for the less than median "driver". You obviously have most of those under your control, but the speed is the easiest to measure externally.
The obvious counter is that I could be even safer if I also drove at 25 km/h, but it would take me much longer, I'd hit many more red lights, so I might stop being so attentive because I am going "so slow" and taking so long (maintaining focus is hard the longer you need to do it).
However, measuring individual performance is prohibitively expensive if not impossible (as it also fluctuates for the same person, but also road and car conditions), so we use a proxy like speed limit that is easy to measure.
I put the "driver" in quotes: it is not just about ability (let alone perceived ability), but also about equipment (car braking power, tyre quality in relation to road conditions), attention and driving style. You can be reasonably and objectively above average just by having great tyres and strong brakes paired with average attention (which you can control too) and average style/ability.
I agree with that. However, by necessity speed limits need to be set, and enforced, based on vehicles and drivers that meet the minimum standards we set for roadworthiness.
Speed limits are a terrible proxy for actual risk, but the only reasonable way a government can implement anything tending towards "ffs stop killing each other whilst driving too fast for the conditions".
Another approach is to not ask for an email address at all, like here on HN.
reply