by Freak_NL on 4/6/2025, 8:26:12 PM
by jurschreuder on 4/6/2025, 9:33:02 PM
People in China could not open a url sent in Gmail. I happened to be in China, I tried to open the webpage and it worked, no firewall.
I hovered over the link in Gmail and Chrome told me, at the bottom left, that it was just that exact URL.
But when I opened the url it got blocked by the great firewall.
Why? Any link in Gmail secretly gets replaced by a link to Google that tracks you and then redirects you to the original link.
The most obnoxious thing about this I think is that Chrome shows the original link.
by kardianos on 4/6/2025, 8:18:33 PM
This is how all HIPAA "secure email" works. Outlook, Zoho, clinic comms, BECAUSE it lets you revoke email access.
If you want an opportunity in this space, it isn't actually encrypted emails, but possibly standardizing and streamlining such "message pointers" and address endpoint verification.
by stwrzn on 4/6/2025, 8:46:46 PM
What happens if the sender's Google account ceases to exist for whatever reason? What if Google ceases to exist?
I know that there are a lot of HIPAA "secure email" solutions that also do this, but I don't want this to become more common practice than it already is...
by p2detar on 4/6/2025, 8:57:53 PM
The E2E problem was already solved a long time ago. We used to have Thunderbird with an OpenPGP extension and GPG keys.
Then there was a whole plethora of products built around Lotus Notes Domino that provided a central place for securing outgoing e-mail using either S/MIME or GPG keys. All of this on premises. Then came the Cloud and obliterated these products. And for what?
edit: typos
by solardev on 4/6/2025, 8:27:07 PM
Isn't this how banks send secure messages too? You can't send secure emails to arbitrary clients otherwise. PGP stands no chance of being adopted by regular users.
by jonathantf2 on 4/6/2025, 9:02:08 PM
This is exactly how M365's solution works. Decrypts if the recipient is using MSN or EXO, otherwise punt them to a webpage.
by ranger_danger on 4/6/2025, 8:06:41 PM
I think one of the growing threats lately in the community has been malicious client-side JavaScript, especially when the client handles end-to-end encrypted content (used on sites like Proton, MEGA etc.), so requiring users to trust Google with the contents of these client pages, and by extension the emails themselves, seems (in my opinion) to defeat the entire point of this feature.
Some work in this area has been done in the form of browser extensions that are used to verify signed assets delivered to the client:
https://github.com/freedomofpress/webcat
https://github.com/tasn/webext-signed-pages
https://github.com/jahed/webverify
https://github.com/facebookincubator/meta-code-verify
But unfortunately for now, none of these are seeing wide adoption and this remains an unsolved issue. It also does not require anyone to use known-good, audited and verified open-source components, meaning even if the client code is signed, it can still be malicious... there must be a greater reason to trust the code than just "trust me bro".
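Added example, not part of the comment above and not the scheme of any project it links: a generic signed-manifest check of the kind such extensions perform, written for Node.js. The manifest layout and the helper names (`signManifest`, `verifyDelivery`) are assumptions made for illustration, and the sample assets are constructed.

```javascript
// Generic signed-manifest verification (illustrative; layout and names are assumptions).
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Canonical bytes that get signed: paths are sorted so key order cannot alter the input.
function canonicalize(manifest) {
  const paths = Object.keys(manifest.assets).sort();
  return Buffer.from(JSON.stringify({ version: manifest.version,
    assets: paths.map((p) => [p, manifest.assets[p]]) }));
}

// Publisher side (hypothetical helper): hash every asset, then sign the manifest.
function signManifest(version, files, privateKey) {
  const assets = {};
  for (const [path, body] of Object.entries(files)) assets[path] = sha256(body);
  const manifest = { version, assets };
  const signature = crypto.sign(null, canonicalize(manifest), privateKey).toString('base64');
  return { manifest, signature };
}

// Client side: check the signature against a pinned key, then every delivered asset.
function verifyDelivery(signed, delivered, pinnedPublicKey) {
  const sigOk = crypto.verify(null, canonicalize(signed.manifest), pinnedPublicKey,
    Buffer.from(signed.signature, 'base64'));
  if (!sigOk) return { ok: false, reason: 'bad-signature', paths: [] };
  const bad = [];
  for (const [path, body] of Object.entries(delivered)) {
    const expected = signed.manifest.assets[path];
    if (expected === undefined) bad.push(path + ' (unlisted)');      // script not in the release
    else if (sha256(body) !== expected) bad.push(path + ' (modified)');
  }
  return bad.length ? { ok: false, reason: 'asset-mismatch', paths: bad }
                    : { ok: true, reason: 'verified', paths: [] };
}

// Constructed sample data: one clean delivery and one altered by the server.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const release = { '/app.js': 'render(decrypt(mail))', '/index.html': '<script src="/app.js"></script>' };
const signed = signManifest('1.0.0', release, privateKey);
const tampered = { ...release, '/app.js': 'render(decrypt(mail)); send(mail)', '/x.js': 'send()' };

console.log(verifyDelivery(signed, release, publicKey));
console.log(verifyDelivery(signed, tampered, publicKey));
```

A passing check only shows that the delivered bytes are the ones the key holder signed; it says nothing about whether that signed code is benign, which is the limit the comment points out.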
by zer0zzz on 4/6/2025, 8:19:01 PM
Doesn’t proton mail also do this for sending encrypted mail to folks with no encryption?
They ought to do PGP though
by tky on 4/6/2025, 9:38:01 PM
All the takes on this release miss one crucial point: if you want people to adopt E2E encryption, you must reduce friction. For users of Gmail, that means familiar elements and flow to their usual use of Gmail. If this lets even a handful of people use more secure messaging, it’s a win. For Google Workspace-centric orgs it’s a good step in the right direction.
If you disagree, go set up GPG on a non-tech’s computer, tell them they need to use Thunderbird or some other helper app(s), and see if you can even go home before being asked to remove it all.
by commandersaki on 4/7/2025, 1:23:20 AM
How does the E2EE happen if you're clicking a Gmail link? One thought is the secret bit is tacked onto the anchor part of the URL, but the secret is in plaintext both on the sender's sent email and on the recipient side.
by Woodi on 4/7/2025, 4:57:32 AM
Email is dead, even govs use chat clients with emoticons ;)
That email is your internet ID, and in the majority of countries your digital ID too? Who cares, things usually need to be so broken that even elected officials' families report problems :) Then we can have some "plans" announced. The EU is especially good at this - announcing (and pushing for more centralization no matter what is happening) and not fixing anything, e.g. sane CPUs, when? Rhetorical question, because not in this decade...
by tptacek on 4/6/2025, 8:58:50 PM
This is how most commercial secure email products work.
by fnord77 on 4/6/2025, 9:00:58 PM
how else are they going to push ads?
by n3storm on 4/6/2025, 8:47:54 PM
I guess minimal Gmail for E2E is the tariff we have to pay for privacy and freedom. wink.
by otterley on 4/6/2025, 8:51:56 PM
> I'm not going into how much this is not E2E, as this has already been proven
By whom? It looks like E2E to me. It’s just that both ends are controlled by the same entity.
This was already happening, unfortunately. The user's mail agent is deemed untrustworthy (and so is the user), so every service which needs to send confidential data just turns your email into a notification with a link. There are so many of these, but often they are limited in scope. For sectors like healthcare you have companies offering this type of service to companies which need to adhere to security theatre standards such as ISO 27001, and because nations often have their own added requirements for specific sectors (think HIPAA in the US or NEN 7510 in the Netherlands) these services tend to remain focussed on single countries.
Then there are the national governments and things like insurance companies. All happily sending message notifications where you need to sign in to their own portals.
Securing email is too complex, so everyone builds their own secured portal thingy, and your mailbox has become a receptacle for notifications. Figuring out a solution would require cooperation, pragmatic lawmaking, and giving up those nice cash cows of moated portals, so it won't happen.