Can Firefox Relay be trusted?

What do you think of the Firefox Relay service in terms of privacy and data security?
Is it a trustworthy service compared to addy.io and SimpleLogin?

Personally I place firefox relay into a similar bucket as Duckduckgo’s Duck Addresses. These services are more limited than dedicated services like Addyio or SimpleLogin, however both Firefox relay and duck addresses come with a level of polish and simplicity that would be greatly appreciated by less technically inclined individuals.

As far as trusting Firefox relay, well… If you trust Mozilla enough to use Firefox or Thunderbird I see no reason distrust Mozilla to run Firefox relay.

4 Likes

I thought Firefox Relay was just rebranded Mullvad?

It should be good enough by going with just the involved brand name.

I guess its for when you want to financially support both Mullvad and Firefox?

Edit: Firefox Relay

Firefox Relay is the aliasing service, like SimpleLogin. Mozilla VPN is, like you said, rebranded Mullvad.

2 Likes

I started out with aliasing using Firefox Relay. I grew out of it rather quickly, and now I’m two years in using Addy (formerly AnonAddy). My thinking at the time was as stated above: I have trusted Mozilla to run Firefox for 20 years; therefore, I can trust Mozilla to run Relay. This may not be a very scientific way to assert whether or not a service is trustworthy, but that was my logic behind the decision. My friend’s friend is my friend! But you need to ask yourself, what makes a service trustworthy to you?

What influenced your decision? What is AnonAddy better at in terms of trust?

I prefer Addy or Simplelogin for some reasons, but yes, I think Firefox has more than demonstrated they are a trustworthy organization.

4 Likes

Lack of trust in Firefox Relay is not the reason I switched to AnonAddy. I had my “aha” moment with Firefox Relay when I learned how aliasing works and how useful it can be. I could not get enough of it! I think Firefox Relay allowed only 10 aliases at the time. With AnonAddy, I now have over 250. The number of aliases I could have was the main reason I switched, in addition to having more advanced features like using my own custom domain.

I would have stayed with Firefox Relay if they offered the same, as a paid service of course. I wanted to support Mozilla by paying for a service I like. There was talk about a premium version of Firefox Relay at the time. But I could not wait to see it come to fruition. One man’s loss, is another man’s win. So I switched to an existing premium service that ticked off all my requirement boxes. I’m happy with my choice.

I was choosing between AnonAddy and SimpleLogin. I know I read many recommendations and good reviews for both. There was also a third service that’s almost as old as the web, but I don’t remember the name of it. Maybe someone here will remember? I think it has the word “spam” in the name, and something to do with cooking, like “chef”. That was not really a contender! It’s a free service, and the interface is very outdated. As I recall, that service is still active but it was not possible to create new accounts at the time I was checking it out. It’s been locked down to newcomers since the demise of its founder, in a brain tumor I believe. His brother is maintaining the service now. I read the story behind it. I’m only mentioning it here because it was very noble of him to offer this kind of service to the world, and I think we all owe it to him, because his service predates all of these modern day aliasing services that are now popping up.

In terms of trust, you could say that AnonAddy is open source. You can deploy it to your own server. This alone however is not what typically wins me over to start using a service or an app. I know I will never have the time to review that code, or the ability to fully understand it. This is often promoted as a benefit, but it’s a bit like a punch in the air. Just because everyone can see the code, doesn’t mean everyone understands it or has the time and inclination to review it.

To me, trust stems from track record. It’s like with people, because apps and services are the products of people. How long have you known him? How well do you know him? It takes time to build trust. I had 20 years to build trust in Mozilla apps, mainly in their Firefox browser. With AnonAddy, I had 2 years to build my trust in the service, and it has not disappointed me yet. I don’t host it myself. I am paying Will to host it for me, and in doing so, I support the project. I have seen AnonAddy evolve, and from one major version to the other, along with a name change from AnonAddy to Addy.

I am not paid to promote him or the service. But I have had the opportunity to interact with him and I think Will is a good guy. He is responsive, helpful, and very professional. If you ever run into an issue, you can count on him to help you out. So you really have that personal connection. Not like with those corporate bullies that have you run around like an idiot in a maze just to get a point across, and then wait and hope that they give you a helpful response. LinkedIn Support! Cough, cough! I have suggested improvements that he has implemented. I have come across a bug that affected the service negatively and he has addressed it within an hour. This is the way I prefer to build trust! Not by open sourcing alone.

You can read more about both AnonAddy and SimpleLogin here.

I see now that SimpleLogin was acquired by Proton AG in 2022. This was before I chose AnonAddy. But I think I read something about this already in 2021, possibly about their plans or intentions to acquire the service. This is another reason I chose AnonAddy over SimpleLogin. I wanted an independent, dedicated aliasing service, that was de-coupled from a big corporate mother-ship. By trusting SimpleLogin I would have had to trust Proton AG. I was not willing to dedicated myself to vetting yet another company on top of the service I was in the market for. Will was running the AnonAddy project like a solopreneur and I could more easily align myself with that, where I can have that personal connection, where your tech support also happens to be the man himself running the whole thing. No big company like Proton AG can compete with that.

I hope you find my perspective helpful in your own decision process. You can always try one thing, vet it, and then switch to something else. Personally, I don’t like to jump through hoops. I prefer to do the upfront research first, and then I typically stick to whatever it is I decide on using. I mean I have stuck to Firefox for 20 years or so, what else is there to say, you know what I mean? :slight_smile:

3 Likes

Using Firefox Relay without a second thought.
Either for pages I don’t trust (like FB, haven’t come around to delete that account, but Instagram is flagged for deleting. Eventually the rest will follow)
Or for “killing” accounts where I cant (because support does not answer) delete them… Just put a alias and some name. Like PeterPan or Golum Golumsen… :joy:

Thank you for your insightful explanation which has given a new way of thinking!

At the moment I’m considering addy.io and Firefox Relay and am wondering if either of these services can be used directly in Thunderbird. I’m referring to directly replying to emails received on alias.

I think it’s www.spamgourmet.com

Warning: if TL; then DR; :wink:

I almost had it! The name is Spamgourmet or SG for short. For more info, see the forum or the German Wikipedia article. There used to be an article on English Wikipedia as well, until someone decided it was a smart move to “merge it” with another article and not mention anything about Spamgourmet (effectively removing it). Spamgourmet was founded in 2000 by Josiah (Josh) Q. Hamilton according to Wikipedia (English and German). Although the founder (Josh) mentions the year 1998 on the forum while reminiscing about the early years of the Internet, in one of his last posts in 2018. If it was in fact founded in 1998, that would make it as old as Google! That really puts things into perspective. As I said, it predates most of the modern day aliasing services.

Yes, he had a brain cancer. It’s in the post from 2018 that I linked to above that he revealed that he was diagnosed with Glioblastoma Multiforme, the most aggressive form of brain cancer. In a 2019 post, he announced that Spamgourmet would be shutting down. In that post, he said that they stopped accepting new users a few months earlier, before August 2019 that is. So that didn’t happen after his demise, but before that.

His son, not his brother! His son is named after his, from what I understand. So he is also named Josh, but his username is Josiah rather than Josh on the forum. He introduced himself in a January 2020 post on the forum, and announced that Spamgourmet would stay up. In a February 2020 post he announced that his father, the founder of Spamgourmet, had passed away.

As I was tracing back my steps to find Spamgourmet again, I came across a blog post by Son Nguyen Kim, the founder of SimpleLogin. He confirmed that Spamgourmet was his inspiration for SimpleLogin. He wrote,

I learned about Spamgourmet via a friend who has been using the service for more than 10 years. Even though I couldn’t create a new account on Spamgourmet (the registration is closed), I only heard nice things about this service.

I never registered for Spamgourmet either, but I very much appreciate its legacy. If it was not for Spamgourmet, we may never have had SimpleLogin, and probably not AnonAddy or Firefox Relay either. It’s also very much alive, still. Just like its modern counterparts, Spamgourmet is open source. The code has been migrated from SourceForge to GitHub, and it is maintained, although it doesn’t seem to be actively developed anymore. It’s still actively used though. But no new account registrations have been possible since 2019 at least.

There are lessons to be taken from Josh when it comes to trust. With his deteriorating health, and in his last moments on Earth, he was worried about what to do with Spamgourmet, so that thousands of strangers online who were using the service that he built and he was offering for free, can continue to do so when he is gone. He was looking for someone who is trustworthy, willing and competent to be the steward of the project and to continue his work, or alternatively, to shut down the service elegantly, giving everyone enough time to migrate to another service.

Among other things, Josh wrote,

We’ve maintained a non-commercial, privacy centered approach that was much more common on the internet in say, 1998, than it is in 2018. I will never give up on it. Not getting caught up with financial concerns and over-recording and misusing data from our users has kept operating costs low and management fairly trouble free. It has also made spamgourmet pretty unattractive as an acquisition target, which is definitely part of the plan.

Source: bbs.spamgourmet.com • View topic - what's next

I’m working toward the least yucky way to shut down the spamgourmet service. Shutting down with as much warning as I can has become the best alternative.

I want to give everyone as much time to switch to a new service as I can - that’s my primary concern. If you haven’t been working on an alternative for your own use, now is a great time to start

As we get closer to shutting down, I plan to send a notice message to the spamgourmet user base (this will be the only email ever sent to the group of spamgourmet users). The user base is a much larger number than the bbs users or twitter followers, but I’m hoping that most spamgourmet users are inactive these days.

Source: bbs.spamgourmet.com • View topic - spamgourmet will be shutting down soon

This speaks volumes about his character. You don’t see that often these days. None of these big tech companies have that level of respect for their users. They can and do “pull the plug” on a service whenever they feel like it. Among them, I think Google is best known. This year, among other things, they have shut down Grasshopper, an app for learning how to write code. There is even a dedicated graveyard of dead Google projects, counting 293 at the moment.

I don’t remember how it is with Firefox Relay. But I can tell you it works with AnonAddy (just Addy from now on, I’m still getting used to the new name). So yes, with Addy, you can reply to whoever sent you an e-mail on one of your aliases. I do this all the time. Well… not very often, but often enough to know it works.

So for example, if your alias is u456t73r@joker.net and all your incoming mail on that address is forwarded to gnln0jb6@mailbox.org which is your main inbox address, then when you receive an e-mail from snowie@svr.gov.ru to the inbox, it will appear in the FROM: field as u456t73r+snowie=svr.gov.ru@joker.net and you will be able to reply to that crazy looking address. The TO: field will display u456t73r@joker.net because that’s the only address the sender knows. When you reply to the address in the FROM: field, your message will be sent to Addy (or to your own server if you self-host Addy), and then from there, it will be sent to snowie@svr.gov.ru and it will say u456t73r@joker.net in the FROM: field on the receiving side.

Phew! That took some time to type in, but I think I got it right. This may all seem scary and confusing if you’re seeing it for the first time. But a crazy address like the one you saw above, is not as uncommon as one might think. As I recall, Amazon uses so called “plus-addressing” when their “CS” (customer service) sends you an e-mail. So it will say something like cs-reply+blabla4yr987an@amazon.com. The use of equality sign is just something that Addy uses as a format, because you can’t have more than one @ sign in an e-mail address.

The local part of the address in Addy is a randomized 8 character alphanumeric string by default, but you can change it to UUID format for example, or set a custom and memorable name like alice@joker.net if you like. What features are available to you will depend on if you have a paid subscription or if you’re self-hosting, and more importantly, if you have your own domain name to use or if you’re using one of the shared domains. One or a few custom domains that you own, and pay for, will give you the most freedom of choice. This is one of the things that Firefox Relay could not do at the time I was using it.

Don’t make this put you off in using an alias service. Once you get a conversation started, you will not have to think about any of the formatting details above. Once you receive that first e-mail, you can start playing ping pong with that person, back and forth, like with any e-mail conversation.

You can even be the one to send the first message, using an alias address. Right from your e-mail client. Then you will have to pay attention to the formatting. There is a bit of a process to it. But what you basically do is you take the e-mail address that you want to send to, and you take your alias address, and you insert a plus sign followed by the address you want to send to, in-between the local part and domain part of your alias address, and then replace the @ sign with = sign in the address you want to send to.

I love examples! So let me give you an example. I usually do this in a text editor, it gives me the best control over what goes into the address field without some “helpful” auto-formatting ruining it for me. So you can do the same, use a text editor to compose the address. I will assume your alias is alice@joke.net and you want to send an e-mail to support@amazon.com (from bob@mailbox.org but this is irrelevant).

  1. Copy and paste support@amazon.com to your text editor.
  2. Copy and paste alice@joke.net to your text editor.
  3. Add some space between local and domain part of your alias address. This is not necessary but I find it more easy to visualize what goes where.
    It should now look like this: alice____@joker.net
  4. Add a plus sign right after the local part of your alias.
    It should now look like this: alice+___@joker.net
  5. Copy and past the address you want to send to, in-between the + sign and the @ sign, and remove any spaces at the same time.
    It should now look like this: alice+support@amazon.com@joke.net
  6. Replace the first plus @ sign with an equality = sign.
    It should now look like this: alice+support=amazon.com@joke.net
  7. Done! Now copy and paste the final address to your e-mail client.

It doesn’t matter if you use Thunderbird or another e-mail client. But as you can see, it’s a bit involved to get it right. But this also helps you memorize the format. Once you know the format, you can start a conversation by typing in directly in your e-mail client.

Also, if you have catch-all enabled, which is enabled by default, you can have new aliases created for you automatically, on the fly. I think this is the most common way to use the service. I think this is the coolest thing about it!!

Say you meet a new potential business partner, and you want to hand out your e-mail address where he can reach you, but you don’t know him too well and you’re afraid you will get bombarded with a ton of spam. Well, you don’t need to! You can give him an alias address, and you don’t even need to take a 5 minute break to reach out to your computer to create an alias for that purpose. You can literally talk the alias address into existence!! Whatever you say works! If you say spongebob@joker.net and it doesn’t already exist, and your new partner sends you an e-mail, the server will automatically create spongebob@joker.net and forward the message to your default forwarding address or inbox.

Thankfully, there are tools that can help you with this. First of all, there is an option in the Addy web app where you can type in or paste in the address you want to send to, and the alias address you want to send from, and it will compose the correct address you can use in your e-mail client. There is also the Addy browser extension you can use, with Firefox and other browsers. This one is handy when you just want to click a button to get a new alias address you can use to sign up for a new account somewhere.

There are also third party integrations of Addy, none of which I have tested myself, but I recall reading about BitWarden integration. This would help store and retrieve alias addresses to and from your password manager. If your login address looks like u456t73r@joker.net then you know you will need all the help you can get to remember that, or rather use a tool to retrieve that for you, because that looks like a proper password and that’s not something you want to be short and memorable.

Bingo!! :tada:

I saw your comment earlier, but I had “a little bit” more to say on the topic. :smile: So I took some time off to finish this later. But yes! Thank you! It is Spamgourmet. :+1:

Is this something you have used before? How do you know about it? I found it the first time I was looking into what alias service to replace Firefox Relay with. But I think I came across Spamgourmet for the very first time many moons ago. I didn’t think of it much back then. I didn’t know what it was. I thought it was just some guy’s “home page” as we used to call those personal websites back in the day.

4 Likes

I came across Spamgourmet more than 10 years ago, way before SL or Addy existed but like you I didn’t end to really use it for some reason. It was a real pioneer and free service.