Not encrypted in the sense of sending emails in plaintext (not over TLS), or not encrypted in the sense that anyone who received the email could read it?

This is my question as well.

Along these lines, ChatGPT's data export functionality is inexplicably only available via e-mail rather than direct download.

But they do send you a link with a 24-hour expiration timer, not an attachment.

That's good to know. Hopefully the link requires an account-authenticated session.

What difference does that make? Just curious since I thought of this as a viable safe idea to generate presigned s3 URL’s and send them by email to customers for a project..

Email isn’t a secure protocol.

This is a rather audacious statement, there is DANE (https://datatracker.ietf.org/doc/html/rfc7671) and MTA-STS (https://datatracker.ietf.org/doc/html/rfc8461)

rcme is right though, DANE and MTA-STS are still opportunistic, the sending party must support DANE/MTA-STS to use it. And even still, with both DANE and MTA-STS, you are merely "asking nicely" to use TLS, the sender may still ignore it and use plain text delivery anyway.

The reality is that email is not, and never will be a secure communication channel.

Disclaimer: I have a career in consulting on email hardening.

Feels disingenuous to blame email because a sever is configured to allow any sender to transmit plaintext data. If you're transmitting data you should protect with encryption, and don't use encryption, that's not emails fault. The same could be said about http. If you allow users to submit passwords in cleartext, you're the problem, not HTTP

That is kind of the point of this whole conversation. The products mentioned are sending information over a protocol which does not protect it, which is much like if their password form was HTTP. I don't see anyone blaming email, I see people blaming onedrive and (potentially) openAI.

"secure protocol" isn't a really definition of anything. What did you mean to say?

In terms of communication protocols, "secure" typically it means unauthorized third-parties can't read or modify communication data. Some examples include Hypertext Transfer Protocol Secure (HTTPS), Transport Layer Security (TLS), and Secure Sockets Layer (SSL).

emails are readable by any of the servers in between the sender and the receiver (which generally neither the sender or the receiver has much control over), and if any of those servers don't support encryption of the link between the servers, so can anyone who can read the network traffic between those servers. Emails also cannot generally be verified, and they can usually be tampered with. Really, any security property you might want is absent from email.

No, OneDrive doesn't upload/download your photos over unencrypted HTTP. That's what you're implying with the title of your post, right?

It seems you came up with a title that would generate the most attention and capitalize on people's hatred for the company.

OP isn’t clear in their messaging, but the linked article (https://answers.microsoft.com/en-us/windows/forum/all/i-rece...) is:

“Today I received an email from OneDrive <* Email address is removed for privacy *>. The message said, "Look back on your memories from this day." This email contained images of photos from my One Drive Backup”

So it seems Microsoft sometimes/frequently emails their users (thumbnails of, I presume) some of your photos.

None of the big players OneDrive, DropBox, iCloud are E2EE, so what did you expect?

OP is about sending the photos over an unencrypted channel, not that OneDrive unencrypted access to them. Normally when talking to a cloud storage service, the data will be encrypted in transit (and then again when at rest).

Not encrypted != not E2EE

Most online services are not E2EE, but almost all have E and that is expected and industry standard.

Encrypted or not, photographs are typically protected from view and not shared with the world. They are behind an authwall. Imagine if you are on Facebook and you upload a photo album. You share it with a group of friends. Do you expect Facebook to spray the content of those photos all over in public without your consent? No, same with OneDrive; my sharing options specify how I want the files/photos/content to be protected, and if OneDrive decides to frivolously ignore my sharing options, then that's a security incident, encrypted or not.

iCloud have mode to enable E2EE for almost all data called "Advanced Data Protection"

https://support.apple.com/en-us/HT202303

I believe iCloud can be configured to be E2E, but it is not E2E by default.

It is E2E in transit but not everything is encrypted at rest by default. Users now have the option for at rest encryption but you need to make sure that you store your encryption keys properly as there is no net to catch you.