Silk Road forums
Discussion => Security => Topic started by: MrImporter on August 20, 2013, 11:18 pm
-
With tormail down, I see alot of people asking about other providers. Besides RiseUp, I stumbled across this. It's a new start up company based out of Iceland. I'm hoping some of the more experienced members can chime in and give their thoughts on this new email provider.
Mailpile Link *CLEARNET*: www.mailpile.is
Article Link *CLEARNET*: http://techcrunch.com/2013/08/20/mailpile/
ARTICLE
Mailpile (http://www.indiegogo.com/projects/mailpile-taking-e-mail-back) is a relatively rare thing: a software project that looks certain to achieve its crowdfunding goal. The Mailpile Indiegogo campaign (http://www.indiegogo.com/projects/mailpile-taking-e-mail-back) is less than $5,000 away from its $100,000 target, still with 22 days left to run, so it’s clearly struck a chord with its close to 2,000 backers. Still, it’s not hugely surprising — given how timely this pro-privacy project is.
So what is Mailpile? It’s an open source webmail client designed to be run on the user’s own computer so they can retain control of their email data. Encryption is also built in, says its privacy-focused creators who are based in Iceland, with support for OpenPGP and S/MIME encryption and signatures. And there’s no ads. Its business model is to start with crowdfunding, and then aim to build a community of users around the software — with those who contribute $23+ per year getting a say in the long term direction of Mailpile. Which seems like a small price to pay for your privacy.
Free consumer webmail was a revelation when it blazed onto the scene, way back in the 1990s — you know, when Hotmail was actually cool. Now, around a decade or so on from that, the dream has arguably gone sour. Google’s lawyers were recently caught arguing that Gmail users have “no reasonable expectation of privacy (http://techcrunch.com/2013/08/14/yes-gmail-users-have-some-privacy-heres-what-you-can-expect/)“. Free of course means you’re paying in other ways — at the most basic level, with your privacy. Your correspondence will be data-mined to determine which ads to push at you so Google can monetise your use of its service.
Add to that, Google — and other webmail providers (Google is of course not the only privacy-infringer here) — are increasingly unifying privacy policies (http://techcrunch.com/2013/07/05/google-privacy-policy-draws-ico-ire/) across multiple products so they can build up an even more nuanced view of your digital activity to try and flog you more stuff (or flog data on you to other companies). The tech adage ‘if it’s free, you’re the product’ applies in spades here.
And then there’s the issue of geographical location. Gmail, Yahoo Mail, Outlook et al are all U.S.-based webmail providers, making them vulnerable to the NSA’s mass surveillance program (not that the U.S. is the only nation with heavy-handed security agencies (http://techcrunch.com/2013/08/19/uk-govt-destroyed-journalists-hard-drives-in-failed-attempt-to-stop-nsa-story/) right now, either). Recently two US-based encrypted email services, Lavabit and Silent Circle, shuttered their email services (http://techcrunch.com/2013/08/08/snowdens-alleged-email-provider-shuts-down-warns-against-trusting-u-s-companies/) to avoid having to hand users emails over to the NSA. It was a very public admission that hosted ‘secure webmail’ had effectively become an oxymoron.
“Soon we will be back to pen and paper,” wrote The Guardian‘s Editor Alan Rusbridger yesterday (http://www.theguardian.com/commentisfree/2013/aug/19/david-miranda-schedule7-danger-reporters), in a story describing how the newspaper’s offices had been visited by U.K. security agency officials who went on to destroy hard drives containing data leaked by Edward Snowden. Sure, you can argue that journalists investigating government surveillance programs should expect even less privacy than the average citizen. But the extent to which privacy in general is being eroded — through systematic surveillance of digital communications (http://techcrunch.com/2013/08/11/snooping-vs-leaking/), as governments co-opt consumer technology companies as their data-harvesting outposts — should be of serious concern to anyone who cares about the individual’s right to privacy. And the risks posed by a surveillance-obsessed state (http://en.wikipedia.org/wiki/Stasi).
So what’s Mailpile doing about all this? Firstly its creators are aiming to offer an alternative to the webmail behemoths to give users more control over their email data, remove ads from the equation and build in security features. Plus, if the platform gains traction, they hope to put pressure on the usual webmail suspects — to convince them there might be a reason to care about user privacy.
Consumer webmail’s main differentiator — aside from plentiful storage — has been the ability to access email from anywhere with an Internet connection. And that’s not something Mailpile users will have to give up. Its creators note that a user’s local Mailpile can be made accessible over the Internet “by using port forwarding or a tunneling service like PageKite (https://pagekite.net/)“, albeit you’ll need to be running it on a machine that’s normally switched on to ensure access (a Raspberry Pi (http://techcrunch.com/tag/raspberry-pi/) could work nicely for this).
They also note it is also possible to host Mailpile on a VPS — albeit, that means there is a risk of your data being access by others (e.g. hackers, VPS provider technicians, or via law enforcement subpoena of your VPS’ hard drive). ”For these reasons, most security professionals would strongly advise against storing your encryption keys or processing sensitive data on a VPS. But it really depends on your “risk model”, as the cryptogeeks like to say,” they note.
That said, they argue Mailpile hosted on VPS would still require an attacker to make a “dedicated effort” to get at to your data vs the “wholesale mass surveillance enabled by centralized proprietary web-mail”.
Current designs of the Mailpile interface offer a refreshingly clean-looking interface vs all the usual proprietary webmail clutter (see below). Plus they have some neat feature ideas in the pipeline, including the ability to browse photos that have been emailed to you like a photo album; a delay sending email feature; and inbound email sender verification.
The initial Mailpile client is being developed for Linux and Mac, but they are also planning to get it running on Windows once the project gets funded. Their goal is to get a stable first release of the software ready to go next summer. Donations to the project can start at $1, but $23 or more makes you an official member of the Mailpile community with a say in its development.
-
While interesting, I don't feel they provide any real new or innovative service. Rather, this just makes using and employing PGP in your already-existing email, easier.
In that effect, it is a glorious idea, and is wonderful in its creation, and I will likely support it for that reason.
It is not, however, a replacement for what tormail claimed to be.
What is missing in this world is an email provider who's retention only goes as far as I request it. If I want every message dropped as soon as whatever device I read it on receives it, I want it gone. I want it stricken from this planet like someone took a superconducting magnet and ripped the magnesium oxide from the platters itself.
Or, I want my data encrypted - I want the access to the data to be encrypted such that following a successful connection to even see that there ARE messages requires authentication, viewing any field requires ANOTHER authentication, to read requires ANOTHER authentication, and hell, to be complete, if any one of these steps is violated - burn it and turn it into ionized silicon.
Obviously that is a little ridiculous, but I'm not joking. I would love a service that let me configure it like that. Or one that would ionize the silicon it was stored on. Hell, I'd like a safe that does that too.
But, back on point. This is a good service proposal for those that have trouble using the client side aspect of security. We need that, as DPR has stated in his interview. It's only a first step.
Edit: I'd like to note that my first line implies that this isn't innovative. It is innovative on the client space. I was specifically speaking to it as a service. If it were a full service email provider, that'd be different... but it is merely a client.