Skiff: Various Privacy Failures(grepular.com) |
Skiff: Various Privacy Failures(grepular.com) |
ProtonMail can only guarantee E2E encryption without PGP if you are sending email to another ProtonMail user. I don't know if Skiff also offers this special kind of encryption. Either way, they should be more upfront about the level of privacy they can offer.
I had a read of Skiff's page on E2EE. It is very carefully worded and, from a skim read, is not upfront about the fact that un-PGP'd email sent and received through Skiff can be read by Skiff.
https://skiff.com/blog/end-to-end-encryption-email
Oh, one more thing. Skiff's SMTP server (inbound-smtp.skiff.com) is running on AWS in the United States which means it will be beholden to US warrants. Skiff does not have a warrant canary. Getting big Crypto AG vibes from this.
> All emails between Skiff users are end-to-end encrypted, including both subject and contents. External mail is encrypted with your keys on receipt, keeping it private.
Additionally, Proton Mail uses OpenPGP internally, so Proton-to-Proton messages are always protected by PGP. Even for external messages, contacts don't necessarily have to set up PGP encryption manually; the email client can do so, enabling the use of end-to-end encryption between different providers with minimal hassle.
I know some people do need more privacy and/or security. But a lot of people think they need the same but really, they don’t.
We've considered adding a E2EE comparison column as well (with the issues such as Proton rewriting your emails @ http://jfloren.net/b/2023/7/7/0 highlighted).
Privacy Guides Discussion @ https://discuss.privacyguides.net/t/forward-email-email-prov...
Unlike Skiff, Proton, and Tuta... we're _actually_ 100% open-source. Those providers that advertise as open-source really only open-source the front-end, when the back-end is the most sensitive part of an email service.
If you want security, you have to do it in house with competent people who understand your business domain. So when I see people with regular pen tests I know they don't really give a shit because they are doing minimal ass coverage.
But I'm pretty sure in this case the scope was bad. Like they coukd have had audits on "Do I use OpenSSL well?" and then misrepresent that all their privacy claims were audited.
Now it seems like Skiff conveniently didn't allow Trail of Bits to publish their reports, they are usually here: https://github.com/trailofbits/publications/tree/master/revi...
Disclaimer, I have used Trail of Bits service in the past (and 2 other auditors for an security campaign on a blockchain, cryptography + networking product).
I can’t speak to Cure53 but I feel like I’ve seen that name on a few failed cryptocurrency thingies.
A PGP encrypted email doesn't get "decrypted" when it's being transferred. That's the whole purpose of PGP encryption, to encrypt it before it even gets transferred or stored, which is what we do. If you set up a PGP key, use WKD, then your emails will be stored as encrypted (not only is your database encrypted with your password, but the emails themselves can be PGP encrypted this way), and any sender attempting to send to you will automatically have their message PGP encrypted to you, if it is not already (in case their mail client doesn't use WKD).
https://forwardemail.net/en/faq#do-you-support-openpgpmime-e...
I have an alias user@example.com which forwards to user@gmail.com
The idea is when user@gmail.com gets an email through the user@example.com alias, they can also reply to it and it will show up as user@example.com.
Simplelogin does this through a reverse alias, the reply to address is not the actual address, rather it's an alias for the reply-to address, so it can rewrite the message as if it came from the alias.
[1]: https://github.com/forwardemail/mta-sts.forwardemail.net/blo...
Also - you should note that we largely operate in-memory and don't store to disk any information or logs (unless essential, e.g. IMAP storage, or if they are error logs). We have all of this in our privacy policy and terms on our website. We are extremely transparent.