Rootshell: A new E2EE email service hosted in Iceland

Rootshell: A new E2EE email service hosted in Iceland(rootshell.is)

28 points by sc0rt 2 hours ago | 21 comments

sandeepkd 22 minutes ago |

Quick question for the author in case they are here

> encryption key is derived from the password > One can use the passphrase in case password is lost

What does this really means? is the password encrypted with these pass phrases instead of being hashed?

sandeepkd 18 minutes ago | |

nvm, looks like the encryption key is derived from password, stored on the server side encrypted with these passphrases

dpoloncsak 2 hours ago |

I know it's in it's infancy here, but if it's a solo passion project I'd consider open-sourcing it so the E2EE can be verified.

If you plan on launching this as a monetized project of some sort, I, as a potential customer, would suffice for audits but I'm sure they can get pricey.

I'll give it a shot either way, just my two cents

sc0rt 38 minutes ago | |

I'm just a new user like everyone else commenting here. I should have been clear about that with a comment in the original post, sorry. I think x.com/rootshell0 looks like they have an X account but idk

guessmyname 51 minutes ago |

> Key bundle missing — please try again

I’m trying to create an account to test this service. I get this error message, what does it mean? Why is the error message so short to the point where I (the user) don’t know what to do next? Why can’t software developers learn how to communicate better with their non-tech users? And this is coming from someone with a 30+ years career in software engineering.

edit: after hitting the button “I’ve saved my recovery phrase - continue” multiple times and getting the same repeated error message, it finally worked but then the API returned “error: Registration failed”. And at this point I give up. This is why many projects, even at Big Tech companies, fail: too much friction for new users, or too many features, or too many options to choose from.

ASalazarMX 2 hours ago |

I'd like to know more about the operator, besides them being from USA. Having the data in Iceland sounds great, but we should be wary of any new service designed specifically to attract confidential conversations.

sc0rt 45 minutes ago | |

Maybe x.com/rootshell0 is their X account? I wish I could tell you more.

sc0rt 47 minutes ago |

I am just a user who signed up for this same as everyone else here. I cannot answer any of the technical questions, but I did find an X account that looks like it is for this email server, x.com/rootshell0 Sorry I can't be more help!

mike-cardwell 1 hour ago |

You defeated https://www.emailprivacytester.com straight off. Which is more than most new email services. You seem to be relying on CSP entirely for this, but it works.

mike-cardwell 1 hour ago | |

You declare HSTS preload, but you are not in the preload list. You can not be added to the preload list at https://hstspreload.org/ because www.rootshell.is exists but has an invalid certificate.

Your MX TLS configuration supports various anon ciphers. These should be disabled.

Your DANE is broken. Try any of a number of freely available online validators.

daneel_w 42 minutes ago | |

I gave your service a test, seeing all buttons in gray, and could not figure out if the service was broken, if my browser was broken, or if my e-mail client (Betterbird) was doing something good. Then I remembered that I use LuLu[1] to deny it all network access besides reaching my private e-mail server. Not ideal, I've learned to live with the caveats, but I do suppose it really does get the job done of stopping in-mail tracking.

[1] https://objective-see.org/products/lulu.html

mike-cardwell 1 hour ago | |

Weirdly, if I click Load Images, all I get is a load more CSP errors and the image fetches don't happen.

mike-cardwell 54 minutes ago | |

I wasn't able to sign up for postmaster@rootshell.is, but I was able to get abuse@rootshell.is. You should be careful about what standard email addresses you allow people to take. I recommend you take abuse@ back from me and you should really have a strong denylist. I just asked an LLM for a list of things you should be blocking and it came back with the following. The cert validation ones seem particularly important:

RFC 2142 mailbox names (the core list):

postmaster@ — required by RFC 5321; mail systems expect it to always work abuse@ — for reporting spam/misuse hostmaster@ — DNS issues webmaster@ — website issues noc@ — network operations security@ — security/vulnerability reports info@, marketing@, sales@, support@ — business functions

TLS/certificate validation addresses (RFC 8552 / CA-Browser Forum):

admin@, administrator@ ssladmin@, ssladministrator@, sysadmin@ These can be used to validate domain control and issue certificates, so handing them to a random user is a real security risk.

Common automated/system senders people impersonate or that cause confusion:

noreply@, no-reply@, donotreply@ mailer-daemon@ — bounce messages (RFC 5321 sender) root@, daemon@, bin@, sys@ — Unix-style system accounts null@, devnull@

Brand/trust-sensitive ones worth blocking too:

billing@, accounts@, payments@ help@, contact@, service@ legal@, privacy@, dmca@ register@, registration@, signup@ The service's own name (e.g. [brand]@, team@, staff@, official@)

[edit] Re the TLS issue. You should set up a CAA DNS record and also check on crt.sh later to see if anybody managed to get a cert for rootshell.is if you didn't lock down the validation addresses

Bender 2 hours ago |

Nice, the more stand alone non corporate email providers the better. You have it on a good host. I've never tried to email from their CIDR blocks, curious how it works out.

MikeKusold 1 hour ago |

I thought this was going to be related to the excellent libghostty based iOS terminal client: https://github.com/kitknox/rootshell

nubinetwork 46 minutes ago |

Why is it called root shell?

guessmyname 39 minutes ago | |

Because it is a shell for the root user [1].

Or at least the app’s logo is the root user symbol: a number sign [2]

Normal users typically get a $ prompt, while the superuser (root) gets a # prompt [3]

[1] https://wiki.debian.org/Root

[2] https://en.wikipedia.org/wiki/Number_sign

[3] https://unix.stackexchange.com/a/291733

nubinetwork 6 minutes ago | | |

Yes, but its an email service... shell hosting died in the 00s with the advent of the VPS, I used to run one.

cryo32 1 hour ago |

I’m never hosting or dealing with any companies in Iceland. I had a run in with a hosting company there who was DoS attacking us from compromised nodes. I emailed them and they told me to get a letter from a local lawyer telling them to stop and they’ll look at it. In the end we contacted our DC provider and they dumped all traffic from their entire blocks.

A year later same attitude from a different one hosting a web site for Covid misinformation which was against their own AUP.

pixel_popping 2 hours ago |

Excellent! Simple and functional UI, Thank you for this.

ChrisArchitect 32 minutes ago |

Not to be confused with rootshell: macOS terminal emulator built with libghostty with powerful features https://news.ycombinator.com/item?id=48390029

paulnpace 1 hour ago |

Another company tried the Iceland root, and after growing steadily and without reporting issues (at least I never saw anything reported) just shut down one day.