
Own-Mailbox, the first 100% confidential mailbox - yannski
http://www.own-mailbox.com/
======
pjc50
It used to be possible to run your own SMTP server, inbound and outbound, from
home. This was so badly abused by spam that port 25 is blocked almost
everywhere.

Domestic systems tend to be in configurations that make it hard to accept
inbound TCP connections. You could serve SSL on a random port and open a port
using UPnP, and it will work _most_ of the time.

It's a difficult circle to square. The most trustworthy system is one you
administer yourself and manually inspect all updates, but in practice the
amount of work required makes that almost impossible. If you allow the OEM to
do updates they can compromise you. If you don't do updates you end up
vulnerable to exploits.

The "send a reference to the message not the message" technique was part of
DJB's "internet mail 2000" proposal:
[https://en.wikipedia.org/wiki/Internet_Mail_2000](https://en.wikipedia.org/wiki/Internet_Mail_2000)

~~~
chrissnell
Even if your home provider allows you to accept SMTP on port 25, you're going
to have a hell of a hard time with outbound delivery. The big mail providers
give very low reputation ranking to e-mails originating from consumer
connections. Even commercial connections w/ hosting providers need to be
"warmed up" for a period of time to get their sending reputation to an
appropriate level where they can expect reliable delivery without automatic
spam-boxing.

What I'd rather see is a company go into partnership with the big providers to
certify individual senders at home. The idea is that you'd put up some kind of
bond (a few hundred USD?) to help ensure that you won't be sending spam. In
exchange for your bond, the company vouches for your IP to
Google/Yahoo/Hotmail/etc and you're allowed to send your own email. After some
period of use w/o any spam complaints, you get your bond money back.

~~~
jsprogrammer
Maybe the big mail providers need to update their strategy regarding automatic
spam-boxing?

Most personal mail servers are not going to be sending mass emails. An
algorithm that auto-spam-boxes mail from domains it's never seen before (or
only receives a small trickle from) is ignorant.

~~~
vidarh
Most personal _mail servers_ won't, but most _sources of e-mail_ sending
unauthenticated e-mail direct to the target mail servers from consumer internet
connections _are_ spam these days because almost no consumers do that -
instead most e-mail sent that way comes from malware.

An algorithm that auto-spam-boxes mail from address blocks used for consumer
connections or from "new" servers is not ignorant - it is taking into account
years worth of evidence that it is an effective counter-measure against spam.

I'm saying that as someone who would like to run my own home mail server, and
someone who is constantly battling to make sure our (100% opt in) bulk mail
servers at work don't get blocked by overzealous spam filters - I wish it
wasn't this way, but it is.

~~~
jsprogrammer
Do you have any data on the percentage of spam email sources (of all email
sources) that send 1-10 emails per day?

I'd expect that for a spam source to be effective, it'd need to send many more
messages. Some spammers may try to run many low-rate sources, but you could
likely do statistical analysis on the content of the messages to differentiate
the spam sources from the non-spam sources.

Further, allowing the occasional doesn't-look-like-spam-but-is-actually-spam
message (if such a thing exists), isn't the end of the world. The user can
mark it as spam and have the source blocked forever.

The real spam problem that needed to be addressed was mailboxes being
completely flooded with unsolicited messages. So flooded that it becomes
impossible to read or even find the legitimate messages.

~~~
msandford
> Do you have any data on the percentage of spam email sources (of all email
> sources) that send 1-10 emails per day?

Do you have any method by which all the different mailservers worldwide can
successfully collaborate to determine precisely how many emails a particular
mailserver sends per day?

You're proposing that mailservers with a low emails-per-day metric be trusted.
How is that metric established? How does everyone agree on it? Do we have to
implement a new protocol in addition to SMTP in order for this to be viable?

The most obvious response to this is "well each service provider can just
count the stats internally and use that" but it's a non-starter. That means
that Google with their, what, 1000 email servers (or more) now has to figure
this out. And every other service provider too.

Finally, given all the service providers out there, and the total number of
"consumer" internet connected computers, giving all the computers a free 1-10
email pass means that spam is back to the worst of 2000-2010 levels. Here's
some math:

There are 115mm households in the US
[http://quickfacts.census.gov/qfd/states/00000.html](http://quickfacts.census.gov/qfd/states/00000.html)

81% internet usage
[https://en.wikipedia.org/wiki/Internet_in_the_United_States#...](https://en.wikipedia.org/wiki/Internet_in_the_United_States#Access_and_speed)

That's 93mm consumer connections

Let's suppose that there are 20 big players in the mail provider category,
Google, Yahoo, Microsoft (hotmail, office365, etc), AOL, comcast, at&t, time
warner, etc. 20 seems like a good number.

Since these systems can't be made to communicate with one another easily about
the sent-count of every IP address in the world, they just do it locally. That
means that the virus that infected your computer and turned it into a spam-bot
gets:

10 free messages * 20 major providers * 93mm computers = 18 billion spams per
day

And that's just from the computers in the US. Once you take this global,
you're probably talking at least 100 major providers and 300-500 million
computers. Then you're talking something like a trillion spams a day.

Seems like a reasonable idea until you look at how it would actually be
implemented. Then it doesn't seem so great.

~~~
jsprogrammer
Modern spam filtering is not purely based on white/black-lists. Statistical
analysis of the content is performed.

You don't need to auto-spam-box sources that are sending low volume emails to
the same set of addresses, especially when the messages don't get categorized
as spam by the content analysis.

You don't need the kind of global coordination you are talking about. Further,
whitelists don't solve the problem. Under your scenarios, you can just as
easily receive low volume spam from millions of fake accounts at the big
providers. You're just relying on the provider to solve your spam problem.

~~~
vidarh
Sorry, but these claims just demonstrate that you have not operated
large-volume mail servers.

Yes, most of us _do_ need to automatically block such sources because content
analysis does not do a good job, and experience demonstrates that the vast
majority of such messages are still spam.

> You're just relying on the provider to solve your spam problem.

Yes, we are. And you should be extremely happy they put in the effort they do,
or your e-mail would be completely useless.

------
radiospiel
This looks very similar to what we built one year ago at
[https://kinko.me](https://kinko.me). And then we even managed to solve most
of the problems outlined in the comments here (Port 25 blocked, etc.) But our
crowdfunding campaign failed, and I have seen other campaigns with similar
topics and target audiences fail since.

Consequently I doubt that a relevant audience for that type of device really
exists -- even though I wish own-mailbox would succeed.

~~~
adventured
That's because they're all getting the target audience wrong.

"Personal email server" \- right there is the mistake.

If the consumer market is small, 8 times out of 10 you can bet that if you
adapt the technology appropriately - change the pitch, make a few feature
adjustments etc - there is an enterprise market willing to pay for the
solution instead.

~~~
radiospiel
Yes, and that's why we didn't call it that. We had a box that "you just plug
in, reconfigure your existing email client and are ready to go." ... and still:
the privacy concerned end-user audience is a hard nut to crack, because you
cannot just sell a magic box - people want to know what is inside, but then
they shy away from too much tech.

~~~
GhotiFish
legitimately on both points I might add. If it's a black box, it could be
doing anything, if it's a rats nest, it still could be doing anything.

------
tptacek
How does transmitting an HTTPS link solve email encryption for people who
don't have PGP? The link is sent plaintext. Does the system require users to
register out-of-band somehow? That's how corporate email "encryption" systems
work (the "send an HTTPS link" approach is popular with financial firms).

The underlying approach this system uses --- webmail, but on a special purpose
box the user owns --- is actually sound. It seems like a pretty good
refinement of Mailpile.

On the other hand, they should tone the rhetoric down. I winced at "100%
secure".

~~~
jrnvs
There are several options, ranging from making the link one-time only to
requiring a captcha or password.

From TFA:

> Can you explain in more detail how Private Link Message (PLM) works?

> Private Link Message (PLM) allows you to send and receive messages from
> people who don't use GPG.

> In order to send a message you can send a secret HTTPS link to your
> correspondent. It will look like
> [https://test.nospy.co/n3FVgtFwR2cp839nX6dkQGzGjF38bJ5VwiX86u...](https://test.nospy.co/n3FVgtFwR2cp839nX6dkQGzGjF38bJ5VwiX86uXY8kAD25wLJaDbjfz4.php).

> The link is temporary: once clicked by your correspondent it is too late to
> spy, the link does not work anymore.

> You can also, optionally, set up an expiration date for the link. If your
> correspondent did not access the message before this date, it is too late to
> read.

> The link is filtered by a question. Depending on the level of surveillance you
> think you are in, the question can be a simple captcha to avoid bots, a secret
> question that your correspondent can answer but not the NSA, or a request for
> a password previously exchanged with your correspondent, or no question at
> all.

> Your correspondent will have a web interface to answer your message privately.
> You can also activate a permanent HTTPS interface for anyone to send you a
> message privately at any time.

> In practice a simple captcha will allow you to be safe from mass surveillance,
> since only targeted surveillance can be done by human beings. On top of that
> any spy will be detected, and have his IP address revealed. In our tests, no
> PLM has ever been spied on even with no question at all.
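
The FAQ quoted above describes four mechanisms: an unguessable HTTPS link, a one-time read, an optional expiry date, and an optional gate (captcha, secret question or pre-shared password), plus a log that reveals the IP address of anyone who opens the link. The following is an added illustration of that server-side state machine, written for this thread; it is not Own-Mailbox code, and the class names, the `now` parameter and the outcome strings are assumptions made for the example. Gate answers are stored only as salted PBKDF2 hashes and compared in constant time; every fetch attempt is logged with the caller's IP so the owner can see a wrong-answer or second-reader attempt.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of a one-time "private link" store (not Own-Mailbox code).
# Links are addressed by an unguessable token; each link may carry an expiry
# and an optional gate answer (captcha solution, secret question, or password).
# Every fetch attempt, successful or not, is logged with the caller's IP so the
# owner can see who tried to open a link and when.


@dataclass
class PrivateLink:
    message: str
    expires_at: Optional[float]          # unix time; None means no expiry
    answer_hash: Optional[bytes]         # None means no gate question
    salt: bytes
    consumed: bool = False
    access_log: list = field(default_factory=list)   # (when, client_ip, outcome)


class PrivateLinkStore:
    def __init__(self):
        self._links = {}

    @staticmethod
    def _hash_answer(answer, salt):
        # Store only a salted hash of the gate answer, never the answer itself.
        return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, 100_000)

    def create(self, message, expires_at=None, answer=None):
        """Register a message and return the secret token that addresses it."""
        token = secrets.token_urlsafe(32)       # 256 bits of randomness
        salt = secrets.token_bytes(16)
        answer_hash = self._hash_answer(answer, salt) if answer is not None else None
        self._links[token] = PrivateLink(message, expires_at, answer_hash, salt)
        return token

    def fetch(self, token, client_ip, now, answer=None):
        """Try to read a link. Returns (message_or_None, outcome)."""
        link = self._links.get(token)
        if link is None:
            return None, "unknown"
        if link.consumed:
            outcome = "consumed"             # one-time: a second reader is refused
        elif link.expires_at is not None and now > link.expires_at:
            outcome = "expired"
        elif link.answer_hash is not None and (
            answer is None
            or not hmac.compare_digest(self._hash_answer(answer, link.salt), link.answer_hash)
        ):
            outcome = "wrong-answer"
        else:
            outcome = "ok"
        link.access_log.append((now, client_ip, outcome))   # reveals the reader's IP
        if outcome != "ok":
            return None, outcome
        link.consumed = True
        return link.message, "ok"

    def accesses(self, token):
        """Who tried to open this link, when, and with what result."""
        link = self._links.get(token)
        return list(link.access_log) if link else []


if __name__ == "__main__":
    store = PrivateLinkStore()
    token = store.create("meet at noon", expires_at=2_000.0, answer="otter")
    print(store.fetch(token, "203.0.113.5", 1_000.0, answer="otter"))   # ('meet at noon', 'ok')
    print(store.fetch(token, "198.51.100.9", 1_100.0, answer="otter"))  # (None, 'consumed')
    print(store.accesses(token))
```

The access log is the detection side of the design: a "consumed" entry from an address the owner does not recognise is exactly the signal the FAQ means by a spy having his IP address revealed.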

~~~
tptacek
Except for the option of a secret question (ie: a password), none of these
countermeasures seem useful. The one-time link in particular; an attacker will
collect the email, then spoof a replacement site containing the email to make
the surveillance mostly (or entirely, depending on how well the operator of
this email-in-a-box service configures TLS) transparent.

The idea that a captcha protects anyone from mass surveillance is probably
unworthy of discussion.

~~~
jrnvs
It's certainly not a watertight solution against targeted surveillance, but
why wouldn't it be effective against mass surveillance?

If someone were to open all these one-time links (and manage to fill in the
captchas automatically), people would start to notice very soon when the
intended recipients complain and the Own-Mailbox interface shows that the
email-URLs were opened by some dodgy IP address.

~~~
nitrogen
Mass surveillance can probably be turned into mass MITM. As tptacek said,
intercept mail, alter link to point to attacker-owned server or account, proxy
messages via the original link. An intermediate Rails developer could put it
together with a couple of gems.

~~~
vidarh
However that requires a compromised client, a compromised cert, or a
compromised CA. While all of those are possible, they do substantially raise
the bar in terms of who may have the capabilities.

It's a classic tradeoff in terms of who you care about being secure against
and how badly you want it.

~~~
c22
If the client is compromised then the MITM can be performed on the client
itself. And barring that wouldn't the cert or the CA have to be compromised in
order to intercept the message at all?

~~~
nitrogen
If the original message is delivered via SMTP, it's supposedly fairly easy to
force unencrypted SMTP if you have a MITM. Then you can just rewrite the URL
in the message to a domain for which you have a valid cert, or rewrite it to
use http instead of https and intercept/proxy the http requests.

------
_asciiker_
The reason for SMTP servers being better off in a proper data-center is not
really due to port 25 being blocked at home, it's the entire infrastructure
that assures reliability, so if your power goes out or your home router
decides to die or your ISP is having issues, etc, you would start losing
emails right away.

EDIT: I understand SMTPs are resilient but it also depends on the type of
error they get back, even then it can't be expected that all servers keep
retrying for long periods of time or even handle triple bounces. So you
'could' start losing emails right away, is a better way of saying it.

~~~
jakobegger
Isn't SMTP actually pretty resilient to outages? Typically sending mail
servers will retry for hours (or even days) before giving up when a recipient
server is down.

~~~
bhauer
Yes, it is. Virtually all normal SMTP servers will re-try e-mail delivery
several times spaced over at least several hours before rejecting delivery
with a notification back to the sender.

I have run my own e-mail server for about 17 years, originally from my home
and more recently from a data-center where I have co-located my server.
Admittedly, when I had my mail server at my home, I would suffer outages long
enough to miss e-mails when I needed to do something as severe as work on my
home's electrical panel or move. But generally speaking, a momentary glitch in
network connectivity would not result in lost e-mail. Since moving my server
to a data-center, the only downtime I had was when I needed to replace a disk.

As the above paragraph suggests, I am _strongly_ in favor of people running
their own mail servers and moving away from the presently-popular centralized
Internet, back toward a decentralized model. This device isn't for me, and
probably isn't for several of us here, but it's precisely the kind of thing
I'd like to suggest to other people who would not otherwise be comfortable
running a mail server.

I know a lot of programmers who shiver at the thought of managing their own
servers, and I feel that's a regretful situation for the Internet at large. It
suggests two things: (a) many programmers fear servers, which I don't think is
healthy and (b) insufficient R&D has gone into making infrastructure easier to
manage. After all (a) is a rational fear given the state of the art in many
cases. It can in fact be quite difficult to set up a mail server (although
once set up, most are pretty hands-off). It should be much easier to navigate
through the settings and have a nearly out-of-the-box configuration that is
sane and avoids the most common pitfalls.

Aside: Incidentally, I found that even mainstream ISPs like AT&T will unblock
port 25 if you call them up and explain you are running your own personal mail
server. When I moved to AT&T country, they did exactly that with no questions
asked.

~~~
fche
"Since moving my server to a data-center, the only downtime I had was when I
needed to replace a disk."

By the way, there exist backup MX services - commercial or self-made, which
would give you 100% incoming-mail uptime but without having to move or copy
your server to a data center.

~~~
jlgaddis
Some hosts are doing away with backup MX hosts (including me/work) simply
because a) any sane sender will retry for a period of at least several hours
and b) sending via the backup MX is a common way for spammers to (attempt to)
increase the chances of their mails getting delivered (e.g., due to lack
of/decreased filtering on backup MX hosts).

------
pppp
Many ISPs including my own in the U.S. don't allow running servers from home,
especially SMTP.

~~~
Someone1234
Plus many spam blacklists have blacklisted entire IPv4 ranges as "residential
IPs", meaning that even if your ISP does allow SMTP (which many do not), your
emails may still be blocked as "spam".

Only way around all of this is to pay for a "business" internet connection
(with 500% markup for the same speed, single dedicated IP, and a pretty poor
SLA).

~~~
djrogers
I pay about $20-25 more for my business line than residential service, for the
same speed and 5 dedicated IPs. Yes, it's more, but it's not 500% more....

~~~
njloof
As a bonus, you can actually get 24/7 support!

~~~
timboslice
Unless you have Charter. Charter business support is open 9-5 _facepalm_

EDIT: (this was a few years ago, don't have charter business at the moment)

------
lisper
SC4 is in-browser encryption that works with your current email account:

[https://github.com/Spark-Innovations/SC4](https://github.com/Spark-Innovations/SC4)

It's open-source and audited. Based on TweetNaCl. Feedback very much
appreciated.

~~~
dimino
Does this solve any of the in-browser encryption issues that are outlined in
these links [0][1][2]?

[0] http://tonyarcieri.com/whats-wrong-with-webcrypto

[1] https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/

[2] http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/

~~~
lisper
I would say "avoids" rather than "solves." The issues raised in those posts
are real issues, but they mostly have to do with the question of whether or
not you can trust the server. With SC4, you don't have to trust the server --
or at least you don't have to trust _our_ server. SC4 consists entirely of
static files, so it's trivial to deploy from _any_ server, including your own.
You can even run it from a FILE: URL, though that actually turns out to be
less secure (SC4 takes special precautions in this case). So browser-based
crypto is far from ideal, but it can be better than nothing. In particular, it
can be the 80/20 solution with respect to security versus implementation
effort and deployment hassle.

If you want more details I'm happy to provide them.

------
nadams
A couple of problems as noted already that will make this a show stopper:

> Port 25 is blocked inbound on most residential accounts - preventing you
> from receiving email

> Many SMTP servers are configured to automatically bounce email from
> residential IPs - so sending would be a problem

The point of GPG is to make sure that the only person that can read the
message is the one you sent it to. Having a HTTPS site doesn't prevent the
random person from viewing the link and doesn't verify the user. Now - this
might be interesting if the web app that shows the email has a GPG library in
Javascript requiring the user to have GPG keys.

I think a better scenario is if keys haven't been exchanged - to send an email
with "Alice would like to communicate over secure email - please download and
generate a set of keys" with instructions on what to do. But I have no idea
how not to make it look spammy.

This is just hilarious:

> Why shouldn't I trust and use any cloud email service with JavaScript
> client-side encryption?

> Encryption is done in JavaScript, and therefore relies on browser's
> JavaScript engines, which 80% of the time [1] are proprietary software
> coming from Google, Microsoft, and Apple, most eminent NSA collaborators.

The author does know that Chrome is open source right (well I guess
technically Chromium but I hope it's based on the same code)?

> Why not use a raspberry Pi?

> Mainly because it cannot be trusted enough for this kind of application.
> [...] The Raspberry pi is provided with non-free software and the hardware
> needs non-free driver to work.

I've used Debian Linux on it before and didn't need to install third party
drivers?

~~~
mbrock
"Will make this a showstopper" for whom? You can't imagine anyone having any
use for this device?

You're wrong about how the device uses HTTPS links, as other people have
already pointed out elsewhere.

What's hilarious about the inherent impossibility of secure closed source
software? You "hope" Chrome is "based on" Chromium---what relevance does this
hope have for a factual discussion? And what about Microsoft and Apple? And
the many well-reasoned criticisms of browser-based encryption?

Debian's wiki page about the Raspberry Pi explains about the non-free software
required to even boot the device. You were probably using Raspbian, which is a
Debian derivative that includes the necessary binary blobs.

~~~
nadams
> You can't imagine anyone having any use for this device?

No home users would be able to use this - and that is who they seem to be
targeting their marketing towards.

> What's hilarious about the inherent impossibility of secure closed source
> software?

That you can't get around using closed source software/hardware. You have to
put trust into closed source software at some point - do you drive a car?

> You "hope" Chrome is "based on" Chromium---what relevance does this hope
> have for a factual discussion?

Like I said before - relating to security I hope certain systems like OpenSSL
and CAs are not compromised. I'm a realistic person and I assume they aren't.
Do you check and pin every SSL certificate you come across? How do you know
that you don't have a bad CA certificate in your store right now?

I'm not saying I have irrevocable proof that Chrome's code is a fork of
Chromium - but there are enough indications that suggest this[1]. I'm not
saying you should or shouldn't use Chrome - go use lynx if that makes you feel
better.

> And what about Microsoft and Apple?

What about them? I'm not saying they are perfect - but I'm also not totally
paranoid that I'm going to refuse them on the basis that I can't see their
code.

> And the many well-reasoned criticisms of browser-based encryption?

That's a loaded question if I ever saw one. Web applications like cryptocat
are bad because they send the keys with Javascript. I'm no security expert -
but something like this seems reasonable to me in the context of the use case
of this box [2].

[1] -
[https://code.google.com/p/chromium/wiki/ChromiumBrowserVsGoo...](https://code.google.com/p/chromium/wiki/ChromiumBrowserVsGoogleChrome)

[2] - [https://encrypt.to/](https://encrypt.to/)

------
phaer
* Reliability of one's Internet connection should not be much of an issue, because SMTP servers should retry to deliver a mail for several hours/days. Otherwise a secondary MX could be used as a backup for mails in transit.

* Policies of one's ISP are often a problem for something like this, you likely need a "business connection" for something like this.

* Dynamic DNS could be used for receiving, but you won't have much success in sending mails unless you have reverse DNS working and that requires a static IP as far as I know. Most users will only get a static IP for "business connections".

* I'd be really interested how they combine their usage of GPG with multiple clients. Is there some sort of key management included? How does it work with Webmail/Roundcube? Is the same key used for desktop and mobile phones?
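
The reverse DNS point in the list above is what receiving mail servers actually test: a forward-confirmed reverse DNS (FCrDNS) check looks up the PTR record for the connecting IP, confirms that the returned hostname resolves back to that IP, and compares it with the name the sender presents. The following is an added example written for this thread, not code from Own-Mailbox or any real MTA; the DNS answers are constructed sample data injected as dictionaries so that it runs offline, and the function and outcome names are assumptions. It shows why a dynamic residential address with an ISP-generated PTR fails the check even when the PTR technically resolves, while a static address whose PTR the operator controls passes.

```python
from ipaddress import ip_address

# Hypothetical forward-confirmed reverse DNS check, as a receiving mail server
# would apply it to a connecting client (example code, not a real MTA).
# DNS answers are injected as plain dicts so the check runs offline.


def reverse_name(ip):
    """Name queried for the PTR record of an IPv4 or IPv6 address."""
    return ip_address(ip).reverse_pointer + "."


def fcrdns_check(ip, helo_name, ptr_records, addr_records):
    """Classify a connecting client.

    ptr_records maps PTR query names to the hostnames they return;
    addr_records maps hostnames to their A/AAAA addresses.
    """
    ptr_names = ptr_records.get(reverse_name(ip), [])
    if not ptr_names:
        return "no-ptr"              # the IP has no reverse DNS at all
    client = ip_address(ip)
    confirmed = [
        name for name in ptr_names
        if client in {ip_address(a) for a in addr_records.get(name, [])}
    ]
    if not confirmed:
        return "ptr-unconfirmed"     # PTR names a host that does not point back
    if helo_name.lower().rstrip(".") + "." not in confirmed:
        return "helo-mismatch"       # reverse DNS exists but is an ISP-generated
                                     # name, not the name the sender claims
    return "ok"


# Constructed sample zone data (not real DNS).
PTR_RECORDS = {
    reverse_name("203.0.113.10"): ["mail.example.net."],             # static IP, operator-set PTR
    reverse_name("2001:db8::1"): ["mail.example.net."],
    reverse_name("203.0.113.77"): ["203-0-113-77.dyn.isp.example."],  # ISP-generated PTR
}
ADDR_RECORDS = {
    "mail.example.net.": ["203.0.113.10", "2001:db8::1"],
    "203-0-113-77.dyn.isp.example.": ["203.0.113.77"],
}


if __name__ == "__main__":
    for ip, helo in [("203.0.113.10", "mail.example.net"),
                     ("203.0.113.77", "mail.home.example"),
                     ("203.0.113.200", "mail.home.example")]:
        print(ip, helo, "->", fcrdns_check(ip, helo, PTR_RECORDS, ADDR_RECORDS))
```

A home operator on a dynamic address cannot fix the "helo-mismatch" case from their side, because the PTR record belongs to the ISP's zone; that is the practical reason the thread keeps coming back to static IPs and business connections.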

------
dlapiduz
It would make sense to add HTTPS to your website if you are promoting security
and privacy....

~~~
Touche
Why? The only thing I see on the page that could be compromised is the mailto:
link.

~~~
r1ch
Compromising a page doesn't necessarily have to alter existing content. It
would be easy to add a "Download Preview Build" link pointing to a trojan, add
links to a fake kickstarter, etc.

~~~
giancarlostoro
That sounds like altering existing content by adding new content btw.

~~~
nitrogen
Yes, a MITM can do that.

~~~
jessaustin
And could still do the exact same thing if they had TLS: get the page, add
crap, and serve the result (albeit without TLS).

~~~
3pt14159
You know, I've never really realized that before. It's actually a pretty huge
security hole for average users, no? There should be a way to explicitly
forbid non-encrypted connections on a DNS level.

~~~
lfowles
That's roughly the purpose of HSTS, but you need to have visited the site at
least once first (or in the case of popular sites, HSTS status of a site is
shipped with the browser.)
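
To make the "visited at least once first" caveat concrete, here is an added model of a browser's HSTS cache, written for this thread and not taken from any browser's code; the class and method names, the injected `now` clock and the sample hostnames are assumptions. It implements the two rules that create the first-visit gap (RFC 6797): a Strict-Transport-Security header is only honoured when it arrives over HTTPS, and an http:// URL is upgraded only for hosts already cached or preloaded. The first plain-HTTP visit to an unknown host is therefore never upgraded, which is the window the stripping attack discussed in this subthread relies on.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical model of a browser's HSTS cache (not any real browser's code).
# It implements the two rules that matter for the "visited once first" caveat:
# the Strict-Transport-Security header is only honoured when it arrives over
# HTTPS, and an http:// URL is upgraded only for hosts already in the cache.


class HstsCache:
    def __init__(self, preload=()):
        # host -> (expires_at, include_subdomains); preloaded hosts never expire,
        # which is how browsers ship HSTS state for popular sites.
        self._entries = {h.lower(): (float("inf"), True) for h in preload}

    @staticmethod
    def parse_header(value):
        """Parse a Strict-Transport-Security value; None if it is invalid."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                val = val.strip().strip('"')
                if not val.isdigit():
                    return None
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:          # max-age is mandatory (RFC 6797 section 6.1)
            return None
        return max_age, include_sub

    def observe(self, url, header_value, now):
        """Record the header from a response to `url`; True if it was applied."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False             # header over plain HTTP is ignored, so a
                                     # first http:// visit cannot be protected
        parsed = self.parse_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self._entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, is cached and unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now > expires_at:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// for known hosts; other URLs are unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname, now):
            return url
        # An explicit port 80 becomes the https default; any other port is kept.
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache(preload=["example.org"])
    print(cache.rewrite("http://own-mailbox.test/", 100))        # unchanged: never visited
    cache.observe("https://own-mailbox.test/", "max-age=300; includeSubDomains", 100)
    print(cache.rewrite("http://own-mailbox.test/faq", 200))     # https://own-mailbox.test/faq
```

The preload list closes the gap for hosts on it; for everything else, serving the site over HTTPS with a long max-age and includeSubDomains is what turns the second and later visits into upgraded ones.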

~~~
schoen
People who are encountering this for the first time might want to look at

[http://www.thoughtcrime.org/software/sslstrip/](http://www.thoughtcrime.org/software/sslstrip/)

for some of the motivation!

------
skrowl
This sounds pretty neat, until it breaks and you lose all of your email
because it has no offsite backup.

~~~
inglor
From the front page: "Optional P2P backup, so even if your Own-Mailbox is
offline temporarily you don't lose any email from your self-hosted addresses
as long as you maintain 70% up ratio." and "16GB storage, possibility to
extend memory or do backup via USB drive/HDD."

So really, it has both off and on site backup.

~~~
djrogers
That sounds more like an MTA availability backup, not a data backup
solution...

~~~
timboslice
I'm also wondering how the P2P backup works exactly?

As an example, if it comes with 16GB storage and my mailbox is 10GB, does that
mean other people's boxes would contain the full 10GB dump or just
pieces/blocks a la bittorrent?

------
h4waii
While I understand the team behind this is French, the broken English and bad
capitalization are haunting.

"rasberry Pi"

"Plug at your home"

"Through a webmail"

"Plug it in mini-usb to your computer"

"Will I get a root access"

Why not have somebody with English as their first language give it a look
before making it public?

~~~
jpkeisala
Be a sport and send them your suggestions. There was an email address in the
contact section. :)

~~~
laurent123456
To be fair the whole FAQ would need some work. I'm always surprised people
spent days or months putting together this kind of project, but wouldn't take
an hour or two for proper copywriting. The project being open source, I'm sure
they could even find someone to do it for free.

~~~
vacri
Documentation is difficult, and most people hate doing it. There's a lack of
people who want to do documentation in opensourceland, and when someone does
want to do docs, they _also_ have to really understand the product, or have a
senior dev work with them. Copywriting is easy for people who can write copy,
but it's difficult for most people.

------
darkhorn
What if the device is confiscated by police? At least Gmail doesn't give your
data to non-USA countries when you swear to your government.

~~~
groupmonoid
Are you sure about that?
[https://www.google.com/transparencyreport/userdatarequests/c...](https://www.google.com/transparencyreport/userdatarequests/countries/)

~~~
darkhorn
It says 0% for Turkey and no data for Bulgaria. Better than the USA.

------
dfar1
Its main feature is security, which is great for paranoid people. But what
happens when you are miles away from home and your internet connections to the
server goes down? How are you going to check your e-mail?

~~~
nvr219
You'd probably not use this for everyday email and just for specific
communication that must be kept secure.

~~~
TylerE
So why not just use regular email + actual encryption?

------
zekevermillion
If you're concerned about privacy, it seems the best method is still to
cut-and-paste encrypted envelope into regular mail client to avoid possible
vulnerabilities, both physical and software. The obvious problem with a
self-hosted server that you order from a company is that it can be intercepted or
otherwise compromised before it arrives at your home. Thus it is potentially
even more vulnerable than just pasting GPG encrypted message directly into
gmail client.

------
antrover
100% confidential? Nothing is 100% confidential if it's connected to the
Internet.

------
junto
> What about SSL certificates and authorities for HTTPS?

> Each Own-Mailbox will generate automatically its SSL key at first setup, and
> send to us the public part.

> Letsencrypt Certification Authority will be used, it is free and very easy
> to set up, and it will be handled automatically by your Own-Mailbox. Every
> Own-Mailbox will automatically ask for certification for its key independently
> from us.

Interesting idea.

------
amelius
Are we going to buy physical devices now, for all the things we used to do in
pure software? How many devices will we end up with?

~~~
awhe
What do you mean? It sounds like you see a trend of unnecessary hardware
products. Which other physical devices are replacing "pure software"?

And isn't having a physical device (storage) particularly important in this
instance, for the purpose of securing your emails?

------
padm
Regarding hardware-assisted self hosting, there is
[http://internetcu.be](http://internetcu.be) which, among other things, does
email (and bypasses ISPs restrictions by bundling the "box" with a VPN and
providing static IPv4 and 6 addresses to each user).

It's some sort of "freedombox" [0] come true. It works out of the box, in a
plug and play fashion (and it's based on free hardware [1] and free software
[2]).

[0]
[https://en.wikipedia.org/wiki/FreedomBox](https://en.wikipedia.org/wiki/FreedomBox)

[1]
[https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXino-...](https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXino-LIME/open-source-hardware)

[2] Debian, [https://yunohost.org](https://yunohost.org) ,...

------
Tloewald
The funny thing that most people who obsess over encryption forget is that
using tough encryption attracts attention, and all the encryption in the world
won't save you from simple workarounds
([https://xkcd.com/538/](https://xkcd.com/538/)) and ordinary surveillance.

The solution for all of us is to make ordinary communication more expensive to
break into rather than to go out on a limb with attention-getting
extraordinary measures.

I'd also have to say -- no offense intended -- that what I take to be a
central European accented voice-over advocating using a new security product
to avoid NSA surveillance doesn't fill me with confidence. I'm pretty sure the
NSA is at least well-intentioned.

I'd suggest your best pitch accent would be Scandinavian or perhaps Australian
(not that the Australian government isn't horrible, but it's pretty harmless).

~~~
jdimov9
Can you clarify your "central European" remark? It comes off a bit
offensive...

And while you're at it, can you explain how exactly you imagine making
ordinary communication more expensive?

Last but not least, where in the world did you get the idea that the NSA is
well-intentioned?

~~~
Tloewald
I did not mean to offend, and apologize if offense was taken. I don't know
where the accent comes from and it's certainly not anyone's fault how they
speak English (and kudos for speaking English since I suck at languages). The
fact is, it seemed central (or eastern) European to me, and if I were trying
to sell (say) Americans or western Europeans on privacy products, anything
suggesting the former eastern bloc would not fill me with confidence. Make of
that what you will.

I refer to making ordinary communication more expensive _to break into_.
(Security is a _relative_ term; you simply make things more expensive than
who-ever it is surveilling you cares to pay. Good encryption is more expensive
to break than weak encryption which in turn beats no encryption.)

"The National Security Agency/Central Security Service (NSA/CSS) leads the
U.S. Government in cryptology that encompasses both Signals Intelligence
(SIGINT) and Information Assurance (IA) products and services, and enables
Computer Network Operations (CNO) in order to gain a decision advantage for
the Nation and our allies under all circumstances."

Have you got any information to suggest this is not what the NSA tries to do?

Michael Hayden's perjury in front of congress aside, I don't think people at
the NSA go to work, rubbing their hands together and evilly cackling about all
the civil liberties they're going to violate. Indeed, can you nominate anyone
who has actually been _harmed_ by NSA surveillance? To the extent it works, we
probably won't know about it for decades. Maybe never -- there are aspects of
WWII Sigint and cryptography that are still undisclosed.

Now, if you don't like the US and its allies (and there are plenty of reasons
not to, I won't deny that), sure -- that might tick you off. But it's not like
every other country doesn't act in its own self-interest. I believe that the
people in the NSA are attempting to honestly pursue its aims -- they may
differ on their opinions as to how best to do this.

~~~
programmernews3
The point was to show where you get the idea that it is well-intentioned. Citing
a text, probably from the nsa.gov website, is no argument for showing the NSA
is well-intentioned. Besides that, your citation shows in my opinion that the
NSA is not well-intentioned because it uses terms like "under all
circumstances". Do you think that somebody who tells you he would do SIGINT
under all circumstances is well-intentioned?

"Indeed, can you nominate anyone who has actually been harmed by NSA
surveillance?"

In the end we are all harmed by NSA surveillance or surveillance by other
secret services, because we have to waste our lifetime to protect our rights.

Concrete individual examples are the German chancellor and French presidents.
The people of the country are indirectly affected by such operations because
it attacks the integrity of the state.

But I emphasize that we should not look on the people on the top of the state
but on the common population. We are the victims of spying. Using the Internet
is for most people a tool to develop their personality. If your process of
developing your personality is under enduring surveillance (and you know it),
it is no free development of your personality. And we have a right to develop
our personality freely.

Besides individual effects, surveillance has social effects like the chilling
effect, which is subverting freedom.

It's not only about surveillance but also about other operations like PSYOPS,
which has the aim to manipulate the public. Of course it's bullshit to think
it is well-intentioned because there is no legitimate reason to take such
influence on the public opinion.

Here is information about PSYOPS programs:
[http://boingboing.net/2014/02/25/nsa-and-gchqs-dirty-trickin...](http://boingboing.net/2014/02/25/nsa-and-gchqs-dirty-tricking.html)

We are also indirectly harmed because they are attacking protest groups which
we support.

What do you want to tell? That the NSA doesn't kill anybody? Aside from the
fact that the NSA's collected data is used for killing people without court
proceedings: Why should rogue powers kill people if they can reach their goals
with other (harmful) means?

~~~
Tloewald
I think you are being naive. All governments spy. Governments that don't spy
are doing a disservice to their citizens. And it is the job of spies to push
the envelope.

It would be nice to live in the land of milk and honey in an anarcho-
syndicalist commune, but in the mean time we have to be real.

Nothing Edward Snowden revealed should have surprised anyone on this forum.
Nor should the fact that everyone else is doing the same kind of thing
(indeed, usually with fewer protections for private citizens). The damage to
U.S. largely comes from the idiotic belief that the U.S. is somehow
exceptional in gathering intelligence by whatever means it can. We can argue
at the margins about, say, whether cell phone metadata should be held by the
provider or the government, but not tracking this stuff is actually
impractical so it comes down to whom do you trust more: Verizon or the U.S.
Government?

While it's good that Edward Snowden catalyzed awareness and debate over
privacy issues, all the "damage" to (for example) US business interests is
from the publicizing of NSA actions and not the actions themselves. It's not
like Russia (where Snowden now resides) is in any way more transparent or less
invasive than the U.S.

~~~
programmernews3
Firstly let us conclude that you accept that your assumption that the NSA is
well-intentioned was proven wrong.

Secondly I want to tackle your straw man arguments. I think almost no one is
doubting that (in general) all governments spy and Russia is more transparent
or less invasive than the U.S.

Besides that I want to tackle your thought that no one should have been
surprised by the Snowden revelations. Surely some details should have surprised
people. Of course everybody knew that secret services are spying and
compromise infrastructures in the Internet. The surprising part in my opinion
is the _extent_, and we have more or less detailed evidence. We are not talking
about the fact that a secret agency is spying, hacking, disrupting or not, but
about the quality (and quantity) in which ways and by which means the agency is
working. Not only that, we are also talking about the factual goals of such
agencies and whether this whole thing makes sense regarding the costs and
benefits.

In my opinion you're relativizing the actions of the NSA by saying: "Hey,
everyone is doing the same!". Just because all secret services are spying
(doing the same in an abstract way) doesn't mean there are few agencies which
are actually exceptional in gathering intelligence. I'm talking about quality
and quantity again.

The NSA is one of the most powerful secret services. That's a fact. It has
probably the biggest budget, the most employees and the most resources in
contrast to the vast majority of other secret services.

So it's not about margins, whether cell phone metadata should be held by the
provider or the government. This is just a distraction from more important
questions like what's the point of such an organization and do we really need
it to spend billions of dollars for... For what actually?

Last but not least: Is this really your argument, that the publishing of the
Snowden docs, which enlightened the people (who should be the real
sovereign), damaged US interests? What's your point? That the people should
have remained dumb about the actions of their agencies, which are actually
legitimated by their power?

~~~
Tloewald
> Surely some details should have surprised people.

Of course. I'm actually surprised they were (a) only collecting metadata, and
(b) restricted themselves from collecting metadata on purely domestic calls,
and (c) that they actually had judicial oversight, even if it acted as a
rubber stamp.

E.g. there's far less concern about the fact that targeted drone strikes and
special forces assassinations (which clearly cause people harm) seem to occur
with far less oversight.

Don't assume I agree with all your assertions. You certainly haven't proven
anything. E.g. even if we accept that NSA spying on foreign leaders was
harmful to them, how does it make the NSA evil? I simply argue that the NSA is
basically well-intentioned.

Here's my argument in a nutshell so you can "prove" me wrong more easily
rather than flailing around with random "facts":

The NSA means well.

> more important questions like what's the point of such organization and do
> we really need it to spent billions of dollars for... For what actually?

Um, they spy on people. And they're really, really good at it. If you think we
shouldn't spy on people then that's fascinating, but don't pretend you don't
understand this simple point.

~~~
programmernews3
>> Surely some details should have surprised people.

> Of course.

Contradiction. Either it should have surprised people or not. Now what?

(a) seems also a contradiction to me. On the one hand, you're saying they
spy on people and are really good at it, and on the other hand you say you're
surprised they were only collecting metadata. Is your definition of spying
that no content is collected? However, the claim that the NSA is only
collecting metadata is wrong. The PRISM program is one example that shows that
not only metadata are affected. The latest non-Snowden revelations concerning
French presidents clearly show it's not only about collecting metadata. This
is a direct disproof of your claim, assuming that you do not deny the
validity of the revelations. Are you denying the validity?

Regarding (b): Isn't the NSA a foreign intelligence agency? So you assumed,
although it's a foreign intelligence agency, that it is collecting domestic
data+metadata?

What's the surprising part of (c)?

> E.g. there's far less concern about the fact that targeted drone strikes and
> special forces assassinations (which clearly cause people harm) seem to
> occur with far less oversight.

Sorry, don't get it.

> Don't assume I agree with all your assertions.

So with some assertions you do agree?

> You certainly haven't proven anything. E.g. even if we accept that NSA
> spying on foreign leaders was harmful to them, how does it make the NSA
> evil? I simply argue that the NSA is basically well-intentioned.

You can't prove the intention of someone. But you can prove what someone does
or did. I showed you that the NSA is not only involved in spying, but also
involved in PSYOPS, which try to influence the public opinion. Again: One
agency decides to spread misinformation to destroy reputation of people or to
manipulate online discourse. Are such actions covered by your understanding of
freedom and democracy?

> E.g. even if we accept that NSA spying on foreign leaders was harmful to
> them, how does it make the NSA evil?

I argued before that it is affecting the integrity of the state. In my opinion
(I'm no lawyer) it also violates the right of sovereignty of a state. Breaking
rights is bad. I think it's better not to use religious categories like good
and evil, but rather good or bad. Just because a person is a state leader
doesn't mean she has no right to freedom, which would legitimate surveilling
her. But this is no reason that state leaders have to expect spying from other
countries.

Since I'm not talking about spying on foreign leaders, but spying on nearly
everyone, it is bad because it destroys the fundamental freedom and democratic
rights of people. If you're not convinced of freedom and democracy there is no
reason for you to discuss. In this case it would be well-intentioned for you
if your country is illegally attacking another country, just because your
country is telling you it is a defensive measure and in the interest of the
country.

Just in case you understand me wrong: Believing in freedom and democracy does
not mean inevitably that you do not know there are rogues out there who give a
fuck about laws, freedom and democracy.

> I simply argue that the NSA is basically well-intentioned.

What do you mean by "basically"? Are there cases where the NSA is not
well-intentioned for you?

> Um, they spy on people. And they're really, really good at it. If you think
> we shouldn't spy on people then that's fascinating, but don't pretend you
> don't understand this simple point.

Firstly, I don't know what your problem is with perceiving that there are other
operations which have nothing to do with spying, such as PSYOPS. Or are PSYOPS
also spy operations for you? Secondly, spying is not an answer to the question.
Spying is a means. What's the end of this means? Fighting terrorists?

> And they're really, really good at it.

At least they were not good at preventing leaks.

> If you think we shouldn't spy on people then that's fascinating, but don't
> pretend you don't understand this simple point.

Great that you're fascinated and you know the truth of a simple point. Tell me
more about your "simple point".

Maybe I am all wrong. Maybe the NSA is an exceptional secret service, which
differs from the SIGINT departments of services like the Stasi, Mossad or
Soviet/Russian agencies, which weren't/aren't well-intentioned. The
revelations showed me the opposite. Maybe you can explain why you are
convinced that the NSA is well-intentioned and why it's not naive to believe
it? I'm open for knowledge.

------
biturd
How are they going to receive mail? All blocks of IPs from any provider are
blocked, usually huge blocks, larger than /24 often. No one is getting to any
Comcast users; they, as do many others, publish lists of their IP ranges so you
can block them in your server or use an RBL.

~~~
upofadown
From the FAQ:

> If your ISP provider is filtering email port 25 going out you will have to
> use an SMTP relay. If it blocks port 25 coming in you won't be able to have a
> self-hosted email address. Note that in both cases it won't prevent you from
> having a fully confidential email address, and that these blockages will be
> automatically detected and your Own-Mailbox will only propose configurations
> that will work.

So from that I think that it can use the ISPs email server.

~~~
biturd
So basically, once you add the relay, you have made the device's most
compelling feature no longer a feature.

~~~
upofadown
The compelling feature is secure webmail. It makes no difference how that mail
gets from sender to recipient for that aspect.

------
kolme
I thought Posteo [1] is already 100% confidential? Please someone correct me
if I'm wrong.

[https://posteo.de/en/site/privacy_policy](https://posteo.de/en/site/privacy_policy)

~~~
lixardz
"We point out that it is possible, purely from a technical perspective, for us
to see your emails, address book and calendar data, if you have not encrypted
them." It would be illegal for them to view your email because of German law,
but from a technical standpoint it is possible. This other device is a
pre-configured mail server at your home that stores all your mail. The two
things are quite different. And this one, I think, if the software is open
source, would be more secure.

------
chinathrow
I see a small market for this: bundled with verifiable co-location space.

At home, it's simply not going to work unless they also offer a VPN service
for the ports in use. SMTP on an eyeball provider IP is simply dead these
days.

------
tiatia
Wow. I suggested this once (maybe even on HN):

Meta-data are also problematic. We are working on a solution for that, but it
won't be included directly in our first version.

It will probably come for free with updates. Our idea is that for every email
you send, your box randomly sends ten encrypted fake emails, at random
moments, to ten random addresses. The recipient's server automatically sees
that it is a fake email when it decrypts it, and automatically drops it.

------
tinco
I've been working on this exact idea on and off for almost a year now. Very
cool to see someone else working on it, they've some nice solutions for hard
problems too.

I don't really like the choice for RoundCube, but without decent funding or a
couple of expert web developers they'll be hard pressed to build something
better.

Also nice to hear they're also from Europe, it goes to show the U.S.
surveillance worries are very much alive here.

------
tarikjn
This only addresses the issue of government surveillance of email through
service provider backdoors. Since this would as well require auto software
updates to be as user friendly as the video advertises, you might as well give
up the same amount of security for a service that is hosted in a
liberty-friendly nation and not have to deal with SMTP flagging and home power
issues.

------
someITguyWI
I run my own mail server even though my ISP blocks port 25 OUTBOUND. I use
DynDNS's mail relay service. Only costs about $20/yr. I never have a
problem being flagged as spam or anything else. I can receive mail on port 25
INBOUND with no issues. I set my MX RR to my home IP and add a secondary to a
dynamic address, also through DynDNS. Works great!

------
Tepix
If you want to set up something like this on your own hardware (not just
email, also owncloud, jabber, etc), check out sovereign
[https://github.com/sovereign/sovereign](https://github.com/sovereign/sovereign)

------
fallat
I, like everyone else in this thread, wanted to run an SMTP server from home,
only to realize port 25 was blocked.

Now I rent a VPS from DigitalOcean, and availability is like 99.999% and run
SMTP and other daemons no problem. I love it.

So go out there and find some cheap VPSs people! :)

------
mdevere
Newsletter subscription not working: "conection à la base de donnée
impossible"

------
vetras
I don't see anybody mentioning this anywhere. Why isn't there a wi-fi
connection option?

I'm aware of the security issues with low or none wifi secure networks, but
most folks (myself included) never have a cable around.

------
z3t4
The S in SMTP is a bit ironic. It's very hard to run SMTP nowadays.

~~~
jlgaddis
You're correct, of course, but the "Simple" in SMTP is describing the
"Protocol" (though I suspect you know that).

------
xyclos
This looks like a great project. One thing I noticed about the website: There
doesn't seem to be a way to dismiss the video overlay. I had to refresh the
page.

------
lsiebert
I want to know if the code will be available for auditing.

Also, if these devices can be blocked by spam blocklists, then there should be
some way to use a vpn to handle this.

~~~
r0naa
I agree with you, I am not going to outsource management of sensitive data to
a third party just because they say that they are "100% confidential".

You can't trust anyone until they actually show you proof that they are:

- Trustworthy
- Safe.

Both conditions require complete transparency on their infrastructure,
protocols and first and foremost data retention policy.

~~~
jlgaddis
> _"100% confidential"_

They are also "100% secure". Nobody has ever claimed that and been wrong
before! /sarcasm.

------
sp332
How do you deal with key management? Specifically, what do you do if someone
doesn't remember their passphrase or loses their private key entirely?

~~~
rogeryu
You start over! Everything is gone, so what else can you do?! No joking, this
is a serious issue.

~~~
sp332
I know that's how PGP usually works, unless you have a backup somewhere. It's
the #1 reason I don't promote using it very much. I was hoping this team had
thought about improving that part of the user experience.

~~~
bkeroack
"Key escrow". The FBI/NSA were pushing for it way back in the mid 90s.

~~~
sp332
I'm not saying you have to give the key to anyone you don't trust. Just set up
a system where it's easy to recover the key with the help of someone you do
trust.

Also, I might have the wrong term. I was thinking of dividing the key into
multiple messages, say in a 2-of-3 system or something. Not just handing
control of your account to a 3rd party.
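The 2-of-3 split sp332 is describing matches Shamir's secret sharing; the following is an added example, not code from the thread or from Own-Mailbox, that splits a key-wrapping secret (assumed here to be the 32-byte secret protecting the PGP private key, since a full keyring is too large for one field element) into three shares so that any two trusted people can help recover it while a single share reveals nothing.

```python
import secrets

# Field modulus: the Mersenne prime 2^521 - 1, large enough to hold a
# 32-byte key-wrapping secret or passphrase as a single field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) mod PRIME using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_shares):
    """Split an integer secret into n_shares points (x, y) on a random
    polynomial of degree threshold-1 whose constant term is the secret.
    Any `threshold` points reconstruct it; fewer reveal nothing about it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(points):
    """Lagrange-interpolate the polynomial through `points` and evaluate it
    at x=0. The caller must supply at least `threshold` distinct shares; with
    fewer, the result is a uniformly random field element, not an error."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def key_to_shares(key, threshold, n_shares):
    """Split a byte-string secret (a key-wrapping key or passphrase)."""
    return split_secret(int.from_bytes(key, "big"), threshold, n_shares)


def shares_to_key(points, key_len):
    """Reassemble the byte-string secret from enough shares."""
    return recover_secret(points).to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed sample: a 32-byte key-wrapping key standing in for the
    # secret that protects the PGP private key (hypothetical, not a real key).
    kek = secrets.token_bytes(32)
    shares = key_to_shares(kek, 2, 3)  # one share each for three trusted people
    assert shares_to_key(shares[:2], 32) == kek           # any two recover it
    assert shares_to_key([shares[0], shares[2]], 32) == kek
    print("2-of-3 recovery OK")
```

Shares are only as safe as their holders' storage, so each one should be kept encrypted or offline; losing two of three shares leaves the secret unrecoverable, which is the trade-off against the single point of failure sp332 describes.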

------
nblavoie
Getting the error "conection à la base de donnée impossible" which is
misspelled. Connection should be written "connexion".

------
fgtx
I'm getting the error message "conection à la base de donnée impossible" when
I try to subscribe to your page.

------
rbcgerard
literally no one I know uses public key encryption - so now everyone needs to
click on a link to read an email from me? Don't get me wrong, I think this is a
cool idea, but it still doesn't address the core problem with all of the
encrypted email services/clients/etc., user adoption...

------
jagermo
Good luck. Kinko.me tried the same approach and sadly, there wasn't enough
interest to fund it.

------
based2
src: [https://linuxfr.org/news/own-mailbox-la-boite-mail-confident...](https://linuxfr.org/news/own-mailbox-la-boite-mail-confidentielle-qui-vous-appartient-vraiment)

------
tertius
Can we stop saying "from anywhere in the world." It's not 1994 anymore.

~~~
bx_
I think exactly the same when I read this.

------
kpcyrd
> The Own-Mailbox sends a HTTPS link to your correspondent, so that he can
> access the message in encrypted form. He can answer you using HTTPS
> protection.

So anybody who can read the unencrypted mail containing the link can access
and read the real mail?

~~~
daenney
Is reading a FAQ really that much to ask nowadays?

> The link is filtered by a question. Depending on the level of surveillance
> you think you are in, the question can be a simple captcha to avoid bots, a
> secret question that your correspondent can answer but not the NSA, or a
> request for a password previously exchanged with your correspondent, or no
> question at all.

> Your correspondent will have a web interface to answer your message
> privately. You can also activate a permanent HTTPS interface for anyone to
> send you a message privately at any time.

~~~
vehementi
When you're rushing to post snarky comments for internet points, reading past
the first 10% of the page can severely hinder your speed!

------
bechampion
Now i will keep hearing that music when i write emails.

------
brian_smith
This seems a lot like Looking Glass just without Tor.

------
exadeci
"You've allready Subscribed"

You might want to fix that

------
wgx
The newsletter signup form is broken :(

------
OceanPowers
A networked computer can never be confidential. Period. Full stop.

~~~
upofadown
What distinction are you trying to make here? Any system for secure
communications will eventually have to connect to some sort of communications
network. Are you saying that secure communications with computers is simply
impossible?

------
silverdream
No thanks...

------
hiimnate
> USB

Absolutely useless

------
itistoday2
Anything relying on HTTPS is not "100% confidential".
