
Webmail and Open Source - bpierre
https://blog.whiteout.io/2014/10/17/webmail-and-open-source/
======
lemcoe9
I generally stay away from companies that advertise their jobs using titles
like "JavaScript Junkie," "CSS Craftsman," "UI/UX Ubermensch," "Crypto Crack,"
and "DevOps Demigod."

Really?

~~~
lucaspiller
If they use that language for their job listings I'd assume their company
culture has a similar "bro" feel to it. It works both ways, you can take it as
a warning that you won't like it and only "bro" people will apply :-)

Edit: Just to be clear, I also agree it's a bit over the top.

------
quadrangle
I didn't look into this in detail, but I think the best system is on its way
independently via [https://www.mailpile.is/](https://www.mailpile.is/)

~~~
codexon
Is it just me or is the mailpile demo very slow?

------
tuneladora
FYI, [https://mail.whiteout.io/](https://mail.whiteout.io/) is returning a 503
error at the moment.

------
comex
Pretty weird that their homepage shows a screenshot of an iPad (only), while
the Product page indicates that iOS isn't actually supported yet.

~~~
dmix
I have a feeling you're just disappointed you can't poke into the code yet? :p

------
JetSpiegel
> The cool thing is that the IMAP/SMTP logic is still implemented completely
> in js on the client.

What's the point then? Why not just use Thunderbird/K9Mail/dunno what's the
Apple equivalent?

------
dugmartin
These same folks have also put a pretty nice set of open source mail libraries
here: [http://emailjs.org/](http://emailjs.org/)

------
hippich
For people interested in this - make sure to checkout out
[https://github.com/al3x/sovereign](https://github.com/al3x/sovereign)

I find it extremely easy to use. And it should be quite secure.

------
_asciiker_
"Whiteout Mail is the first email solution with end-to-end encryption based on
open standards"

\- Is this different than using something like Roundcube over HTTPS ?

~~~
ushi
Roundcube isn't shipped with PGP support. Their are some plugins though...

See:
[http://trac.roundcube.net/wiki/Dev_Encryption](http://trac.roundcube.net/wiki/Dev_Encryption)

------
mcav
We're using their EmailJS libraries for Firefox OS, and they've worked quite
well so far.

~~~
mike-cardwell
Any chance for PGP support on Firefox OS's email client? That's the only thing
stopping me moving from Android atm.

------
x1798DE
I'm a little disturbed by the thing about inbound e-mails being encrypted.
That's a "won't read your mail" not a "can't read your mail" solution. If I'm
counting on you to encrypt it before it reaches me, I'm basically counting on
you not to read it anyway, so it's just an inconvenience to me to have to
decrypt the PGP key. Such worthless solutions shouldn't be offered.

~~~
TheDong
It is not worthless.

It might be misadvertised, but there is value in encrypting data at rest even
if it's not encrypted in transit. The main benefit, of course, is forward
secrecy.

If the government would like to read ed's email and he's using this
technology, they can tap the wire or demand the mail host save an unencrypted
copy. However, the government cannot read ed's past emails because they're
encrypted.

Without this, anyone who compromises the server or takes out a warrant can get
all past and future emails, not only all future emails.

If you want a better solution, simply have everyone who emails you gpg encrypt
their messages. If your contacts aren't encrypting your messages there's
little an email provider can do other than receive plaintext messages and, in
rare cases like this one, encrypt them at rest.

~~~
mike-cardwell
Also, if somebody manages to get access to your email client, they can't just
issue email based password resets to get access to all of your other accounts,
because they wont be able to read the confirmation emails without your PGP
key.

~~~
x1798DE
I'm not really sure what attack you are envisioning here. If they have access
to your e-mail client, they should be able to just lift your account
credentials, allowing them to add a new PGP key to the key ring, then issue
all the password resets and, if you want, change the PGP key back.

~~~
mike-cardwell
Not sure why you think "knows username and password to access email" has to
mean "has permission to change the PGP key assigned to the account"

