Hacker News new | past | comments | ask | show | jobs | submit login
Skiff: Various Privacy Failures (grepular.com)
60 points by uselpa on Jan 14, 2024 | hide | past | favorite | 27 comments



I see Skiff also advertises itself as "end-to-end" encrypted. This is the same misleading advertising as ProtonMail is guilty of. Traditional email cannot be E2E encrypted because of protocol limitations. You can technically achieve E2E encryption if using PGP, but if the private keys are not in your control then it is effectively pointless.

ProtonMail can only guarantee E2E encryption without PGP if you are sending email to another ProtonMail user. I don't know if Skiff also offers this special kind of encryption. Either way, they should be more upfront about the level of privacy they can offer.

I had a read of Skiff's page on E2EE. It is very carefully worded and, from a skim read, is not upfront about the fact that un-PGP'd email sent and received through Skiff can be read by Skiff.

https://skiff.com/blog/end-to-end-encryption-email

Oh, one more thing. Skiff's SMTP server (inbound-smtp.skiff.com) is running on AWS in the United States which means it will be beholden to US warrants. Skiff does not have a warrant canary. Getting big Crypto AG vibes from this.


The product page is clearer (https://skiff.com/mail):

> All emails between Skiff users are end-to-end encrypted, including both subject and contents. External mail is encrypted with your keys on receipt, keeping it private.


That is however, quite specifically, not end-to-end encryption. The whole entire point of end-to-end encryption is that no intermediary gets to see the unencrypted content.


Regarding Proton Mail's encryption: Proton's servers don't hold your private key directly — it is generated client-side and stored encrypted with your password. You can also import your own keys: https://proton.me/support/pgp-key-management. That way, you can stay in full control of your keys.

Additionally, Proton Mail uses OpenPGP internally, so Proton-to-Proton messages are always protected by PGP. Even for external messages, contacts don't necessarily have to set up PGP encryption manually; the email client can do so, enabling the use of end-to-end encryption between different providers with minimal hassle.


Great read, I have seen this myself in the last 4-5 years with services surfing on the privacy wave - I mean, not just email, but also cloud drive. My conclusion, even regarding established privacy-focused email providers, is that it’s not worth the hassle, really. I use trusted and reliable email providers (according to me), and I just don’t use email for anything sensitive. That’s just right for me.

I know some people do need more privacy and/or security. But a lot of people think they need the same but really, they don’t.


Forward Email team here (https://forwardemail.net), we have a write-up and comparison @ https://forwardemail.net/en/blog/docs/best-quantum-safe-encr...

We've considered adding a E2EE comparison column as well (with the issues such as Proton rewriting your emails @ http://jfloren.net/b/2023/7/7/0 highlighted).

Privacy Guides Discussion @ https://discuss.privacyguides.net/t/forward-email-email-prov...

Unlike Skiff, Proton, and Tuta... we're _actually_ 100% open-source. Those providers that advertise as open-source really only open-source the front-end, when the back-end is the most sensitive part of an email service.


This is really nice, but the blog does not address the weakest link in the chain: what if you receive a warrant from the US government? The SMTP server would be able to collect inbound/outbound emails in plaintext.


@cedws I think one of us might be confused with the context here (?) TLS is just a form of encryption to establish socket connections. Please thoroughly read through our article and our source code.

A PGP encrypted email doesn't get "decrypted" when it's being transferred. That's the whole purpose of PGP encryption, to encrypt it before it even gets transferred or stored, which is what we do. If you set up a PGP key, use WKD, then your emails will be stored as encrypted (not only is your database encrypted with your password, but the emails themselves can be PGP encrypted this way), and any sender attempting to send to you will automatically have their message PGP encrypted to you, if it is not already (in case their mail client doesn't use WKD).


I think there is a miscommunication. I am not talking about PGP encrypted emails - sure, those can be decrypted client side. Plaintext emails, as the majority of emails are, will be received by your server in plaintext, minus transport encryption. How can you guarantee those will not be intercepted by authorities?


We use MTA-STS (for inbound AND outbound) with our mode set to enforce[1], to require senders to communicate with us only using TLS encrypted sockets. There is no legal precedence currently requiring software services to implement backdoors.

[1]: https://github.com/forwardemail/mta-sts.forwardemail.net/blo...


Sorry but does that actually address cedws' question about subpoena?


Our policies for law enforcement are publicly available at https://forwardemail.net/en/report-abuse#for-law-enforcement

Also - you should note that we largely operate in-memory and don't store to disk any information or logs (unless essential, e.g. IMAP storage, or if they are error logs). We have all of this in our privacy policy and terms on our website. We are extremely transparent.


Memory can still be observed. Encrypted content in memory cannot.


That is not true. You can upload a PGP key and all your email written to SQLite (IMAP/POP3) will be stored with your PGP key. Not plain text. SMTP is for outbound, IMAP/POP3 is for inbound.

https://forwardemail.net/en/faq#do-you-support-openpgpmime-e...


Here is the actual code in the back-end where we use your PGP public key:

Source code for PGP encryption for storage when you're connected (we only use your password in-memory, and never write it to disk on our side) @ https://github.com/forwardemail/forwardemail.net/blob/562a52...

Outbound email automatically checks for PGP key in case you didn't include the recipients (we use WKD): https://github.com/forwardemail/forwardemail.net/blob/562a52...

Your individual mailbox is a SQLite database file and is encrypted using ChaCha20-Poly1305 as well (using your password, which only you have access to; we only use it in-memory and don't write it to disk).


Right, but inbound emails over POP/IMAP will be TLS encrypted. You're saying emails are encrypted at rest, but they cannot be encrypted in-flight because it's forwardemail that holds the TLS private key.


Have you considered offering a bulk email service for folks who want to send newsletters? It looks like an interesting tool though it seems like you specifically ban that use case, even though it seems like it could be great for that.


Hi there @shortformblog - yes, we are releasing calendar, contacts, and newsletter support early this year.


This looks cool, but do you have any plans to support reverse aliases like simplelogin does? So users can reply from their emails even if an email is aliased, without having to add forward email SMTP settings.


Hi there @jacooper - we already support this via domain-wide catch-all passwords. We also support filtering such as you+filter@yourdomain.com.


No i meant it differently.

I have an alias user@example.com which forwards to user@gmail.com

The idea is when user@gmail.com gets an email through the user@example.com alias, they can also reply to it and it will show up as user@example.com.

Simplelogin does this through a reverse alias, the reply to address is not the actual address, rather it's an alias for the reply-to address, so it can rewrite the message as if it came from the alias.


Isn't this just advertising your own company?


That's not inherently bad if the comment is relevant and the relationship is made clear in the comment.


Interesting read. I will point out that having seen "security audits" done by top tier well known security companies, they aren't worth the paper they are written on. They are selling you a pen test script run, the output of which is farted into a document for the least amount of time they can expend on it.

If you want security, you have to do it in house with competent people who understand your business domain. So when I see people with regular pen tests I know they don't really give a shit because they are doing minimal ass coverage.


Disagree, their reputation is tied to their audit quality.

But I'm pretty sure in this case the scope was bad. Like they coukd have had audits on "Do I use OpenSSL well?" and then misrepresent that all their privacy claims were audited.

Now it seems like Skiff conveniently didn't allow Trail of Bits to publish their reports, they are usually here: https://github.com/trailofbits/publications/tree/master/revi...

Disclaimer, I have used Trail of Bits service in the past (and 2 other auditors for an security campaign on a blockchain, cryptography + networking product).


Really? That’s not my experience. I’m not denying companies are out there basically selling a rubber stamp like you say, but I’ve worked with sharp folks from Matasano and NCC Group who would go deep, learn from eng about system but also do blind red teaming, do physical pen tests etc. I think you’ll probably get what you pay for and get good results if you put in good effort working with them.

I can’t speak to Cure53 but I feel like I’ve seen that name on a few failed cryptocurrency thingies.


I was actually including NCC in that one...




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: