Skiff: Various Privacy Failures

60 points by uselpa 1 year ago | 25 comments
  • cedws 1 year ago
    I see Skiff also advertises itself as "end-to-end" encrypted. This is the same misleading advertising as ProtonMail is guilty of. Traditional email cannot be E2E encrypted because of protocol limitations. You can technically achieve E2E encryption if using PGP, but if the private keys are not in your control then it is effectively pointless.

    ProtonMail can only guarantee E2E encryption without PGP if you are sending email to another ProtonMail user. I don't know if Skiff also offers this special kind of encryption. Either way, they should be more upfront about the level of privacy they can offer.

    I had a read of Skiff's page on E2EE. It is very carefully worded and, from a skim read, is not upfront about the fact that un-PGP'd email sent and received through Skiff can be read by Skiff.

    https://skiff.com/blog/end-to-end-encryption-email

    Oh, one more thing. Skiff's SMTP server (inbound-smtp.skiff.com) is running on AWS in the United States which means it will be beholden to US warrants. Skiff does not have a warrant canary. Getting big Crypto AG vibes from this.

    • mweidner 1 year ago
      The product page is clearer (https://skiff.com/mail):

      > All emails between Skiff users are end-to-end encrypted, including both subject and contents. External mail is encrypted with your keys on receipt, keeping it private.

      • Doxin 1 year ago
        That is however, quite specifically, not end-to-end encryption. The whole entire point of end-to-end encryption is that no intermediary gets to see the unencrypted content.
      • protonmail 1 year ago
        Regarding Proton Mail's encryption: Proton's servers don't hold your private key directly — it is generated client-side and stored encrypted with your password. You can also import your own keys: https://proton.me/support/pgp-key-management. That way, you can stay in full control of your keys.

        Additionally, Proton Mail uses OpenPGP internally, so Proton-to-Proton messages are always protected by PGP. Even for external messages, contacts don't necessarily have to set up PGP encryption manually; the email client can do so, enabling the use of end-to-end encryption between different providers with minimal hassle.

      • lcof 1 year ago
        Great read, I have seen this myself in the last 4-5 years with services surfing on the privacy wave - I mean, not just email, but also cloud drive. My conclusion, even regarding established privacy-focused email providers, is that it’s not worth the hassle, really. I use trusted and reliable email providers (according to me), and I just don’t use email for anything sensitive. That’s just right for me.

        I know some people do need more privacy and/or security. But a lot of people think they need the same but really, they don’t.

        • forwardemail 1 year ago
          Forward Email team here (https://forwardemail.net), we have a write-up and comparison @ https://forwardemail.net/en/blog/docs/best-quantum-safe-encr...

          We've considered adding a E2EE comparison column as well (with the issues such as Proton rewriting your emails @ http://jfloren.net/b/2023/7/7/0 highlighted).

          Privacy Guides Discussion @ https://discuss.privacyguides.net/t/forward-email-email-prov...

          Unlike Skiff, Proton, and Tuta... we're _actually_ 100% open-source. Those providers that advertise as open-source really only open-source the front-end, when the back-end is the most sensitive part of an email service.

          • cedws 1 year ago
            This is really nice, but the blog does not address the weakest link in the chain: what if you receive a warrant from the US government? The SMTP server would be able to collect inbound/outbound emails in plaintext.
            • forwardemail 1 year ago
              @cedws I think one of us might be confused with the context here (?) TLS is just a form of encryption to establish socket connections. Please thoroughly read through our article and our source code.

              A PGP encrypted email doesn't get "decrypted" when it's being transferred. That's the whole purpose of PGP encryption, to encrypt it before it even gets transferred or stored, which is what we do. If you set up a PGP key, use WKD, then your emails will be stored as encrypted (not only is your database encrypted with your password, but the emails themselves can be PGP encrypted this way), and any sender attempting to send to you will automatically have their message PGP encrypted to you, if it is not already (in case their mail client doesn't use WKD).

              • cedws 1 year ago
                I think there is a miscommunication. I am not talking about PGP encrypted emails - sure, those can be decrypted client side. Plaintext emails, as the majority of emails are, will be received by your server in plaintext, minus transport encryption. How can you guarantee those will not be intercepted by authorities?
              • forwardemail 1 year ago
                That is not true. You can upload a PGP key and all your email written to SQLite (IMAP/POP3) will be stored with your PGP key. Not plain text. SMTP is for outbound, IMAP/POP3 is for inbound.

                https://forwardemail.net/en/faq#do-you-support-openpgpmime-e...

                • cedws 1 year ago
                  Right, but inbound emails over POP/IMAP will be TLS encrypted. You're saying emails are encrypted at rest, but they cannot be encrypted in-flight because it's forwardemail that holds the TLS private key.
                  • forwardemail 1 year ago
                    [dead]
                • shortformblog 1 year ago
                  Have you considered offering a bulk email service for folks who want to send newsletters? It looks like an interesting tool though it seems like you specifically ban that use case, even though it seems like it could be great for that.
                • jacooper 1 year ago
                  This looks cool, but do you have any plans to support reverse aliases like simplelogin does? So users can reply from their emails even if an email is aliased, without having to add forward email SMTP settings.
                  • forwardemail 1 year ago
                    Hi there @jacooper - we already support this via domain-wide catch-all passwords. We also support filtering such as you+filter@yourdomain.com.
                    • jacooper 1 year ago
                      No i meant it differently.

                      I have an alias user@example.com which forwards to user@gmail.com

                      The idea is when user@gmail.com gets an email through the user@example.com alias, they can also reply to it and it will show up as user@example.com.

                      Simplelogin does this through a reverse alias, the reply to address is not the actual address, rather it's an alias for the reply-to address, so it can rewrite the message as if it came from the alias.

                  • captainmisery 1 year ago
                    Isn't this just advertising your own company?
                    • azeemba 1 year ago
                      That's not inherently bad if the comment is relevant and the relationship is made clear in the comment.
                      • 1 year ago
                    • crimbles 1 year ago
                      Interesting read. I will point out that having seen "security audits" done by top tier well known security companies, they aren't worth the paper they are written on. They are selling you a pen test script run, the output of which is farted into a document for the least amount of time they can expend on it.

                      If you want security, you have to do it in house with competent people who understand your business domain. So when I see people with regular pen tests I know they don't really give a shit because they are doing minimal ass coverage.

                      • mratsim 1 year ago
                        Disagree, their reputation is tied to their audit quality.

                        But I'm pretty sure in this case the scope was bad. Like they coukd have had audits on "Do I use OpenSSL well?" and then misrepresent that all their privacy claims were audited.

                        Now it seems like Skiff conveniently didn't allow Trail of Bits to publish their reports, they are usually here: https://github.com/trailofbits/publications/tree/master/revi...

                        Disclaimer, I have used Trail of Bits service in the past (and 2 other auditors for an security campaign on a blockchain, cryptography + networking product).

                        • jitl 1 year ago
                          Really? That’s not my experience. I’m not denying companies are out there basically selling a rubber stamp like you say, but I’ve worked with sharp folks from Matasano and NCC Group who would go deep, learn from eng about system but also do blind red teaming, do physical pen tests etc. I think you’ll probably get what you pay for and get good results if you put in good effort working with them.

                          I can’t speak to Cure53 but I feel like I’ve seen that name on a few failed cryptocurrency thingies.

                          • crimbles 1 year ago
                            I was actually including NCC in that one...