
New, Privacy-Oriented, FOSS Web-mail: Mailpile

New submitter Juggler writes "Mailpile, a new Free Software project out of Iceland, launched at the #OHM2013 hacker festival in Holland today. The talk's brief demo garnered rounds of applause and was followed by the launch of an Indiegogo campaign which, if funded, will allow them to work full time on building a modern e-mail/web-mail client. The team's main goals are to address the usability issues that prevent non-technical folks from taking advantage of secure e-mail today, bring new life to FOSS e-mail development and provide a realistic alternative to keeping e-mail in the cloud."
  • antiquated system (Score:2, Interesting)

    by Anonymous Coward on Saturday August 03, 2013 @11:36PM (#44468139)

    The real problem is that email is antiquated, and far more complicated than it needs to be. Instead of bolting a new face on it, make a better protocol.

  • by Kazoo the Clown ( 644526 ) on Saturday August 03, 2013 @11:59PM (#44468221)
    There are a couple of tough problems to solve. One, defeating traffic analysis. Encryption is just a first step. Encrypting everything, no matter how trivial, will be important, and certainly helps, but it's not enough to keep listeners from knowing who is talking to who.

    Second, bringing the public at large into the fold. No one will use an email system that can't be used to send email to all their friends and family, most of whom aren't going to be switching anytime soon. One thing that might help is a system that automatically knows when the recipient is encryption-capable, encrypts when it is, but when it's not, inserts a warning message that their email is not secure and may be stored by third parties and governments-- essentially an advertisement for switching to a more secure email system. This would help us all educate our friends and keep them reminded every time they get an email from us as to the issues. It could help convince them that it's worth switching.
  • Re:antiquated system (Score:5, Interesting)

    by whois ( 27479 ) on Sunday August 04, 2013 @02:30AM (#44468551) Homepage

    I've been considering a kickstarter for a new version of SMTP, while at least for the moment leaving IMAP alone. Specifically, the way headers are appended to mail in transit is unsupportable in a secure environment. The thing I'm considering is that there doesn't have to be a flag day, you just need the vendors of several heavily used MTAs to support it as an option, then once 99% (or whatever number your company deems appropriate) of your email uses the new format you turn off the old.

    This was pooh-poohed in the past because there were 10s if not hundreds of thousands of email servers. Now people have pretty much stopped hosting most email and turned it over to google, yahoo, microsoft or one of the other major players. Therefore you're no longer faced with trying to get everyone to change things. You only need 5 major companies to change, and hopefully they're interested in the new protocol as well (nobody likes SMTP as it is, the question is can you get everyone to agree to some consensus of next generation email then move forward with it).

    DJB's pull based email thing could be a part of this, maybe not the exact idea but something along those lines:

    DJB's IM2000 (http://cr.yp.to/im2000.html). While I don't think all mail should be stored on the originating server, I think a mix could be used to provide more flexibility. Mailing lists could leave all the mail on the server, since a bunch of readers never read every message there isn't a point of exploding it out to thousands of mailboxes (except for reliability, and that could be gained by mail->nntp for public mailing lists)

    Requiring domain keys could also be useful, since headers wouldn't be modified, just appended and signed.

    If people are interested in crypto/privacy aspects, emails that aren't delivered but instead picked up by the recipients don't leak metadata like To, From.

    It's probably best to approach this through the IETF, despite failures to make broad sweeping changes in the past, a new working group might be the best choice to get the interested parties involved.

    Tangent here:

    I also think that email clients need to be brought back and worked on. Thunderbird died because of two reasons: 1. Mozilla couldn't find a way to monetize it, and 2. Their biggest email competitor (gmail) and biggest contributor (google search) had already found a way to monetize email and thunderbird wasn't seeing significant updates at that point.

    Other stuff I'd like to see in thunderbird:

    Contact pictures on email (not something I think I would use, but nice for people used to facebook/twitter/etc). Integrated IM/Skype/Phone so you can effortlessly change the medium you're communicating through. Also the ability to send calendar events through IM or SMS would be nice.

    Real synchronization. That includes plugins and every setting via a service like weave that is secure. This would also sync your passwords and gpg keys. Actually a generic weave-like framework that could be integrated with pidgin, thunderbird and other open source apps to sync across machines would be great. That would also fix major issues with pidgin's OTR.

    So the reason I never kickstarted it is the same reason Mozilla doesn't work on thunderbird anymore. I have no idea how to monetize it in a way that would be long term sustainable. Users hate ads, they hate paying for software. Maybe an addon store, but that just means you're subbing the good development work to other people and then making the users pay to fix the things wrong with your app.

  • by beaverdownunder ( 1822050 ) on Sunday August 04, 2013 @03:48AM (#44468741)

    Given that the average e-mail user has already accepted that their communications aren't secure, I have a problem visualising how said average user can be convinced that a 'replacement' for traditional e-mail is any more secure than the existing offering, or if said security even matters.

    First, there's absolutely no way you can build trust. What are you going to do? Tell them it's secure because of X, Y or Z? The point here is that your average e-mail user doesn't understand encryption, PGP keys or any of that. It just translates as blah, blah, blah; give us your e-mail so we can snoop through it just the same as the other guys do. Oh? You can read the source code and confirm that it's all legit? The average user can't read source code! These claims are all worthless.

    Second, if there's already an acceptance that having your e-mail open for analysis somehow prevents your child from being blown-up at a bus stop, you're not going to be very fond of encouraging the adoption of a product that could aid terrorism, let alone use it yourself.

    So, if you can't build trust, and your potential user base can be put off your product by the spectre of terrorism, then what's your business model? If the user can't be convinced they'll have any more privacy without the expense of a potential surge in terrorism, there isn't one. You can only preach to a choir that would already be using PGP, etc. if they cared enough to do so.

    But you can't even get widespread adoption in the geeks! Most of us use cloud e-mail services, Facebook, etc. and just don't care enough, let alone would ever truly trust your product, regardless of how transparent you attempt to make it.

    tl;dr: there are better uses for the developers' time here than building a baseball field nobody will ever play on.

  • by bonniot ( 633930 ) on Sunday August 04, 2013 @04:56AM (#44468917) Homepage Journal

    "You can read the source code and confirm that it's all legit? The average user can't read source code! These claims are all worthless."

    An answer to that is that even though only 0.1% of users can read source code, ...

    • 5% know somebody who can read code;
    • 30% know somebody who knows somebody who can read code;
    • ...
    • 100% know a newspaper who would publish the story if a single expert read the source code and discovered there is snooping hidden in it (by then a host of other experts can simply confirm this fact)

    Given this, it's quite likely that if an open source tool contains malicious code, and it is widely used, this will be revealed eventually. Of course there is no 100% guarantee. But this claim is far from worthless. You can have much higher confidence that an open-source tool does not have hidden snooping compared to closed-source, and this even if you can't or won't read the source code yourself.

  • Re:antiquated system (Score:5, Interesting)

    by AmiMoJo ( 196126 ) * on Sunday August 04, 2013 @07:02AM (#44469203) Homepage Journal

    Mail clients died because webmail is more convenient for most people. I had been using mail clients since I first got online but then I went on holiday and decided to just use Gmail for three weeks. I realized it wasn't that bad and never bothered to go back to Thunderbird.
