[HacktionLab] Own-Mailbox: Self hosted web mail PGP/ HTTPS

yossarian yossarian at aktivix.org
Thu Sep 24 13:48:11 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Charlie, thanks for mentioning the crucial questions "who is the
attacker?", "what is the threat model?", and "is there a net gain or
loss in security for normal people?" These get lost way too often in
discussions like this.

I've recently set up a Seafile server in my house, it works really
well and I've been very happy with it as a kind of self-hosted Dropbox.

I need to test whether the claims of my new ISP, that email will work
off my home connection, are true. Then I could be in the market for
one of these little boxes too. If I need extra comfort, I can always
double down with GPG. Sam, if you try out one of these things please
report back, I'm very interested to hear about it.

What is PLM, anyway? My searches all come back with "Product Lifecycle
Management", which seems like not the right thing.



On 24/09/2015 10:10, Charlie Harvey wrote:
> On 24/09/15 09:13, Jim McTwanky wrote:
>> "100% confidential", "100% secure"
>> 
>> "*Own-Mailbox allows you to send and receive 100% confidential
>> messages even with people who don't use email encryption yet.*
>> For this purpose we introduce PLM, a new technique that allows
>> you to send a filtered and temporary *HTTPS link* to your
>> contacts. This link points to your private message hosted on your
>> Own-Mailbox."
> 
> Hi,
> 
> Point taken, nothing is 100% secure and it's unfortunate to make
> such grandiose rhetorical claims in the context of security.
> 
> Still, I'd still say this will help frustrate mass surveillance
> efforts which seems to be the threat model they're protecting
> against. And be usable by mere mortals which is the audience they
> seem to be aiming for.
> 
>> So, it's relying on public key infrastructure i.e. putting its
>> trust in a 3rd party the CA.
> 
> They're going to use Let's Encrypt, which is an initiative of the
> EFF and others https://letsencrypt.org/.
> 
> I'm more inclined to put trust in that effort than most other CAs,
> but they could in theory be rogue or compromised.
> 
> Either way, the cert is generated per device, so if you didn't
> trust Let's Encrypt, you could train people to verify the cert
> fingerprint or install your own CA into their browsers and
> self-sign.
> 
> The main point is this: while TLS isn't perfect (there's the CA
> problem and maybe more implementation attacks (as there might be in
> PGP or OTR implementations too) and you need to disable lots of
> ciphers), it does meet the goal of making mass surveillance a lot
> harder whilst being "usable by humans". And TLS also lets you have
> some nice things like forward secrecy.
> 
> I'm very interested to see if we can come up with a better idea for
> how to do the crypto on this sort of device. Thoughts?
> 
> Cheers,
> 
> 
>> 
>> No such thing as 100% secure. This is nowhere near.
>> 
>> Cheers,
>> 
>> Jim
>> 
>> 
>> 
>> 
>> On 23/09/15 23:16, sam at bristolwireless.net wrote:
>>> 
>>> This looks kind of interesting £52.10 inc P&P, they are just
>>> over halfway to crowd funding target, they need another 800
>>> people to back them to get it made.
>>> 
>>> I'm tempted to take a punt, what do people think?
>>> 
>>> https://www.own-mailbox.com/
>>> 
>>> "Own-Mailbox is a personal email server you can run in your own
>>> home, with strong privacy protection measures integrated at its
>>> core. It provides self-hosted email addresses, or connects with
>>> your existing email address. In both cases, you can seamlessly
>>> send and receive encrypted emails from anywhere in the world,
>>> through the Own-Mailbox webmail interface, through a smartphone
>>> app, or using external email software (such as Thunderbird or
>>> Outlook).
>>> 
>>> Own-Mailbox, is very easy to set-up and use - as easy as a
>>> GMail account.
>>> 
>>> Own-Mailbox automatically encrypts your emails using Gnu
>>> Privacy Guard, a strong encryption software. This is the same
>>> software that has been used by Edward Snowden (as shown in the
>>> movie citizenfour).
>>> 
>>> Own-Mailbox allows you to send and receive 100% confidential
>>> messages even with people who don't use email encryption yet.
>>> For this purpose we introduce PLM, a new technique that allows
>>> you to send a filtered and temporary HTTPS link to your
>>> contacts. This link points to your private message hosted on
>>> your Own-Mailbox."
>>> 
>>> 
>>> https://www.kickstarter.com/projects/1547898916/own-mailbox-the-first-100-confidential-mailbox
>>>
>>> _______________________________________________
>>> HacktionLab mailing list HacktionLab at lists.aktivix.org
>>> https://lists.aktivix.org/mailman/listinfo/hacktionlab
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
-----END PGP SIGNATURE-----


