Slashdot Mirror
Why Open Source Matters For Sensitive Email
Jason Baker writes Can you really trust your email provider? And even if you self-host your email server, can you really trust its security if you can't see the code? Over on Opensource.com, Olivier Thierry makes three cases for using open source to power your email solution: The power of numbers, the value of trust, and the importance of leverage.
Can you really trust your email provider?
Yes, because I'm not a paranoid idiot. If someone wanted to do something malicious with your email, they probably could anyway, because so much of the world's email servers transmit in plaintext, the provider (other than the choice of one that does encrypt when possible) is the least of my concerns.
Especially encryption code necessary to truly protect your email.
Jeez, what color is the sky on your planet?
We've seen over the last year many open source, power in numbers projects have critical vulnerabilities waiting to be exposed. Those defects were sitting there for years, yet being open source didn't magically fix them. I use many open source tools, but I've never inspected the code myself. Even if I did, I'm not going to be finding these hard-to-find defects that the people in the project can't find. I'm not going to implicitly trust an open source project just because it's open source. How do I know who's really contributing? At least if Apple is doing something naught with my iCloud email, at least in theory I can join a class action lawsuit and get a free download from iTunes. If the NSA is inserting nefarious code into an SSL project, there's really no recourse for action. Over the last year, I've learned that the key to internet security is that it doesn't exist. If there's something that really so sensitive, maybe you shouldn't email it.
Unless you're using encryption, it doesn't matter, since there are many points of 'interest" between the sender and receiver.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Sigh. Now somebody is going to bring up Ken Thompson's "Reflections on Trusting Trust" in 3... 2... oops, too late.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
Since the person at the other end is probably using gmail, which at minimum is a far juicier target.
If you haven't studied the program for months or years, personally, can you really trust it?
There was no informational value at the linked page. All of those arguments have been made/refuted many times over the years. If you're actually worried about email security then a self-hosted open-source mail server isn't going to help you... you need to be using encrypted mail.
wait people use something other than qmail?
I think I setup qmail back in the y2k hubbub, and it's been running on the same dx66 processor ever since.
Open source is a source licensing model. It has no magic powers for creating secure solutions to anything.
Stupid headline: Why open source matters for sensitive email
Stupid headline: Why closed-source matters for sensitive email
Smart headline: Why security matters for sensitive email
Code audits for security defects can happen regardless of source licensing model.
Coders authoring a service, no matter how security conscious, and no matter how many eyeballs they have, will likely miss many exploitable defects.
Email was flowing through open source systems for DECADES before Exchange came out. Today, the vast majority of mail is handled by open source systems.
If you're accustomed to Exchange and want to get that same bloated feeling without the six figure license fees, there are many open source packages designed,for that. Examples include OpenChange, Open X-change, Zumbra, Citadel ...
Of course the vast majority of mail is handled more in the Unix philosophy, rather than one software package that thinks it's a file server (SMB), an MTA, an MDA, a groupware calendar, an IMAP server, and six other things it does poorly, the normal Unix way is if you want IMAP, you install a good IMAP server by clicking on or typing "dovecot". It doesn't have a buggy, insecure file server sticking the out the side that you never asked for.
If I was publishing an article talking about how huge numbers of eyeballs solves security problem I'm not sure that I'd choose to publish it the day after it was announced that the X window server code has had some serious security bugs for 25 years that have only just been discovered. Clearly open source code can have serious security holes that go unnoticed for a very long time.
If intelligent life is too complex to evolve on its own, who designed God?
Zimbra. There are probably others: five minutes of Googling will net you answers. Or install an IMAP mail server and a separate calendaring program on the same server, and your clients won't notice that they're two programs. Ports are just standard interfaces for standard APIs.
All of the packages I mentioned provide that. Not being tied to Microsoft's ecosystem, they can also integrate your Facebook, Twitter, rss, or other notifications.
No they all require me to use their mail client as well as their server to accomplish that. People use Exchange because it works with everything, having to change all your email clients just because you changed the email server makes that unfeasible.
Push email is easy if you are willing to have a custom client but that is what people are not willing to do otherwise Exchange would have been abandoned long ago.
Truly sensitive e-mails should be encrypted, so open source and other characteristics of the service do not matter.An ideal client would support zero knowledge multihop forwarding so that even sender/recipient metadata can not be analyzed.
You've got that backwards. Exchange is the one that requires proprietary clients (it just happens that the major smartphone vendors include proprietary ActiveSync clients out of the box). The others listed use standard IMAP+LEMONADE extensions (which admittedly isn't widely supported by desktop clients, because they generally don't need it).
If you are using email for sensitive material then you are ignoring decades of warnings from everyone with a clue about email.
Trust? Let me tell you about trust, there is no more trust...
You cannot trust Microsoft, or Google or anyone else with your mail for that matter. Every commercial mail provider and software maker is either already in bed with your adversary, or subject to your adversaries whim. For that matter, you cannot trust the 1.5 BILLION transistors in your CPU. But let's ignore that for now.
You CAN generally trust open source software for your MUA and MSA/MTA, and for your crypto.
You NEED crypto.
Then, you cannot send your encrypted mail through stupid commercial mail providers. It STILL exposes who you are mailing, from where, when, and the subject line, when your recipient was on to get it, etc, etc.
And you CANNOT use stupid "webmail' that says they will encrypt your mail for you, because you are either giving up your keys to them or letting them take control of your browser... exactly like the safe-mail.net debacle, you're going to get screwed.
So you both MUST use crypto AND use an anonymous Peer-to-Peer direct messaging service.
Think I2P-Bote, or ImperialViolet's Pond, or BitMessage... something where your message is sent directly over the anonymizing network straight to your recipient, or so that only they can see any part of it... NOT off to sit on some centralized server that will get subpoenaed and snooped and raided.
In summary, get this straight folks....
USE crypto AND use an anonymous Peer-to-Peer direct messaging service.
It is the ONLY way your messages will ever be private to only you and your correspondent over the wire.
Perhaps rename article. "An Example, Why marketers should not write articles"
What an absurd statement this is making. I like the one about "Trust is of utmost value". No, not at all and let me explain why.
If I use open source software I use binaries. I have no more faith in those binaries than any other piece of closed source software, there's no guarantee that the binary matches the source, even if the source is somehow magically free of bugs because as we all know open source is infallible.
Ok so there's the potential for me to do an audit. So I have the choice, I could sit down and decompile the binary and audit it against the original source code, or I could download the source code and compile from source. Which now raises the question:
"Who in their right mind would go to this much effort securing software used to send plain text data over unsecured servers scattered around the internet?"
Can you really trust your email provider? And even if you self-host your email server, can you really trust its security if you can't see the code?
Why not? They are companies with financial responsibility. If they want to keep their customers, I am sure they strive to do their job properly.
For most products that I buy, I do not have list of the ingredients or specific knowledge about their manufacturing process. However, if they screw up, I will certainly buy from another vendor.
It is that fucking simple. What's up with this open source verification paranoia these days?
My wife teaches in a school district using Zimbra mail a open source project. Been hacked twice and they had to shut it down twice because everything became so
corrupted. Open source has nothing to do with protecting information. Any email system gets hacked because of stupid users who open malware laced documents or files.
I am the prime author of CRM114 (the spam filter) and IT DEFINITELY GOT CHECKED BY SMART PEOPLE. There were at least a dozen people who would dependably read the code, and they'd find the pickiest things (luckily, not anything serious; thank you Valgrind!)
So, it's absolutely, demonstrably, provably (read the mail archive!) the case that at least SOME mail-oriented open source gets the all-orifices examination, and that examination is effective.
Whether or not security software gets the same thing, I can't say for sure, but I'd be surprised that it didn't. The recent set of security vulnerabilities only shows that old code didn't get the same care as newer code.
Captain Obvious submitted again.
Open Source matters for sensitive anything. In fact, I, and any professional I've talked to, would say if it's not FOSS or at least using a free open standard in data format, it's of no use for anything sensitive or mission critical. We've arrived at the point where critical systems that are not FOSS aren't even considered to be enterprise ready by a large portion if not even the majority of IT experts. Which is a good thing, IMHO.
For instance, anybody nowadays talking Unix and not thinking of a FOSS *nix but suggesting something other (exotic I guess you'd call it today) would be laughed out of the room. One of the reasons I find RMSes insistence on the GNU/Linux term a tad backwards - although he is right about most of the important things.
We suffer more in our imagination than in reality. - Seneca
I use Zimbra. I've used a variety of other mail and calendaring servers including Office365, Gmail for business, Novell Geoupwise and some proprietary stuff. Except for Groupwise (and this was 15 years ago at least) it all delivered mail and calendar services via standard protocols (imap, caldav or something else widely understood). I never figured out how to share calendars with someone in Office 365, which was a clunky and ugly beheamoth, even worse than Groupwise, but I digress: your server choice almost never impacts your client software, because email and calendaring use standards and are highly compatible. It's like web browsing: changing your server doesn't mean that your readers change their browser. Also, fuck Groupwise.
Now you're just completely making stuff up. How do you think email worked for the 25 years before Microsoft said "me to"?
You've got that backwards. Exchange is the one that requires proprietary clients
Where did I say Exchange didnt require proprietary clients? Im pretty sure if you go back and read it again you will find I didnt say that at all.
it just happens that the major smartphone vendors include proprietary ActiveSync clients out of the box
Right and since all these other alternatives use non-standard (ActiveSync is at least a defacto standard) push email mechanisms they are not included in any major vendors' email clients. This *is* the barrier to entry, that is precisely the reason that pretty much everybody still uses Exchange.
The open source community is a slow follower, it takes so long to produce a comparable solution that by the time it exists the proprietary one has already become the defacto standard. It is the same in almost every product category, proprietary industry comes up with something and then the open source community tries to come up with their copy of it, it takes forever to become usable and ultimately doesn't get widely adopted. There are some outliers but this is the general rule.
RFC 3501is the standard for imap, including PUSH. You call Exchange Activesync "a de facto standard" - IMAP is an ACTUAL standard, and it includes push.
Btw, you called it ActiveSync, but that's the name of an older,mostly unrelated protocol, used with a PDA cradle connected to the serial port. You're thinking of Exchange ActiveSync. The difference is kind of like York vs New York; similar names, totally different things.
Fyi, with each post you only re-emphasize how completely and utterly clueless you are about these things.
> It uses IDLE, which, given the amount of overhead, is not suitable for mobile devices which is why P-IMAP and Lemonade are in development
And wrong again. Per the current draft, P-IMAP devices are REQUIRED to support IDLE. SMS and WAP are optional. P-IMAP uses doesn't replace IDLE, it uses IDLE.
Also note Exchange ActiveSync uses a heartbeat protocol very similar to IDLE - with pretty much the same problems. The content of the packets are a bit different, the overall scheme is rather similar.
You're on Slashdot, not at the bowling alley. Here, some of us actually know a bit about this stuff. Some of us are even IETF members and help write the standards that you've apparently never heard of, much less read.