Slashdot Mirror


Why Open Source Matters For Sensitive Email

Jason Baker writes: "Can you really trust your email provider? And even if you self-host your email server, can you really trust its security if you can't see the code? Over on Opensource.com, Olivier Thierry makes three cases for using open source to power your email solution: The power of numbers, the value of trust, and the importance of leverage."

  1. Paranoia abound by Anonymous Coward · · Score: 4, Interesting

    Can you really trust your email provider?

    Yes, because I'm not a paranoid idiot. If someone wanted to do something malicious with your email, they probably could anyway, because so many of the world's email servers transmit in plaintext; the provider (other than the choice of one that does encrypt when possible) is the least of my concerns.

    1. Re:Paranoia abound by Dutch Gun · · Score: 4, Insightful

      Even beyond that, e-mail can be encrypted client-side when necessary, meaning you don't have to trust anyone. There's no reason to trust your e-mail provider in the first place if the contents are truly sensitive. For everything else, e-mail should be considered about as secure as a postcard.

      If you need to protect the metadata as well as the content, then e-mail shouldn't even be used for that sort of correspondence. E-mail has never been secure. It probably never will be either, at least not for what we consider "e-mail" today, because there's too much legacy crap that would break if we lock it down (at least if we are trying to secure metadata).

      If we're OK with simply encrypting content as needed, then there are ways of building that sort of infrastructure into the system. We're seeing a lot of 3rd party messaging solutions that are using very good "trust no one" client-side encryption technologies and methods, such as WhatsApp (now that they've integrated Open Whisper Systems security) or Threema.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:Paranoia abound by Jack Griffin · · Score: 2

      And since we KNOW we can't trust our ISPs or Govt, then you may as well give up on using security as a requirement. And since there really is only one product in the Enterprise email/calendar/collaboration space worth a damn and it isn't open source, then this argument isn't worth having.

  2. Open Source not a silver bullet by i work on computers · · Score: 5, Insightful

    We've seen over the last year many open source, power-in-numbers projects have critical vulnerabilities waiting to be exposed. Those defects were sitting there for years, yet being open source didn't magically fix them. I use many open source tools, but I've never inspected the code myself. Even if I did, I'm not going to be finding these hard-to-find defects that the people in the project can't find. I'm not going to implicitly trust an open source project just because it's open source. How do I know who's really contributing? At least if Apple is doing something naughty with my iCloud email, at least in theory I can join a class action lawsuit and get a free download from iTunes. If the NSA is inserting nefarious code into an SSL project, there's really no recourse for action. Over the last year, I've learned that the key to internet security is that it doesn't exist. If there's something that's really so sensitive, maybe you shouldn't email it.

    1. Re: Open Source not a silver bullet by Anonymous Coward · · Score: 3, Insightful

      Also of import: what's the status of turnkey open source email packages these days anyway? What is out there that Exchange admins can switch to that won't make them hack on features or make their users ask WTF they just did? That is the elephant in the room and the million dollar question.

    2. Re:Open Source not a silver bullet by Artifakt · · Score: 2

      How do you know there's a real vat?

      --
      Who is John Cabal?
    3. Re:Open Source not a silver bullet by exomondo · · Score: 3, Insightful

      From a security perspective, even just having and being able to inspect the code is insufficient if you need top-notch security: you had better also be compiling that code yourself.

      With a verified compiler no less. We have seen ever more sophisticated malware these days; certainly a malicious compiler could easily slip vulnerabilities into the binary.

    4. Re:Open Source not a silver bullet by BarbaraHudson · · Score: 2

      How do you know there's a real vat?

      How do I know YOU are real?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    5. Re:Open Source not a silver bullet by Dutch Gun · · Score: 2

      And even with being able to compile everything yourself, you're still at the mercy of the build chain and all of its dependencies (unless you audit/build them yourself too).

      It seems a bit foolish to worry about purely theoretical security issues when we've got so many real ones to deal with. Ken Thompson's compiler infection demonstration was an interesting experiment designed to make a particular point, but I don't think it's wise to consider tool-chain hacking a legitimate threat, as we've never seen anything remotely like this in the wild, as far as I'm aware. And frankly, I question whether it's even realistically possible beyond a very simplistic demonstration.

      At some point, theory has to give way to practicality, and you have to use some good judgment and common sense. Humans have to use a "chain of trust" at some point, because if you took the time to independently verify everything yourself (even assuming you had the expertise), you'd never get anything practical done. In fact, just about everything we do in our society at a high level of technology or craftsmanship ultimately requires relying on and trusting in others to assist you, at least to some degree. Security is no different. You have to weigh the probabilities of hypothetical threats versus limited resources to deal with those threats and do the best you can with the resources available. Diverting your attention to unrealistic threats will ultimately make you less secure, not more.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    6. Re:Open Source not a silver bullet by Yaztromo · · Score: 2

      It seems a bit foolish to worry about purely theoretical security issues when we've got so many real ones to deal with. Ken Thompson's compiler infection demonstration was an interesting experiment designed to make a particular point, but I don't think it's wise to consider tool-chain hacking a legitimate threat, as we've never seen anything remotely like this in the wild, as far as I'm aware. And frankly, I question whether it's even realistically possible beyond a very simplistic demonstration.

      First off, naturally the level of security I'm talking about would probably only be reserved for national governmental agencies intended to protect ultra-sensitive data. For them, that level of security is necessary, and they will spend the money and resources to audit and verify everything if necessary (which is why we have SELinux).

      Additionally, the build chain comprises not only the compiler, but the standard libraries and any third-party libraries as well. If not verified, these could easily have unexpected code inserted into them that compromises your product once linked against them. You wouldn't expect to see such compromised libraries "in the wild", as they would probably be part of a targeted attack. This is hardly unprecedented; while not done at build time, Stuxnet uses DLL replacement on Windows to add extra routines to the operating system, which are used to inject code being uploaded into a PLC.

      Again, most organizations don't care to undertake the kind of expense required to protect against such attacks; they use the chain-of-trust you describe. However, national security organizations do work at this level, and if you need that level of security, pre-compiled binaries, whether they come with source or not, are insufficient.

      Yaz

  3. Not really ... by BarbaraHudson · · Score: 3, Insightful

    Unless you're using encryption, it doesn't matter, since there are many points of 'interest' between the sender and receiver.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:Not really ... by Kjella · · Score: 2

      Unless you're using encryption, it doesn't matter, since there are many points of 'interest' between the sender and receiver.

      Yeah, for external mail no doubt. But for internal mail you probably wouldn't bother, then it's a pretty huge juicy target for sensitive information. Even when you're not passing the juiciest details by email like blueprints and source code there'll be tons of business information in attached presentations and so on.

      --
      Live today, because you never know what tomorrow brings
  4. Trust by Michael Woodhams · · Score: 3, Insightful

    Sigh. Now somebody is going to bring up Ken Thompson's "Reflections on Trusting Trust" in 3... 2... oops, too late.

    --
    Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
  5. Re:Fucking Clickbait by BarbaraHudson · · Score: 2

    What do you expect? The guy who wrote this is just a marketing troll.

    Olivier Thierry is the chief marketing officer of Zimbra, and has more than 30 years of experience increasing market visibility and developing go-to-market strategies for high-volume software organizations,

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  6. Stupid article is stupid by Anonymous Coward · · Score: 5, Insightful

    Open source is a source licensing model. It has no magic powers for creating secure solutions to anything.

    Stupid headline: Why open source matters for sensitive email
    Stupid headline: Why closed-source matters for sensitive email
    Smart headline: Why security matters for sensitive email

    Code audits for security defects can happen regardless of source licensing model.
    Coders authoring a service, no matter how security conscious, and no matter how many eyeballs they have, will likely miss many exploitable defects.

    1. Re:Stupid article is stupid by chromaexcursion · · Score: 2

      Sadly this was posted by an Anonymous Coward. Few will ever see it. The default is to view at +1. Cowards post at 0. Took modding for me to learn that.
      It points out yet again people are mistaking open source for security.
      You'd think after Heartbleed a few would have caught on.

  7. FOSS email LONG before Exchange, most mail FOSS by raymorris · · Score: 4, Informative

    Email was flowing through open source systems for DECADES before Exchange came out. Today, the vast majority of mail is handled by open source systems.

    If you're accustomed to Exchange and want to get that same bloated feeling without the six figure license fees, there are many open source packages designed for that. Examples include OpenChange, Open-Xchange, Zimbra, Citadel ...

    Of course the vast majority of mail is handled more in the Unix philosophy, rather than one software package that thinks it's a file server (SMB), an MTA, an MDA, a groupware calendar, an IMAP server, and six other things it does poorly, the normal Unix way is if you want IMAP, you install a good IMAP server by clicking on or typing "dovecot". It doesn't have a buggy, insecure file server sticking out the side that you never asked for.

  8. X.org? by nickovs · · Score: 2

    If I was publishing an article talking about how huge numbers of eyeballs solve security problems I'm not sure that I'd choose to publish it the day after it was announced that the X window server code has had some serious security bugs for 25 years that have only just been discovered. Clearly open source code can have serious security holes that go unnoticed for a very long time.

    --
    If intelligent life is too complex to evolve on its own, who designed God?
    1. Re:X.org? by Neil Boekend · · Score: 2

      In that the main difference with closed source is that open source shows its dirty laundry. Why do you think a closed source solution would not have flaws of similar severity?

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  9. All- OpenChange, Citadel, Zimbra .. + RSS Faceboo by raymorris · · Score: 2

    All of the packages I mentioned provide that. Not being tied to Microsoft's ecosystem, they can also integrate your Facebook, Twitter, RSS, or other notifications.

  10. Open source client does by iamacat · · Score: 2

    Truly sensitive e-mails should be encrypted, so open source and other characteristics of the service do not matter. An ideal client would support zero knowledge multihop forwarding so that even sender/recipient metadata can not be analyzed.

  11. Email is not suitable for sensitive material by dbIII · · Score: 2

    If you are using email for sensitive material then you are ignoring decades of warnings from everyone with a clue about email.

  12. Re:Paranoia is actually warranted these days by Anonymous Coward · · Score: 2, Insightful

    Trust? Let me tell you about trust, there is no more trust...
    You cannot trust Microsoft, or Google or anyone else with your mail for that matter. Every commercial mail provider and software maker is either already in bed with your adversary, or subject to your adversary's whim. For that matter, you cannot trust the 1.5 BILLION transistors in your CPU. But let's ignore that for now.
    You CAN generally trust open source software for your MUA and MSA/MTA, and for your crypto.
    You NEED crypto.
    Then, you cannot send your encrypted mail through stupid commercial mail providers. It STILL exposes who you are mailing, from where, when, and the subject line, when your recipient was on to get it, etc, etc.
    And you CANNOT use stupid "webmail" that says they will encrypt your mail for you, because you are either giving up your keys to them or letting them take control of your browser... exactly like the safe-mail.net debacle, you're going to get screwed.
    So you both MUST use crypto AND use an anonymous Peer-to-Peer direct messaging service.
    Think I2P-Bote, or ImperialViolet's Pond, or BitMessage... something where your message is sent directly over the anonymizing network straight to your recipient, or so that only they can see any part of it... NOT off to sit on some centralized server that will get subpoenaed and snooped and raided.
    In summary, get this straight folks....

    USE crypto AND use an anonymous Peer-to-Peer direct messaging service.
    It is the ONLY way your messages will ever be private to only you and your correspondent over the wire.