E-mail Solutions

After my previous post about how e-mail is broken I wanted to spend a few minutes talking about several of the alternatives out there and what the tradeoffs are between them. I will not cover all of them, since new ones crop up all the time and many of them have similar approaches.

Non e-mail

There are a whole bunch of systems coming out that are not based on the previous e-mail protocols, instead creating completely new systems that provide roughly the same kinds of capabilities, although with some tweaks or changes. My favorite of these is called Pond. It provides for almost all of the protections that you would expect from a sophisticated e-mail system. The main caveat is that you have to have exchanged credentials in order to communicate. This is both good and bad - good in that it's impossible to send spam and unwanted e-mail. On the other hand it becomes very hard to get into contact with another person without having another route of validation. Many of the other systems eschews the use of addresses or identifiers, and instead just use the public key as the equivalent of the address. Sadly this is not very convenient, but it does make it easier to keep secure.

There is a lot of promise in these kind of approaches, but because they are all uninteroperable with existing approaches the uptake is pretty slow. You have to switch to something completely new to get the benefits of these approaches. But the innovation that is happening in something like Pond is extremely exciting and show us the way towards what e-mail protocols could actually look like.

ProtonMail

ProtonMail is a web-based mail provider. They provide client side encryption in the browser. They don't seem to support interoperable encryption with PGP, only using their own encryption system. In general this approach is quite common. The encryption is done using JavaScript and served by the server. You have to trust the organization to not serve you faulty or malicious code that will steal your content or keys. Since the code is also proprietary you don't have the option of verifying that their encryption has been implemented correctly. Overall, for the future of secure e-mail, I think that the ProtonMail approach is exceedingly dangerous and not very useful.

GMail + End-To-End

A few months ago Google announced an alpha version of End-To-End, which is a Chrome browser plugin that is meant to make the process of encrypting while still using the GMail web UI easier for everyone. There have been several plugins like this around for some time now. The main difference is that Google is behind it and that it contains a new implementation of OpenPGP. However, there are several negatives - we are still doing crypto inside of a browser. Also, encryption using JavaScript is still problematic. Finally, End-To-End only supports creating keys and working with elliptic curves. This means that the tool has a natural tendency for lockin, since elliptic curves aren't compatible with baseline GPG yet.

Overall, these kinds of plugins make it easier to do encryption, but they do it in a very unsafe way. I'm skeptical.

MailPile

MailPile is a trying to solve the mail problem by building a much better Mail User Agent. It is based on running a Python server locally, with a user interface in JavaScript and HTML. They aim to work hard on the user experience of email and encryption and to make it as intuitive as possible. Of all the projects out there, I think this is one of the more interesting ones. They are thinking hard about the problems and trying to come up with new solutions that are still interoperable in the existing environment. We will see how far they get.

DarkMail

The DarkMail alliance (recently renamed DIME) has as a goal to fix many of the problems I talked about. However, their approach has so far not been very open and it's hard to see what they are actually doing. They are aiming for an architecture with both server and client side components, with upgradable protocols and so on. It might be an interesting approach but it's hard to say right now.

Summary

There are many approaches out there, but it seems not many people are combining thinking around fixing centralization and encryption while still staying inside of the current protocols. There are also a large amount of snake oil products coming out. Hopefully the situation will improve sooner rather than later.