Webmail and security and doing homework

Being without my primary computer has shown a small annoyance in my migration to decentralizing the digital elements of my life: e-mail.

I have four e-mail servers, if I count Google’s Gmail. On my primary computer I have a single e-mail client which connects to all four, but I am currently not using my primary computer yet still using all four e-mail servers. Each is an external service, each offers a webmail interface. Each webmail interface will happily slurp down e-mail from the other e-mail servers, which would allow me the convenience of a one-stop site rather like my primary e-mail client. But I do not trust any of my service providers as far as I can comfortably spit a dead (or live, for that matter) rat.

Each of these service providers likely scans every plain text e-mail to build profiles of me and the people with whom I communicate. It is certainly the case that Google does so – I have had targeted advertisements on topics I have only mentioned online via e-mail; once it was a product at a store on the shelf *next*to* the item I was actually taking a picture of and sent, so they apply a fair bit of effort to this profiling via e-mail. IOW: my providers, even the ones I pay for the service, have proven they are not to be trusted and violate their own contracts.

And I want to keep a firewall between them, so I do not reference e-mail address A when using e-mail address B, and vice versa. And of course I am not going to use webmail C to read and reply to e-mails to A, B, C, and D. So I went out to test a bunch of self-hosted webmail applications.

Which led me to the apparently quite popular RainLoop webmail product. This webmail script has most of the things I am looking for – multiple accounts, reasonably secure, simple installation, low dependencies. One of my primary requirements is the ability to use PGP/GPG encryption, and RainLoop has it.

It also happens to be open source (AGPL 3.0), hosted on GitHub, a big but not required plus in my opinion. There is a plugin framework, themability/branding, etc. And there is a lovely self-updating functionality, which suddenly made me nervous.

See, a program which is manually updated can become quite out of date, prey to exploits for flaws which have already been repaired. But one which can be auto-updated is prey to an unscrupulous lead developer – or one whose own account is breached in some way. For all intents and purposes the person who develops a webmail application is being given access to your e-mail; all xe needs to do is push an update which quietly logs your e-mail details in a way xe can retrieve remotely.

Such a script needs a developer with a decent reputation, at least. Even though it is not appropriate, I would prefer xe be from a cultural group with a strong rule-of-law tradition, have been schooled in their craft somewhere I can respect, and have a history of involvement with projects/companies I know and do not distrust. This is not the case for Timur Usenko, the apparent leading light behind RainLoop.

According to an unfortunate exchange between RainLoop and former employers/colleagues on GitHub, a small collection of undisputed statements gives rise to concerns:

  • Timur Usenko resides in Russia.
  • Xe is an acknowledged expert with years of commercial experience writing code to interact with e-mail servers.
  • In xyr own time xe privately developed a new library, licensed under the AGPL, for working with e-mail servers, which was later integrated with the employer’s product (and is still maintained by them as an open-source library).
  • As part of the above work, xe built an index implementation webapp which xe later developed into RainLoop.

None of the above describes any potential wrong-doing by Timur or RainLoop; if anything it spikes the argument from AfterLogic that they have any intellectual property claims. Quite the opposite. Since they claim strong similarity in design between their product and the index implementation webapp, and that index implementation must have come before their adoption of the library, the flow of technology was from Timur’s hobbyist project to AfterLogic rather than the other way around.

Despite this, Timur resides in a country which is by modern international interpretations a feudalist economy without the rule of law. Xe can no more protect xyr GitHub account from misuse by the government of Russia than xe can travel without the government’s assent. And that government is implicated in multiple events of e-mail server hacking; they have a rather proven history of interest in communications espionage.

Therefore the potential risk that RainLoop might suddenly develop, say, a penchant for logging PGP keys to some remote server (all PGP key handling is in browser-side JS, so the user would have little chance of knowing or noticing) is greater than zero. And due to a lack of recourse to law there is little deterrent against such behavior, so the risk is unacceptable.

And the test installation was deleted, with regret.
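
One way to see what a self-update actually changed, as an added example that is not from the original post or from RainLoop: hash the install tree before and after the update and list the changed browser-side scripts, since that is where the PGP key handling runs. The file-extension set and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types a browser loads as script or that can pull script in.
CLIENT_SIDE = {".js", ".mjs", ".html", ".htm"}

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def diff(before, after):
    """Return added, removed and modified paths between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def needs_review(changes):
    """New or changed client-side files, i.e. code that runs next to the keys."""
    touched = changes["added"] + changes["modified"]
    return sorted(p for p in touched if Path(p).suffix.lower() in CLIENT_SIDE)

def demo():
    """Constructed install tree: baseline, simulated self-update, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "static/js").mkdir(parents=True)
        (root / "index.php").write_text("<?php // constructed entry point\n")
        (root / "static/js/app.js").write_text("// constructed v1\n")
        before = snapshot(root)
        # Simulated update: one script rewritten, one script added, PHP untouched.
        (root / "static/js/app.js").write_text("// constructed v2\n")
        (root / "static/js/extra.js").write_text("// constructed new file\n")
        changes = diff(before, snapshot(root))
        return changes, needs_review(changes)

if __name__ == "__main__":
    print(demo())
```

Server-side changes still appear in the full `diff()` output; `needs_review()` only narrows the list to the files that execute in the browser.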
