The issue is that it isn’t really E2EE. As soon as an email leaves Skiff’s system it no longer has E2EE. It is only E2EE while Skiff has it. Generally when people think of E2EE email they expect it to be E2EE on both ends, the recipient’s and the sender’s end point.
- I’m not a Proton Mail customer, but I can send an E2EE email to one of their users.
- I’m not a customer of Tutanota, but if one emails me with an encrypted email and provides the temporary password, say over the phone, I can make sure that email is E2EE when it leaves my browser.
Perhaps not with the same assurance as PGP (for example, Tutanota could in theory disable E2EE for a particular user), i.e. by changing the server side code so that when a particular user sends me a temporary inbox link, there is no encryption.
If I am a Thunderbird user, Mozilla cannot be compelled in any way to target a specific user. PGP without forward secrecy can still provide the highest level of assurance because implementations don’t necessarily come from the provider. Key theft is basically impossible with a YubiKey.
For commercial providers even Proton wants to keep an encrypted copy of the private key, this is because of support requests they do not want to deal with. I accept responsibility that loss of my keys will mean a loss of my email.
The point I’m trying to make is that it is not accurate by any means to say “PGP is dead” or that it is “broken”; there are certainly improvements that could be made.
You really can’t know how many PGP users there are. It’s a decentralized protocol without reporting functionality. There are many implementations and many providers. I have run into Proton Mail (and occasionally Tutanota) users (outside of the privacy communities), but I’ve never run into a user of smaller privacy providers.
While this is important, it may not be as important as making sure the email body is encrypted on both the recipient’s server and your own. Email subjects can contain sensitive information and while there is Protected Headers for Cryptographic E-mail it’s unfortunately not widespread. Proton Mail for example doesn’t support it.
Email metadata is a lost cause, you’ll never be able to encrypt To, From, and that’s some of the most private data out there.
I would agree that is one of Skiff’s benefits, which I did mention above. For a small team that mostly keeps things internal, that would be the strongest customer base; unfortunately, by itself, it’s quite niche.
This doesn’t really help with incoming email from various sources or if you have to share something sensitive with an external user.
I’ve seen that on Telegram and Discord as well. The main concern is that Discord encourages users to hand out their phone number, and provides no E2EE on messages. While it could be argued that nothing is really private there, inevitably you’re probably going to field support requests from that source. Discord’s privacy policy is a bit opaque when it comes to collecting data for advertising, where it ends up, etc.
For user support I actually think a forum-styled system is better because the bar of entry is low, content can stay up there long term, and it certainly helps with SEO. Common go-to services for this are https://www.useresponse.com and https://uservoice.com.
They do, it was just something that I noticed. Might be worth adding that to the bottom of your page footer. This had no bearing on listing, but I thought it was worth mentioning anyway.
Okay, that wasn’t really obvious to me.
Just to clarify, I was not saying that VC funding is bad, or anything like that, only that it is crucial to the viability of a company to continue, especially during the early days. VCs do without a doubt want to see an ROI.
Yes I noticed that, and I figured as much. I do get that creating an email provider from scratch is hard because you basically have to provide what users of other services already have. Your competition is well resourced: Google, Proton, etc.
Yes, I’m well aware they do that.
Are any of them public? I would be curious to take a look.