Skiff Mail (Email Provider)

Another big update: The Skiff Windows app is out today, and it’s completely open-source.

3 Likes

Any other feedback or progress on the pull request?

2 Likes

I don’t think a “web view” is really what people mean when they mean open source.

I would be keen to see ../../libs/skiff-crypto though.

3 Likes

I completely, completely disagree. It’s quite important to know what code you are running in a native app. Running a WebView is much safer than running an Electron app (Electronjs Electron : List of security vulnerabilities - these are only OPEN CVEs), or a poorly built native app.

I think the message that using a WebView as a core web component is bad is completely the opposite of what our security engineers and reviewers believe.

Skiff-crypto is here: GitHub - skiff-org/typed-envelopes: Typed AEAD Envelopes.

2 Likes

FYI, we released Skiff – About us - Read more and Transparency - Read more.

3 Likes

I’ve just published skiff-crypto directly in the skiff-mail repo: GitHub - skiff-org/skiff-mail: Private, end-to-end encrypted, wallet native mail.

Any other feedback for us? At this point, I’m pretty much at a loss as to why we’ve continued to be treated with hostility on the forum, when we’ve gone above and beyond to satisfy all criteria, adapt our product based on feedback, and work on our entire brand and public presence based on feedback.

Are the criteria you’ve set genuine? Do you have any real feedback for us? We’ve had a ton of organic adoption and support, so it’s continued to be so puzzling to see this hostility.

1 Like

Hi, I’m a lay user, not a technical one. I have read all the discussion and find it sincere, serious and useful, without hostility.

As a lay user I was unable to find the external audit report on the GitHub link.

Perhaps the encouragement among those involved in the debate will diminish by pointing out the exact link in the document. This is a request that has been made many times.

I share the questions raised by other people in this discussion, and as a user of Skiff, the behavior of the company on this topic has, at times, raised suspicions for me.

I would also like clarification on Sendgrid links in the email received after creating an account. It was an unpleasant first experience to see a link in the body of the email and another when passing the mouse over.

A request as a user: about how the external content proxy works in the email. It can be a useful addition. I couldn’t find enough information.

I thank Skiff members for improving the product.

I would also like to request the site in Spanish and Portuguese. It has been difficult to recommend the product to colleagues and family members when faced with a site only in English, even if the browser used indicates one of the languages mentioned above.

2 Likes

Thanks for checking on this, it’s really helpful! A couple of notes:

  • We haven’t published the full audit report. This is consistent in the industry - for example, Proton Mail does not publish full audit reports, but documentation that the audit was complete. This is exactly what we’ve done as well.
  • We’re using Sendgrid to unsubscribe from the product updates right now. We’re actually switching it to an in-app toggle button this week.
  • I know we need many more languages - it takes a lot of time, but we are committed to doing it soon.
  • Anything in particular you are wondering about external content proxying? You can see it via network requests, but happy to ask our engineering team.

We are committed to making Skiff the best and most private email provider. I completely understand the frustration above creates more tension in this discussion than is necessary. The frustration on our part is not from the feedback - that part we benefit a lot from and can improve. The frustration comes from misleading or incorrect criteria. Check out the first post, where we actually went from this GitHub discussion (Skiff mail · privacyguides/privacyguides.org · Discussion #1363 · GitHub) to make a ton of improvements to be ready for PrivacyGuides because it’s very reputable.

So, after a year of making improvements and satisfying the criteria, it’s demoralizing to feel like the criteria change on every post, or that we are treated with different criteria (check out one comment on Notesnook (Evernote Alternative) - #46 by TorLover9 as an example). We have been coming at every conversation with good faith, but it takes so much time to deal with changing criteria or assumptions of bad faith.

2 Likes

I’m seeing links to audit reports on An Open Source Privacy Company | Proton

Privacy

We prefer our recommended providers to collect as little data as possible.

Minimum to Qualify:

As soon as possible I describe my doubts better. Thank you so much!

1 Like

Perhaps criteria should be called minimum to qualify to avoid this confusion.

Skiff introduced a lot of new questions that were never an issue before, because others already did what we like to see, or do so now.

I can get the frustration from Skiff’s team in spending a lot of time and still not getting listed.

The main requirement for listing is basically that it is the best option or equally as good. So Skiff got themselves in a competition with Tutanota and Proton which are highly dedicated companies who have been working on email security and privacy for a long time. Something that is hard to meet. Especially when using third parties for quite many things as we have seen in the above discussion.

The community here will keep comparing Skiff and hold them to the standards set by those two players because they are leading in this field. Anything Skiff does differently that we deem worse for privacy will therefore be an issue. There are many tools on the website that are not perfect; I’ll name-drop Nextcloud, which wouldn’t be listed if more profound options were available. When this changes, this also lifts the bar for them. Criteria are just a written-out thing right now to explain why something didn’t get listed and others did. So yes, this is very dynamic.

This is what I have been trying to explain many times to Skiff but the responses haven’t been understanding so far. I don’t easily give up.

3 Likes

I am new to the privacy space and have no technical background so most of what is discussed in this thread is over my head. I do appreciate the feedback from the forum members and the response from Andrew, it does appear both are operating in good faith.

Right now I am exploring my options for what I consider phase 1, getting away from Google/Microsoft. This means looking at an all-in-one solution like Proton Unlimited or piecing together a combination of Mullvad VPN + Skiff + ??. My plan is to use the free options of each for a few months to see which I like best from a user perspective and also learn more about each from the privacy perspective. This forum has been helpful for that. (I realize there are more advanced options including self-hosting, but that is something I plan on looking at down the road, baby steps.)

I did have 2 questions about Skiff, either for Andrew or maybe a forum member could answer.

  1. Can Skiff see the contents of my emails or files uploaded/saved to the drive? My threat level is minimal, just an average citizen who would like to keep his personal records secure and private.

  2. My second question was about Firebase and Facebook Flipper, but I see that those were addressed above. Runner-up question: does Skiff track or keep logs of my location, IP address, or any other metadata that can be sold to brokers?

Sorry for the rookie questions but it would help me and possibly anyone else in my shoes who lurks this forum.

2 Likes

I totally understand. What area do you think is insufficient so far? I disagree that our responses haven’t been understanding - we’ve made a ton of updates and clarifications at every step on the thread.

2 Likes

  1. No - nothing at all. Even file types are E2EE - plus folder names, all file/folder contents, Skiff Pages contents, and much more. See Transparency - Read more.
  2. No. No IP address collection, no location collection, no metadata collection, and data is NEVER sold or shared. We’re removing the records of any Firebase/Flipper code, but they are both completely unused.

One other note: I was reviewing tests on Internet.nl, which seem to be used on other forums and threads.

Skiff: Website test: skiff.com (97%)
Mailbox.org: Website test: mailbox.org (89%)
Proton: Website test: proton.me (66%)

Anyway, I would like to know what more people are looking for!

1 Like

Also, what third parties are you referring to? I don’t think we do, at all. The only ones mentioned in this thread are:

  • Cloudflare + hCaptcha for DDoS/bot protection - standard practice.
  • Zendesk for customer support - quite common.
  • Sendgrid for unsubscribe lists - this is changing to in-app today, but hasn’t been a big concern?

1 Like

Isn’t Cloudflare only used for skiff.com ?

Cloudflare is not an analytics tool, it is a security, infrastructure, and CDN product and is used in that capacity.

1 Like

I am positive about your replies this time @amilich

These two are also used by Proton at least (hCaptcha and Zendesk).

I know you don’t agree with me on this one. But I suggest you still:

  • Get rid of the marketing company used for DMARC violation monitoring.
  • Update your articles on the website and ask for advice from someone that actually understands GDPR (seek out the IAPP, for example). I won’t be too harsh on this any longer; Proton lately has also shown incompetence when it comes to writing factual articles for marketing. It just does not look good on you.
  • Remove the outdated ECDHE-ARIA256-GCM-SHA384 cipher support from inbound-smtp.skiff.com. (Yes, Tutanota still has AES256-GCM-SHA384 and it also should be phased out.)
  • Remove DH-2048 as key exchange parameter from inbound-smtp.skiff.com; use secp384r1, secp256r1, x448, or x25519 instead.
  • And I still hope, although I doubt you will: stop sending product updates to people who never signed up for it. I understand this has implications, but that’s the consequence I think you should take. GDPR here in the EU required many to drop sending marketing emails, and companies have to collect consent ethically beforehand. I don’t think this should be different for you.

3 Likes
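The two TLS points in the list above (an ARIA cipher suite and finite-field DH-2048 on the inbound SMTP host) are the kind of thing a mail operator can verify on their own server before anyone raises it on a forum. The following is an added example, not code from the thread, Skiff, or Privacy Guides: it parses the output of `openssl s_client -starttls smtp -connect <your-mx>:25 -servername <your-mx>` and flags the two findings the poster named, using the poster's list of acceptable key-exchange groups as the policy. The three `openssl` output snippets are constructed by hand for this example (hostnames and values are made up), and the `audit` function also flags pre-TLS 1.2 protocol versions, which goes slightly beyond what the post asks for.

```python
import re
from dataclasses import dataclass

# Key-exchange groups the reviewer in the thread asked for, keyed by the names
# OpenSSL prints in "Server Temp Key:" (newer releases print P-384, older ones secp384r1).
APPROVED_GROUPS = {"P-384": "secp384r1", "P-256": "secp256r1",
                   "X448": "x448", "X25519": "x25519"}

# Constructed samples of what `openssl s_client -starttls smtp` prints for three
# different server configurations. Only the lines the parser cares about are kept.
SAMPLE_DH = """\
CONNECTED(00000003)
Server Temp Key: DH, 2048 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_ARIA = """\
CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ARIA256-GCM-SHA384
"""
SAMPLE_OK = """\
CONNECTED(00000003)
Server Temp Key: X25519, 253 bits
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""


@dataclass(frozen=True)
class Handshake:
    protocol: str   # e.g. "TLSv1.2"
    cipher: str     # e.g. "ECDHE-ARIA256-GCM-SHA384"
    temp_key: str   # raw text after "Server Temp Key:", e.g. "DH, 2048 bits"


def parse_s_client(output: str) -> Handshake:
    """Extract protocol, cipher and ephemeral-key line from openssl s_client output."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else ""
    return Handshake(
        protocol=grab(r"^\s*Protocol\s*:\s*(\S+)"),
        cipher=grab(r"^\s*Cipher\s*:\s*(\S+)"),
        temp_key=grab(r"^Server Temp Key:\s*(.+)$"),
    )


def key_exchange_group(temp_key: str) -> str:
    """Normalise the Server Temp Key text to one name:
    'DH, 2048 bits' -> 'DH-2048', 'ECDH, P-384, 384 bits' -> 'secp384r1',
    'X25519, 253 bits' -> 'x25519'."""
    parts = [p.strip() for p in temp_key.split(",")]
    if not parts or not parts[0]:
        return "unknown"
    if parts[0] == "DH":                       # finite-field Diffie-Hellman
        bits = re.search(r"(\d+)\s*bits", temp_key)
        return f"DH-{bits.group(1)}" if bits else "DH"
    # "ECDH, <curve>, N bits" names the curve in the second field; TLS 1.3 style
    # "X25519, 253 bits" names it in the first.
    name = parts[1] if parts[0] == "ECDH" and len(parts) > 1 else parts[0]
    return APPROVED_GROUPS.get(name, name.lower())


def audit(hs: Handshake) -> list[str]:
    """Return a list of human-readable findings; empty means the handshake passed."""
    findings = []
    if hs.protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol negotiated: {hs.protocol}")
    if "ARIA" in hs.cipher:
        findings.append(f"legacy cipher negotiated: {hs.cipher}; "
                        "prefer AES-GCM or CHACHA20-POLY1305 suites")
    group = key_exchange_group(hs.temp_key)
    if group.startswith("DH"):
        findings.append(f"finite-field DH key exchange ({group}); use one of "
                        + ", ".join(APPROVED_GROUPS.values()))
    elif group not in APPROVED_GROUPS.values():
        findings.append(f"unexpected key-exchange group: {group}")
    return findings


def run_audit(s_client_output: str) -> list[str]:
    """Convenience wrapper: feed it `openssl s_client` output, get findings back."""
    return audit(parse_s_client(s_client_output))


if __name__ == "__main__":
    for label, sample in (("DH", SAMPLE_DH), ("ARIA", SAMPLE_ARIA), ("OK", SAMPLE_OK)):
        print(label, run_audit(sample) or "no findings")
```

To check a real host, pipe the live `openssl s_client` output (with `-starttls smtp`, since port 25 speaks SMTP before TLS) into `run_audit`; note that `s_client` reports only the one cipher and group it negotiated, so repeat the probe with `-cipher` / `-curves` restrictions or use a dedicated scanner to enumerate everything the server will accept.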

Realized I should have replied to this also. This is indeed a good place to test and I would recommend doing so; however, you have now used the test for the website, not for email :wink: . Although surely both are relevant to you. The percentages are also a bit misleading and I don’t like them all too much, because internet.nl values the usage of IPv6 very highly. If you do not support it, that’s not so significant for security and privacy. Just focus on getting the rest all green like proton.me, unlike Skiff.

2 Likes

Fair points. Definitely still things to improve. But, isn’t Skiff at 85% vs. proton.me at 75%?

1 Like