Is Skiff good from a privacy and security perspective? Recommended?

b_blog · June 7, 2023, 11:04pm

Wondering why Techlore, Privacy Guides and
The New Oil don’t mention or recommend it.

pixelated_Oaf · June 7, 2023, 11:12pm

The New Oil has a pretty good review up. Only thing I would add to it is that Skiff’s mobile app is a hit or miss when you use Orbot or any tor relay, not a deal breaker but something to take into account for threat modelling.

b_blog · June 7, 2023, 11:14pm

Thanks! I will check out that article.

radiance111 · June 7, 2023, 11:24pm

Skiff is recommended by The New Oil, you can see it on his website here:

You can also read here about the status of Skiff on the privacyguides forum:

It looks like a pull request is being drawn up now too:

github.com/privacyguides/privacyguides.org

Add Skiff Mail

privacyguides:main ← privacyguides:jonaharagon/skiff-mail

opened 01:33AM - 04 Apr 23 UTC

jonaharagon

+66 -1

Changes proposed in this PR: - Recommend Skiff Mail Obviously they don't m…eet our criteria yet, so this is waiting on the changes from https://discuss.privacyguides.net/t/skiff-mail-email-provider/11411/111, but I think those will eventually be made so I'll get started on writing this now.  - [x] I have disclosed any relevant conflicts of interest in my post. - [x] I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project. - [x] I am the sole author of this work. - [x] I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).

It seems that unlike other providers Skiff seems to want to cater more to it’s privacy conscious users, and Andrew Milich (CEO) is active on the privacyguides forum and is implementing a lot of changes suggested there.

Opinion

Although I personally find his behaviour a bit concerning as it seems like he wants to be listed on the website but I am not sure if he is actually that interested in user privacy.

Some things to consider

Based in the US
Doesn’t support open standards like PGP
It’s a new service so caution is sensible
Supports Web3 technologies Web3 Email
Fast rollout of features and applications
No formal audit has been released yet

Updates

Removed incorrect information about pricing and mail export

b_blog · June 7, 2023, 11:28pm

Ok. Wow. Thanks so much for all of that. I should have looked harder.

Lots to consider. Maybe best to stick with Proton Mail.

Henry · June 7, 2023, 11:30pm

On the Techlore front, worth visiting our criteria, notably:

1 - Open Source
Open source isn’t everything, but it adds a massive layer of transparency & oversight; open source services undergo a level of scrutiny rarely found in proprietary software. It’s worth acknowledging the importance of open source varies depending on the context: For example, open source cryptography is more important than a DNS service open sourcing their web app (which has little to do with the privacy/security offered by the DNS provider itself)

Skiff does a good job of dodging this, but only Skiff Mail is open source, none of their other core products are. This alone is likely something that will prevent anything that isn’t Skiff Mail from being listed until this changes.

8 - Passed the Test of Time
Services come and go. Developers come and go. Ideas come and go. We appreciate services that have a consistently good history in prioritizing user safety. We prefer services with 3+ years of mostly positive history as a starting point for passing the test of time. One thing is announcing a new messenger, another is maintaining one for 5+ years.

They’re fairly new. So nothing inherently wrong here, I’m just personally waiting to see more time under them and their products to develop. Techlore is ‘for the masses’ and it generally takes me time to feel ready recommending a new service that Mom/Dad/Sister/Friend will be able to use for the next 5+ years without yelling at me for the service shutting down.

9 - Audited & Trusted
Broadly, we do our best to list services that have been formally audited, and/or have a great deal of trust within the privacy & security community. Trust is ultimately subjective and highly personal - which is why we take a broader approach to evaluating what’s generally trusted by the community as a whole, in addition to analyses performed by experts.

AFAIK Skiff still hasn’t published their audit(edit: audits). They say they did one, but never published it. I don’t understand this whatsoever. I also think trust of Skiff is going to take time to build given it’s a VC-funded company that’s new to the privacy space with an oddly generous free plan that IMO doesn’t seem sustainable.

Highly personal take

I can’t stand the ‘Web3’ nonsense, it instantly makes me distrust a product when they’re prioritizing annoying ‘Web3’ stuff over staple features & trust. Similar to Brave in this regard, but at least Brave is open source and has developed enough trust to pull it off.

b_blog · June 7, 2023, 11:39pm

Thanks Henry!

Makes total sense now. Could have thought about it more. Was just wondering and curious about it and what the privacy peeps I respect and trust think about it.

amilich · June 7, 2023, 11:57pm

Hey Henry -

Generally fair assessment here but a few things to edit:

Open-source: Actually, we’ve open-sourced our cryptography completely, our editor, and skiff-mail. Our other products will be open-source within the next few months. Remember, Proton wasn’t even open-source for the first 1-2 years, and Skiff Mail has been open-source on Day 1. I don’t think we’ve dodged this in any way.

Also, our open-source code is actually designed to be useful - with NPM packages, Code Sandboxes, documentation sites, and more - which is much higher value than just putting up a GitHub repo.

I somewhat agree, but we’ve already reached about a million users and have quite substantial usage.
Completely disagree on this one. Skiff has done 3 audits - see Skiff – Transparency - Read more - and is doing another with Cure53. We don’t necessarily intend to publish them, which is consistent with a lot of products in the industry. VC funding doesn’t seem related - Proton, Tutanota, Brave, Bitwarden, and many other products you have recommended are completely VC funded. Not sure where the discrepancy exists.

Also, not sure what the wait is on PrivacyGuides. We’ve made improvements for over a year, and it seems like people just aren’t even active in responding to us anymore.

amilich · June 7, 2023, 11:59pm

You can export your emails
I don’t think it’s more expensive? Our Essential plan is only $3/month annually
We may not release an audit but have Skiff – Transparency - Read more and Skiff – Security Whitepaper - Read more available with copious amounts of info
I’ll work on making our next audit releaseable and we have a team member open sourcing Pages/Drive/Calendar now

Do you know what might be the blocker on the PrivacyGuides side?

radiance111 · June 8, 2023, 12:17am

Okay this incorrect I have amended it, but I went to check it again and just found a bug on the website, if you go to Web3 Email and you click on pricing it displays the old pricing structure not the updated pricing structure.

Amended this.

It’s quite important to be able to see the results of an audit in my opinion, I want to be assured that the inner workings of your infrastructure are secure. The other encrypted email providers have provided the results of their audits so it makes sense that you should supply yours as well.

InternetGhost · June 8, 2023, 12:23am

Personally I am excited to see Skiff in the mix because as products they look fantastic. On just a product level it looks like it fulfill my use case better than Proton does because it comes with more of those alternative products for Google Workspace.

From what I’ve seen I do think he and the team are credible. I think maybe the point of contention is that Privacy Guides is a valued resource and being there is effective as marketing. That’s not to say that Skiff is trying to get on there by whatever means NOR that Privacy Guides is just trying to promote certain products or services. Privacy Guides is recognized as a reliable resource, and Skiff wants to position itself as a reliable and trustworthy service. If I was starting a privacy-conscious company, I would definitely take Privacy Guides criteria as a goal or target and would love to be good enough to be listed there.

Fair question, but I don’t think talking about it here will move the needle over there.

Also, welcome to the forum! Cool to see you interacting with our community.

Henry · June 8, 2023, 12:24am

Hey Andrew I’ll DM you to get you a verified badge for Skiff, welcome to the forum!

I’m going to keep this pretty direct. Of these 4 products, only Skiff Mail is open source, correct? Just yes/no here. It’s great to see things slowly open up, but as of right now it appears only Skiff Mail is formally open source. (Unless I’m wrong?) There’s no vendetta here against Skiff, so once things become open source I’d love to re-evaluate. I voice these same opinions against Proton in my fairly critical review of them as well. We’ve used Skiff internally, but that doesn’t inherently mean we’re ready to recommend it on our site. Hope you can respect wanting to be patient & follow our own criteria to protect our audience.

My point was:

Don’t disagree on this at all, and very happy to see you did these. I updated my original comment to reflect that you’ve done multiple. However, all I said was:

Again, going to be direct. Your transparency page simply states the audits were completed. Not saying this is true, but how are we supposed to know there weren’t severe issues found in Skiff that are still being worked on? The entire point of an independent audit is to get an independent opinion on your service, which you have yet to supply.

Proton’s Audit, Public: https://res.cloudinary.com/dbulfrlrz/images/v1685439700/wp/securitum-protonmail-security-audit/securitum-protonmail-security-audit.pdf
Mullvad Audit, Public: https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf
Bitwarden Audit, Public: https://assets.ctfassets.net/7rncvj1f8mw7/4eMmA16Zz9MACTHOexlxx0/05f3ed75c04f7d6e086479279d82c733/2022_Bitwarden_Security_Assessment_Report.pdf
Signal Audits, Public: Overview of third-party security audits - Wiki - Signal Community
KeePass Audit, Public: https://joinup.ec.europa.eu/sites/default/files/inline-files/DLV%20WP6%20-01-%20KeePass%20Code%20Review%20Results%20Report_published.pdf
IVPN Audit, Public: https://cure53.de/pentest-report_IVPN_2022.pdf
etc.

I hope the audits have been helpful for you and your team internally, but they’ve supplied little to no value to the community until they’re published.

I think VC funding & business models/trust/how each company does it really comes down to personal preference, so going to just say agree to disagree on my end. I do want to reiterate these things are legitimate issues I’d be bringing up with any other service in your position. So I hope you understand this is not anything personally against your service from my end

amilich · June 8, 2023, 12:52am

I don’t know why that pricing page is still up, it might be cached via Cloudflare Pages. We definitely need to get it taken down because it’s very confusing!

amilich · June 8, 2023, 12:59am

You’re correct that only Skiff Mail as a full product is open-source. I think it’s a very reasonable guideline to only recommend open-source products, I’m just clarifying that we’re working on it. We have no holdups at all with open-sourcing, but it has taken time to do well - we want to make it runnable, have NPM packages that other people can use, have contribution guidelines, have licenses people can use (we released libraries MIT), etc.

I definitely don’t see usage as intertwined with reviewing Skiff at all - merely that as I as a longtime Techlore fan would love to have Skiff reviewed, maybe once we open-source all the products.

On audits, we also don’t have any issues publishing them. We haven’t had our auditors prepare reports for publications, and the main thing we want to do is just improve all the known product limitations. For example, we just added Yubikey support, blocking remote content, and other user-facing things that could come up in an audit. Definitely no critical issues - we even had Skiff audited before our first beta release to make sure the software was safe.

Anyway, I do think within some time our products will be fully open-source, with public libraries for other to use, and we’ll have an audit available.

AureliusPublius · June 8, 2023, 2:59am

Thank you for the helpful and clarifying posts here, Skiff is a very polished product already and a lot of us really appreciate it and it’s unique contribution to the privacy space.

Backfield3779 · June 8, 2023, 8:29am

I don’t think this is completely true. I know Proton and Bitwarden have taken some investements, but Tutanota has never done that. And claiming that these services are “compeletely VC funded” is just plain wrong. For Skiff this might be true, but certainly not for these other services.

PrivacyFounder · June 8, 2023, 8:44am

When app for linux distros?

amilich · June 8, 2023, 9:22pm

Are you sure? I see funding round info here - Tutanota Company Profile: Valuation & Investors | PitchBook.

I don’t understand your point. VC funding is the same across all of these companies: Shares in the company are exchanged for funds used to develop products. Customer funds then make it possible to keep developing products. That’s true of every product on that list, right?

amilich · June 8, 2023, 9:23pm

I hope soon. We are working on it. Just fewer development tools for going from web to Linux than on Windows/macOS right now. For example react-native-macOS and react-native-windows are available as development frameworks. Electron works but I’m not sure if we will start using Electron

Backfield3779 · June 8, 2023, 11:12pm

Yes, it seems you’re right. I was always under the impression that Tutanota had never taken any outside investments, but even then it was back in 2015 and nowadays, they aren’t doing that anymore.

The potential issue that I see with VC funding is that if the company relies very heavily on it, it might mean that the investors get to dictate the direction that the company should take as well as make it possible that the company won’t survive in the long run if they cannot make themselves any profit.