Opinions about Skiff Mail?

Especially how it compares to ProtonMail.

Skiff promises 10GB space and search also through the content of the email.

Thanks!

Their server and most of their software are closed source. Only the UI and some libraries such as the search modules are OSS. I am not against closed-source software, but I am against false marketing. No Windows or Linux client means the vast majority of people will be using the web interface, and the server could technically decrypt the messages, breaking their promise of end-to-end encryption.

I would stick with Protonmail or Tutanota and use Gmail/Dropbox with Cryptomator.

@suzie is using Skiff AFAIK. Maybe she can give some opinions.

Out of curiosity, would you mind elaborating on how and why the server would be able to break their E2EE? Especially, where do you see the danger here? As in, what are the red flags for you that their service might not be secure and/or private? I am interested in learning more about how to ascertain this from a quick look at the service, from your point of view as a security researcher.

This will provide you the necessary details.

2 Likes

Basically, in simple words, the web servers can serve you anything they want and you couldn't verify whether you are seeing what you want. This means they can serve malicious JS under a court order to steal your credentials, hence breaking their E2EE promise.

1 Like

The issue extends to all webmail services like Protonmail, Tutanota etc.
Proton acknowledges their shortcomings though.

2 Likes

Fantastic. Thank you. I will make sure to read through the paper when I have some spare time.

This makes sense to me. And exactly as you say, this could happen with any e-mail provider. Does the same apply to e-mail desktop clients, too? If I am not mistaken, if your e-mail client is a FOSS desktop client (and not receiving JS from the server), you yourself can verify what is being sent between the server and the desktop client. If it is just encrypted messages that only you can decrypt on your device, it could potentially mitigate this issue, no?

1 Like

No. The contents inside the app are static, providing you with E2EE. I recommend you never use the web client of anything that advertises itself as being E2EE, and always use the apps.

2 Likes
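The two posts above make the same point from different sides: a browser executes whatever JavaScript the server returns on that page load, whereas an installed client is a fixed artifact whose code can be checked against a hash or signature obtained out of band before it runs. The following is an added example written for this thread, not code from Skiff, Proton or any other provider. It simulates a server that serves a modified bundle to one targeted account, and contrasts a "webmail" load path (run whatever arrives) with a "pinned client" load path (refuse to run anything whose hash does not match the pin). The bundle contents, user names and pinned hash are all constructed.

```python
"""Why server-delivered code cannot be more trustworthy than the server.

Added example for the thread above (constructed data, not any product's
code): a per-request server that can serve different code to different
users, a browser-style loader that executes whatever it receives, and a
pinned loader that compares the delivered bundle against a hash the user
obtained out of band (e.g. from a signed release) before running it.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used as the integrity pin)."""
    return hashlib.sha256(data).hexdigest()


# Constructed "audited" client bundle; a user (or auditor) reviewed this
# exact file and published its hash, which installed clients pin.
AUDITED_BUNDLE = b"// mail client v1.0: encrypt locally, upload ciphertext only\n"
PINNED_HASH = sha256_hex(AUDITED_BUNDLE)

# Constructed stand-in for a bundle that has been altered server-side.
# Its contents are irrelevant; what matters is that it differs from the pin.
MODIFIED_BUNDLE = b"// mail client v1.0 (altered build served to selected users)\n"


@dataclass
class WebServer:
    """A server that chooses, per request, which bundle to deliver."""
    targeted_users: set = field(default_factory=set)

    def serve_bundle(self, user: str) -> bytes:
        # Nothing on the wire distinguishes the two responses from the
        # client's point of view; both are valid JavaScript over TLS.
        if user in self.targeted_users:
            return MODIFIED_BUNDLE
        return AUDITED_BUNDLE


def load_webmail(server: WebServer, user: str) -> dict:
    """Browser flow: the freshly served bundle is executed unconditionally."""
    bundle = server.serve_bundle(user)
    return {"executed": True, "bundle_hash": sha256_hex(bundle)}


def load_pinned_client(server: WebServer, user: str,
                       pinned_hash: str = PINNED_HASH) -> dict:
    """Pinned flow: run the bundle only if it matches the out-of-band hash."""
    bundle = server.serve_bundle(user)
    actual = sha256_hex(bundle)
    # Constant-time comparison; the pin came from outside the server's control.
    matches = hmac.compare_digest(actual, pinned_hash)
    return {"executed": matches, "bundle_hash": actual, "matches_pin": matches}


def is_tampered(result: dict) -> bool:
    """True when the delivered bundle differs from the audited one."""
    return result["bundle_hash"] != PINNED_HASH


if __name__ == "__main__":
    server = WebServer(targeted_users={"alice"})
    for user in ("alice", "bob"):
        web = load_webmail(server, user)
        pinned = load_pinned_client(server, user)
        print(f"{user}: webmail executed={web['executed']} tampered={is_tampered(web)}; "
              f"pinned client executed={pinned['executed']}")
```

Note the limit of what a browser can do here: Subresource Integrity lets a page pin the hashes of scripts it includes, but the HTML carrying those `integrity` attributes is itself served fresh by the same server, so the pin has to live somewhere the server does not control, such as an installed application, an extension, or a hash checked by the user against a signed release.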

That sounds good. Thank you for the information. I have learned something new today :heart:

Hmm, I think I like this as a middle ground between using cloud-based services while not doing everything in a browser. If encryption is involved, it's likely to be important to you and may not even be used that often, so it's better to have it sync with a cloud-based service and use the web app in a pinch.

1 Like

We are trying out Skiff Pages for some non-sensitive video production documents because it is one of the few end-to-end encrypted document providers with real-time collaboration support, but I don't think any of us are using Skiff Mail. We're also still on the fence with Skiff in general; it's still pretty new and they've made a lot of questionable software decisions (notably everything they're doing related to Web3), so... don't take any of us using it as an endorsement either, we're still evaluating options.

Skiff Mail does not look too promising at the moment for anything besides collaborating with other Skiff users, the lack of any sort of interoperability in terms of end-to-end encryption is disappointing (compared to say, ProtonMail’s encryption which is compatible with any other PGP service/client). I would probably stick to a more traditional private email provider:

2 Likes

Thanks for the feedback. Yeah, open source is the requirement for trust. I'm not into promises.

Would be great to hear more about the questionable software decisions and your take on those. :slight_smile: