
Burned Out and Happy?

Posted by Bjarni Rúnar on 6 April, 2019

Dear Mailpile Users and Backers,

I just wanted to post a short note, to explain why development has been so slow for the last year - or longer. The long and the short of it is, I'm burned out, and this has been the case for quite some time.

I care deeply about this project, but it really is too big for one person and I haven't successfully built a team to support me. That's not to discount the contributions and efforts of our community, but at the end of the day I've been the one responsible for keeping the ball rolling. I review the pull requests, I respond to issues, I file the tax returns, I try to spend your donations wisely... and I write most of the code. Doing this well is a lot of work!

This responsibility, combined with frustration over how slow progress has been, has really worn me down. When I'm feeling down, I'm not very productive, leading to a vicious cycle of feeling bad about the lack of progress and then becoming incapable of making progress as a result.

It's not good.

It took me a while to realize what was going on, to realize I was burned out.

There is also a money dimension here; although I cannot say thank you enough for all the donations and support from our community, the fact is that Mailpile has not been able to pay me a decent wage for my work, ever. I know my value on the job market, and I've been underpaid since day one. That was my choice and I don't regret it; but it's still become harder and harder for me to justify. I have a family now and I've drained most of my savings trying to get 1.0 out the door.

So, I'm giving myself a break and focusing on other things for a while.

I've gotten a (part-time) job working with the fine folks at ISNIC, I'm working out regularly at the pool and I'm spending more time with friends and family. Life is good!

Now that I've accepted and embraced my burnout, I'm actually feeling pretty happy. Identifying a problem is the first step towards a resolution, and I'm already well on my way with steps two and three.

So to be 100% clear: Mailpile is not dead!

Far from it, I'm way too proud of this app to just walk away and let it die. But for now, Mailpile has been demoted to a part time job at most, and a beloved hobby at worst. Considering how unproductive I had become, you may not even notice any difference...

Finally, if reading this gives you the urge to help out, here are a few things you can do for me and for Mailpile:

  1. Use Mailpile! It's not perfect, but it's pretty great.
  2. Tweet or toot what you like about it... I'm listening!
  3. Help make our Community Discourse a useful, welcoming place.
  4. Donate: As always, I'll do my best to spend it wisely.

Thanks for reading!

-- Bjarni


Community Discourse: Launched!

Posted by Bjarni Rúnar on 15 February, 2019

Hello Mailpile world!

We have launched a new site for community discussions about Mailpile: community.mailpile.is

The site runs the excellent Discourse software, which means it's primarily an accessible web-based discussion forum, but it can also be used as a mailing list for those who prefer such things. Our Discourse was set up by a kind member of our community, Greg Sutcliffe. Thanks Greg! And thanks Ásta for helping me launch the site properly.

The purpose of the site is to give people a searchable, "on the record" venue to discuss Mailpile, provide feedback, exchange tips and tricks - and get support. The forum is brand new and pretty empty at the moment, so please feel free to post something and start a conversation!

For more ephemeral discussions, we still have #mailpile on Freenode, and for bug reports we have GitHub Issues. The Community site is for everything else.

Including discussions about our blog posts!


Progress Report: events, packages, 1.0

Posted by Bjarni Rúnar on 27 October, 2018

Hello world! How are you?

I'm writing this, sitting on a bus in Luxembourg, realizing that we have been very quiet for quite some time. Our last posts were in May, first a report on the results of our first round of desktop package usability testing, quickly followed by a statement on how the EFail flaw impacted Mailpile.

Since then we may have been quiet, but we have not been idle:

  • Many, many bugs have been found and fixed
  • The first round of our desktop packaging project is complete: we have packages and very basic desktop integration for both Windows and the Mac
  • Mailpile's multi-user Apache integration (Multipile) has been simplified and reworked
  • Mailpile's internal (in-memory) master security key is now protected against memory corruption
  • Mailpile is now compatible with Autocrypt Level 1, but not yet fully compliant
  • I attended the OpenPGP e-mail summit in Brussels

I would like to publicly thank Alex and Pétur for their hard work on the Mailpile Desktop packages, and in particular for how they took delays and slow responses from my end graciously and in stride.

Read on to learn a bit more about the OpenPGP E-mail Summit, our CCC plans, the state of the desktop packaging work, and of course the elusive 1.0 release.

The OpenPGP Summit and 35c3

Last weekend I visited the Mailfence office in Brussels, to attend the annual OpenPGP E-mail Summit.

The OpenPGP E-mail Summit is one of my favourite community events. Just two days long, it is an informal event focused on getting people from the world of e-mail encryption to exchange knowledge and collaborate.

This year there were (by my rough guesstimate) about 50 people from over 20 projects present, including Phil Zimmermann himself, the creator of PGP. I was very happy to meet him and shake his hand. We ended up having about 20 different sessions, discussing topics ranging from key server management, to user interfaces, to updating the OpenPGP standard itself.

Notes from all the sessions have been published.

There was also a dinner and plenty of socializing, the value of which is not to be understated. Meeting people face-to-face almost always makes collaboration online easier and more productive.

For Mailpile, the main outcomes of the summit were the following:

  1. There seems to be potential for partnerships with 2-3 other businesses in the OpenPGP space, which we look forward to exploring further.
  2. The Web Key Directory specification is still evolving in ways which may require we re-evaluate how we use it in Mailpile.
  3. Mailpile will aim for Autocrypt Level 1 compliance, soon! Our aim is to get a member of the community to review and confirm our implementation at the 35c3 conference. We have a volunteer to perform the review.
  4. I have a voucher and will be representing Mailpile at 35c3. Come say hi!

It was a productive weekend!

When will Mac and Windows packages be available?

If you've e-mailed me asking this question, my apologies for not answering. I haven't replied, because I don't know! If I did, our download page would just say so.

There are three main tasks we need to complete before we make the desktop packages available to the wider Internet:

  1. A short private beta, to reassure ourselves the packages don't have any blindingly obvious bugs.
  2. Launch a Discourse forum, so our users have a venue to help each other out.
  3. Finish our "build robot" so packaging becomes an automated process without any human bottlenecks.

I am not going to commit to a time-line for getting this done, but this work is all in progress and won't take forever. This year? This year.

It's worth mentioning that some important tasks have been postponed and will not be blocking the availability of packages - so these packages will not be "Mailpile 1.0". But they're close.

So, what about Mailpile 1.0?

Our current release is 1.0.0rc4, tagged and pushed earlier today.

At times it feels like we're chasing the tortoise from one of Zeno's paradoxes, always getting closer but never able to catch up. For every issue we close, others are opened...

But in spite of that, my to-do list for the elusive "Mailpile 1.0" release really is starting to get shorter and the issues that remain are not as complex as the ones we've resolved. I've updated the GitHub Milestone to reflect the current priority issues. It's not a long list, mostly relatively minor bugfixes.

The two big items left on my 1.0 roadmap are:

  1. Fully implement Autocrypt Level 1
  2. Implement easy remote access (PageKite and Tor Hidden Services)

The former is necessary for an interoperable and complete implementation of "PGP for everyone", and the latter is needed so people can access their Mailpiles remotely - in particular to access their Mailpile from their smart-phones.

Again, I'm not going to make any promises about when these will get done.

But this mini roadmap is still worth sharing, because if you liked the vision behind Mailpile and those two issues aren't critical for your use-case... then maybe Mailpile is already ready for you. Maybe!

One-point-oh is an important label, but it's not everything.

Mailpile is already a great e-mail client. Give it a try!


PGP Security Alert

Posted by Bjarni Rúnar on 14 May, 2018

Dear Mailpile users,

The EFF have publicized advice from a group of security researchers, who claim there is a serious problem with PGP encrypted e-mail. Users are advised to disable automatic decryption of e-mail and exercise caution or avoid decrypting e-mails entirely until the vulnerabilities have been addressed.

Second (and 3rd) Update

The actual research is now public.

As far as I can tell, Mailpile is [mostly] not vulnerable to these flaws and the table of tested mail clients in the paper itself is misleading in that regard. This is unfortunate.

There are some exceptions though, see below.

Why is Mailpile [mostly] not vulnerable?

Because of defense in depth.

  1. Mailpile does not display HTML content by default
  2. Before displaying HTML, Mailpile cleans up malformed and incomplete tags.
  3. When displaying HTML, Mailpile does not load remote content by default.
  4. Mailpile respects the GnuPG error messages which warn of invalid data.
  5. Mailpile never sends auto-replies to incoming mail.

The direct exfiltration attack is completely thwarted by #2, and would be mitigated in any case by #1, #3 and #5.

The CBC/CFB Gadget Attack is mostly thwarted by #4, and would also be mitigated in any case by #1, #3 and #5.

As far as I can tell, most Mailpile users will not be vulnerable to EFail. Don't let the red mark in the PDF deceive you! Also, it's worth mentioning that this isn't a lucky accident - this is a direct validation of how we approach security.

Part of that approach is simply taking these things seriously. If anyone disagrees with my analysis or finds other flaws in Mailpile, we want to know about it and will do our best to remedy things as quickly as possible.

Wait.. mostly? When is Mailpile vulnerable?

Mailpile is vulnerable to the CBC/CFB Gadget Attack in the following cases:

  1. Something is obsolete, either:
    1. Mailpile is configured to use an out-of-date version of GnuPG, or
    2. The encrypted data being exfiltrated is so old that GnuPG doesn't expect and require it to have a Modification Detection Code (MDC).
  2. And:
    1. The user manually displays HTML and loads remote images, or
    2. The user has previously enabled HTML and images for the sender

In practical terms, this means even if you are running up-to-date software, then old content (messages that are 10-20 years old, or more) could potentially be stolen - but only with a bit of social engineering, and only if you still have the keys on your keychain.

The risk is more serious if you have configured Mailpile to use an obsolete version of GnuPG - use of GnuPG 1.4.x is still relatively common, and our tests suggest it is probably vulnerable. In this case more recent messages may be at risk, but the social engineering is still required for attacks to succeed.
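Defense #4 and the MDC exception described above, as an added example (not Mailpile's own code): a Python function that releases decrypted plaintext only when GnuPG's machine-readable status output (`--status-fd`) reports a verified integrity check. The function name and the sample status lines are constructed for illustration.

```python
# Added example: gate plaintext on GnuPG --status-fd output.
# check_decryption() and the sample lines below are constructed, not Mailpile code.

PREFIX = "[GNUPG:] "

def check_decryption(status_lines):
    """Return (ok, reason); ok is True only if integrity was verified."""
    seen = set()
    mdc_method = None
    for line in status_lines:
        if not line.startswith(PREFIX):
            continue  # human-readable warnings are not a reliable signal
        parts = line[len(PREFIX):].split()
        if not parts:
            continue
        seen.add(parts[0])
        if parts[0] == "DECRYPTION_INFO" and len(parts) > 1:
            mdc_method = parts[1]  # "0" means the message carries no MDC
    # A failed integrity check always wins, even if plaintext was emitted.
    if "BADMDC" in seen:
        return False, "integrity check failed (BADMDC)"
    if "DECRYPTION_FAILED" in seen:
        return False, "GnuPG reported DECRYPTION_FAILED"
    if "DECRYPTION_OKAY" not in seen:
        return False, "no DECRYPTION_OKAY status"
    # Old messages without an MDC decrypt "successfully" but are malleable,
    # which is what the CBC/CFB gadget attack relies on.
    if "GOODMDC" not in seen or mdc_method == "0":
        return False, "no integrity protection (message without MDC)"
    return True, "decrypted and integrity verified"

# Constructed sample: intact, MDC-protected message.
MODERN_OK = [
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_INFO 2 9",
    "[GNUPG:] PLAINTEXT 62 0 ",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] GOODMDC",
    "[GNUPG:] END_DECRYPTION",
]
# Constructed sample: ciphertext modified in transit.
TAMPERED = [
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_INFO 2 9",
    "[GNUPG:] PLAINTEXT 62 0 ",
    "[GNUPG:] BADMDC",
    "[GNUPG:] DECRYPTION_FAILED",
    "[GNUPG:] END_DECRYPTION",
]
# Constructed sample: legacy message with no MDC, decrypted with only a warning.
LEGACY_NO_MDC = [
    "gpg: WARNING: message was not integrity protected",
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_INFO 0 3",
    "[GNUPG:] PLAINTEXT 62 0 ",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] END_DECRYPTION",
]
```

Note that in the tampered case GnuPG may already have written plaintext before reporting `BADMDC`, so a caller has to discard any buffered output when this check fails rather than rendering it.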

Fixes addressing both of these attack vectors have been pushed to our GitHub repository and will be included in our next release candidate. They are already present in our nightly Debian packages.

First Update

Further details have emerged.

Werner, the lead developer of GnuPG, claims that the flaw has to do with an interaction between HTML mail and GnuPG error handling in common e-mail clients and PGP plugins.

If this is indeed the case, most Mailpile users are not vulnerable since HTML messages are not rendered by default - and even when HTML is rendered, loading of images and other remote assets is also disabled by default.

If you would rather take the EFF's advice, in spite of Werner's update, our original advice is included below.

Disabling Automatic Decryption

This advice is obsolete! It is preserved here for historic reasons.

Within Mailpile, the way to disable automatic decryption is as follows:

  1. In the web interface, visit the Settings page
  2. Open the CLI
  3. Run the following command: set prefs.index_encrypted = false

This will disable automatic decryption of incoming mail. However, manual decryption (decryption when messages are read) will still work and it is advisable to not read any encrypted mail until we know more about the attack and whether Mailpile is actually vulnerable.

If you absolutely must read encrypted e-mail, we recommend taking your computer offline before doing so, so as to prevent network-based side channels from leaking sensitive key material.

To re-enable indexing of encrypted messages, perform the same steps again, except set prefs.index_encrypted = true at the end.

What is going on?

What follows is idle speculation. Please take it with an appropriately sized grain of salt!

I don't know what is going on. However, I trust the EFF. They would not be advising we disable such an important tool unless it was of critical importance. The implication of the advisory is that automatic e-mail decryption can leak details of your private key material back to a malicious attacker. The mechanism is unknown, but the common denominator in the EFF's list of vulnerable e-mail clients is use of GnuPG - which Mailpile also relies upon. My guess is that there is a flaw in GnuPG which allows attackers to craft encrypted messages that force GnuPG to leak key material back over the network to an attacker.


See updates from myself and Werner above. The situation is not as bad as it first appeared - in fact, it appears Mailpile is not vulnerable to this problem.

All the same, because we take these things seriously, I have filed issues in our issue tracker for follow-up work and proactive improvements: #2072, #2073, #2074, #2075, and #2077.

We will post updates as more information becomes available.



Some Tweets

we are back in the virtual office after co-working in Reykjavík! We are already incorporating the awesome input from our usability study and looking dorky doing it! (as we should)
More soon! /okta twitter.com/MailpileTeam...
@MailpileTeam, Thu, 03 May 2018 18:34

Second day of co-working in person for the #Mailpile team :) Reykjavík may be cloudy, but team spirits are up as we user-test installers today!
#Mailpile4Win #returnoftheMac #okayIwillStopwiththeHashtags
@MailpileTeam, Tue, 24 Apr 2018 11:43

Halló Reykjavík residents!

#Mailpile is doing a small usability test tomorrow Tuesday (real Smol!) and we are a couple of folks short. Are you in Reykjavík, using email, free tomorrow afternoon and interested in privacy? Send us a DM for details!
@MailpileTeam, Mon, 23 Apr 2018 10:54

Wuddyah look at that! The first in-person meeting of the Mailpile Team!

We will be hanging around Reykjavík the next days - so ping us if you want to come say hi! twitter.com/MailpileTeam...
@MailpileTeam, Mon, 23 Apr 2018 10:42

Don't panic: Our website is temporarily unavailable as we migrate to a beefier VPS.

In other news, we successfully hired a couple of clever people to help with our Windows and Mac packaging. Work has begun!
@MailpileTeam, Tue, 13 Mar 2018 16:19

It's Friday afternoon in some parts of the world - your inbox is hassling you & you drift off to a better future where you have an email client that is a search engine & a personal webmail server that has email encryption built in!
Help us build that future! http://mailpile.is/jobs
@MailpileTeam, Fri, 09 Feb 2018 15:43

Iiiitttt´ssss "Hump Day" everybody!
Did you know that Mailpile is still looking for developers? we would luurv to get Mailpile out to as many as possible, make it accessible for most! Join us to package for Windows and MacOS! http://mailpile.is/jobs
@MailpileTeam, Wed, 07 Feb 2018 15:46

Hey developers! We are still looking for you <3 so much so that we have extended our deadline for MacOS and Windows developers to Feb. 14th <3 <3
Ping us for questions - more info here: http://mailpile.is/jobs
@MailpileTeam, Thu, 01 Feb 2018 12:00

The Mailpile Team is back after being dormant for a while and we are looking for developers to help us Mailpile out for more people to use! Check out http://mailpile.is/jobs for details
@MailpileTeam, Mon, 29 Jan 2018 09:57

We are hiring!

We are looking for Windows and Mac OS developers to help us get Mailpile 1.0 in the hands of as many people as possible.

Check out https://www.mailpile.is/jobs/ and spread the word!
@MailpileTeam, Mon, 22 Jan 2018 21:25

Oh, hi! We're not dead. In fact, we're in the process of hiring a project manager to get the ball rolling a bit more visibly again. More news soon.
@MailpileTeam, Thu, 16 Nov 2017 00:21

Have you tried the Mailpile Debian 1.0rc1 packages? We're looking for feedback on what works and what doesn't.
https://www.mailpile.is/download/linux.html
@MailpileTeam, Mon, 21 Aug 2017 10:45

As announced at #SHA2017, we now have a first release candidate for Mailpile 1.0. Linux (deb) packages are here: https://www.mailpile.is/download/linux.html
@MailpileTeam, Wed, 16 Aug 2017 16:30

