Private Email Servers are not an Exercise in Futility

Why run private email?

The thread started off in exactly the place you would expect in any security conversation. To any security professional, the notion of binary designation of “secure” and “insecure” is misplaced. Every security conversation must start against the backdrop of a threat model. Threats can be adversarial agents (malicious individuals or organizations), natural phenomena (hardware failure, software failure, natural disasters), or even self-originated (the user threatening themselves, accidentally of course). And they correctly start from this idea.

Honeypot Effects

First, there is a “honeypot effect” where the value of compromising central email infrastructure outpaces the effectiveness of countermeasures. This is a point that @relyt29 misses in the following tweet:

Government Demands

Secondly, by rounding up all of this sensitive data into a central location, it becomes increasingly enticing for governments to extrajudicially pressure email providers to assist them in endeavors of government interest. Since the providers often do not have a tremendous incentive to resist, they often comply even at times when they don’t need to for expediency’s sake. Ultimately, no one besides yourself will be a better steward of your own interests and, by extension, privacy.

Violations of Trust

Finally, there are risks related to violations of trust. As it stands today, Google has the capability to read 100% of your GMail emails at any time for any reason. By policy, there is presumably a process that gates which code and human eyes can view your conversations, but policies change somewhat frequently and verification of adherence to such policy is essentially impossible. In addition to that, even if you believe that the people running these large organizations represent your interests today, the turnover in any organization cannot ensure that those values are resilient. With Sergey and Larry stepping down last year, this is not just a hypothetical: Google has entered a new era. With the increasing incidence of public companies choosing their shareholders over customers when those interests diverge, these violations are becoming obvious to everyone, and rightfully deserve attention and open up the opportunity for creative destruction.

Okay, but is it Realistic?

Enough about why we should try and run private email servers. I imagine that by now, if you are not convinced it is at least marginally valuable, you may just not be the audience that will benefit from the rest of this discussion. And while we are confident that you will change your mind at some point, you can skip the rest of this post for now.

Constant Uptime

Configuration Hell

As it turns out one of the near universal problems with server software is that their configurations can be maddeningly detailed, to the point where even an expert may not know deeply what every configuration option is for. For this reason, one of the design goals is that while you should be able to retain most if not all control over the configuration options, you should be able to run the software without having to input a single configuration option. We have spent significant effort refining this experience and it works quite nicely.

Static Addresses

The above concerns apply to pretty much all server software, but there are some additional issues when dealing with email specifically. One of these is that you need some sort of static address to which people can send emails. If you don’t have this, no one can know how to reach you, and you may as well pack it in. Typically, ISP’s don’t give consumers dedicated IPv4 addresses unless they are requested. When they are requested, you typically have to pay a lot more than you want for the privilege. @relyt29 gives names two options here:

Counterparty Security

This leaves us with the last main point that @relyt29 talks about:

Conclusion

I’ll end this where @relyt29 and Start9 Labs agree:

Leave a comment

x