Skiff.com Email’s Various Privacy Failures

2024-01-14 13:40:35

I came across Skiff.com on a Hacker News submission. They claim to provide a “Privacy-first end-to-end encrypted email” service. As the creator of the Email Privacy Tester, I like to test email providers and clients when I first come across them.

A Bad Default

One of the first things I noticed after signing up for a free account with Skiff is that they have the standard “Block Remote Content” option which almost all email providers and clients have, but that the option is disabled by default. This default didn’t strike me as matching their “Privacy-first” claim. If privacy is important enough to be the very first thing you mention on your website, then blocking remote content should be enabled by default.

I mentioned this on the Hacker News thread, and the CEO of Skiff, Andrew Milich, responded. He had two responses: “privacy focused mail providers offer this as an option but don’t enable it by default”. I’d be surprised if that’s the case for privacy focused mail providers, but I haven’t done a survey. But also, “Mainstream mail providers don’t even have it as an option”. That’s just flat out false, and I’m not sure why he thinks it. Loading remote content (or not) is a standard option available from nearly all email clients and providers and has been for decades. Also… Who cares what other mail providers do? If “Privacy-first” is your main selling point, do things that are “Privacy-first”, don’t just copy your competitors.

A Leak in the Webmail, OSX and Windows clients

Anyway, I proceeded to test their webmail client via the Email Privacy Tester to see if it had any bugs. What I discovered was that if you have “Block Remote Content” enabled, they display placeholder images where the remote content would be, as is normal, and the way most other clients work. However, what’s different in Skiff’s case is that they still fetch the remote content in the background. To their credit, they do proxy the requests so that your IP address isn’t exposed, just like GMail does, but email open information is still exposed. This completely defeats the main purpose of blocking remote content and isn’t how any other mail providers that I’ve tested over the years work.

I took this back to the same Hacker News thread. The CEO of Skiff responded that what I was saying was “patently false disinfo”. Unsure of why he refused to even entertain the idea of the bug, I pointed him to a tool where he could verify this himself (Email Privacy Tester). I got the bizarre response that he tested it and found it worked the same as Tutanota. I tested Tutanota’s Webmail and no it doesn’t. Tutanota doesn’t have this bug, and unlike Skiff, puts “Privacy-first” and defaults to blocking remote content.

At this point, I figured he doesn’t understand the problem, which is fine. What is not fine is the issue being dismissed as “disinformation”, rather than being forwarded to somebody on his team who might be able to understand, diagnose and fix the problem. I created a screencast and uploaded it to Youtube, showing the bug in action.

I also tested the OSX and Windows clients and they behave in the same way.

IP Address Leak, on iOS

After testing their iOS client on my iPhone, I discovered that it’s even worse than the other clients. First of all, the “Block Remote Content” setting was not synced across so I had to apply it a second time. But the main problem, although they attempt to block remote content from loading on the iOS client when you enable that setting, they fail to do so when that remote content is loaded via one of the following html tags:

<p style="content:url('http://TRACKING_URL/')"></p>

<p style="background-image:url('http://TRACKING_URL/');"></p>

And in their failure to prevent that loading, they also fail to proxy it, meaning that not only is the fact that you have read that email exposed, but your real IP address is exposed to the sender too. Given Skiff’s lack of interest in my previous report, I didn’t bother reporting this bug to them directly. I haven’t tested their Android client. If you’re using it, I suggest testing it yourself.
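A blocker that only inspects `<img src>` misses loads declared in CSS, which is the gap described above. The following scanner is an added example, not code from the post or from Skiff: it lists every reference in an HTML body that a renderer would fetch, including inline `style` attributes and `<style>` elements, so a client's blocking can be checked against it. The sample message is constructed and `TRACKING_URL` is the post's own placeholder.

```python
import re
from html.parser import HTMLParser

# Attributes that trigger a fetch on render; <a href> is excluded because it needs a click.
LOAD_ATTRS = {"src", "background", "poster"}
CSS_URL = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]+)", re.I)
REMOTE = re.compile(r"(?:https?:)?//", re.I)


class RemoteRefScanner(HTMLParser):
    """Collect (tag, location, url) for every remote load in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def _scan_css(self, tag, location, css):
        for url in CSS_URL.findall(css):
            if REMOTE.match(url):
                self.refs.append((tag, location, url))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            value = (value or "").strip()
            if name == "style":  # inline CSS: content:url(...), background-image:url(...)
                self._scan_css(tag, "style", value)
            elif (name in LOAD_ATTRS or (tag == "link" and name == "href")) and REMOTE.match(value):
                self.refs.append((tag, name, value))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS rules inside a <style> element
            self._scan_css("style", "text", data)


def remote_refs(html):
    scanner = RemoteRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.refs


# Constructed sample: the two tags from the post plus an <img>, a cid: image and a <style> rule.
SAMPLE = ('<img src="http://TRACKING_URL/a.gif"><img src="cid:logo@example.invalid">'
          "<p style=\"content:url('http://TRACKING_URL/')\"></p>"
          "<p style=\"background-image:url('http://TRACKING_URL/');\"></p>"
          "<style>body{background:url(//TRACKING_URL/c.png)}</style>")
```

With blocking enabled, none of the URLs returned by `remote_refs(SAMPLE)` should ever appear in the sender's access log.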

Notifying their users?

Assuming they eventually fix these bugs (who knows?), it will be interesting to see if they email their users to alert them to their potential exposure. Given the attitude of their CEO so far, I’m guessing they will just brush these issues under the rug and not tell their users. Perhaps they will mention it on a webpage somewhere which the majority of their users won’t see, so they can claim their users were informed. Prove me wrong Skiff.

A Private Way to allow Remote Content

One of the things the CEO said to me in the thread regarding blocking remote content was “There is no foolproof way to load any remote content without possibly exposing email open information”. I corrected this, and didn’t get a response. It’s perfectly possible to load remote content while simultaneously hiding email open information. You’d do this by fetching and storing the remote content at the point of delivery, for all email. I don’t know of any providers that do this, but it’s certainly a solution to the problem and one that I hope providers start to use in the future. Certainly providers who claim to be “Privacy-first”. If all providers started doing this, it would drastically reduce the ability of senders to track email; they’d have to rely on users clicking links containing unique ids.
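A minimal sketch of the delivery-time approach described above, as an added example and not any provider's implementation: each render-time URL is fetched once when the message arrives and rewritten to a stored copy, so opening the message later causes no request to the sender. The `/mailcache/` path, the injected `fetch` callable and the sample message are assumptions made for illustration.

```python
import hashlib
import re

# Matches URLs a client loads on render (src=... and CSS url(...)), not <a href> links.
# Simplification for this example: a production rewriter would use a real HTML/CSS parser.
LOAD_URL = re.compile(r"""(\bsrc\s*=\s*["']|url\(\s*["']?)(https?://[^"')\s]+)""", re.I)
CACHE_PREFIX = "/mailcache/"  # hypothetical path served by the mail provider itself


def snapshot_at_delivery(html, fetch, store):
    """Fetch each remote resource once, now, and point the message at the stored copy.

    fetch(url) returns bytes, or None when the resource is unavailable.
    store maps cache path -> bytes and stands in for the provider's blob storage.
    """
    seen = {}

    def localise(match):
        prefix, url = match.groups()
        if url not in seen:
            body = fetch(url)  # happens for every message, opened or not
            if body is None:
                seen[url] = CACHE_PREFIX + "unavailable"
            else:
                path = CACHE_PREFIX + hashlib.sha256(body).hexdigest()
                store[path] = body
                seen[url] = path
        return prefix + seen[url]

    return LOAD_URL.sub(localise, html)


# Constructed message: one tracking image referenced twice, plus a link that must stay a link.
MESSAGE = (
    '<img src="http://TRACKING_URL/open.gif">'
    "<p style=\"background-image:url('http://TRACKING_URL/open.gif');\"></p>"
    '<a href="http://TRACKING_URL/click?id=1">offer</a>'
)
```

The sender sees a single fetch per resource at delivery time from the provider's address, which says nothing about whether or when the recipient read the message; the `href` link is left alone because following it is the user's choice.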

Security Audits

According to Skiff’s Transparency page they have undergone and are undergoing four security audits:

  • Cure53 Aug 2023 (Upcoming)
  • Trail of Bits July 2022
  • Trail of Bits Feb 2022
  • Tom Ritter (Security Consultant) Jan 2021

They don’t provide any further information, so we really have no idea what was actually tested as part of these audits, nor what the results were. I can only assume they haven’t had their webmail client or desktop apps audited to ensure that they’re working as intended; even basic testing of the “Block Remote Content” function would have shown a problem. Security Auditors, take note: If you’re testing something related to email, Email Privacy Tester exists, and it’s GPL-3, so you can even host your own version.

MTA-STS

I also tested if they support MTA-STS. Here, they have done half a job. They support it for inbound mail, but not outbound. I confirmed this by disabling the advertising of STARTTLS on my MTA, to their hosts only, and testing if they still delivered mail to my address (which has MTA-STS set up on it). Here is a log of them delivering mail to me over a TLS secured connection before I made the change, followed by a log of them delivering mail to me over a non-TLS connection after I made it:

2023-08-25 18:06:51 1qZbCq-00000C-0T <= mike.cardwell@skiff.com H=outbound-smtp.skiff.com [35.166.143.94]:47782 I=[172.19.0.3]:25 P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no SNI="mail.grepular.com" S=2612 id=c4588db9-741e-4c6d-a1d4-490432f7cdc6@mail.skiff.com

2023-08-26 15:37:49 1qZvM8-00000A-TS <= mike.cardwell@skiff.com H=outbound-smtp.skiff.com [35.166.143.94]:36226 I=[172.22.0.4]:25 P=esmtp S=2568 id=f1f681b6-0161-45a0-834c-1ab8f8b86361@mail.skiff.com

Come on, finish the job Skiff.
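What outbound MTA-STS support means for a sending MTA, as an added example that is not code from the post: the sender parses the recipient domain's policy and, in `enforce` mode, defers instead of delivering when the MX does not match, STARTTLS is not offered, or the certificate does not validate (RFC 8461). The policy text below is constructed; the post does not show the author's real policy, and `enforce` mode is an assumption.

```python
def parse_policy(text):
    """Parse an MTA-STS policy file body into a dict with a list of mx patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy


def mx_allowed(host, patterns):
    """Match an MX host against policy patterns; '*.' covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def outbound_decision(policy, mx_host, starttls_offered, cert_valid):
    """Return what a policy-honouring sender does with a message for this MX."""
    if policy["mode"] == "none":
        return "deliver"
    if mx_allowed(mx_host, policy["mx"]) and starttls_offered and cert_valid:
        return "deliver"
    # enforce: never fall back to plaintext; testing: deliver but send a TLS report
    return "defer" if policy["mode"] == "enforce" else "deliver-and-report"


# Constructed policy for illustration (the MX name is the SNI value seen in the first log line).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.grepular.com
max_age: 604800
"""
```

Under this policy the situation in the second log line (no STARTTLS on offer) gives `outbound_decision(parse_policy(SAMPLE_POLICY), "mail.grepular.com", False, False) == "defer"`, where the post observed a plaintext delivery.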

DMARC and Spoofing

I tested if they support DMARC by sending an email to my Skiff address from an IP outside my SPF allow-list, and without a DKIM signature. According to my DMARC record, they should have rejected the email, but instead of rejecting, they treated it as if I specified “quarantine” and placed it in the Spam folder. I can’t see from the outside if failing DMARC will always lead to a message being filtered into Spam, or if they simply treat it as just another Spam indicator. Hopefully, an email which fails DMARC will always go into the Spam folder at least. The main problem is, this email was spoofed, and there is nothing in the UI to indicate that was the case, to the reader.

Summary

The existence of bugs is to be expected, but the attitude of Skiff’s CEO towards them being reported is not. All he needed to say to me was, “Thanks for the report. It’s not supposed to work that way. I’ll get somebody to look into it”. Therefore, I would recommend you not trust this company with your data. You never know what legitimate privacy/security bug reports they have dismissed in the past, or will dismiss in the future. I’ll update this blog post if I become aware of them fixing any of these issues.

Update 2023-Aug-29

They’ve fixed the IP address leak on iOS. No sign of users being informed of their exposure. Other issues remain.
