Is this secure email?

Linuxnoob124a4

New Member
Joined
Jan 1, 2022
Messages
28
Reaction score
2
Credits
238
Can you guys give me an opinion on The Helm. https://thehelm.com/
The service offers physical hardware that stores your emails to run an email server out of your home.
It is actually secure from the Helm itself spying?

Here is their technical write-up, I will post the steps below:


Here are the steps for Helm’s network architecture to work end to end:

1. When you buy a Helm, a gateway (AWS EC2 instance) is spun up with an Elastic IP. A hosted zone with DNS records, including a PTR record, is established in Route53 for the gateway. The Elastic IP enables a Helm in your home to be easily addressed from anywhere in the world.

2. After you receive your Helm and begin setup, it connects to your router over WiFi or Ethernet. Your Helm then establishes an outbound VPN connection (IKEv2) to the gateway.

3. The combination of an iptables configuration on the gateway and the VPN connection between the gateway and your Helm routes packets between your Helm and the internet.

4. Using this VPN connection, your Helm fetches Let’s Encrypt certificates for your domain.

5. Client-to-server and server-to-server TLS sessions terminate on your Helm, not the gateway. Packets for these TLS sessions travel their last mile over the VPN connection between the gateway and your Helm. Thanks to the Let’s Encrypt project, this architecture is viable and adheres to our design tenet of knowing as little about our customers as possible. We strive to ensure that all inbound and outbound traffic routed through the EC2 instance is using TLS with these certificates from Let’s Encrypt.


Here's some description of their software from their website:

Helm's operating system is Linux. We create our own build/distribution using Yocto.
Yocto
Yocto is an open source project we utilize to create our own custom minimal Linux distribution.
Docker
Helm utilizes Docker to run most of its services.
Nextcloud
The Nextcloud File Sync and Share project powers Helm Files for sync, share and photo backup.
Postfix
Helm utilizes Postfix for sending emails with SMTP.
Dovecot
IMAP services for accessing and syncing email across devices is provided by Dovecot.
Duplicity
Duplicity is an open source project specializing in backup.
Strongswan
For the VPN connection to the security gateway as well as for the VPN service offered by the Helm, we utilize the Strongswan open source project.
OpenLDAP
User management and authentication, email addresses and alias management are managed using the open source OpenLDAP project.
 


KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
4,543
Reaction score
4,208
Credits
36,463
If you want greater certainty, get a VPS, use encryption, and run your own mail server - being sure to use end-to-end encryption. Of course, anyone opening your sent emails can just as easily share them with anyone they want.
 

BoringZombie

Active Member
Joined
Apr 1, 2021
Messages
219
Reaction score
112
Credits
1,495
I had trouble before deciding what email service to use, but email itself isn't 100% secure, nothing with technology is 100% secure. You will just have to pick your poison.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
4,543
Reaction score
4,208
Credits
36,463
nothing with technology is 100% secure

^THIS - which is why I said 'greater' certainty. A secure computer is one that won't power on and has no RAM or disk drives still in it. It should probably also be buried and encased in concrete. There are ways to record the sound your keyboard makes to figure out what it was you were typing, if you want the whole spy vs spy thing. Heck, there are JavaScript libraries that will let you detect how someone types and we all type with just a little bit of difference so that it's kinda like a fingerprint. (I have spent way too much time on Slashdot.)

All this for what? So you can get spam at a new email address?

I compartmentalize. I've got an email for all occasions. I have dozens of 'em that have been accumulated over the years. Some of 'em are older than some forum members!
 
OP
L

Linuxnoob124a4

New Member
Joined
Jan 1, 2022
Messages
28
Reaction score
2
Credits
238
If you want greater certainty, get a VPS, use encryption, and run your own mail server - being sure to use end-to-end encryption. Of course, anyone opening your sent emails can just as easily share them with anyone they want.
With the VPS encryption route, this prevents the VPS from getting any information itself?

Do the random people sending me email from other domains have to do encryption work on their end though? I know protonmail to protonmail is encrypted. But from poopinggrass.com to protonmail is not.

Any VPS you can recommend? Preferably accepting crypto pay
 

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
4,543
Reaction score
4,208
Credits
36,463
You would be encrypting your drive itself, so nobody else *should* gain access that way.

People sending email in plain text (rarer and rarer these days) would still be susceptible to a MITM attack. Your emails could be automatically sent securely as well as adding a layer of personal encryption.

It's a pain to configure, but once you're done it's not too hard to maintain - so long as it is just a few addresses. Once you get past that and start worrying about things like mass spam filtering it can get pretty complex, but just a few addresses isn't bad - just be sure to bitbucket your wildcard address.
 

gvisoc

Well-Known Member
Joined
May 29, 2020
Messages
282
Reaction score
314
Credits
2,804
is there any way to know if any of these platforms actually do zero knowledge service? like protonmail claims to, but they seem like a CIA honeypot
If it’s for that, desist. The fact that they implement X, Y or Z security pattern doesn’t exclude them from abiding to the laws to the extent of their capacity, which is exactly what is behind your “CIA honeypot” way of describing it.

Even if you implement your own service with encryption, you will have to respect the laws and the warrants.
 

BoringZombie

Active Member
Joined
Apr 1, 2021
Messages
219
Reaction score
112
Credits
1,495
is there any way to know if any of these platforms actually do zero knowledge service? like protonmail claims to, but they seem like a CIA honeypot
If the CIA wanted to find you regardless of the email provider you use, they will. The government will break laws to find what they want. If the email provider doesn't comply then they will no doubt break into their systems if needed. Nothing will stop a large government entity from getting what they want if it can be retrieved in anyway. Not just the government but it can be individuals or a group of people working together to gather information on someone.
 

BoringZombie

Active Member
Joined
Apr 1, 2021
Messages
219
Reaction score
112
Credits
1,495
is there any way to know if any of these platforms actually do zero knowledge service? like protonmail claims to, but they seem like a CIA honeypot
If you want you can do what I do to try to limit emails people or companies don't have about you.

I use a few Microsoft emails for things like professional uses, financial, etc... Things that companies and the government would already have on many anyways. Also have one email for gaming since it's connected to Microsoft, and one for development because of a few Microsoft services I use.

Everything else like contacting people, forums, website signups, social networks, things like that I use https://simplelogin.io/ aliases that are redirected to my Mailfence address.

And I use ProtonMail for their recovery.
 

gvisoc

Well-Known Member
Joined
May 29, 2020
Messages
282
Reaction score
314
Credits
2,804
Personally, I think that using your own personal domains is worth the money and the effort, and getting better privacy with simplelogin.io for the undersirable places is a very good recommendation.

Once you have a personal owned domain you can flip it over to any other email hosting provider if you stop trusting the current one, without having to boil the ocean updating everyone with your new address. Think of it as if you were porting your phone number to another carrier.

Also, you can have a number of aliases on it (different handles @ your domain), so if one of them gets burnt, you delete it and all emails will bounce back to the spammers.
 

f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
4,095
Reaction score
2,848
Credits
29,576
Encryption with TLS means that it is encrypted during transport from the sending mailserver to the receiving mailserver, the connection starts unencrypted and then switched to STARTTLS if both mailservers support TLS. After transport the mails are store as plaintext files, if you are wanting to encrypt those it's going to get very complicated. So you better option then would be to use PGP but not everyone uses PGP, everyone receiving mail can look up the smtp headers so mail in itself is not even privacy friendly.
 
OP
L

Linuxnoob124a4

New Member
Joined
Jan 1, 2022
Messages
28
Reaction score
2
Credits
238
If it’s for that, desist. The fact that they implement X, Y or Z security pattern doesn’t exclude them from abiding to the laws to the extent of their capacity, which is exactly what is behind your “CIA honeypot” way of describing it.

Even if you implement your own service with encryption, you will have to respect the laws and the warrants.
While I do appreciate your time and replies, I believe you misinterpreted my reply. I am not breaking the law, if I was I wouldn't be posting on a forum like this asking noob questions. Wikileaks shows the true extent of the the CIA's rampant mass murder and tyranny. Despite me being a law abiding citizen, it's assumed the government and big tech like google will try to spy because they are rotten. I am not trying to break the law... it's the CIA, NSA, and deep state that break the law and constitution. That's why we are on a linux forum.

I believe we got distracted from the question about zero-knowledge proofs. Is there any way to actually know if they are doing it?
 

gvisoc

Well-Known Member
Joined
May 29, 2020
Messages
282
Reaction score
314
Credits
2,804
There are several ways.

You can check their source code on their repositories and / or (if it's not opensource) in the developer tools of your browser as it fetches an encrypted inbox and decrypts it within the browser, as they claim it to do.

You can also check their documentation and if they run third party audits on their systems.

As with pretty much everything that doesn't run in your computer in a transparent way, security and privacy are a matter of trust, public scrutiny and transparency.
 

BoringZombie

Active Member
Joined
Apr 1, 2021
Messages
219
Reaction score
112
Credits
1,495
While I do appreciate your time and replies, I believe you misinterpreted my reply. I am not breaking the law, if I was I wouldn't be posting on a forum like this asking noob questions. Wikileaks shows the true extent of the the CIA's rampant mass murder and tyranny. Despite me being a law abiding citizen, it's assumed the government and big tech like google will try to spy because they are rotten. I am not trying to break the law... it's the CIA, NSA, and deep state that break the law and constitution. That's why we are on a linux forum.

I believe we got distracted from the question about zero-knowledge proofs. Is there any way to actually know if they are doing it?
There's already been many whistleblowers, employees, etc.... that have provided proof and verified what we have known. And yes, Google/Big Tech, NSA, CIA, and other government entities US based and in other countries are involved in spying.

It's not like they are sitting back in their chairs spying on every single person, not unless you're on a high profile watch list. The data they have about you is stored in databases. If you use technology and access the internet like everyone else they already will have some form of information about you.
 
OP
L

Linuxnoob124a4

New Member
Joined
Jan 1, 2022
Messages
28
Reaction score
2
Credits
238
Personally, I think that using your own personal domains is worth the money and the effort, and getting better privacy with simplelogin.io for the undersirable places is a very good recommendation.

Once you have a personal owned domain you can flip it over to any other email hosting provider if you stop trusting the current one, without having to boil the ocean updating everyone with your new address. Think of it as if you were porting your phone number to another carrier.

Also, you can have a number of aliases on it (different handles @ your domain), so if one of them gets burnt, you delete it and all emails will bounce back to the spammers.
Gotcha, thanks do you have a VPS you recommend or place to start on this?
 
OP
L

Linuxnoob124a4

New Member
Joined
Jan 1, 2022
Messages
28
Reaction score
2
Credits
238
There are several ways.

You can check their source code on their repositories and / or (if it's not opensource) in the developer tools of your browser as it fetches an encrypted inbox and decrypts it within the browser, as they claim it to do.

You can also check their documentation and if they run third party audits on their systems.

As with pretty much everything that doesn't run in your computer in a transparent way, security and privacy are a matter of trust, public scrutiny and transparency.
Ok makes sense. So if Protonmail really did not have zero-knowledge data, then random members of the privacy/coding community would have already been vocal about this in it's open source phone app right? I don't understand how a website on a browser can be open source though.
 

brickwizard

Well-Known Member
Joined
Apr 28, 2021
Messages
1,546
Reaction score
1,153
Credits
11,577
only one comment, Proton Mail is a Swiss based organisation and subject to Swiss privacy laws.
 
OP
L

Linuxnoob124a4

New Member
Joined
Jan 1, 2022
Messages
28
Reaction score
2
Credits
238
You would be encrypting your drive itself, so nobody else *should* gain access that way.

People sending email in plain text (rarer and rarer these days) would still be susceptible to a MITM attack. Your emails could be automatically sent securely as well as adding a layer of personal encryption.

It's a pain to configure, but once you're done it's not too hard to maintain - so long as it is just a few addresses. Once you get past that and start worrying about things like mass spam filtering it can get pretty complex, but just a few addresses isn't bad - just be sure to bitbucket your wildcard address.
Ok I am confused on this issue. When you send protonmail to a NON-protonmail person, it gives you the option of an encryption password. Doesn't this mean by default, most email across different domains is NOT encrypted? Like protonmail to randomsite.com?
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!


Top