➜When will it
be available?
The Alpha version for Raspbery pi (rev 2 and 3) is available, but you need to apply in order to test it.
The Beta version for Raspbery pi should be available in November or December 2016.
If the project has sufficient success we will do a crowd-funding campaign to mass produce the standalone hardware, in Early 2017.
➜Why a physical
box?
Having a physical box under your control and hosting your email server, is essential in order to allow you to protect meta-data thanks to the tor network,
and to allow you to encrypt emails safely while still being able to read and write them from anywhere in the world.
➜Should I
trust any cloud email service with JavaScript encryption on the client-side ?
These services cannot be fully trusted, because they still give power to companies to spy on you.
Why is it not secure?
1-Encryption is done in JavaScript, and therefore relies on
your browser's JavaScript engines, which 80% of the time
[1] are proprietary software coming from
Google, Microsoft, Apple, and most eminent NSA collaborators.
2-The JavaScript code may be changed at any time by the email
service provider. So except if you check the JavaScript code sent to
you each time before entering your password (which is impracticable),
you leave the email service provider the possibility to retreive your private password at any moment, without you even necessarily knowing it
(since you don't check it).
There is allready the example of the company Hushmail, who gave decrypted emails to the fed, thus proving that they had the power to do it.
[2]
➜What format will
my self-hosted email address have?
Your email address will be like
[email protected] . The
domain name name.omb.one will belong to your
for free for life and will automatically point to your Own-
Mailbox, even when you change IP.
You may also use your own domain name, then your address will
be like surname.name@yourdomain .
➜Will I get a root
access via SSH on my Own-Mailbox?
Of Course!
By default ssh will only be accessible from local network
though, for security reasons.
➜Why Free Software
and Open Hardware is important?
Because it gives everybody, the possibility to check in details,
that the Own-Mailbox, does exactly what it claims to do
without needing to trust us or anybody else. You have as much data
as we have on the product, nothing is hidden.
This is an important condition for your Own-Mailbox to be yours not
ours, and for you to be in control.
➜Where is hosted
the webmail?
On your Own-Mailbox at home.
➜ Is Own-Mailbox designed to protect against Mass surveillance or targeted surveillance?
Own-Mailbox is designed to protect citizens against mass surveillance.
It is not designed to protect them against targeted surveillance, especially when a lot of money (sometimes hundreds of thousands dollars) and energy is spent for the targeted attack of one single individual. Those intensive targeted attacks can combine both virtual and real world means, and would never be used against a usual citizen.
It does not mean you cannot use an own-mailbox to protect yourself against an intensive targeted attack, or that it is not useful in that case, but you would need to know are doing, and be really careful both on-line and in the real world, because targeted attacks can use any means, even some that you would never think of.
Note that a targeted attack can only be done on a very limited number of people in the world, and therefore is very different from mass surveillance.
➜Is it possible to use a
raspberry Pi, instead of the Own-Mailbox Hardware?
Yes, we will sell pre-formatted SD cards, and the image will be available for download.
➜What about SSL
certificates and authorities for HTTPS?
Each Own-Mailbox will generate automatically its SSL key at
first setup and certify it thanks to Letsencrypt.
➜How do you
handle port forwarding? What If email ports are blocked by my ISP?
We do not do port forwarding. We use tor hidden services, which allows easily to run servers, even on a filtered connection, even if it does not have a static IP address, and even if it does not have any public IP at all.
➜What if my IP has a bad reputation, or other email providers classify emails coming from my IP as spam?
Emails that need to be sent out of the tor network, will be relayed through our tor proxy server. So the reputation of your IP address is irrelevant.
Only the reputation of our tor proxy server matters.
➜How can I check
the software embedded in the box I receive corresponds to the source code, you
give?
The software in the Own-Mailbox, is contained into a microsd
card. You can easily open the box, and get the microsd card in order to check
the software image, or even change it with your own version.
➜Can I build and
assemble my Own-Mailbox myself?
Yes! The circuit is open-hardware and can be soldered at home. The
casing can be 3d printed.
➜Where are
located my private keys? Where and when are they generated?
Your private keys (GPG, SSL and Tor) are located on your Own-
Mailbox at your home. You can make copies to a USB key thanks to the USB
port.
Your SSL key is generated at first setup.
Your Tor key is generated at first setup.
Your GPG key is generated when you create a new email
account.
There is absolutely no way for us to have access to your
private keys.
➜Does Own-Mailbox
heat up?
No. You can put your Own-Mailbox under a comforter during a week,
it won't overheat.
➜What processor
is there into Own-Mailbox?
The processor used is Allwinner A13 with 256 MBytes of Ram. It is an ARM processor running at 1Ghz.
We chose it because it is low power, does not heat, and is easily hand-solderable and allows
anyone to make a Own-Mailbox at home.
➜Can I import
existing GPG key, or export the one used by my Own-Mailbox?
Yes, through Https!
➜Is it safe to keep the webmail login interface protected by a simple password?
Yes because web interface can implement the following measures:
1)When a IP address fails ten attempts to login in a row it is banned for 24 hours.
2)A ten seconds delay must be respected between two Connection attempts even from 2 different IP address.
3)In case of large amount of missed attempt to login the user is immediately warned so that he can change his password
This makes Brute Force attacks almost impossible. In comparison breaking data encrypted with a simple password, is a lot easier,
because it does not require to interact with any server to make attempts. Everything can just be done locally: just try a password
and see if it decrypts intercepted messages.
So using a simple ten characters password for a web authentication is safe, but it is not for encryption.
➜What about software updates? What distribution du you use?
Our system is based on Debian, you will benefit from security updates of Debian.
You will be able to easily upgrade in the administration panel, and you will be warned when a security update comes up. No update will be done without your consent, or your initiative.
➜Will it be possible to host several Own-Mailboxes behind the same internet connection?
Yes!
➜Will it be possible to have several email addresses on the same Own-Mailbox?
Pierre Parent.
Romain Kornig.
