
Why would anyone like Edward Snowden rely on 3rd party services like Lavabit or Hushmail to host his email?

I mean it's very easy to set up a self-hosted email server. What you need:

  • Rent VPS (even better: home server) & Domain (May take up to 2 days, who cares..)
  • Set up Firewall (20 min)
  • Secure SSH (10 min)
  • Install and set up Postfix & Dovecot (1 hour)
  • DKIM, SPF, DMARC, DNSSEC, DANE & co if you want. (1 hour - 2 hours)
  • Secure everything again and test (30 minutes - 2 hours)

Isn't such a setup "more secure" than relying on a 3rd party email service?
Why do so many security experts (i.e. cryptologists & co.) not host their own email?

asked by Florian Schneider, edited by schroeder
  • If you follow all your steps, then you also create a single point of failure, and shout to the world exactly where your email is hosted. – schroeder Jul 02 '15 at 21:48
  • Emails servers are also a pain to administer. It would be trivial to DoS the server with mild traffic. – schroeder Jul 02 '15 at 21:50
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/25524/discussion-on-question-by-florian-schneider-why-no-self-hosted-email-snowden). – Jeff Ferland Jul 04 '15 at 17:00
  • Two hours for DKIM and pals??? That's like running a marathon in two hours! Very, very few people do that and those that do have trained for years. – bishop Jul 04 '15 at 23:52
  • By the way: why do you need a domain for it? You could also simply address a mail to xxx.xxx.xxx.xxx@user.TLD – Zaibis Jul 06 '15 at 10:55
  • Also, saying "Secure everything again and test (30 minutes - 2 hours)" would be the same as saying "Developing the required code (20 minutes), QA it for any possible test case (additional 20 minutes)". The point is: you can't test anything. And something will remain untested that someone else could reveal. So better rely on someone who has already plugged his holes for years or even decades, so it is a given there are a lot fewer unplugged leaks than if you start from scratch. But even there it could be risky, but on a completely different scale than the do-it-yourself scale. – Zaibis Jul 06 '15 at 10:59
  • This is exactly how "perfect" heists end up in prison. They always think they have thought of everything. But they rarely do. – Agent_L Jul 06 '15 at 11:34
  • Let's not forget that there is no privacy in email, no matter where it originates or terminates, no matter how it is encrypted: it must necessarily traverse threat theaters over which you have no control. http://www.groklaw.net/article.php?story=20130818120421175 – bishop Jul 06 '15 at 13:05
  • @bishop What is a `threat theater`? A collection of potentially unsecured hosts/routers/switches? – RJFalconer Jul 06 '15 at 16:47
  • @RJFalconer Any network that an adversary has, or could have, compromised, legally or illegally. – bishop Jul 06 '15 at 16:55
  • Why not host your own email? Because it doesn't actually improve security. If you care about email security (and you should), you'd use end to end email encryption, i.e. PGP. – Lie Ryan Jul 10 '15 at 01:04

6 Answers

Answer (score 73)

Rent VPS (even better: home server) & Domain (May take up to 2 days, who cares..)

How many ISPs do not provide law enforcement access to their sites and to the systems they provide for their customers?

And with a home server: lots of sites explicitly deny access to their mail server from a "home" IP address (these are known address blocks), in order to fight spam. And even if you manage this: are you home all day or are you sure to detect any kind of break-in? Please note that you are not up against the average burglar.

Secure everything again and test (30 minutes - 2 hours)

What you've described might help to protect your privacy against Google etc (at least the emails). Against the NSA it is probably not sufficient. If they really want to own you they can send clever phishing mails with malware, use malvertising to attack you, simply break into your home, and much more.

Why do so many security experts (i.e. cryptologists & co.) not host their own email?

Security is a very wide field and I'm sure lots of crypto experts probably have no idea of how to set up and properly secure a mail server. Also lots of mail administrators have no idea of deeper cryptography. They are all experts in their own field and they are not able to know everything. This means they either learn to be expert in another field and have less time for their own field, or they have to find a way to outsource such tasks to somebody they trust.

DKIM, SPF, DMARC, DNSSEC, DANE & co if you want. (1 hour - 2 hours)

These are definitely not easy. You have to find first somebody who lets you do DNSSec with your own domain. Most ISPs or even dedicated DNS providers don't. And to have DKIM, SPF, or DANE you either need to use your own DNS server with all the problems (need primary and secondary for availability etc) or have again to find a provider which lets you set all these records up. These short times you give are definitely not realistic for somebody who is doing this for the first time.

answered by Steffen Ullrich, edited by psmears
  • Lavabit did this too, so does it really matter? At least Google / Hushmail / [Other-3rdparty-Mail-Provider-Here] can not read your email. Also what about a home server? Nobody could access that as easy as a VPS. – Florian Schneider Jul 02 '15 at 21:57
  • @FlorianSchneider: I think you should state more precisely what kind of attacker do you want to fight. If you just want that the provider does not read your mail self-hosting is an option. If you need to fight the NSA it is probably not that simple. – Steffen Ullrich Jul 02 '15 at 22:03
  • It isn't about me. It's about Snowden for example. Why do these security experts rely on a 3rd party service? They could easily (more or less) have set up a system that is more secure. I don't understand that. – Florian Schneider Jul 02 '15 at 22:05
  • *Regarding your recent edit:* »simply break into your home and much more« – They can do that everywhere. They did this with Lavabit. What's the difference between their home and Lavabit's server location? Could Snowden not have set up his own secure server rack? I mean security *is* his job. Why does he rely on a 3rd party for such private data? – Florian Schneider Jul 02 '15 at 22:11
  • @FlorianSchneider: I think you ask the wrong question. If the mail itself is encrypted (with PGP or S/MIME) and not only in transit then the security of the mail server itself would not that be important. Granted, one could still get the communication partners but not the content of the mail. – Steffen Ullrich Jul 02 '15 at 22:13
  • @FlorianSchneider: apart from that - being a security expert does not mean you know everything possible about security and that you have the knowledge and time to administrate all your own systems. Security is a very wide field today and probably nobody knows everything there so you often source some work out to somebody you think does a better job with it. – Steffen Ullrich Jul 02 '15 at 22:19
  • If you transmit your emails in clear text then all these acts are useless; all an attacker needs to do is capture your network traffic (e.g. backdoors on routers, ISP). If you transmit it encrypted properly then none of these actions are needed – Freedo Jul 03 '15 at 03:40
  • @Freedom: There's a difference between encrypting the mail transport (eg SMTP over TLS) and encrypting the message itself (eg PGP or s/MIME) - and you can have one, the other, or both, with different security implications in each case - but in all 3 cases the emails are transmitted encrypted. – psmears Jul 03 '15 at 20:26
  • @SteffenUllrich: Re DKIM/SPF: To be fair, these two only require TXT records, which most DNS providers support. DANE I agree is a different matter :) – psmears Jul 03 '15 at 20:28
  • @Freedom: to be more specific: PGP and SMIME are end-to-end encryption while TLS is hop by hop. In the last case the mail is available in clear text at each mail server in between, even if it is send encrypted between the mail servers. – Steffen Ullrich Jul 03 '15 at 20:29
  • Yeah, I know that they are different things, but the use of encryption will make all this effort useless, right? It does not matter where your email is stored or transmitted. This is the point the OP is missing, and nobody talked about encryption; that's why I wrote my answer – Freedo Jul 03 '15 at 20:37
  • @psmears: Yes, DKIM and SPF use only TXT records but I would not suggest that the settings you need to use are intuitive. And DKIM also needs changes to the mail server so that the mails get signed and I would not consider this setup trivial. – Steffen Ullrich Jul 03 '15 at 20:38
  • @Freedom: if you use only TLS (i.e. hop by hop) it matters a lot if all servers in between are trusted and secure. Also you definitely need DNSSec because otherwise the MX record could be spoofed. And of course all mail servers need to do secure TLS with proper validation of the certificate etc. This is currently not the case. For real security your only option is to use PGP or SMIME, where the mail itself is encrypted and not only the transport. – Steffen Ullrich Jul 03 '15 at 20:42
  • @Steffen yeah, it happens that I was a little mysterious in my last comment. I agree that the only option is PGP/SMIME. But I would add more things on top of that as well for ultra-sensitive messages (e.g. different keys for each message and person, delete the keys after); I wouldn't want to keep an email that can get you hit by a bullet in the head anyway. And the OP's ideas are dangerous because they create a false sense of security – Freedo Jul 03 '15 at 20:51
  • @FlorianSchneider Google DOES read your emails: http://www.theinquirer.net/inquirer/news/2340003/google-admits-its-reading-your-emails-because-advertising and http://www.theguardian.com/technology/2014/apr/15/gmail-scans-all-emails-new-google-terms-clarify – algiogia Jul 06 '15 at 08:19
  • Oh man, if securing everything took 30 minutes to 2 hours, I'd be out of a job. – forest Dec 12 '17 at 01:30
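Steffen and psmears disagree above about how hard SPF, DKIM and DMARC really are. The records are indeed just TXT strings, but the values in them are easy to get wrong in ways that silently disable the protection (a `+all`, a `p=none`, a `pct=10`). The following is an added example, not code from the question or from any answer on this page: a small checker, run over constructed sample records, that flags the usual weak settings against their corrected forms. The sample domains and addresses and the `check_spf`/`check_dmarc` names are assumptions for illustration. It does not touch DNS; in practice you would feed it the strings returned by `dig +short TXT example.net` and `dig +short TXT _dmarc.example.net`.

```python
"""Flag weak SPF and DMARC TXT records.  Added example; the records below
are constructed for illustration and belong to no real domain."""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    record: str
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _needs_dns(term: str) -> bool:
    """True for the SPF terms that cost a DNS lookup (RFC 7208 caps them at 10)."""
    name = re.split(r"[:=/]", term.lower().lstrip("+-~?"), maxsplit=1)[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(txt: str) -> Finding:
    f = Finding(txt)
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        f.problems.append("missing 'v=spf1' version tag")
        return f
    body = terms[1:]
    # The last mechanism decides the fate of every sender not matched before it.
    last = body[-1].lower() if body else ""
    if last in ("+all", "all"):
        f.problems.append("'+all' lets anyone send as this domain; end with '-all'")
    elif last == "?all":
        f.problems.append("'?all' is neutral; receivers treat it like no SPF at all")
    elif last == "~all":
        f.problems.append("'~all' is softfail; move to '-all' once sending hosts are known")
    elif last != "-all" and not any(t.lower().startswith("redirect=") for t in body):
        f.problems.append("no terminal 'all' mechanism (defaults to neutral)")
    lookups = sum(1 for t in body if _needs_dns(t))
    if lookups > 10:
        f.problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if any(t.lower().lstrip("+-~?").split(":")[0] == "ptr" for t in body):
        f.problems.append("'ptr' is deprecated and slow; list hosts explicitly")
    return f


def check_dmarc(txt: str) -> Finding:
    f = Finding(txt)
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        f.problems.append("missing 'v=DMARC1' tag")
        return f
    policy = tags.get("p", "").lower()
    if not policy:
        f.problems.append("missing required 'p=' policy tag")
    elif policy == "none":
        f.problems.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        f.problems.append("p=quarantine; move to p=reject once reports look clean")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        f.problems.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        f.problems.append("no 'rua=' address, so you will never see aggregate reports")
    return f


# Constructed sample records (documentation addresses, not real domains).
WEAK_SPF = "v=spf1 a mx ptr include:_spf.example.net +all"
STRONG_SPF = "v=spf1 mx ip4:203.0.113.25 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=10"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.net; adkim=s; aspf=s"


def report(label: str, finding: Finding) -> str:
    status = "OK" if finding.ok else "WEAK"
    lines = [f"{label}: {status}  {finding.record}"] + [f"  - {p}" for p in finding.problems]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, rec in [("spf-weak", WEAK_SPF), ("spf-ok", STRONG_SPF),
                       ("dmarc-weak", WEAK_DMARC), ("dmarc-ok", STRONG_DMARC)]:
        checker = check_spf if rec.lower().startswith("v=spf1") else check_dmarc
        print(report(label, checker(rec)))
```

The checker deliberately does not look at DKIM: a DKIM record is only as good as the key length behind its `p=` tag and the signing configured in the MTA, which is Steffen's point that the TXT record is the easy half.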
Answer (score 49)

As someone who has actually done this for a couple of years, I can tell you that it's not nearly as simple as you're describing and it doesn't offer the security properties you want.

In summary:

Why do so many security experts (i.e. cryptologists & co.) not host their own email?

Because it takes enormous amounts of time and specialized knowledge to do it properly, it's not much more secure in general (it's actually less secure in some circumstances) and there are better and easier solutions readily available.


How much time do you need?

Your initial time estimates are very optimistic, even assuming you're a knowledgeable system administrator with lots of experience on the task.

To give you a quick idea, a popular book that covers one of the most popular MTAs spans around 500 pages.

That's just for the MTA. In the real world you'll also need an MDA with POP/IMAP, spam filtering and probably an authentication server.

You're also neglecting the continued effort needed to keep the system healthy and secure:

  • Monitoring machine and service health (are there OS updates? Is the service running and responding? Are you running out of disk space?)

  • Monitoring logs, diagnosing errors (are there ongoing DoS attacks? is someone brute-forcing SMTP auth? Why are logins not working?)

  • Security-related monitoring (Did tripwire alert you because of an OS update or an intrusion? Were there any security advisories for your OS this week? What about all the other software running on the machine?)

Unless you're happy having your messages severely delayed occasionally (or lost, in the worst case), there's a lot of other things that are also needed to reliably provide email (backup MX, failover and storage redundancy come to mind). A single home server probably won't be enough if your connection drops and you need to respond to an email urgently.


How secure can it be in the best case?

You didn't specify your threat model very clearly, but it seems you're concerned with a state-sponsored actor that is interested in accessing your email in particular. The setup you've described will not prevent that. As an example, there's strong evidence that the Heartbleed bug has been extensively used before its public discovery. If you were a sufficiently interesting target running an email server, compromising it would have been no problem at all. A sufficiently well-funded adversary will have the capability of compromising any practical security system you can devise.

Self-hosting also has the severe disadvantage of exposing much more information about you, if your system has few users. Your ISP can trivially tell when you receive or send an email, and with which providers you communicate.

Of course, that's not to say the self-hosted model is useless against other threat models. It prevents disclosure of your email to your service provider and helps you stay secure were a massive security breach to occur, since it's an isolated system. It also prevents silent coercion (lawful or not) of the provider. Some of these problems can be partially mitigated by using a competent provider in a country with strong data protection laws.


Are there better alternatives?

If you need security with this threat-model in mind, there are better and easier solutions, as Snowden has said himself:

Properly implemented strong crypto systems are one of the few things that you can rely on.

PGP is unrivaled against this particular threat model, as you don't need to trust any server or provider at all.

Compared to maintaining an email server, PGP is actually quite easy to use and understand.

answered by loopbackbee
  • To lose mail you have to *accept* it and then lose it in a disk crash or something before delivering it. If your server is merely down (for less than a few days) you won't lose legitimate mail, you'll just get it later than you otherwise would. You'll miss out on a lot of spam, though, since spammers don't bother with compliant queueing and retrying :) – hobbs Jul 03 '15 at 21:48
  • @hobbs Indeed; that's the entire principle behind email greylisting, and why it works so well for blocking spam at minimal risk of blocking legitimate traffic. – user Feb 03 '16 at 12:47
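The greylisting that hobbs and the following comment describe is small enough to show in full. Below is an added example, not code from the answer or its comments: the triplet logic (client network, envelope sender, recipient) with the three timing decisions that matter (minimum delay before acceptance, retry window, how long a proven triplet stays whitelisted), plus a reply in the attribute/value shape Postfix's `check_policy_service` uses. The traffic in `simulate()` is constructed, the timestamps are plain floats so the run is deterministic, and the class and function names are assumptions for illustration.

```python
"""Greylisting: temporarily reject the first delivery attempt for an unseen
(client network, sender, recipient) triplet.  A compliant MTA retries after a
few minutes and is accepted; most spam engines never come back.  Added
example, not code from the answer above; all addresses are constructed."""
from dataclasses import dataclass

TEMP_REJECT = "450 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    passed: bool = False


class Greylist:
    def __init__(self, delay=300.0, window=4 * 3600.0, keep=36 * 24 * 3600.0):
        self.delay = delay      # seconds a new triplet must wait before acceptance
        self.window = window    # the retry must arrive within this long of the first try
        self.keep = keep        # how long a proven triplet stays whitelisted
        self._seen = {}

    @staticmethod
    def _key(client_ip, sender, recipient):
        # Match on the /24: large senders retry from sibling hosts in the same block.
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (net, sender.lower(), recipient.lower())

    def decide(self, client_ip, sender, recipient, now):
        key = self._key(client_ip, sender, recipient)
        e = self._seen.get(key)
        if e is None:
            self._seen[key] = Entry(now, now)
            return TEMP_REJECT
        if e.passed:
            if now - e.last_seen > self.keep:        # forgotten; start over
                self._seen[key] = Entry(now, now)
                return TEMP_REJECT
            e.last_seen = now
            return ACCEPT
        age = now - e.first_seen
        if age > self.window:                         # stale attempt; start over
            self._seen[key] = Entry(now, now)
            return TEMP_REJECT
        e.last_seen = now
        if age < self.delay:                          # retried too eagerly
            return TEMP_REJECT
        e.passed = True
        return ACCEPT

    def policy_reply(self, attrs, now):
        """Answer one request in Postfix's check_policy_service protocol
        (attribute=value lines, blank-line terminated; reply 'action=...')."""
        verdict = self.decide(attrs["client_address"], attrs["sender"],
                              attrs["recipient"], now)
        if verdict == ACCEPT:
            return "action=DUNNO\n\n"             # let later restrictions decide
        return "action=DEFER_IF_PERMIT Greylisted, please retry later\n\n"


def parse_policy_request(block: str) -> dict:
    return dict(line.split("=", 1) for line in block.strip().splitlines() if "=" in line)


def simulate():
    """Constructed traffic: one legitimate MTA that retries, one spam engine that never does."""
    gl = Greylist()
    t0 = 1_000_000.0  # arbitrary start time in seconds
    legit = ("203.0.113.25", "alice@example.net", "bob@example.org")
    spam = ("198.51.100.7", "promo@spam.example", "bob@example.org")
    return [
        ("legit first try", gl.decide(*legit, now=t0)),
        ("spam first try", gl.decide(*spam, now=t0 + 1)),
        ("legit retry after 30s", gl.decide(*legit, now=t0 + 30)),
        ("legit retry after 10min", gl.decide(*legit, now=t0 + 600)),
        ("legit from sibling host next day", gl.decide("203.0.113.26", *legit[1:], now=t0 + 86400)),
        ("spam never retries", "no further attempt"),
    ]


if __name__ == "__main__":
    for what, verdict in simulate():
        print(f"{what:35s} -> {verdict}")
```

The state lives in a dict here; a real deployment persists it, because a restart that forgets every triplet re-delays all your regular correspondents at once, which is the "occasionally delayed" cost loopbackbee mentions.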
Answer (score 18)

When you send emails in your scenario, you announce the IP of your custom, private email server. Every recipient, and any interested party, now knows you use your own email server and where it is.

This results in a one-to-one mapping of this server and your connection to it. If a government agency wants to track you down, all they need to do is to look for traffic to your server, and they know either where you are or what services you use to try to hide your location. Or, as an alternate option, the government agency could simply ask your server hosting company to suspend your server and wait for you to call support.

Not to mention the administration hassles. Downtime, spam, traffic headaches, redundancy, server patching, log analysis, all of these kinds of things are managed by a team of professionals dedicated to your security 24/7 when you use an email service.

answered by schroeder
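What schroeder means by "every recipient now knows where your server is" is visible in the `Received:` headers that each relay prepends. As an added example, not code from the answer, the script below walks that chain in a constructed message (documentation-range addresses, made-up hostnames) and picks out the first hop from a routable address, which for a self-hosted setup is the sender's own machine; an `ESMTPSA` hop before it shows an authenticated submission, i.e. a personal server rather than a shared provider. The names `parse_received` and `origin_server` are assumptions. Note that the LAN test is written out by hand because Python's `ipaddress.is_global` treats the documentation ranges used here as non-global, which would hide the very hop the example is about.

```python
"""Walk the Received: chain to see what every recipient learns about the
sender's infrastructure.  Added example, not code from the answer above; the
message is constructed with documentation-range addresses."""
import ipaddress
import re
from email import message_from_string

# Constructed message: a user submits from a LAN host to their own server
# (mail.florian.example, 203.0.113.25), which relays it to the recipient's MX.
SAMPLE = """\
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
\tby inbox.example.org (Postfix) with ESMTPS id 4A1B2C
\tfor <bob@example.org>; Thu, 02 Jul 2015 21:48:00 +0000
Received: from mail.florian.example (mail.florian.example [203.0.113.25])
\tby mx2.example.org (Postfix) with ESMTPS id 9D8E7F
\tfor <bob@example.org>; Thu, 02 Jul 2015 21:47:58 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby mail.florian.example (Postfix) with ESMTPSA id 1F2E3D
\tfor <bob@example.org>; Thu, 02 Jul 2015 21:47:55 +0000
From: Florian <florian@florian.example>
To: bob@example.org
Subject: hello

body
"""

_HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")
_WITH = re.compile(r"\bwith\s+(\S+)", re.I)

# RFC 1918, loopback and link-local; deliberately not ipaddress.is_global (see lead-in).
_LAN = [ipaddress.ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
         "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def _is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in _LAN)


def parse_received(raw: str) -> list:
    """Return hops oldest first (Received: headers are prepended, newest on top)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())           # unfold continuation lines
        m = _HOP.search(flat)
        if not m:
            continue
        ip_m = _IP.search(m.group("comment") or "") or _IP.search(m.group("helo"))
        ip = ip_m.group(1) if ip_m else None
        proto = _WITH.search(flat)
        hops.append({
            "helo": m.group("helo"),
            "ip": ip,
            "by": m.group("by"),
            "with": proto.group(1).upper() if proto else "",
            "private": bool(ip) and _is_lan(ip),
        })
    return hops


def origin_server(hops: list):
    """First hop whose source address is routable: the machine the sender runs
    or rents, which every recipient of the mail now knows about."""
    for hop in hops:
        if hop["ip"] and not hop["private"]:
            return hop["helo"], hop["ip"]
    return None


def describe(hops: list) -> str:
    lines = []
    for i, h in enumerate(hops):
        note = " (authenticated submission, so a personal server)" if h["with"].endswith("A") else ""
        lines.append(f"hop {i}: {h['helo']} [{h['ip']}] -> {h['by']} via {h['with']}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    hops = parse_received(SAMPLE)
    print(describe(hops))
    print("sender's own server:", origin_server(hops))
```

Run it against a message from a large provider and the first routable hop is one of thousands of shared outbound relays, which is the crowd a self-hosted server steps out of.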
Answer (score 11)

There speaks someone who has never run their own email.

You don't mention an inbound antispam solution. DKIM and related techniques are for authenticating your own mail as not spam and making it deliverable. (Deliverability is the main barrier against home hosting: most providers block port 25 and many mail recipients block all ranges known to be ADSL). But if you don't have inbound antispam you'll drown in spam, and none of the existing solutions are really turnkey.

Your times are best-case for an experienced sysadmin who's set up all those pieces before. For someone who hasn't it may take a lot longer. You need to tolerate the risk of silently losing mail until you're sure it's all working.

And your times are one-off. You need to track versions and advisories for all those pieces and be prepared to drop everything as soon as a vulnerability is announced. Obviously if a key vulnerability is announced while you're asleep you could be compromised before you wake up.

answered by pjc50
  • Having previously run my own personal email server, I stopped when I realised it was turning into a full time job in and of itself. – Bill Michell Jul 03 '15 at 10:29
  • @BillMichell +1 - I was young and so optimistic. My own e-mail, my own domain, my own settings - it was going to be wonderful. Until I had to get my IP whitelisted, and then a HDD failed, and then the providers internet dropped, and then the spam really started... – Dan Jul 03 '15 at 11:12
  • Ah – a kindred spirit – Bill Michell Jul 03 '15 at 11:53
  • I receive my own mail on my home server, but send using my ISP's outbound. Totally agree deliverability is the big issue with outbound. – Peter Cordes Jul 03 '15 at 19:33
  • @DAN : Just also don't fully trust providers. I have had hard times *(like many others who lost all their data without receiving prior notice)* with the previous [e‑mail main provider](http://ifrance.com/) of the country. I'm seeing Google and their services like Gmail are violating local privacy codes/laws and they are essentially maintaining that with lawyers, so the country could wake up one morning with Gmail blocked by ISPs. – user2284570 Jul 03 '15 at 19:52
  • @user2284570 yeah, it's a good idea to always have a local copy of your email (e.g. synced via imap) and assume that all cleartext email is subject to search by the security services. Only PGP or S/MIME can solve the latter. – pjc50 Jul 03 '15 at 22:13
  • @pjc50 : No, and with the closure of Geocities, the point was I was a bit disappointed about cloud-hosted data safety ᴠꜱ self‑hosted data safety. – user2284570 Jul 03 '15 at 22:21
Answer (score 11)

Short answer, it's not the easiest solution.

" it's very easy to set up a self-hosted email server"

You are wrong, and the rest is wrong because it's based on this. I assume you imply it's easy to set up a safe server (otherwise, what's the purpose of it all?). Your laundry list of what you need is long, and even so it is not complete.

It's much easier to send and receive encrypted and signed email and not worry about the transmission. You could even rely on gmail or hotmail to transmit the encrypted messages.

answered by Quora Feans
Answer (score 5)

I'm not an expert, but since nobody has said the magic word "encryption" here yet, I will write this answer.

It seems to me that what you want is to prevent the NSA from getting its hands on your communications data, but you are looking the wrong way. You must trust only the encryption algorithm that makes the data secure and private, and nothing more; you should aim to make it so that even if the NSA is actually your email provider, your emails are still private and can't be read.

The only way is, of course, with encryption. As long as the keys are safe (e.g. in your head) and the encryption algorithm is not broken, it does not matter where the emails are stored or on what server the emails are sent/received. You can enjoy all their good infrastructure, 24/7 run time and still have your data private.

Having your own self-hosted email server is equivalent to using your own self-hosted cloud storage, when you could just encrypt your stuff and enjoy the ease of use of Google Drive, and better yet you don't stand out in the crowd.

So in summary, nobody does that, because it is too much effort (like they said above, no email provider is run by only one person, and they are paid for that) and there is no further benefit. Plus, do you really think that one person could hold off the elite hackers that are very well paid to hack you? Let them hack you; just make sure they can't make anything of it.

But if I needed to hide something like what Snowden had, I would probably have a "master" PGP public key to be used in the first contact with someone; after that I would agree with the person to keep generating new PGP keys that would be passed on in each message to encrypt the next one, like a Diffie-Hellman algorithm. And of course never reuse keys, and do a secure delete after use. And on top of that, I would encrypt all my private keys with open-source software and keep them in a Linux OS running in VirtualBox with full disk encryption. And every single TCP and UDP packet on VPN + Tor. Yeah, really paranoid, but effective.

That being said, no encryption will ever protect you from rubber-hose cryptanalysis, so I would take even more paranoid actions to make sure they can't get to me (fleeing the country would be one of them, like Snowden had to do).

answered by Freedo
  • Rubber-hose cryptanalysis explained in pictures: https://xkcd.com/538/ – Chris J Jul 03 '15 at 07:48
  • @Freedom : just don't be that stupid. For self-hosted mails, don't use rubber hose for asking for passwords or keys; just torture for asking for the contents directly. – user2284570 Jul 03 '15 at 19:58
  • You could always lie about the content, and with the keys they would have proof of what you did and wrote. Doing what I said would mitigate that, since after the erasure of the keys I wouldn't be able to give them that. I will edit my answer later to clarify why one should use different public keys for each message (kinda perfect forward secrecy) and secure-erase the keys (plausible deniability) after use – Freedo Jul 03 '15 at 20:10
  • If you delete a key after use, how do you re-read and old message? – ott-- Jul 03 '15 at 20:24
  • You don't. There's no intent to re-read the message. If you are talking about really sensitive things you should store them in your head only. I'll add a warning for that. Why would you want to keep an email that could kill you? – Freedo Jul 03 '15 at 20:34
  • @Freedom Well if you are dealing with people who will resort to torture you probably don't want deniable encryption. "Give us the key", "I can't I deleted it" "Of course you would say that" rinse and repeat. It is a pretty bad way to go. Then again if you are expecting to be tortured in the near future one would hope you don't need to rely on stackexchange.com to get you through that. There is a downside to deniable encryption and that is you can't prove you don't have the key either. Deniable swings both ways. – Gerald Davis Jul 06 '15 at 04:39
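Freedo's scheme above (a fresh key per message, old keys wiped, "kinda perfect forward secrecy" in the comments) is what a one-way key chain buys you, and the following is an added example, not code from the answer, that shows the property and its limit. Both sides start from a constructed shared root (standing in for the PGP-protected first contact) and step a KDF chain built from HMAC-SHA256, what Signal calls a symmetric ratchet; the demo then images the receiver's chain state after message 3 and shows that messages 1 to 3 cannot be recovered from it, while message 4 can, which is exactly the gap that the Diffie-Hellman step Freedo mentions is meant to close. The cipher is HMAC-SHA256 in counter mode with a separate HMAC tag, chosen only so the block runs on the standard library; it is an illustration of the key schedule, not a substitute for an AEAD or for PGP. `Chain`, `prf`, `encrypt`, `decrypt` and `demo` are names assumed for the example.

```python
"""Forward secrecy from a one-way key chain.  Added example; the root key and
messages are constructed.  HMAC-SHA256 serves as the PRF for both the chain
and the illustrative stream cipher so only the standard library is needed."""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _stream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream: PRF(enc_key, nonce || counter), enough blocks for n bytes.
    return b"".join(prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))


def encrypt(msg_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with sub-keys split from msg_key; 16-byte random nonce."""
    enc_key, mac_key = prf(msg_key, b"enc"), prf(msg_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + ct + prf(mac_key, nonce + ct)[:16]


def decrypt(msg_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = prf(msg_key, b"enc"), prf(msg_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, prf(mac_key, nonce + ct)[:16]):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _stream(enc_key, nonce, len(ct))))


class Chain:
    """Each step derives one message key and replaces the chain key with a
    one-way image of itself, so earlier chain keys exist nowhere afterwards."""

    def __init__(self, root: bytes):
        self.ck = root
        self.n = 0

    def next_key(self) -> bytes:
        mk = prf(self.ck, b"message")
        self.ck = prf(self.ck, b"chain")   # the previous ck is now gone
        self.n += 1
        return mk

    def snapshot(self) -> "Chain":
        c = Chain(self.ck)
        c.n = self.n
        return c


def demo() -> dict:
    root = b"constructed-shared-root-from-first-contact"  # would come from the PGP exchange
    alice, bob = Chain(root), Chain(root)
    msgs = [b"first contact", b"meet at 9", b"bring docs"]
    wire = [encrypt(alice.next_key(), m) for m in msgs]
    bob_reads = [decrypt(bob.next_key(), c) for c in wire]

    # Adversary images Bob's device now: gets the chain key after 3 steps, nothing older.
    stolen = bob.snapshot()
    recovered_past = []
    for blob in wire:
        trial = stolen.snapshot()
        for _ in range(16):                       # every key derivable from the image
            try:
                recovered_past.append(decrypt(trial.next_key(), blob))
            except ValueError:
                pass
    # The chain alone gives no post-compromise security: the next key is derivable.
    wire4 = encrypt(alice.next_key(), b"next message")
    future = decrypt(stolen.next_key(), wire4)
    return {"bob_reads": bob_reads, "attacker_recovers_past": recovered_past,
            "attacker_reads_future": future}


if __name__ == "__main__":
    r = demo()
    print("Bob read:", r["bob_reads"])
    print("Past messages recovered from stolen state:", r["attacker_recovers_past"])
    print("Future message read from stolen state:", r["attacker_reads_future"])
```

Wiping the old chain key is the whole mechanism: if a copy of any earlier `ck` survives in a backup, swap or an undeleted keyring, every message after it falls with it, which is why Freedo pairs key rotation with secure deletion.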