2023 Review: Skiff Mail
What is Zero-Knowledge/End-to-End Encrypted Email & Why Do You Need It?
Encrypted email is a bit of a misnomer. Technically all emails are “encrypted” using technologies such as TLS but in this context I'm specifically referring to “end-to-end” encrypted (sometimes called “zero knowledge”) email providers. This means that the provider can’t read your inbox, which is – in my opinion – a must-have for any person who values their privacy and security. Many people argue that zero knowledge email providers are overhyped – or worse – because you’re only securing half of the chain. If I’m emailing someone at a Gmail address, the contents are still exposed on Google’s servers. However, in my opinion, that’s still cutting your attack surface in half. If we’re both using Gmail – or if one of us is using another provider like Yahoo – that’s just twice the opportunity for a data breach, warrants, or an insider threat. Sure, you may not get the full benefit without both parties using encryption, but it still counts for something. See my past post about how privacy is a spectrum for more on that logic. Today, I’ll be taking a look at a newcomer in the encrypted email provider and giving my thoughts on them. A lot of people have been asking for my opinions on them, and they’ve generated quite a bit of buzz. But how does Skiff stack up to the tried and true competitors?
Courtesy of Skiff’s official website
Skiff is quite new on the privacy stage. According to Crunchbase, Skiff was founded in 2020 with the goal of providing a “privacy first workspace.” To that end, they seem to have succeeded. Skiff offers email, calendar, cloud storage, and “pages,” which is their online document editor, wiki, and notes. All in all, pretty good offerings, at least on par with competitors like Proton and Tutanota. Skiff also proudly presents their whitepaper and GitHub repo on the front page of the site, inviting anyone to come and take a look to ensure that they are delivering what they promise. They also come with mobile apps, making taking your workspace on the go a breeze if that’s your thing.
What sets Skiff apart, in my opinion, is their integration with cryptocurrency. Depending on how you feel about crypto – or at least, which ones they integrate with – this is either the future or a huge red flag. I’ll let you decide. But either way, it definitely makes them unique in this space. I can only assume that Skiff themselves are aware of how polarizing this particular integration is, as there’s no mention of it anywhere on the site, including the help documentation to see which currencies are supported. In fact, it wasn’t until I did a web search for “skiff mail crypto” that this page finally revealed itself. I suppose this is probably a good thing: like Brave or Session, one can safely ignore the crypto integration entirely and still use the product if they have no interest in that sort of stuff, while others can feel free to take advantage of it.
All in all, I don’t have a lot to write in the “good” part of this review, not because there’s nothing good to share, but rather because Skiff is on-par with other offerings. It’s a fairly completely suite of products with a good UI that functions well and offers transparency regarding their code and encryption. Well done.
That’s not to say that Skiff doesn’t have any downsides. In fact, I hate to say, there’s a significant number of them. For starters, Skiff has been saying for over a year now that they’ve been audited by Trail of Bits but this audit has never been made public. An audit doesn’t really do any good if you don’t share the results. Without that transparency, they could’ve failed miserably for all we know. Simply saying “we’ve been audited” is not good enough. If they want to instill maximum trust in their users, they need to publish the results. Period. Full stop. No room for debate. (In the course of researching for this blog post, I found that the company is indeed undergoing another audit with Cure53 which they plan to release, so that’s good.)
One of my biggest personal complaints is lack of PGP support. Now, for the record, I am well aware that PGP is not a perfect solution (neither is email itself, for that matter), but it makes me sad when a provider basically says “you can only initiate a secure conversation with our user if you’re on the same platform.” It feels very “walled garden.” You don’t need to be using ProtonMail to start a secure conversation with a Proton user, just use their public key. You do need to be using Tutanota or Skiff to start a secure conversation with one of those users. However, Tutanota offers a way to securely email non-Tutanota users by password-protecting the emails (of course, this requires the Tutanota user to initiate the conversation and to find a secure way to share the password with the recipient, but at least it’s something). Skiff does not offer even this feature (according to their CEO in a post I will cite momentarily, it is technically possible, but it requires a significant workaround that's not really practical, in my opinion). It’s unfortunate. And Skiff seems unlikely to ever integrate PGP support – or anything similar – given this blog post declaring PGP to be dead.
It’s also worth noting that only Skiff Mail is open source. The Calendar, Drive, and Pages are not open source. That’s not necessarily a bad thing (though for security’s and trust’s sakes they really should at least open source their cryptography-related bits), but it’s worth remembering since they like to advertise that they’re open source. Only one of those offerings is open source. (To be fair, I didn’t see the words “open source” on any other pages, but it can still be easy to forget these kinds of things if you’re not paying attention.)
Now let’s talk about Skiff Mail’s security concerns. The users and staff over at Privacy Guides have noted a range of concerns with Skiff Mail. Some of them are rather nitpicky (but valid), like questionable marketing, lack of certain user-friendly features (such as nested folders), and more, but others are more serious like inadequate security practices such as lack of DNSSEC, accepting deprecated standards like TLS 1.0, and missing DANE. These are complicated back-end things, but the short version is that they make your communications much stronger and harder to hack or spoof.
And finally, I want to start calling out any privacy-focused company who doesn’t at least mirror to privacy-focused alternatives. Skiff lets you connect with them on Twitter, Discord, GitHub, LinkedIn, and YouTube. No Mastodon. No Matrix. No PeerTube or GitLab. I’m getting kind of tired seeing companies advertise themselves as privacy-focused and then ignore privacy-focused alternatives that the privacy community tends to use. Imagine if I started a car company and then avoided car shows. It seems like you’re ignoring and alienating a large part of your audience, and hiding behind excuses like “low engagement” or “too many accounts to manage” is basically just saying “I don’t actually care about you, you’re not my target audience” despite the fact that they kind of are. In Skiff’s case, according to the forum post I linked above, the CEO says that their Matrix channel was inundated with spam. That’s fair, but also Crunchbase says they have $45m in funding and a team of less than 15 people. Surely it isn’t unreasonable to ask someone to have Matrix open throughout the day and check on it to moderate it, or ask for volunteer moderators, or to buy a Raspberry Pi and create a mjolnir bot. The New Oil is able to do all of these things with a budget of less than $10,000 annually and I have a full-time day job. And, as dngray pointed out, Telegram and Discord have these same problems. It’s not a good look.
Email is not secure. I think that’s always worth pointing out. Email was never designed to be 100% secure. You never know who might print it or forward it, and there’s also a bunch of super-technical issues with email that literally cannot be fixed. Society would have to adopt an entirely new protocol to fix them. You should never trust your life to email (which is one reason why Snowden didn’t just email his documents to people). Yet email is still a widely-used tool that permeates almost every service we use in some way, shape, or form. For that reason alone, it’s worth trying to get a secure email provider to mitigate the risks as much as possible. Skiff is new and still has a long way to go, but there are definitely worse options out there. If you’re a crypto enthusiast, Skiff would probably be the first stop you’d like to check out due to their integration. For everyone else, if you haven’t made the switch to an encrypted email provider yet, Skiff seems like a very promising candidate full of potential. There will undoubtedly be some growing pains in the near future (at least, I hope there will be because it would mean they’re improving and they definitely have room for it), but I think as they continue to grow and fix those shortcomings, they’ll really come into their own as a powerful choice of provider. For now, consider yourself an early adopter should you choose to go with them.