We’re pretty excited to see that Mailpile, a privacy-focused, web-based email client, has now gone into beta and is ready for anyone to download and try. At first we weren’t sure if the project would end up going anywhere, but here we are and it looks great! The developers seem very committed to moving Mailpile forward in a big way.
Mailpile’s project really took off and gained widespread support in the wake of the Snowden NSA leaks and, more specifically, the now infamous Lavabit situation. It first came up on our radar while we were researching secure email solutions to serve as an alternative to Lavabit, Silent Circle, etc.
What’s important about Mailpile?
- Built from the ground up specifically with privacy and encryption integration in mind.
- It’s an email client in your browser that looks and feels like Gmail, rather than Thunderbird or Outlook.
- No more messing with plugins or complex settings to get encryption working. It’s ready by default.
- You’re in control of the encryption keys and stored emails.
- Open source.
Mailpile prevents a lot of the issues we saw with Lavabit, and does so in a user-friendly way. For some basic context, Lavabit was strong-armed and put into a no-win situation by the government. The owner either had to comply, decrypt ALL of his customers’ email and deceive those customers as a result, or shut down. He chose to shut it down, fight, and speak out as much as he could.
This situation was only possible because users weren’t in control. With Mailpile, you can use a web-based email client like most people typically enjoy, but you’re in control of the keys. Authorities or other adversaries would have to physically seize your machine to decrypt your emails.
Even if you choose to access your Mailpile installation remotely, it’s still possible for you to keep it residing on a machine that only you control.
To be clear though, email itself can still only be secure to a certain point. The body of the email can be encrypted, but the fundamental structure of email forces metadata to still be open. This is why Silent Circle completely ditched their email offering after the Lavabit incident. Mailpile claims they are working on a way to at least help with metadata exposure, but it will still be limited.
From their FAQ:
So what exactly will be encrypted and what about the metadata?
The e-mail body will be encrypted. We are trying to find ways to make most of the metadata encrypted as well, but some of it can’t be because of how e-mail works.
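To make the body-versus-metadata split concrete, here is an added example (not code from Mailpile or its FAQ) that parses a stored message and reports what someone without the private key can still read. The sample message, its addresses and the `observer_view` helper are constructed for illustration.

```python
from email import message_from_bytes
from email.policy import default

ARMOR = "-----BEGIN PGP MESSAGE-----"
# Headers a relay, mail provider or network observer can read without any key.
EXPOSED = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

# Constructed sample: a PGP/MIME (RFC 3156) message as it sits on a mail server.
# Addresses, subject and the ciphertext placeholder are made up for illustration.
SAMPLE = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Meeting notes for Thursday\r\n"
    b"Date: Mon, 15 Sep 2014 10:12:00 +0000\r\n"
    b"Message-ID: <constructed-1@example.org>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/encrypted; boundary="b1";'
    b' protocol="application/pgp-encrypted"\r\n\r\n'
    b"--b1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n\r\n"
    b"(constructed placeholder, not real ciphertext)\r\n"
    b"-----END PGP MESSAGE-----\r\n"
    b"--b1--\r\n"
)


def observer_view(raw: bytes) -> dict:
    """Summarise what a party without the private key learns from a message."""
    msg = message_from_bytes(raw, policy=default)
    metadata = {h: str(msg[h]) for h in EXPOSED if msg[h] is not None}
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    inline_pgp, readable = False, []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        text = part.get_content()
        if ARMOR in text:
            inline_pgp = True      # armored ciphertext pasted into a text part
        else:
            readable.append(text)  # body text anyone on the path can read
    return {"metadata": metadata,
            "body_encrypted": pgp_mime or inline_pgp,
            "readable_body": "".join(readable)}


if __name__ == "__main__":
    for key, value in observer_view(SAMPLE).items():
        print(key, "->", value)
```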
Things would be much better if we could all just ditch email completely and move to a much more secure system like Bitmessage. For now though, email is too embedded in our society, so it’s important to do the best we can with it.
Why are we so excited about Mailpile?
Aside from the factors mentioned above, we feel that Mailpile and Gmail’s forthcoming end-to-end encryption plugin might be the perfect storm to make email encryption more commonplace since it will be much easier.
In the past, convincing a friend or other contact to use PGP encryption with email was next to impossible. Think your granny is going to install and configure Thunderbird, plugins, and generate PGP keys? Not a chance! At least with Mailpile and Gmail’s end-to-end, it will hopefully become more likely that people will be willing to do it.
Think about it; say you’re currently using Mailpile and routinely email a buddy using Gmail and you tell him:
“Hey man, do us both a favor and install this end-to-end extension in Chrome real quick so our emails are secure.”
Easy stuff! Now compare that to convincing him to switch all his email to an email client like Outlook and spend an hour configuring it, getting PGP going, creating keys, etc.
So why not just wait for Gmail’s end-to-end and use that instead of Mailpile?
With end-to-end, there will still be somewhat of an element of trust with Google. And again, Mailpile was created specifically around privacy; end-to-end is just a layer on top of an existing service. Also, some people simply don’t like Gmail, and others want absolutely nothing to do with Google.
Self-hosted and/or domain based emails are another issue. Those will be easier and cheaper to secure with Mailpile, allowing you to stay in control of more steps of the email process and routing along the way.
How do you get started?
Start here: Mailpile.is Downloads
Remember though, Mailpile is NOT an email service. It’s an email client like Thunderbird or Outlook (except it’s in your browser), so you’ll still need to have an email address to connect it to via POP or IMAP.
Windows and Mac OSX
Just install the app, run through the setup screens, and try it out!
Linux
For now, the choice is limited to installing from source on GitHub. Hopefully this will change soon and we’ll see it show up in repositories or as standalone packages for download.
Just make sure you have the following installed:
- python 2.x
Actual package names will vary by distro. With Ubuntu and Debian distros, you can install them exactly as follows:
sudo apt-get install git gnupg openssl python2.7 python-pip
Then in your terminal, grab the Mailpile source from GitHub, change into the new directory, and use pip to install the extra requirements:
git clone https://github.com/pagekite/Mailpile.git
cd Mailpile
sudo pip install -r requirements.txt
From there you can either do a full installation, or if you only want to try it out, just launch it directly from the existing ~/Mailpile/ directory by running the command:
It will open your default browser and you’re good to go. Just start following the instructions to set it up.
Config and preference file locations will vary by distro. For example in Ubuntu they will be in:
They said not quite yet, but likely in the future.
iPhone and iPad
Doubtful. The developers say they aren’t crazy about Apple’s policies and known cooperation with the NSA.