[ad_1]
Closed off
There is no doubt that Gmail has changed the way we use email. It's free, it gives most of us the storage we need and it does better than most programs to eliminate spam and malware. But all this has a cost. The advertising template that allows this free service allows us to analyze some of our most sensitive messages to find clues about who we are, what we are interested in and what we do, online and offline. It is also possible that Google is hacked or legally compelled to return the content.
On Wednesday, Seattle-based startup Helm launches a service designed to allow users to securely control their e-mails and other personal data. The company provides a small custom server that connects to the home or small business network of a user and sends, receives, and manages e-mail, contacts, and calendars. Helm plans to offer further storage of photos and other services.
With a 120GB SSD, a three-minute configuration and the ability to store encrypted disk images that can only be decrypted by customers, Helm explains that its service offers the ease and reliability of Gmail, as well as its closely linked contact and calendar services. The start-up is betting that people will be willing to shell out $ 500 the first year to buy the cabinet and use it for a year to house some of their most valuable assets at home. The service will cost $ 100 per year thereafter. Included in the fees are the registration and automatic renewal of a single domain selected by the client and a corresponding TLS certificate from Let's Encrypt.
When free is not free
"I think more and more people are learning that what they get for free is not really free," said Giri Sreenivas, Helm's co-founder and CEO. "They are learning that they are giving up their data and companies like Google and Facebook and others are realizing what they can do under the sun to make money with this data and the corresponding online behaviors. This growing awareness is causing people to ask themselves questions such as "How can I own my data? How do I have my identity online? "
The service takes a best-of-the-worlds approach that bridges the gap between on-premise servers and cloud-based offerings. The server looks elegant and is small enough to fit in a drawer or sit unnoticed on a desk. It connects to a network via Ethernet or Wi-Fi and runs all the software required to transmit e-mail and calendar entries to authorized devices. An expansion connector allows five additional terabytes.
The server also offers a large number of offers designed to make the service extremely difficult to hack, including:
- A system on an NXP chip that stores keys for full disk encryption and other encryption functions to ensure that keys are never loaded into memory, which could cause leaks. Disk Encryption is designed to prevent content from being read without the key, even if a person physically takes possession of it.
- Support for secure boot and hard wired keys during manufacturing so that the device can run or install only authorized firmware and updates. The devices are manufactured in the United States or Mexico to alleviate concerns about weaknesses in the supply chain.
- Firmware that communicates only through an encrypted VPN tunnel. This prevents employees of the user's Internet Service Provider, or anyone supervising the home or office connection, from knowing who the user is communicating with. The firmware also automatically generates TLS certificates from the free Let's Encrypt service.
- Before being saved in the cloud, messages are encrypted with the help of a key stored on the personal server and available only to the end user. This means that if the cloud server is hacked or if the provider is legally obliged to restore the saved data, it can not be decrypted without the key.
- Two-factor authentication based on what Helm calls "proximity-based security". Tokens that generate one-time passwords can only be installed on a smartphone that physically approaches the Helm device when paired by someone who knows the device. password. Pairing new phones, adding email accounts or making other changes requires not only a password, but also a password from an already paired phone.
"We believe this is a significant step forward in protecting users' email accounts," Sreenivas said of the proximity-based design. "It's actually about taking advantage of something different from what cloud service providers do not have, namely that the server has a physical presence at your home."
While the on-premise device is the backbone of the service, Helm's "best of both worlds" approach borrows some cloud resources. Anyone who has ever operated their own email server knows how difficult it can be. In order to block spam, ISPs usually close port 25. ISPs can also make it difficult to use static IP addresses and firewall configuration. To remedy these problems, Helm uses a security gateway currently hosted on Amazon. The device communicates with this gateway via a VPN, which means that employees or hackers who have access to it can not read any messages that pass through it. The gateway, in turn, is the server that sends and receives the email and saves the encrypted mail.
"The gateway is only forwarding packets," said Sreenivas. "All TLS are ending on this device, all we have done is to introduce an extra jump on the Internet, we are channeling the encrypted traffic."
To break is difficult
The idea of eliminating Google as an email provider is of great interest to me. I especially do not like to know that Google is analyzing my messages, but I am also concerned that the unimaginable amount of data hosted by Google makes it a juicy target for almost every advanced hacking business on the planet. In theory, being able to use my own server would allow me, alone, to decide who can analyze or display my messages. And while my device and the applications that connect to it remain vulnerable to hacking, a single box that only hosts my data generates a lower return on investment for potential attackers than Google's servers, which host 39, one billion people. accounts.
But as attractive as it may be to say goodbye to Gmail, I'm not ready for the last dive yet. Yes, my home internet service is reliable, and I can not measure any downtime. And I guess Helm can be trusted for reliable backup of my encrypted mail. Nevertheless, this is a service that has not yet been tested in production, like Gmail. If my home Internet service goes down, I will not be able to send or receive new messages. While the new messages will be spooled on the sender's servers and sent as soon as the Internet service is restored, this remains a major disruption. It will also be enlightening to see how Helm's service will cope once hackers and hackers have a chance to become familiar with the hardware and software. The company plans to announce a bug bonus program by the end of the year. In the meantime, Whitehats can contact Helm's security department at [email protected].
Helm creates even more uncertainty for experienced users who can use various server filtering rules to block spam or to transfer certain types of messages to different folders.
"It's a great product right now for someone who has a mailbox and who does not have a ton of filtering rules or who does all his filtering on the client side," said HD Moore. , a corporate security expert who provided a seed. stadium investment in Helm and also advised on technical and safety issues. "It's really different if your existence is entirely based on your email flow and you want to have a little more visibility on what's going on before you want to trust it. One of the features I'm waiting for before migrating myself is greater visibility on emails received and those dropped. Moore is Vice President of Research and Development at Atredis Partners.
There is no doubt that for more than a decade, people who pay $ 500 a year and the same reliability and security that Gmail offers to Gmail will be difficult to manage. But the company relies on the accumulated demand for a service that allows users to control their messaging, contacts and calendar. The bet is certainly not a certainty, but it is at least a noble experience that I hope will one day allow me to separate from Gmail.
Source link
