Why security experts prefer outdated email clients

In our blog, we write a lot about creating emails and working with e-mail. Many people use email, but IT professionals here are somewhat different - they have their own preferences in communication style , in addition, some of them use not the most popular tools among the masses.

For example, many security experts are still working with the mail client mutt, the predecessor of which was the console client elm. The Motherboard edition has published material on the reasons for such a love for outdated means of communication, and we have prepared an adapted translation of it.
')
A quarter of a century ago, in order to check email, you had to use a mainframe and work as a console email client like elm or pine . Today, many security experts still use and advise mutt .

Christopher Soghoian, chief technical officer of the ACLU (American Civil Liberties Union, American Union for the Protection of Civil Liberties), said that he was "an unhappy user of mutt."

“The fact that I use mutt does not mean that I like it,” writes Christopher. - "I can not stand him. I dream of a better solution, but have not yet found it. ”

So why should a user who cares about their security work with mutt?

“Simply means reliable,” says Marek Tuszynski of the Tactical Technology Collective, a non-governmental organization that educates activists and reporters on digital privacy and security. “In general, console tools have a simpler design, consist of fewer lines of code without vulnerabilities (Java, Flash, etc.). All this increases the security of the program as a whole (less errors, higher stability). "

“I don’t want my email client to use the rendering engine or the JavaScript interpreter,” writes Soghoyan. “The fewer opportunities for attack, the better.”

If you believe OpenHub.net, mutt runs just a hundred thousand lines of code, while Thunderbird, along with Enigmail, consists of almost a million. The Firefox browser has 14 million of them , and Chromium, the open source database for Google Chrome, consists of 17.4 million lines of code.

The number of vulnerabilities found in mutt over the past 10 years is negligible compared to vulnerabilities in browsers like Firefox and Chrome and email clients such as Outlook and Thunderbird.

As Sogkhoyan says, "(Mutt) is not a web browser, so it does not have such a huge amount of attack vulnerabilities as a web browser."

Nowadays, when organized attacks on users become commonplace, maximizing the security of the end-user device is important to many. In addition to mutt, tech-savvy users switch to console OTR chat clients, such as the xmpp client from Adam Langley .

The Off-the-Record Messaging ( OTR ) protocol offers chat encryption features that, judging by the Snowden documents of the end of 2012, were enough to avoid mass surveillance . However, the security problem on the end-user side is that Pidgin and Adium, the two most popular OTR chat clients, are based on the libpurple library, whose security is in question .



According to Snowden, the US government could not hack messages encoded using the OTR protocol

“Yes, I use the jabber xmpp client for correspondence,” writes Soghoyan. “But I also have an ambivalent attitude towards him. I like that it is written in Go, does not use libpurple and does not have various unnecessary emoji-like add-ons. But its user interface is terrible. I can't wait for someone to create a graphical interface for it. ”

But increasing security negatively affects usability, and this is bad - after all, no matter how safe the platform is if no one will use it. Programs with complex console commands are used only by tech-savvy users. Will there ever appear a reliable and safe means of communication for the mass user?



Hmpp client is more fun than it seems

“I am delighted with Ricochet : it does not have a central server and no metadata leaks,” Sogkhoyan writes. “But he is not yet ready to launch and has not even been thoroughly tested.”

“ Pond (another brainchild of Adam Langley) is also an excellent project and an example of how the future safe mail service may look like,” adds Soghoyan. “Unfortunately, Adam does not want people to use the pond, and Adam doesn’t have much time to work on it. If pond were in active development and ready to launch, I would gladly exchange email and pgp for it. ”

However, Tuzinsky notes that end-user security depends not only on the tools used. “It is important for us to pay attention not only to digital information security,” he writes, “but also to the user's security: physical and psychological. The problem that needs to be solved is broader than just the choice between an application with a console or graphical interface. ”

Other materials on email in the Pechkin blog:

• Email, social networks, instant messengers: What does the media influence and how to choose them
• How to create email-auto-answers: Analysis of 100 applications to support services of IT companies
• Working with email: How to reduce the number of incoming messages to zero
• Why spam is so hard to beat
• Email and Security: Is it possible to protect email correspondence?