For Whom is Mail-in-a-Box Ideal?

Hello,

I am not a computer expert, but am above average computer literate (which does not claim much). I am comfortable with linux. Also, I like long walks on beach.

1. Is the security of Mail-in-a-Box comparable to email service providers like gmail or protonmail?
2. If reasonably comparable, how much extra work needs to be done to maintain long-term security measures other than updating the software?
3. Is there a way to ensure that hosting provider is unable to snoop on the happenings (incl. email content, email metadate, etc.) within a VPS?
4. Will it blend?

Thank you.

1. You are not providing enough information for anyone to answer this question without making a whole bunch of assumptions. Key concerns include: what is the value of the target (i.e. what would a perp gain from accessing the information), where are you installing it, and what are you accessing it with.

2. Unknown (see 1), but little work is required to maintain it. Likely the most effort will be required with the OS, Ubuntu Server 14.04, is no longer supported (2019), thus requiring either an OS upgrade or migration.

3. No. Their admins have access to everything. Also, if the host is in the U.S., it is likely there is something monitoring not only traffic, but what is residing on the server. Since MiaB uses standard configuration of popular FOSS tools, it would be trivial to scan and find the files of concern. Admins have expressed concerns that the government requires the ISPs to allow government hardware be installed, and they aren’t allowed to discuss the specific nature of where or what that hardware does. For me, it is easy to conclude that they would scan for mail server files, private key files, etc., especially when they can see the traffic on the network.

4. It is software, so, no, it will not blend.

IN re 1: Value is well below “national security” level (not an activist, hacker, or terrorist. I don’t like google having many things I do online, but if my host can get all of my information, what would be the point?); I was thinking of installing it with a cheap VPS provider somewhere (e.g., RamNode); access it with imap per thunderbird?

IN re 3: And, encryption wouldn’t mitigate this at all? Often VPS providers explain that they may use a customer’s information and give it to 3rd parties for whatever reason.

Re: 1. There are perps of concern besides governments. There are also people who want to steal money, gain access to social media account (pretend to be you to fool someone else), etc. I know nothing about RamNode, but keep in mind that if they do something wrong, you may lose everything. I suggest using POP3 for at least a minimal local backup.

The biggest vector of attack is always the social engineering attacks. The most effective way to protect against those is with your own hardware. Short of that, I’m tempted to say that Google may be better at protecting against social engineering attacks than a typical ISP.

Re: 3. I’m not sure where you are talking about the data being encrypted. If you mean while in transport, no, that doesn’t do anything for the data before it is encrypted and after it is decrypted. It cannot be usefully encrypted on the server unless you are using some form of end-to-end encryption scheme, such as PGP.

Well, and excuse my ignorance, what I was concerned with is the VPS provider having access to the drive in a way that exposes its contents. I thought if the drive is encrypted with keys that I only have, this should be enough to thwart that sort of disk level snooping. PGP would be needed for transport, as I have come to realize.

I am certainly worried about just mean people gaining access, in addition to government intruders.

Also, do you recommend any particular cheap VPS hosting company?

Some scientists are working on CPUs that can process encrypted data, but until they are successful in applying their theories and manufacturers can make what they design, all data must be processed unencrypted. This is at least partly why end-to-end encryption is considered necessary by some people as it substantially mitigates these kinds of issues. At the very least, the data in RAM must be decrypted, and if data on the storage drive is encrypted, then its decryption key must be somehow used to unlock the data so it can be used in RAM, which becomes problematic.

I really can’t recommend an ISP, as I have no basis for comparison. If the only goal is to get away from Google, et al, so they don’t have this bit of your information, you could simply look at alternative email ISPs, such as Rackspace, Lavabit, Protonmail, Runbox, etc. The only real advantage of MaIB may more storage, email addresses, etc.