-
Notifications
You must be signed in to change notification settings - Fork 96
FAQ
Please send us your comments and ideas. We want to hear from you. Please send to support@whiteout.io.
You can see a list of known problems here.
Whiteout provides genuine end-to-end encryption. When you compose a message the data are encrypted with your private key before they leave your computer. We do not have this key and can not read your messages.
The Whiteout Mail app encrypts your message body and all attachments. We do not encrypt metadata, especially sender and recipient name and address, and the subject line. This is not part of the OpenPGP standard that our application implements.
When signing in to your email account, the client creates a TLS connection to the mail server to protect your password and messages in transit. When using the webmail client the IMAP traffic is proxied over the web server, but the connection is still encrypted end-to-end using JavaScript encryption, so that our proxy cannot read any data.
The encryption is based on the OpenPGP standard and uses well-known and widely accepted algorithms, primarily AES and RSA. See openpgp.org for further information on OpenPGP.
The recommended way to use Whiteout is to install the Whiteout Mail app on your computer. It is deployed to your computer as a signed packaged application, in the case of the Chrome browser as a Chrome Packaged App.
The application can also be used in the browser as a webmail client. Note that this mode of operation does not protect users against active attacks from Whiteout Networks, e.g. should we receive a subpoena for a specific user. But it will protect users against passive attacks, like dragnet surveillance and wiretapping of government agencies.
We think it's important that users are able to make an informed decision about how much convenience they want to give up for security. If you're a concerned citizen and don't want too much hassle to protect your email privacy, this might be the right mode for you. Just open your favorite web browser and navigate to mail.whiteout.io.
We have specifically based our design on the OpenPGP standard, which is well understood by the security community.
We have specifically not implemented any proprietary encryption or key management algorithms. We are continuously working with noted security experts who advise us on architecture and implementation of our software.
All encryption and decryption takes place on your computer in the Whiteout Mail app. The source code for the complete application is published here for inspection and review by the international security community.
Your keypair is stored locally on your computer. It is encrypted with your passphrase. You can export the keypair to a safe location of your choice (e.g. a USB flash drive) in order to install the Whiteout Mail app on another computer.
Yes, you can change the passphrase any time you like.
When you install the app on a new computer it will know that there is a keypair for your email address and you can import your keypair.
If you forgot your passphrase, you can reset your key here. Your Whiteout contacts will automatically receive an update of your public key the next time they send you a message or receive one from you.
It isn’t. This is standard OpenPGP with the cryptography provided by the OpenPGP.js library used in many products and projects. Our development is focused on packaging this technology in an application that is very easy to use and that runs on desktop computers, tablets, and smartphones.
At this time this is “beta” quality. Yes, we have been using it ourselves for a while and everything seems to work and, yes, we have done multiple security audits. But for the time being you may want to think twice before using it for really sensitive content.
We support the stable version of Chrome running on Windows, Mac OS X, and on Chromebooks. Additional browsers are planned for the future.
We are working on packaging the Whiteout Mail app for the popular mobile platforms. Expect to hear more in the near future.
When you set up an account with Whiteout Mail, we are running a series of tests to determine whether we can talk to your IMAP/SMTP server.
You've seen this error when you tried to set up Whiteout Mail despite being offline. We need to check your credentials at this point by trying to log in to your IMAP/SMTP server, so we need a working connection to the Internet.
This error occurrs when we can't talk to the server you have specified in the settings. There may be a multitude of reasons for this. The most popular ones are:
- The server settings are incorrect. Please re-check the host and port.
- You are behind a (corporate) firewall that is configured to block certain types of connections. In this case, please talk to your network administrator.
- The server is in a private network that is not accessible from the Internet.
- Local host configuration (
/etc/hostsorc:\windows\system32\drivers\etc\hosts) instead of a DNS name or IP address does not work.
Please make sure that the server is accessible from your network.
This happens when the server is in principle accessible, but we can't establish a connection within a certain amount of time. In this case, you have probably selected TLS encryption mode, but the server does not support it.
The server has reject your login attempt. As the error message says, please check your username and password. Depending on which server you are trying to connect to, the provider might also reject connection attempts based on your location.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), protect your data on the wire on top of PGP email encryption, very similar to how your web traffic is secured on the wire when visiting websites with https. The TLS protocol allows applications to communicate across a network in a way designed to prevent attacks like eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. When TLS is used correctly, the identity of the server is ensured so that Whiteout Mail can be sure with whom it is communicating.
This means that the identity of the server could not be verified. In most cases this is due to an invalid certificate. Please make sure that your certificate conforms to the following guidelines:
- Your certificate is signed by a Certification Autority that is trusted by the platform you're on. Support for self-signed certificates will be dropped.
- Please make sure that your hostname is included in the Common Name or Subject Alternative Names or covered by the wildcard you're using.
When you log in for the first time, the app remembers the identity of the server. If the identity of the server changes, the app alerts you. There may be legitimate and illegitimate reasons for this. Legitimate reasons could be that the provider's certificates have expired, forcing him to renew all certificates, or a change in the provider's technical infrastructure. Illegitimate reasons may be someone trying a Man-in-the-middle attack, e.g. a criminal third-party or a nation-state adversary. When this error dialog pops up, the app refused to connect to IMAP/SMTP.
If you are on a trusted network and/or trust the mail provider with the certificate update, go right ahead, and the app will reconnect with the new information about the mail server identity.
Yes, you can. In order to make things run as smoothly as possible, please make sure your IMAP and SMTP server stick to the respective protocol. Also, there are some IMAP extensions you can use that help in many ways:
- IDLE helps us to keep track of what is happening on the server. Defaults to polling.
- MOVE allows us to move messages rather than copy-delete them
- CONDSTORE allows us to make quick mailbox synchronizations at startup
- SPECIAL-USE points out which folders are meant to do what
- NAMESPACE
- ID
- UIDPLUS
If those extensions are not present, the app will still work, but the extensions are meant to fix shortcomings of the original protocol so that we can work with your server in a more robust and effective way. On the handling of TLS with a self-hosted server, refer to the preceding paragraph.
We run several servers to provide users with a fully managed solution stack. These servers are split up into several services:
This service includes all of the servers required to run our managed webmail client, our IMAP/SMTP backend, as well as the mail store in which the messages for your wmail.io account are stored. These servers are located in Frankfurt, Germany and the infrastructure provider of choice is Amazon Web Services (AWS).
This service includes the components required to store and serve public keys to all Whiteout Mail users. These servers are currently located in the Ireland region of AWS, but we are planning to move them to Frankfurt as soon as possible, so that all our managed services are located in Germany.
We chose AWS because they provide best in class security. This way we are able to provide our users the same level of operational security and availability as Amazon and their thousands of cloud customers. You can read more about AWS security here.