Thoughts on Hey email client?

hotdegs

I really appreciate their take on a new type of client, but don't know if there are too many tradeoffs compared to something like proton

https://www.hey.com/security/

thoughts?

brightjob4495

I guess it depends o what they mention: do you need E2EE email? then go for Proton or equivalent. If you don't, and like Hey's features, it seems like a fine provider. I'd check their ToS and privacy policy just in case though

secrec

I don't see anything in their security page that is particularly unique. Who doesn't have 2FA/TOTP these days?

hotdegs

secrec Yeah that's a good point! I think I'd just want to sanity check if there's anything obvious that they're missing privacy/security wise.l

I'll definitely check out their privacy policy and TOS.

Viewpoint0232

No IMAP? I wouldn't be interested

hotdegs

Viewpoint0232

Biggest concern being that you technically don't own and cannot access your emails without the usage of their client? IMAP is something protonmail offers, but could they not equally decide one day to eliminate access?

I'm interested in learning more here, so forgive the naive questions!

secrec

hotdegs IMAP is something protonmail offers

That isn't actually true. It looks like they have some kind of program they refer to as a "bridge" to allow imap clients to connect, but (a) its closed source, (b) it only runs on certain platforms (not Android), and (c) you have to pay extra for it.

Note that the implication of this is that you can't use IMAP IDLE on mobile devices for instant/push notification and instead have to rely on their gservices-only implementation.

As far as I know, protonmail is the only reasonably well known email service provider that does this. Everything else allows you to connect using standard protocols.

Sigismund

It looks like they'd want to try to reinvent the wheel here.. as someone said no IMAP support so you are locked down to their ecosystem. This is bad on many levels.

their claims about encryption etc being "super tight and locked down" does not really give any confidence since they still own keys to the encryption. Which is nothing else other companies like Google or MS have in offer. Ultimately you need to trust them that they don't work with your data, or that they won't in the future. In case this happens you are screwed and can't even move your emails out of it.

IMHO not worth it. I use migadu, and I trust them they won't fuck with my data. And I trust them more than proton so I don't care that migadu dont have e2ee since mail is a plaintext protocol.

I'd still recommend migadu any day over proton.

ryrona

From the site:

Even with all this encryption, HEY still technically holds the key to all email, because there’s no end-to-end encryption, as discussed above.

As far I have understood, Proton actually asymmetrically encrypts all incoming mail to you with your public key, and they have no access to your private key, since it is encrypted with your login password, and neither your password nor the decrypted copy ever leaves your app or browser. So Proton would not be able to decrypt any mails you have already received.

It sounds like HEY hasn't implemented anything similar, and that staff at HEY could theoretically read all your mail. So I guess that is one disadvantage. Besides the fact they don't offer end-to-end encryption of mail of course.

argante

ryrona Proton is a good replacement for gmail, but there's no guarantee it won't be able to steal your private key. Even though the code is open-source, the Proton server cant send you (and only you after login) a snippet of javascript code that copies the decrypted private key to the proton's server. And no one will even detect it. I'm not saying Proton does this - I'm just saying Proton has the technical capability. A browser extension that examines the Proton website's hash function would provide some protection - but someone have to audit it and independently publish the hash.

ryrona

argante Proton is a good replacement for gmail, but there's no guarantee it won't be able to steal your private key. Even though the code is open-source, the Proton server cant send you (and only you after login) a snippet of javascript code that copies the decrypted private key to the proton's server. And no one will even detect it.

This is very true, but we were comparing against HEY, and in their case, such an attack is not even needed. Such an attack may also fail for many reasons, including that you as the target actually aren't logging in to your account during the window they are able to do the attack. In the case of HEY, that would seem to not matter at all, as they can decrypt everything anyway.

The attack can also be largely prevented by using a regular app instead of the web app. That way they would need to ship the malicious code to everyone, as they cannot control who app updates are delivered to or not, and if the app is a third-party open source one, they would have no means to modify it at all. I don't know how Proton's official apps works though, if they are just wrapped web apps, or if they actually contain all the code and fetch no code from the server.