I find it very hard to trust any email service that claims to be E2EE without an audit by a reputable firm like Cure53 or Trail of Bits.
I signed up to give it a brief test and immediately noticed that emails are returned from the server in plain text. This means that the emails are decrypted on the server, which defeats the entire purpose of E2EE. The encrypted email contents and metadata should be returned to the user and decrypted on the client.
It's also painfully obvious that the entire thing is vibe-coded. While that in itself isn't an issue, it raises scrutiny. If the author doesn't have a full understanding of the code their LLM generates, some nasty bugs could be lurking.
I'm not wild about this benchmark. There are well-known firms (definitely not saying that about Trail! no experience at all with the other one here) that issue public-facing audit docs that read the same no matter what the project scope was.
If you're keying off 3rd party assessment, which is sane, you should be evaluating the combination of the testing team (the best firms will publish reports with the names of the consultants on them) and the scope and depth of the results. The company shouldn't matter; the scope should matter a lot.
A meaningful security assessment for an "E2EE mail service" is nosebleed expensive.
Did not expect this post to get all this attention. I've done a little digging and found the operator on X. Had some DMs and he(?) said that they've had 1 black box and 3 white box audits. I'm not going to speak for anyone, so maybe you can ask them directly.
I don't really care beyond continuing to nudge people away from this idea of "seal of approval audits", which have been an industry curse for decades. I don't think E2EE email is a good idea to begin with.
I guess we need to coin a new term, something like VibeE2EE. As in "we asked to make something E2EE but we have no idea what it has made, nor we asked anyone to audit it (because it wouldn't pass a code review, let alone security audit)"
The E2EE claim is BS, unless qualified by saying that the platform supports GPG-encrypted emails only. Proton makes the same claim and it’s just completely false. E2EE is not possible with existing email protocols.
I know it's in it's infancy here, but if it's a solo passion project I'd consider open-sourcing it so the E2EE can be verified.
If you plan on launching this as a monetized project of some sort, I, as a potential customer, would suffice for audits but I'm sure they can get pricey.
I do not understand why anyone would want their email provider to be "E2EE". If I want end-to-end encryption then I will exchange public keys with the recipient.
I'd like to know more about the operator, besides them being from USA. Having the data in Iceland sounds great, but we should be wary of any new service designed specifically to attract confidential conversations.
Maybe x.com/rootshell0 is their X account? I wish I could tell you more.
edit: the operator is one of the accounts 10 followers Lol https://x.com/haptagod
I’m trying to create an account to test this service. I get this error message, what does it mean? Why is the error message so short to the point where I (the user) don’t know what to do next? Why can’t software developers learn how to communicate better with their non-tech users? And this is coming from someone with a 30+ years career in software engineering.
edit: after hitting the button “I’ve saved my recovery phrase - continue” multiple times and getting the same repeated error message, it finally worked but then the API returned “error: Registration failed”. And at this point I give up. This is why many projects, even at Big Tech companies, fail: too much friction for new users, or too many features, or too many options to choose from.
Nice, the more stand alone non corporate email providers the better. You have it on a good host. I've never tried to email from their CIDR blocks, curious how it works out.
You defeated https://www.emailprivacytester.com straight off. Which is more than most new email services. You seem to be relying on CSP entirely for this, but it works.
You declare HSTS preload, but you are not in the preload list. You can not be added to the preload list at https://hstspreload.org/ because www.rootshell.is exists but has an invalid certificate.
Your MX TLS configuration supports various anon ciphers. These should be disabled.
Your DANE is broken. Try any of a number of freely available online validators.
I wasn't able to sign up for postmaster@rootshell.is, but I was able to get abuse@rootshell.is. You should be careful about what standard email addresses you allow people to take. I recommend you take abuse@ back from me and you should really have a strong denylist. I just asked an LLM for a list of things you should be blocking and it came back with the following. The cert validation ones seem particularly important:
RFC 2142 mailbox names (the core list):
postmaster@ — required by RFC 5321; mail systems expect it to always work
abuse@ — for reporting spam/misuse
hostmaster@ — DNS issues
webmaster@ — website issues
noc@ — network operations
security@ — security/vulnerability reports
info@, marketing@, sales@, support@ — business functions
admin@, administrator@
ssladmin@, ssladministrator@, sysadmin@
These can be used to validate domain control and issue certificates, so handing them to a random user is a real security risk.
Common automated/system senders people impersonate or that cause confusion:
billing@, accounts@, payments@
help@, contact@, service@
legal@, privacy@, dmca@
register@, registration@, signup@
The service's own name (e.g. [brand]@, team@, staff@, official@)
[edit] Re the TLS issue. You should set up a CAA DNS record and also check on crt.sh later to see if anybody managed to get a cert for rootshell.is if you didn't lock down the validation addresses
I hate shoving LLMs everywhere, but honestly this is probably a good use case for tiny models like the 0.6B Qwen model to flag account names for human review.
Wouldn't the better guidance be to use different domain for official communication similar to sites where you can customize the subdomain? Attackers can always come up with something you didn't think to block.
Google doesn't let just anyone make a mail on the google.com domain for example.
I gave your service a test, seeing all buttons in gray, and could not figure out if the service was broken, if my browser was broken, or if my e-mail client (Betterbird) was doing something good. Then I remembered that I use LuLu[1] to deny it all network access besides reaching my private e-mail server. Not ideal, I've learned to live with the caveats, but I do suppose it really does get the job done of stopping in-mail tracking.
There is no such thing as E2EE email. You can encrypt your storage or some of the hops, but the plain-text email contents goes through between every layer, unless you're talking about PGP, or some similar scheme you built on top of the email protocol (where obviously both the sender and the recipient must participate).
I’m never hosting or dealing with any companies in Iceland. I had a run in with a hosting company there who was DoS attacking us from compromised nodes. I emailed them and they told me to get a letter from a local lawyer telling them to stop and they’ll look at it. In the end we contacted our DC provider and they dumped all traffic from their entire blocks.
A year later same attitude from a different one hosting a web site for Covid misinformation which was against their own AUP.
for a moment i thought it was rootshell.be - many many years ago they were giving away shell accounts, and teenager me used to have one for learning purposes (and also for the cool domain)
Another company tried the Iceland root, and after growing steadily and without reporting issues (at least I never saw anything reported) just shut down one day.
I find it very hard to trust any email service that claims to be E2EE without an audit by a reputable firm like Cure53 or Trail of Bits.
I signed up to give it a brief test and immediately noticed that emails are returned from the server in plain text. This means that the emails are decrypted on the server, which defeats the entire purpose of E2EE. The encrypted email contents and metadata should be returned to the user and decrypted on the client.
It's also painfully obvious that the entire thing is vibe-coded. While that in itself isn't an issue, it raises scrutiny. If the author doesn't have a full understanding of the code their LLM generates, some nasty bugs could be lurking.
Not very promising.
I'm not wild about this benchmark. There are well-known firms (definitely not saying that about Trail! no experience at all with the other one here) that issue public-facing audit docs that read the same no matter what the project scope was.
If you're keying off 3rd party assessment, which is sane, you should be evaluating the combination of the testing team (the best firms will publish reports with the names of the consultants on them) and the scope and depth of the results. The company shouldn't matter; the scope should matter a lot.
A meaningful security assessment for an "E2EE mail service" is nosebleed expensive.
Did not expect this post to get all this attention. I've done a little digging and found the operator on X. Had some DMs and he(?) said that they've had 1 black box and 3 white box audits. I'm not going to speak for anyone, so maybe you can ask them directly.
I don't really care beyond continuing to nudge people away from this idea of "seal of approval audits", which have been an industry curse for decades. I don't think E2EE email is a good idea to begin with.
Ah yes, the good old “E2E”E. Is it the kind where they say the Server is an “end” and therefore that makes it E2E?
I guess we need to coin a new term, something like VibeE2EE. As in "we asked to make something E2EE but we have no idea what it has made, nor we asked anyone to audit it (because it wouldn't pass a code review, let alone security audit)"
The E2EE claim is BS, unless qualified by saying that the platform supports GPG-encrypted emails only. Proton makes the same claim and it’s just completely false. E2EE is not possible with existing email protocols.
I know it's in it's infancy here, but if it's a solo passion project I'd consider open-sourcing it so the E2EE can be verified.
If you plan on launching this as a monetized project of some sort, I, as a potential customer, would suffice for audits but I'm sure they can get pricey.
I'll give it a shot either way, just my two cents
I do not understand why anyone would want their email provider to be "E2EE". If I want end-to-end encryption then I will exchange public keys with the recipient.
I'd like to know more about the operator, besides them being from USA. Having the data in Iceland sounds great, but we should be wary of any new service designed specifically to attract confidential conversations.
Maybe x.com/rootshell0 is their X account? I wish I could tell you more. edit: the operator is one of the accounts 10 followers Lol https://x.com/haptagod
> Key bundle missing — please try again
I’m trying to create an account to test this service. I get this error message, what does it mean? Why is the error message so short to the point where I (the user) don’t know what to do next? Why can’t software developers learn how to communicate better with their non-tech users? And this is coming from someone with a 30+ years career in software engineering.
edit: after hitting the button “I’ve saved my recovery phrase - continue” multiple times and getting the same repeated error message, it finally worked but then the API returned “error: Registration failed”. And at this point I give up. This is why many projects, even at Big Tech companies, fail: too much friction for new users, or too many features, or too many options to choose from.
Quick question for the author in case they are here
> encryption key is derived from the password > One can use the passphrase in case password is lost
What does this really means? is the password encrypted with these pass phrases instead of being hashed?
nvm, looks like the encryption key is derived from password, stored on the server side encrypted with these passphrases
Nice, the more stand alone non corporate email providers the better. You have it on a good host. I've never tried to email from their CIDR blocks, curious how it works out.
Runbox in Norway: https://www.runbox.com/ - decades of ops history, proper Norwegian company
I don't trust online reviews that much, but some of these may be relevant:
- https://uk.trustpilot.com/review/runbox.com
- https://cyberinsider.com/email/reviews/runbox/
- https://uk.pcmag.com/cloud-services/94763/runbox
- https://old.reddit.com/r/mail/comments/1qdlyrh/runboxcom/
You defeated https://www.emailprivacytester.com straight off. Which is more than most new email services. You seem to be relying on CSP entirely for this, but it works.
Weirdly, if I click Load Images, all I get is a load more CSP errors and the image fetches don't happen.
You declare HSTS preload, but you are not in the preload list. You can not be added to the preload list at https://hstspreload.org/ because www.rootshell.is exists but has an invalid certificate.
Your MX TLS configuration supports various anon ciphers. These should be disabled.
Your DANE is broken. Try any of a number of freely available online validators.
I wasn't able to sign up for postmaster@rootshell.is, but I was able to get abuse@rootshell.is. You should be careful about what standard email addresses you allow people to take. I recommend you take abuse@ back from me and you should really have a strong denylist. I just asked an LLM for a list of things you should be blocking and it came back with the following. The cert validation ones seem particularly important:
RFC 2142 mailbox names (the core list):
postmaster@ — required by RFC 5321; mail systems expect it to always work abuse@ — for reporting spam/misuse hostmaster@ — DNS issues webmaster@ — website issues noc@ — network operations security@ — security/vulnerability reports info@, marketing@, sales@, support@ — business functions
TLS/certificate validation addresses (RFC 8552 / CA-Browser Forum):
admin@, administrator@ ssladmin@, ssladministrator@, sysadmin@ These can be used to validate domain control and issue certificates, so handing them to a random user is a real security risk.
Common automated/system senders people impersonate or that cause confusion:
noreply@, no-reply@, donotreply@ mailer-daemon@ — bounce messages (RFC 5321 sender) root@, daemon@, bin@, sys@ — Unix-style system accounts null@, devnull@
Brand/trust-sensitive ones worth blocking too:
billing@, accounts@, payments@ help@, contact@, service@ legal@, privacy@, dmca@ register@, registration@, signup@ The service's own name (e.g. [brand]@, team@, staff@, official@)
[edit] Re the TLS issue. You should set up a CAA DNS record and also check on crt.sh later to see if anybody managed to get a cert for rootshell.is if you didn't lock down the validation addresses
I hate shoving LLMs everywhere, but honestly this is probably a good use case for tiny models like the 0.6B Qwen model to flag account names for human review.
Or just read the RFCs tbh. I keep them indexed locally as text, it’s super useful for finding random garbage that may not pop up from a search.
There's a lot of stuff that looks officious enough that will trick folks, especially those distracted or not well-versed in the attack vector.
> not well-versed in the attack vector.
Stochastic outputs that may not mesh with reality? xD
I found the guy on X, wasn't that hard: https://x.com/haptagod You should probably hit him up and tell him these things?
I don't use X. You can tell him if you want.
Wouldn't the better guidance be to use different domain for official communication similar to sites where you can customize the subdomain? Attackers can always come up with something you didn't think to block.
Google doesn't let just anyone make a mail on the google.com domain for example.
That wouldn't be better guidance. That would be additional guidance. I'm sure Google also never let anybody set up postmaster@gmail.com
I gave your service a test, seeing all buttons in gray, and could not figure out if the service was broken, if my browser was broken, or if my e-mail client (Betterbird) was doing something good. Then I remembered that I use LuLu[1] to deny it all network access besides reaching my private e-mail server. Not ideal, I've learned to live with the caveats, but I do suppose it really does get the job done of stopping in-mail tracking.
[1] https://objective-see.org/products/lulu.html
I thought this was going to be related to the excellent libghostty based iOS terminal client: https://github.com/kitknox/rootshell
What does E2EE mean here? If I send an email to someone using rootshell from gmail, doesn't rootshell get the email in plaintext?
Excellent! Simple and functional UI, Thank you for this.
There is no such thing as E2EE email. You can encrypt your storage or some of the hops, but the plain-text email contents goes through between every layer, unless you're talking about PGP, or some similar scheme you built on top of the email protocol (where obviously both the sender and the recipient must participate).
I’m never hosting or dealing with any companies in Iceland. I had a run in with a hosting company there who was DoS attacking us from compromised nodes. I emailed them and they told me to get a letter from a local lawyer telling them to stop and they’ll look at it. In the end we contacted our DC provider and they dumped all traffic from their entire blocks.
A year later same attitude from a different one hosting a web site for Covid misinformation which was against their own AUP.
"I never host things at places where they let people host things. I only like places where they kick people off for hosting things, instead."
I don’t want to host from a neighbourhood with criminals in it. It makes me look bad.
What's your definition of criminal?
What the hell is that question?
So, no AWS?
AWS deal with criminals quickly rather than blowing raspberries at you and saying go find a lawyer.
Why is it called root shell?
Because it is a shell for the root user [1].
Or at least the app’s logo is the root user symbol: a number sign [2]
Normal users typically get a $ prompt, while the superuser (root) gets a # prompt [3]
[1] https://wiki.debian.org/Root
[2] https://en.wikipedia.org/wiki/Number_sign
[3] https://unix.stackexchange.com/a/291733
Yes, but its an email service... shell hosting died in the 00s with the advent of the VPS, I used to run one.
It doesn’t work, upon registering, you get “key bundle missing - please try again”
for a moment i thought it was rootshell.be - many many years ago they were giving away shell accounts, and teenager me used to have one for learning purposes (and also for the cool domain)
Not to be confused with rootshell: macOS terminal emulator built with libghostty with powerful features https://news.ycombinator.com/item?id=48390029
Another company tried the Iceland root, and after growing steadily and without reporting issues (at least I never saw anything reported) just shut down one day.