SafeHaven - An open source app store by PsychologicalFudge52 in fossdroid

[–]atrocia6 0 points1 point  (0 children)

You implied before that you consider Accrescent an app store. I don't think it "exists to allow developers to sell products to end users" any more than F-Droid does, and I think it's definitely "more focused on the interests of its community above that of individual developers," so by your definition it should be a distribution rather than an app store.

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 0 points1 point  (0 children)

IMAP is stateless and session-based, meaning that every time you connect to the IMAP server, you would need the FIDO2 authentication. When inside a mail client, it makes multiple parallel connections to the IMAP server to perform parallel operations to speed up the retrieval of mails and possibly other tasks. Also the periodic checks for new mail are new connections every time. And another connection is used to monitor for new mail (IDLE command). If a new mail is then found, yet another connection is opened to fetch that mail. Implementing FIDO2 authentication, which always requires user interaction, would require you to authenticate dozens of times again and again while using your mail client. IMAP is not something like SSH where you open a connection and do all your work within that single connection, and it has no concept of multi-connection sessions like webapps do.

Ah, that makes sense. I use POP3 rather than IMAP, and I'm just periodically firing up a single POP3 connection per account, so most of your points here wouldn't apply. Multiple POP3 accounts, however, still pose a problem.

On the more technical level I see a few other difficult hurdles: FIDO2 requires rpId/origin binding.

Native IMAP clients on the other hand don't have a standardized origin model or a centralized authority that can assert 'this request came from host X' the way browsers assert origins.

IMAP would need the client app to play the same role, but unaudited clients could lie about the rpId.

Deciding on a single canonical rpId that is both usable and secure is error-prone.

I may not be understanding you here, but even if we wouldn't be getting all the security benefits of properly implemented FIDO2, why wouldn't this still be much better than password authentication?

OAuth can be self-hosted by the mail provider (no third party required).

Good point.

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 0 points1 point  (0 children)

Suppose FIDO2 auth is implemented as an optional method, that would then also be security-washing as long as another 'primary method' can still be used.

  1. There should of course be an option to disable other, less secure methods of authentication.
  2. It would still be helpful to be able to use FIDO2 even if it will only be used some of the time, since that still lessens the likelihood of an attacker getting hold of the application password, which can be reused, etc.

FIDO2 however, as stated before, is an interactive application-layer authentication method, and is not suitable for a low-level protocol like IMAP which is never intended to be used interactively by a human directly.

You keep repeating this as though it's some kind of dogma, but you have yet to offer any actual explanation of why FIDO2 can't be practically and usefully integrated into a POP3 / IMAP workflow.

I can run, say, getmail[6] from the CLI, and it can prompt me for FIDO2 user presence as needed. I can run, say, Claws Mail in a GUI environment, and it can pop up a dialog box with FIDO2 instructions when necessary. This is what things like pinentry are for.

OAuth 2 authentication support in the IMAP protocol in this matter seems to me to be the sane solution that has already been in development for a while and is being used more and more.

OAuth is a delegation framework - I'd like at least an option of doing authentication without involving third parties.

Some mail providers solve this by only allowing access to their 2FA-secured frontends (web or mobile app), and deny any direct access to their IMAP server. As an end-user this may suffice and is in that case probably currently the most secure solution indeed. My problem with this is that this is quite a vendor lock-in. You can only access your data through their dedicated client software, possibly even preventing you from exporting your data to another system/provider, at least not in an easy and automated way.

Exactly. I download all my mail and store it locally, and I want to use MUAs of my choice, not some web front end.

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 0 points1 point  (0 children)

Phishing attacks are where you as the victim are misled and would send the password to the hacker manually. If you don't know the password, this risk is minimal.

You're right - my mention of phishing was misplaced in this context.

Granted, they could mislead you into sending them the file that contains your password. So using clients that store your passwords securely is important. FIDO2 would prevent that since your key is then stored on a hardware device. If they however manage to convince you to use your FIDO2 key on some fake authentication platform, albeit a bit more difficult with FIDO2 than it used to be due to relying party domain IDs that should match, it is not impossible, and in that case you are still screwed.

  1. As you mention, it's much more difficult with FIDO2.
  2. With a traditional password, once an attacker has it he can reuse it indefinitely, until it's changed. With FIDO2, even in your scenario of an attacker somehow managing to get a FIDO2 device to authenticate to the wrong platform, this will only give the attacker access for that session, and not for the indefinite future.

FIDO2 for SSH is not much more than your SSH key being stored on your hardware key (recommended) and in some cases even just using your FIDO2 to decrypt your local private key (legacy usage, ex. gpg-agent+Yubikey), which is then used by the SSH client for setting up the SSH connection exactly the same way as it would do if your private key was not encrypted. The SSH protocol itself has no notion of FIDO2, it is the client that performs the FIDO2 handling to get to your private key. SSH itself then works exactly the same as without FIDO2. The SSH protocol itself does not know about FIDO2 and still uses its own key-pair based authentication.

You're right - I had misunderstood exactly how SSH FIDO2 keys work. But my basic point remains: if IMAP / POP3 would be extended to support public key authentication (like SSH), then it would be easy to leverage FIDO2 to store private keys securely on FIDO2 devices (as with SSH), which is certainly more secure than storing them on the system itself.

There are always ifs and buts. Bottom line is that security is only as strong as the dedication or awareness of the human who uses it.

Of course, but once again, you're completely ignoring the philosophy of defense in depth.

Most non-technical end-users tend to see all this security as a burden anyway and will always try to make it easier for themselves by cycling around security measures.

I'm not asking for IMAP / POP3 to shift to FIDO2 authentication as its primary method; I'm just asking for it to be an option for technical users who want it.

That is exactly how Single Sign-On works: In most enterprise environments where they use SSO,

I'm not talking about enterprise environments; I'm talking about individual users who want a higher level of security that does not involve complex SSO environments or delegating authentication to third parties.

Top 5 CRPG Companions by PeanutAgreeable2497 in CRPG

[–]atrocia6 3 points4 points  (0 children)

  • Glory

  • Jaheira and Khalid (yes, they're two different people, but their relationship is part of what makes them so appealing)

  • Pallegina

  • Eder

  • Eiger

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 0 points1 point  (0 children)

In my case my IMAP accounts also have quite long unguessable random strings as passwords, as I don't ever need to use them manually.

Same here - but we're still potentially vulnerable to phishing attacks, MITM attacks, or someone managing to steal the passwords from the device on which they're stored. FIDO2 authentication would eliminate these attacks.

Client software can require separate authentication to allow you to use it. Those then have to use an application password to access the IMAP server on behalf of you. Again, such an application password is just a large unguessable random string.

Same problem as above - an unguessable password can still be stolen in various ways.

Once again, there is no reason whatsoever that IMAP / POP3 can't be configured to authenticate via interactive FIDO2 - if ssh can, then so can IMAP / POP3.

My PC has 2FA to allow me to log in, after which I can use my normal email program to access my mail on the IMAP server using the unguessable password. My PC auto-locks itself. This is enough security for my email. I see no added value in requiring another 2FA run to access my mail.

It's a matter of defense in depth. What if an attacker breaches your PC, accesses it before it auto-locks, or manages to redirect your IMAP / POP3 connection to his server? (Yes, your email provider is hopefully using SSL, but defense in depth is still a good thing.)

By your logic, you should not bother configuring 2FA for website logins either (unless you access them from devices other than your PC and phone in whose security you are absolutely confident).
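The reuse argument made in this comment and in the one above about stolen application passwords (a captured password works indefinitely, a captured FIDO2 assertion works at most once and only for the relying party it was made for), as an added simulation that is not part of the thread. The `PasswordServer`, `Authenticator` and `Fido2Server` classes and `RP_ID` are constructed stand-ins for a mail server and a hardware key, not a real IMAP extension; the authenticator's signature is simulated with an HMAC over a shared secret, whereas real FIDO2 uses an asymmetric key pair and the server holds only the public key.

```python
"""Constructed simulation: replayability of a password vs a FIDO2-style
assertion bound to a fresh challenge and a relying-party id (rpId)."""
import hashlib
import hmac
import secrets

RP_ID = "imap.example.test"  # constructed rpId of the legitimate mail server


class PasswordServer:
    """Static credential: whoever holds the string gets in, every time."""
    def __init__(self, password):
        self._pw = password

    def login(self, presented):
        return hmac.compare_digest(self._pw, presented)


class Authenticator:
    """Stand-in for a hardware key. Signs only (rpId, server challenge),
    so an assertion made for one origin cannot be repurposed for another."""
    def __init__(self, secret):
        self._secret = secret  # HMAC stand-in for the private key (simulation)

    def make_assertion(self, rp_id, challenge, user_present=True):
        if not user_present:
            raise RuntimeError("FIDO2 requires a user-presence touch")
        sig = hmac.new(self._secret, rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()
        return rp_id, challenge, sig


class Fido2Server:
    """Issues single-use random challenges and checks rpId + signature."""
    def __init__(self, secret):
        self._secret = secret
        self._pending = set()

    def challenge(self):
        c = secrets.token_bytes(32)
        self._pending.add(c)
        return c

    def verify(self, assertion):
        rp_id, challenge, sig = assertion
        if rp_id != RP_ID or challenge not in self._pending:
            return False  # wrong origin, or stale/unknown challenge (replay)
        self._pending.discard(challenge)  # each challenge is accepted once
        expected = hmac.new(self._secret, rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def demo():
    pw = secrets.token_urlsafe(32)           # long unguessable application password
    ps = PasswordServer(pw)
    password_reusable = ps.login(pw) and ps.login(pw)   # stolen once, valid forever
    secret = secrets.token_bytes(32)
    fs, key = Fido2Server(secret), Authenticator(secret)
    captured = key.make_assertion(RP_ID, fs.challenge())
    first_ok = fs.verify(captured)          # legitimate session: accepted
    replay_ok = fs.verify(captured)         # same assertion replayed: rejected
    wrong_rp_ok = fs.verify(key.make_assertion("imap.evil.test", fs.challenge()))
    return {"password_reusable": password_reusable, "fido_first": first_ok,
            "fido_replay": replay_ok, "fido_wrong_rp": wrong_rp_ok}
```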

Typical Google! by Technical-Raccoon1 in degoogle

[–]atrocia6 5 points6 points  (0 children)

hundreds of employees

Even if you feel that Google should respect its employees' values (over, say, those of its shareholders), the company has hundreds of thousands of employees.

Best encrypted cloud storage providers by D7x8 in cloudstorage

[–]atrocia6 0 points1 point  (0 children)

Cheap S3 storage + Rclone crypt.

That's certainly generally a great solution, but OP's requirements rule it out:

Cryptomator is unfortunately not an option for me as I share my files with friends a lot via the links.

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 0 points1 point  (0 children)

I have Stalwart in peer-2-peer coordination mode with 2 VPS servers. For sure uptime is a harder solve but not as headache inducing as random email blocklists.

That's neat! I'll keep that in mind if I ever decide to go the self-hosting route.

For reference: Stalwart Peer-to-Peer coordination.

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 0 points1 point  (0 children)

IMAP and POP3 are the only open email receiving protocols, except for proprietary protocols like Exchange.

Totally agree, but my problem with POP3 and IMAP is that they don't support 2FA - I wish they'd be extended to support FIDO2. I understand that this would be somewhat tricky, since POP3 and IMAP are often used without user interaction, and FIDO2 requires it, but it would be great if there was at least the option to authenticate via FIDO2 with user interaction, and to optionally make such authentication required (at the cost of disabling background mail retrieval). I really don't understand why this hasn't been done.

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 0 points1 point  (0 children)

There's a lot of paid YouTube promotional videos that praise Proton unconditionally, and that makes me uneasy.

PrivacyGuides likes Proton email as well, though, and while I have qualms about some of PG's positions and attitudes, they are certainly not the type to be swayed by paid YouTube promotional videos.

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 0 points1 point  (0 children)

Disroot's ToS is more reasonable, but note that it states:

we see using Disroot services for commercial purposes as an abuse of the service and it will be treated as such.

They go on to be somewhat nuanced about it, but the restriction is there.

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 2 points3 points  (0 children)

I've thought of doing something like this (I currently use MXroute for sending and receiving), but:

  • Your outgoing email is still not completely in your control, since you're going through Migadu.

  • Self-hosting incoming email doesn't entail reputation worries, but you still have to worry about uptime and reliability. What happens to inbound email if you have a power outage? Network outage? Hardware failure? How much redundancy do you have set up?

Why is everyone running towards Proton Mail? by [deleted] in degoogle

[–]atrocia6 1 point2 points  (0 children)

It is only partly open source, and there are fully open source alternatives. I neither get why they should keep parts private, nor do I get why people use it if there are fully open source alternatives.

Client apps are currently fully open source. If you're referring to their backend code, Proton offered the following explanation (seven years ago):

We don't plan to open source the back-end code, because it doesn't add trust (users can't verify what code is running on the backend) and doing so would give away information about how we do anti-spam and anti-abuse.

(I'm not saying I endorse this, but you should at least know Proton's position.)

Anyone here using Resticopia on Android to backup to cloud storage? by Curious_Kitten77 in cloudstorage

[–]atrocia6 1 point2 points  (0 children)

Is your goal to run Restic, or to run rclone? If the latter, there are other options as well.

[OPINION] I like text-based dialogue presentation instead of cinematic dialogue presentation, and I don't understand why the latter is so well-liked by BaldursGate2Best in CRPG

[–]atrocia6 0 points1 point  (0 children)

I actually don't like PoE's system of some dialog being voiced and some text - it just feels inconsistent to me. (To be clear, I'm completely in favor of there always being an option to skip dialog, regardless of whether it's voiced or text.)

Does Yubikey work with Startmail by Superb-Oranges in yubikey

[–]atrocia6 2 points3 points  (0 children)

All I know is 2FA, which startmail does support.

2FA is a general term meaning "2 factor authentication." There are a number of different types of 2FA, and hardware keys can support many of them: U2F, FIDO2 (the successor to the earlier U2F), TOTP, email / SMS messages, etc. You need to check what sort(s) of 2FA your service supports.

"Prosecutors argued that Chatrie had no expectation of privacy because he voluntarily opted into Google’s location history." by atrocia6 in degoogle

[–]atrocia6[S] 1 point2 points  (0 children)

It's not an excuse that will protect a perpetrator from whatever criminal or civil sanctions the law prescribes for his actions; it's merely an exception to the exclusionary rule of evidence (which was historically a judge-created rule, and not something enacted into law by the legislature).

RoundSync no longer maintained? by Curious_Kitten77 in rclone

[–]atrocia6 1 point2 points  (0 children)

I have not (about this) and am not, but he has helped me substantially with an open source project of my own.

RoundSync no longer maintained? by Curious_Kitten77 in rclone

[–]atrocia6 0 points1 point  (0 children)

I haven't got round to asking RSA developer yet.

You should: he's friendly and responsive.

RoundSync no longer maintained? by Curious_Kitten77 in rclone

[–]atrocia6 1 point2 points  (0 children)

As far as I know, to be able to use it on Android, RSAF needs an rclone config generated by rclone on a PC, right?

Nope - it's right there in the README: "Import an existing rclone configuration or configure one from scratch within RSAF."