Tuesday, 30 April 2019

The Intercept's top security expert reviews Helm, a standalone home email server that keeps your comms out of Big Tech's data-centers

Last October, a startup called Helm announced a $500, plug-and-play home email server that was designed to be a secure, decentralized, privacy-oriented alternative to using one of Big Tech's email systems like Gmail, an option that was potentially even more robust than using email from a privacy-oriented provider like Riseup or Protonmail because your metadata would not be stored anywhere except in your home.

Micah Lee is a computer security engineer who was formerly a staff technologist at EFF; now he works at The Intercept. For several months, he's been hosting his personal email on a Helm device in his living room. He's just published an excellent, in-depth review of Helm, including a preliminary security audit.

His conclusion: largely positive. Helm's biggest security gap is the lack of an intrusion detection system that can warn you if someone is trying to hack it (this is in the works); but it has a "proximity-based authentication" setup that makes it much harder to phish an account (it also means that any time you set up a new account or a new mobile device to manage an existing account, you have to be within Bluetooth range of your Helm device, which might be a problem if your phone breaks while you're traveling).

The service itself works just like you'd expect a traditional, POP-based email service to work. Using a program like Thunderbird, you fetch your email and it just shows up in your inbox. The Helm doesn't support server-side filtering (a feature that power-users who already run their own mail-servers might miss), but it is otherwise functionally identical to a managed, data-center-based mail server, except that it lives in your house. Helm provides DNS and other back-end services, and even includes a domain with the hardware (you can also use an existing domain).

I don't think I'll be getting a Helm, but only because I have a better "self-hosted" solution that most people don't have access to (Ken Snider, Boing Boing's amazing sysadmin, hosts my mail for me on a server he personally manages). If I didn't have access to this kind of one-off, non-scaleable solution, I'd definitely be willing to pay $100/year to get email from Helm, especially in light of Micah's positive review.

I believe that Helm’s technical infrastructure is well-engineered from a security perspective. It uses best practices (I go into greater detail in the “under the hood” section below), I don’t see any obvious flaws, and, though I haven’t made a thorough comparison, it appears to offer similar security as most small, well-run email providers. Basically, the only attackers who can get in are those armed with expensive zero-day exploits — exploits that rely on bugs that the software-makers themselves don’t even know exist and thus have not been able to release security updates for. An attacker would need to find a zero day for software Helm is known to run, like Dovecot, the open-source email server. The vast majority of attackers will remain locked out.

That said, there are some security tradeoffs involved with using Helm and some areas in which the system’s security could be improved.

If someone does manage to hack your Helm, you probably won’t notice, unfortunately. Sreenivas told me that Helm doesn’t have an intrusion detection system at this time. “We plan to summarize failed attempts in a weekly digest email,” he told me, “but alerting on actual intrusion is something we haven’t defined yet.”

Avoid Surveillance with Helm, a Home Server Anyone Can Use to Keep Emails Truly Private [Micah Lee/The Intercept]