Why Security Experts Are Using an Ancient Email Format in 2015
Command-line email clients are more secure simply by being simpler.
The mutt client. Image: Ethan Schoonover
A quarter of a century ago, checking your email meant logging onto a mainframe and using a command-line email program like elm or pine. Today, many security experts continue to use and recommend mutt, elm's bastard love child.
Christopher Soghoian, principal technologist at the ACLU's Speech, Privacy and Technology Project, confirmed that he is an "unhappy user of mutt."
"Just because I use mutt doesn't mean I enjoy it," he wrote in an email. "I hate it. I wish there were something better, but I've not found it yet."
So why would a security-conscious end user install mutt?
"Simplicity is security," said Marek Tuszynski of the Tactical Technology Collective, an NGO that trains activists and reporters to use digital privacy and security tools. "Command line tools are generally characterised by much simpler design, much fewer lines of code, and the non-existence of vulnerable code (Java, Flash etc)—all of which generally means better security (less bugs, more stability)."
According to OpenHub.net, mutt clocks in at a lightweight 100k lines of code, while Thunderbird plus Enigmail swells to nearly a million. If you're using Firefox, that's almost 14 million LOC, and Chromium, the open-source code base for Google Chrome, bulges at 17.4 million LOC.
In the last ten years, the number of security vulnerabilities discovered in mutt has been infinitesimal compared to web browsers like Firefox and Chrome and email clients like Outlook and Thunderbird.
As Soghoian put it, "[mutt] isn't a web browser, and thus doesn't have the massive attack surface of a web browser."
In a world in which Hacking Team-style targeted attacks on users become more common, maximizing end-point device security is of critical concern to many. In addition to mutt, tech-savvy users are turning to command-line OTR chat clients, like Adam Langley's xmpp-client.
Off-the-Record messaging (OTR) offers encrypted chat functionality that, as of late 2012 according to the Snowden docs, was enough to evade mass surveillance. The problem from an end-point security point of view, however, is that the underlying code for both Pidgin and Adium, the two most popular OTR chat clients, relies on the questionably-secure libpurple code library.
"Yes, I use xmpp-client as my jabber client," Soghoian wrote. "I also have a love/hate relationship with it. I like that it is written in go, doesn't use libpurple, and doesn't support unnecessary features like emojis. However, the UI sucks. I long for the day when someone builds a GUI for it."
Usability is a security concern, because it doesn't matter how secure a platform is if no one uses it. Difficult-to-use command line tools do not scale beyond the community of technical end users. Will we ever see secure, private communication for the masses?
"I am really excited about Ricochet, which doesn't have a central server and doesn't leak metadata," Soghoian wrote. "But it isn't ready for primetime, and hasn't been audited yet.
"Similarly, pond (which is also from agl [Adam Langley]) is a really exciting project, and an opportunity to see what a secure email-like service of the future might look like," he added. "Sadly, agl doesn't want people to use it, and doesn't have much time to work on it. If pond were actively developed and ready for primetime, I'd happily ditch pgp and email for it."
Tuszynski emphasized, though, that there's more to endpoint security than the tools you use. "For us," he wrote, "the focus is not the digital aspect of information security, but also the security of the user: physical and psychological… the problem to solve is more complex than a simple decision between command line only or GUI."