[MlMt] MailMate passed the CASA tier 2 security assessment (hurrah?)
Benny Kjær Nielsen
mailinglist at freron.com
Wed Apr 9 14:46:59 EDT 2025
On 9 Apr 2025, at 19:12, Pete Resnick via mailmate wrote:
> On 9 Apr 2025, at 9:35, Benny Kjær Nielsen wrote:
>
>> They should only allow cloud-to-cloud services which are (ironically) often much harder to implement in a safe way (which is really why CASA exists).
>
> Can you (or maybe Steve) explain that a bit more? I believe it, but I don't have the security chops to explain it to people who need to hear it.
I'm no expert and the above is just my opinion, but this is how I see it: A desktop app only communicates with the IMAP server over an encrypted connection. The data is either on the IMAP server or it's on your own personal machine which is hopefully well protected (password, disk encrypted, etc.). The same goes for your email account password (or your OAuth refresh token). They are only on your machine and they are stored, again encrypted, in Keychain Access (in the local keychain). Finally, you are (perhaps) the only one with physical access to the machine. In my opinion, this is all Google needs to know about MailMate: Does it safely store any passwords/tokens? Google already decides/controls the safety of the encrypted connection to their server.
If you use a cloud service, for example a web-based email client which can access your Gmail account, then all of this information is located on a server. This server needs to protect all information together with information for a lot of other users. A bug could have severe consequences if, e.g., one user accidentally gets access to another user's emails. More people will have physical access to this server. You need to be able to trust them. You also need to be very careful that hackers cannot find a way into the server. You could say that everything related to this server needs to be at least as secure as what Google does to protect the Gmail server. Public servers are, in general, under constant attack.
But I'm a desktop app developer. Of course I would think that it is easier to implement a desktop email client ;)
--
Benny