Scam Detective
Domain

codamail.com

First seen Feb 24, 2026

Suspicious
  • No SSL certificate
  • 7 community reports from users

Campaign Intelligence

Based on the community reports provided, codamail.com appears to be a legitimate privacy-focused email service provider rather than a scam operation. The reports span educational content and service discussions, with consistent upvote patterns (ranging from 2-6 upvotes) suggesting genuine community engagement. The reports focus on privacy and security topics including encrypted communications, data protection, and technical features like WebDAV/CalDAV/CardDAV services. The common theme across a...

Details

First Seen
2/24/2026

Related Domains

No known connections to other entities yet.

Community Reports

Why You Should Never Let a Provider Generate or Store Your Private Key

https://codamail.com/articles/why_provider_should_never_store_private_key.html

# Why You Should Never Let a Provider Generate or Store Your Private Key

Modern encrypted communication platforms often advertise *end-to-end encryption* and *zero-access security*. But beneath the marketing language lies a critical technical reality:

> **If a provider generates or stores your private key, even in encrypted form, the system is not zero-trust or zero-access.**

This article breaks down why true zero-trust cryptography *requires* that users generate, protect, and retain sole custody of their private keys. The provider should *only* have access to the public key and never even touch the private key, not even once! Anything less introduces hidden trust assumptions that undermine the entire security model.

# Zero-Trust Begins With Key Ownership

In any asymmetric encryption system, the foundation is simple:

* **Public key** - shared freely
* **Private key** - never leaves your possession

The public key enables others to encrypt messages to you. The private key enables only *you* to decrypt them. A zero-trust system requires that:

* You create your private key on hardware you control with software you choose.
* You never upload the private key to any third-party service, ever.
* You never depend on the service doing the encrypting to generate, manage, or store it.

If a provider ever touches your private key, even once, the system transitions from zero-trust to trust-required.

# Client-Side Key Generation Delivered by the Provider Isn’t Trustless

Some services attempt to bridge convenience and security by generating your key pair “locally in the browser.” But this model has a fundamental flaw: **The provider supplies the JavaScript that generates your private key.** Because the service controls the code del

131 days ago, 6 upvotes

A beginner-friendly guide to evaluating website security

With all the vibe-coded sites and temp mail sites popping up, I thought a guide to using some free online tools to evaluate the privacy and security of sites could be helpful to some. https://codamail.com/articles/how_to_check_website_privacy_security.html

132 days ago, 3 upvotes

Secure private unified WebDAV/CalDAV/CardDAV

In looking to add DAV features to our services we encountered the simple fact that DAV services are just not private by design. There are two main problems, the weaknesses of basic authentication, which is required for client compatibility, and unique identifier in the URL derived from the login, which enables sync correlation and behavioral analysis based on sync times and services. These exist at the core of every WebDAV server. You can add authentication features like OAuth2, which excels in some things, but WebDAV/CalDAV/CardDAV is not one of them.

**It didn't exist, so we built it**

We introduce a novel unified DAV server that handles full method level scoped WebDAV, CalDAV, and CardDAV, built from the ground up for privacy, security, and scalability. We also turned basic authentication into full cryptographic authentication, removed the unique identifiers from login and URL, and gave users individually selectable full-scoped CRUD and global CDM (create/delete/modify(PROPPATCH)) abilities per sets with the ability to immediately and dynamically change scopes without authentication set reissue.

We took it even further by allowing multiple authentication sets per user, each with their own unique properties, enabling the user to create compartmentalized unique authentication sets with fine grained permissions cross services, thus appearing to DAV services as different users for each authentication set. All while maintaining 100% RFC compliance and 100% client compatibility with iOS/macOS, DAVx5, Thunderbird with TBsync, Evolution, and all basic authentication clients.

**How did we do that?**

We had three issues to solve, the basic authentication issue of base64 encoded login and password, which really does not provide enough entropy without increasingly complex passwords. It has also enabled cross service behavioral correlation in DAV because it is the unique identifier in both the login and URLs. Finally, t

271 days ago, 5 upvotes

Anyone want to do a CodaMail Review?

We have come a long way since the initial change to scale from Cotse to CodaMail and feel that it is now very polished and offers more e-mail related features than any other mail service, especially with the recent addition of the Deadman Switch. I'd be interested in some feedback, a simple bulleted one page list of features can be found here: https://codamail.com/features_list.html

You can get a free account if you want to investigate deeper, but a simple perusal of the features and your feedback is valuable. Please let me know if you think we are missing anything useful.

290 days ago, 6 upvotes

How to self-evaluate privacy services

We've published an article on how to self-evaluate privacy services and some of the things to look for that might indicate that they are not actually offering what they claim (feedback welcomed): https://codamail.com/articles/how_to_self-evaluate_privacy_services.html

Additionally, if anyone is using the roundcube plugin twofactor_gauthenticator (A standalone TOTP 2fa), you should update it now. We discovered a few vulnerabilities in it. We notified the package maintainers and our fixes have been merged. Details here (it's markdown, but we don't render it, so you'll get it raw): https://codamail.com/Information_Leakage_in_Roundcube_twofactor_gauthenticator_Plugin.md

371 days ago, 2 upvotes

Just how safe are the apps for your phone?

"Every time you check the weather, play a game, connect to a VPN, or even open your email on your smartphone, you may be generating location data that will end up in the hands of military, intelligence, and law enforcement agencies around the world bought and sold via data brokers. This isn't tinfoil hat stuff - it's documented fact, revealed through government contracts, court documents, and data breaches."

This article discusses the process by which location data is fed from your phone to military, intelligence, and governments around the world. It discusses the Gravy Analytics breach, which shows the scope and names, which include Tinder, Grindr, Candy Crush, Microsoft 365, and thousands more including many VPN apps unknowingly collecting near real time location data that is sold through its subsidiary Venntel to intelligence agencies and governments: https://codamail.com/articles/your_phone_is_a_military_target.html

406 days ago, 5 upvotes

The myth of jurisdictional privacy

I've put together a page that attempts to document the true nature of the current state of global surveillance and how it effectively nullifies jurisdictional protections. It's a bit long, but for those with the time to peruse it, I welcome feedback. https://codamail.com/articles/The_Myth_of_Jurisdictional_Privacy.html

411 days ago, 6 upvotes
