Back with an update on Elusive: heard you on closed source
Posted here two days ago about the encrypted email thing I'm building, closed source at the time, said it'd open at 300 users. A bunch of you called that an immediate trust killer, and one comment stuck with me: "GPL will give you the best input into holes." Fair. Didn't wait for the number, opened it now.
Whole thing's public: server, browser crypto, storage layout, AGPL-3.0.
The part I'd actually pay attention to over "source is up somewhere": every build is signed by GitHub Actions itself, not by me by hand, no private key of mine sitting around for anyone to leak. The signature lands in a public log. There's a widget on the site that checks the live server against it, so you don't have to take my word that what's running matches what's in the repo.
Also since last time: forward secrecy per message, each one sealed to a key that's gone the second you read it. Outbound mail auto-encrypts too now if the recipient has a published key, used to be inbound only. And the columns that were still plaintext, username, aliases, read state, are ciphertext now.
Go find what's still broken. https://elusivemail.xyz/security https://github.com/elusivecloud/elusivemail