u/AdrianMav1

Beware of Aster Mail - I audited their code

I spent some time going through Aster Mail's public codebase. They market themselves as end-to-end encrypted, zero-access, post-quantum secure email. The code tells a different story.

I'm posting this because people in this community deserve to know what they're actually trusting their communications to. Everything below is verifiable from their public source code.

FULL DISCLOSURE: I am one of the founders of Secria Mail.

The critical issues:

  1. Post-quantum encryption doesn't actually exist. Their README promises "complete post-quantum protection" using ML-KEM-768. The code generates the post-quantum keys, uploads the public half to the server, then immediately deletes the secret half before saving it. It's never used to encrypt anything. They get the marketing checkbox. Users get zero post-quantum protection.
  2. "Forgot password via email" uploads the vault key in plaintext. When a user enables email recovery, the client sends both the encrypted vault AND the key that decrypts it in the same HTTP request. Anyone with database access (staff, a breach, a court order) can decrypt the vault and read everything. This single feature breaks their entire "zero-access" claim.
  3. Tor mode silently fails open. If Tor fails to start, the client sends the request over the regular internet with no warning. The user thinks they're anonymous. They're not. This is the kind of bug that gets activists and journalists hurt.
  4. The password hashing algorithm advertised is not the one used. The API says Argon2id. The code uses PBKDF2 with 310k iterations. Combined with #3, weak passwords can be cracked at hardware speed.

Other serious issues:

  1. The Double Ratchet implementation skips a required authentication step. A network attacker can corrupt the protocol state without decrypting anything. Real protocol-level deviation from the Signal spec.

  2. The desktop app exposes an unrestricted "make any HTTP request" function to the renderer. A single XSS bug (and they allow inline scripts) turns into the ability to hit internal services, exfiltrate data, and bypass Tor.

  3. Mobile biometric lock is a UI illusion. Face ID / Touch ID just toggles a boolean. No key is bound to the biometric. On a rooted phone, the lock is bypassed by changing one value.

  4. Cross-account login tokens are "encrypted" with a key stored in plaintext next to them. One XSS = takeover of every account on that device.

  5. The Tor cleartext-blocking check has a substring bug. A URL like http://evil.example.onion.fake.com/ passes the check.

  6. Inbound encrypted email signatures aren't verified. Anyone can forge messages that appear to come from anyone.

  7. Their "signed prekey" uses RSA-4096 instead of an EC key. Registration takes ~30 seconds because of this. It's a strong indicator that whoever wrote this layer didn't understand the protocol.

In plain terms: most of what they market as security guarantees aren't enforced by the code. A motivated attacker, a malicious insider, or a court order can defeat the "we can't read your email" claim today, without breaking any cryptography.

I'm not posting this to start any sort of drama. I'm posting it because I genuinely care about people's privacy and security.

Happy to answer questions or walk through any of these in more detail.

-Adrian

reddit.com
u/AdrianMav1 — 6 days ago