Go to file
Felix Hammerl 73ed053c66 Merge pull request #140 from whiteout-io/dev/wo-594
[WO-594] Return own hostname for 'hostname' call from socket.io
2014-10-14 18:40:21 +02:00
config Add production config file 2014-09-17 16:17:14 +02:00
res Add mobile homescreen icons and cca build scripts 2014-08-13 13:37:55 +02:00
src Merge pull request #134 from whiteout-io/dev/WO-588 2014-10-02 18:17:01 +02:00
test [WO-625] Catch exception on socket.oncert 2014-09-30 12:30:18 +02:00
.gitignore Skip setting passphrase in setup 2014-09-15 14:26:12 +02:00
.jshintrc [WO-565] Improve notifications 2014-09-17 13:29:51 +02:00
.travis.yml update readme and change deps to https github tarballs 2014-01-15 17:07:14 +01:00
Gruntfile.js Firefox App and AppCache 2014-09-21 03:25:53 +02:00
LICENSE.txt Update LICENSE.txt 2014-04-15 18:34:33 +02:00
README.md Update README.md 2014-10-14 09:05:36 +02:00
package.json Update package.json 2014-10-02 18:11:17 +02:00
server.js [WO-594] Return own hostname for 'hostname' call from socket.io 2014-10-14 13:51:52 +03:00


App Icon

Whiteout Mail Build Status

Whiteout Mail is an easy to use email client with integrated OpenPGP encryption written in pure JavaScript. Download the official version under whiteout.io.


You can read about product features and our future roadmap in our FAQ.

Privacy and Security

We take the privacy of your data very seriously. Here are some of the technical details:

  • Messages are encrypted end-to-end using the OpenPGP standard. This means that only you and the recipient can read your mail. Your messages and private PGP key are stored only on your computer (in IndexedDB).

  • Users have the option to use encrypted private key sync if they want to use Whiteout on multiple devices.

  • Content Security Policy (CSP) is enforced to prevent injection attacks.

  • HTML mails are sanitized with DOMPurify and are rendered in a sandboxed iframe.

  • Displaying mail images is optional and opt-in by default.

  • Like most native email clients, whiteout mail uses raw TCP sockets to communicate directly with your mail server via IMAP/SMTP. TLS is used to protect your password and message data in transit.

  • The app is deployed as a signed Chrome Packaged App with auditable static versions in order to prevent problems with host-based security.

  • The app can also be used from any modern web browser in environments where installing an app is not possible (e.g. a locked down corporate desktop). The IMAP/SMTP TLS sessions are still terminated in the user's browser using JS crypto (Forge), but the encrypted TLS payload is proxied via socket.io, due to the lack of raw sockets in the browser. Please keep in mind that this mode of operation is not as secure as using the signed packaged app, since users must trust the webserver to deliver the correct code. This mode will still protect user against passive attacks like wiretapping (since PGP and TLS are still applied in the user's browser), but not against active attacks from the webserver. So it's best to decide which threat model applies to you.

Reporting bugs and feature requests

  • We will launch a bug bounty program later on for independant security researchers. If you find any security vulnerabilities, don't hesitate to contact us security@whiteout.io.

  • You can also just create an issue on GitHub if you're missing a feature or just want to give us feedback. It would be much appreciated!


You can download a prebuilt bundle under releases or build your own from source (requires node.js, grunt and sass):

npm install && npm test

This will download all dependencies, run the tests and build the Chrome Packaged App bundle DEV.zip which can be installed under chrome://extensions in developer mode.


For development you can start a connect dev server:

grunt dev

Then visit http://localhost:8580/dist/#/desktop?dev=true for front-end code or http://localhost:8580/test/unit/ to test JavaScript changes. You can also start a watch task so you don't have rebuild everytime you make a change:

grunt watch

Releasing Chrome App

grunt release-test --release=0.0.0.x
grunt release-stable --release=0.x.0

Deploying Web App & Selfhosting

The App can be used both as a Chrome Packaged App or just by hosting it on you own trusted web server.

First build and generate the dist/ directory:


Then start the server and navigate to http://localhost:8585 (or whatever port is set using the PORT environment variable):

npm start

A note on security: The app should not be used without SSL so it's best to set up a reverse proxy or Loadbalancer with your SSL certificates. If you are not sure how to do this it might be easier to use our managed web hosting or packaged apps under https://whiteout.io/#product.


Copyright © 2014, Whiteout Networks GmbH. All rights reserved.

The code is open for inspection and peer review by the security community.
The code is currently not licensed under an open source license. If you're
interested in contributing or getting a license, please get in touch with
us (info@whiteout.io).

Third party libraries

We work together with existing open source projects wherever possible and contribute any changes we make back upstream. Many of theses libraries are licensed under an open source license. Here are some of them:

  • OpenPGP.js (LGPL license): An implementation of OpenPGP in Javascript
  • email.js (MIT license): IMAP, SMTP, MIME-building and MIME-parsing engine
  • Forge (BSD license): An implementation of TLS in JavaScript