How much does Inky cost?
Do I need to create a new email address?
No. Inky works with your current email accounts. You can also add new accounts at any time.
Can your employees read my mail?
No. Your mail provider stores your mail, and your email never goes through our network or computers.
Will using Inky mess up my mail?
No. Inky keeps your emails intact and in sync with your email provider. For example, if you read a work email message on your home computer, and then go to the office, you will see that the message is marked as read there as well. You can always “go back” after trying Inky. In fact, you can switch back and forth between your providers' web sites and Inky any time you want.
If I send mail using Inky, will it still look like it's coming from me?
Yes. When you compose a message, you can send it from any of your accounts. Messages sent using Inky look exactly the same as if you had sent them using your provider's web site.
Are my email passwords stored on Inky's servers?
Inky connects to your email providers and processes your mail on your machine. Your email data never passes through our servers. Inky stores your email passwords encrypted on our servers, but the decryption key is your Inky password. This means that no one -- not even Inky employees -- can access your data without knowing your password. This also means that you can have one Inky account for multiple computers because your information is transferred encrypted through the cloud.
How does Inky store my passwords and other sensitive information securely?
We use a combination of strong encryption, innovative algorithms, and common sense to make Inky safe. At a high level, Inky always uses your computer's network connection to talk to your mail servers, and always negotiates the most secure connection it can to your mail servers. This means that Inky's communications with your mail servers are private and secure -- neither a third party nor our employees can ever access your email.
Inky uses an important new technique to store your confidential information securely. This method -- known broadly as a "zero knowledge proof" -- allows Inky to prove to our servers that you know your Inky password without actually transmitting the password itself. As strange as that may seem at first, it's possible to prove that it works without leaking any confidential information.
Here's how: Our servers store what's known as a "password verifier" that matches your password and only your password. Computer scientists believe that recovering your password from the password verifier is about as hard as simply guessing the password using brute force -- in other words, by trying all possible passwords. This means that if a hacker or a rogue employee gets access to your stored password verifier, the verifier does not actually help the person determine your password.
When you type your password into Inky, Inky uses a zero-knowledge proof protocol called Secure Remote Password (SRP) to authenticate you. Your password is never transmitted outside your computer's memory, so no one can eavesdrop on it. The SRP protocol is an open standard developed at Stanford by Tom Wu, and is defined in IETF RFC 2945.
Because SRP allows Inky to prove to our servers that you typed in your password correctly without sending the password, your password remains secret. This, in turn, means that Inky can use your password as a key to encrypt other sensitive information we store on your behalf, such as your email passwords. Here again, our goal is to ensure that even if a third party gained access to our database and got your encrypted email passwords, it wouldn't help the third party get into your mail account and read your mail.
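The verifier and login exchange described above, as an added sketch that is not Inky's code: it follows the RFC 2945 arithmetic, but the group (a Mersenne prime with g = 3), the use of SHA-256, and all function names are assumptions made for this example.

```python
import hashlib
import secrets

# Toy group (assumption, for brevity): a Mersenne prime. Real deployments
# use a standardised large safe-prime SRP group instead.
N = 2**521 - 1
g = 3
NBYTES = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def num(b: bytes) -> int:
    return int.from_bytes(b, "big")

def pad(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")

def private_x(salt: bytes, user: str, password: str) -> int:
    # x = H(salt | H(user ":" password)); computed only on the client.
    return num(H(salt, H(f"{user}:{password}".encode())))

def enroll(user: str, password: str):
    """Client side: produce the (salt, verifier) pair the server stores."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def exchange(user: str, typed_password: str, salt: bytes, v: int):
    """Simulate one login; return (client_key, server_key, wire)."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    A = pow(g, a, N)                          # client -> server
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    B = (v + pow(g, b, N)) % N                # server -> client
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value")
    u = num(H(pad(B))[:4])                    # 32-bit scrambling value
    # Client: needs the typed password to strip the verifier out of B.
    x = private_x(salt, user, typed_password)
    s_client = pow((B - pow(g, x, N)) % N, a + u * x, N)
    # Server: needs only the stored verifier, never the password.
    s_server = pow(A * pow(v, u, N) % N, b, N)
    wire = {"user": user, "salt": salt, "A": A, "B": B}
    return H(pad(s_client)), H(pad(s_server)), wire
```

The two keys agree only when the typed password matches the one used at enrollment; in a full protocol run each side then sends a hash proving it holds the key before the session is trusted.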
The specific encryption method we use is known as AES-256. This encryption method has been standardized by the US National Institute of Standards and Technology (NIST), and is authorized for use in top secret applications in the US.
To encrypt your sensitive information with AES-256, we first derive a key from your Inky password. Because your Inky password may not be very strong from a cryptographic standpoint, we use a method called PBKDF2 to "stretch" your password into a strong key. Our particular implementation of PBKDF2 allows us to increase certain parameters as time goes on and computers get more powerful, but right now we use PBKDF2 with 2048 cipher iterations, the SHA-256 hash function, and a 24-bit key length. See IETF RFC 2898 for more details on the PBKDF2 standard.
Does Inky use encryption? Does it validate server certificates?
Yes. Inky communicates with servers using the Internet standard encrypted communication methods collectively known as SSL or TLS. Inky will always negotiate the most secure connection offered by the remote server; for example, if a server offers both unencrypted and encrypted access, Inky will always use encryption.
Inky requires SSL 3.0 or better with at least a 1024-bit key, and allows only AES, 3DES, and RC4 ciphers. Inky won't connect to a server unless it can meet these minimum standards.
Inky validates standard X.509 server certificates and will warn you if you connect to a server whose certificate does not validate. When you first add an account to Inky, it may prompt you to "allow" the remote server; when you do this, you are implicitly allowing that server's X.509 certificate. However, if the certificate changes at some time in the future, and no longer validates, then Inky will refuse to connect until you explicitly allow the new certificate. This protects you against someone setting up a new server that pretends to be your mail host's server.
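The allow-then-refuse-on-change behaviour described above can be modelled as a small decision function. This is an added example, not Inky's code: the class, the return values, the choice to remember one SHA-256 fingerprint per host, and the sample certificate bytes are all assumptions, and `chain_validates` stands for the result of ordinary X.509 validation done by the TLS library.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_OLD = b"constructed-der-bytes-for-original-server-cert"
CERT_NEW = b"constructed-der-bytes-for-replacement-cert"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw certificate bytes, as a hex string."""
    return hashlib.sha256(cert_der).hexdigest()

class AllowedCerts:
    """Remembers, per host, the one certificate the user explicitly allowed."""

    def __init__(self):
        self._pins = {}  # lower-cased host name -> fingerprint

    def allow(self, host: str, cert_der: bytes) -> None:
        # Explicit user approval replaces any earlier exception for the host,
        # so a previously allowed certificate stops being accepted.
        self._pins[host.lower()] = fingerprint(cert_der)

    def decide(self, host: str, cert_der: bytes, chain_validates: bool) -> str:
        if chain_validates:
            return "connect"   # normal X.509 validation succeeded
        pinned = self._pins.get(host.lower())
        if pinned is None:
            return "prompt"    # never allowed: warn and ask the user
        if hmac.compare_digest(pinned, fingerprint(cert_der)):
            return "connect"   # same certificate the user allowed earlier
        return "refuse"        # changed and does not validate: block
```

An exception is scoped to a single host and a single certificate, so allowing one server never relaxes checks for another.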
Does Inky invade my privacy?
No. By design, Inky can read your mail and help you organize it, but we, the creators of Inky, cannot. When you read an email with Inky, you're reading a copy that's stored in the memory of the machine you're reading it on -- e.g., your desktop computer. Unlike many mail services, with Inky you are not reading a copy of mail that's stored on our servers somewhere in the cloud. And because Inky never sends us your emails -- again, by design -- our employees can't ever access the contents of your email. This protects your privacy. Note, however, that your mail host -- the company that provides you your email account and mail storage -- very likely can still read your email. There are email storage providers that offer to host your mail in such a way that they cannot read your email; if you are worried about the absolute privacy of your email, you should consider using one of these providers in conjunction with Inky.