I don't think people use mutt because of security (other than good PGP support). I think people use mutt because they like the efficiency of a lean, terminal based, email client.
I agree with you here. Further, I'll add that it being 100kloc and not Thunderbird etc tells us nothing about its security. It will have plenty of flaws that show up when hackers decide it's worth the time just maybe less. I do like simple, console apps for all the security tech I can easily use with them. Doubt the mutt users are doing that outside MAC, jails, etc.
But just using mutt is giving up much usability and features with little benefit in security. They're better off using good config and sandboxing with a client that gets more audits and bug fixes.
I still use mutt (and default to text), but I don't see anyone else doing this, even in my geek coworkers or friends. So I'm a bit surprised by this article.
I use mutt because it's very very fast, and quite customizable (I maintain a kind of 0-inbox through a set of hotkeys, + spamassassin + procmail). To handle numerous mailing-lists with medium volume, it's so far the best I've seen.
I tried many email clients (on Windows, OSX and Linux), but I always come back to mutt, because it's the fastest to handle the high-volume of email I have...
I've been using mutt exclusively for many years, and I got a fair amount of flack for it every now and then. While I like to believe that it's more secure than any full-featured bloated mail-client (hello Thunderbird), my reason for using mutt is simpler. I like the speed, efficiency and customization aspects of mutt, plus being able to use vim to compose my mails. Quite frankly, I don't get how people rave about text editors but then fail to include them in their mail workflow, which is where people spend quite a bit of time nowadays.
The other reason I like mutt is because it still conforms to the UNIX principle: One thing and one thing well. True, you could use mutt for SMTP/IMAP, but there are better tools for that. I use mutt with offlineimap, msmtp and mu (for searching).
Same here. I can sort through 300 emails in a few minutes, removing/organizing the cruft into folders, and keeping only a handful of them I need to reply to.
That, plus excellent PGP support, just makes mutt a much better email client than any other existing ones, local or web.
I'm also a mutt user. Love being able to edit documents with Vim, stable PGP support, and the mnemonic hot keys. However, I wish I knew more (or could remember more) about how it works...and I can't seem to get folders to synchronize properly from `offlineimap` (though `procmail` lets me search my mail rather easily).
Subscribe to LKML or one of the subsystem mailing lists (e.g. dri-devel). Pretty much the majority of Linux kernel developers seem to be using Mutt. (Disclosure: Me too, since 1997 in fact when I needed to replace ELM.)
Most "Security Experts" are working for consultancy, tech firms, and government agencies so they probably use plenty of other clients.
The majority will probably run Outlook since Exchange is the de facto mail-server standard for any organization (that isn't tied to Lotus because 45 years ago the CEO had to sacrifice a goat to appease IBM to spare his 1st born), the rest will probably use Gmail or any other web-based mail that their smaller company is using.
Most "experts" don't necessarily follow their own advice just as alcohol, drug use and smoking is more common in Doctors than any other diploma based profession out there, so can security "experts" run just as much as a shitty setup as everyone else and think that slightly better common sense and opsec will keep them safe which more often than not it would.
> (that isn't tied to Lotus because 45 years ago the CEO had to sacrifice a goat to appease IBM to spare his 1st born)
Those blood magic spells seem to be wearing off hard in the last year or so. I've been seeing a huge number of our customers migrate from the Lotus stack to Office365. Of course, IBM has already put their software divisions out in the back yard, and are popping the cartridges into their rifle to put the old girl down.
Security Experts... let me quote Linus Torvalds: "the security community tends to be very black and white. Either it's security or it's not. And if it is security, they care deeply. And if it is not, they don't care."
So who cares if you write your email in text mode but browse the web with Chrome/Firefox? No offense against Mutt... I can understand that some terminal pros like it but I cannot understand using it for security sake. So what happens if you want to view a html email? What about mail on a mobile phone (I guess security experts do not use them)?
And mutt has other attack surface because it is using the terminal. Look here for a Ubuntu security notice about mutt: http://www.ubuntu.com/usn/usn-2440-1/
Now I smile because gmail is not affected by that!
This is all not practical for 99,9% of normal users out there.
If you care about security do not let the paranoia control you. We need to improve security for the normal users out there. Just my opinion.
You can read html emails in mutt with decent support, using "links" or a similar app.
Mutt lets you define applications that generate dumps for a given MIME type.
I used to use mutt (now i use mu4e) and indeed i do not own a mobile phone capable of more than GSM. Also, as mentioned elsewhere, HTML rendering works fine in mutt and mu4e (although perhaps this opens me up to various nefarious things).
I don't do this because i'm a security expert (i'm not), i just love speed (so AJAX and fancypants websites are out for me, i'll use the terminal or Emacs where possible) and the keyboard.
EDIT: Oh yeah, and i'd never trust my web browser with my PGP key...
I use mu4e[1] to read, search and refile my emails, and there's a keyboard shortcut for viewing an HTML email in a browser. offlineimap[2] handles inbound messages. I love it!
But for writing email, I still tend to jump over to Apple Mail. msmtp[3] handles outbound messages on those occasions when I choose to fire off a message from within mu4e.
I used mutt when I used vim, but after switching to emacs, I began using mu4e. Very keyboard-driven and scriptable. Glad to see others on HN using it.
Speaking to your not using mu4e to compose mail, I compose mail in org-mode (I often make lists in emails) then copy them into an mu4e buffer. Funny to see someone using uncommon software the same way I do.
I also use mu4e, and i'm curious, why do you switch to Mail.app for composing? I love the fact that all my editor customisations (of which there are many) are still there when i'm writing email.
I've used mutt for ages, but a couple of years ago I switched to Karel Zak's mutt-kz branch (https://github.com/karelzak/mutt-kz), which integrates notmuch into mutt. The setup is a little fussy (although well documented), but the results are spectacular. Mutt's search was never horrible but with notmuch it's nutty fast, and the tagging feature makes dealing with search and mailing lists very convenient.
As I'm an emacs person, I tried once wanderlust[1] and got hooked up to it. Wanderlust is a mail client which supports a wide variety of protocols. For me the biggest advantages are the blazing fast IMAP support and the whole emacs thing (Keybindings, Help (C-h b for all keybindings in this buffer, priceless I have to say), the possibility to run it either in GUI or in a terminal, etc). Recently the devs uploaded it to melpa[2] which makes it even more easy to get started. I would definitely recommend it, to people who are already using emacs, it's such a joy!
There are several slightly less hardcore alternatives to Mutt for those wanting a more modern e-mail experience without the security baggage of running an entire browser. Sylpheed for instance is a very pleasant text-only MUA (http://sylpheed.sraoss.jp/en/). For added peace of mind it does not take long to write an AppArmor profile to further confine Sylpheed to just the parts of your filesystem you'd like it to be able to access.
For added peace of mind it does not take long to write an AppArmor profile to further confine Sylpheed to just the parts of your filesystem you'd like it to be able to access.
Do you have an example? Sounds like a pretty awesome setup that you should share.
Thunderbird has, or had, a plain text mode and a "Simple HTML" mode (other than only recognizing a subset of HTML, I don't know what it does) for displaying messages. You can leave it in plain text mode and, in the event you really need to view HTML, switch it to "Simple" or full HTML. It also can block remote images and, I think, all JavaScript.
The wonderful Nostalgy add-on provides a very responsive keyboard interface.
I use Thunderbird and keep it set as text only for sending and remote images loading is disabled by default (as it should be). JavaScript in emails is not loaded or run.
I'm not sure I buy the reasoning on "surface area", at least not the specific comparisons in the article. It seems unfair to count Chrome but not Unix. For that matter, shouldn't we count the surface area of everything that touches the email as it hops around, including routers, etc? And isn't that the whole problem with email that the protocol does not require secure transport? So, seems like the only way to make that even vaguely secure is to use PGP (or something) on top, in which case who cares about mutt...
I'm rapidly returning to mutt from gmail because the new gmail compose widget is so bloody awful. I use Firefox-Aurora and the compose widget is sluggish, buggy, and the faux-window manager is a terrible paradigm. I'm fairly sure this isn't my aging brain calcifying on me and turning me into "grrr, I hate change": messages not sending when requested (or sending twice), line breaks not rendering, and a generally unresponsive UI.
As a bonus, I can start toying with GPG for real now (for all of my friends and family that will never use GPG?).
Copy+paste? It's rare that I write an email that's more than a couple of paragraphs, but when I need to, it only takes a second to copy the text over from a real editor.
The title carries sarcasm as soon as you finish the article half-way.
I totally agree that usability is damn important. One reason I stopped using Ubuntu Desktop version is exactly the poor usability of Unity, and I now prefer headless (and if I ever need browser I'd use X-windows).
For email client I either use Thunderbird, or Outlook 2013, simply because graphical interface is easier to work with. I code using VIM and I do a lot of work from terminal, but I can't imagine myself learning all the tricks like dragging image, setting up a meeting, viewing people's availability the next day all via terminal screen. Doable but I still think graphical interface has advantage. The thing I dislike about email clients like Outlook is their WYSIWYG editor as sometimes the editor is limited, or too aggressive. But since my job involves a lot of communication, I do need the convenience of WYSIWYG and COPY-PASTE. What a struggle.
Claws (and sylpheed, which it is a fork of) is by default text-only (html rendering only through a plugin). I used to use just mutt, but use claws quite a bit now.
My graphical client of choice. Lightweight, quick, and relatively easy to box in. Didn't play with Gmail so nicely so I access it a different way. Works with other accounts fine.
I don't use mutt anymore, but I still feel it's a beautiful client, both in its simplicity and its appearance (take the screenshot from the article, for example). I probably should start using it again since I'm transitioning away from Gmail to a traditional mail host.
I do use mutt as my principal e-mail client. It started as an experiment, now I fully transitioned to it. I enjoy being able to compose messages in vim and the tight integration with gpg. In case you want to try mutt out, some time ago I wrote a short guide about setting up mutt on osx,
> A quarter of a century ago, checking your email meant logging onto a mainframe
The lead in seems incorrect. Pine wasn't publicly released until 1992. By the early 90s many college and university environments were thin clients or unix workstations connecting to unix servers.
[+] [-] tptacek|10 years ago|reply
[+] [-] jvehent|10 years ago|reply
[+] [-] nickpsecurity|10 years ago|reply
[+] [-] jbk|10 years ago|reply
[+] [-] heipei|10 years ago|reply
[+] [-] jvehent|10 years ago|reply
[+] [-] tomphoolery|10 years ago|reply
[+] [-] blumentopf|10 years ago|reply
[+] [-] alwillis|10 years ago|reply
[+] [-] dogma1138|10 years ago|reply
[+] [-] totony|10 years ago|reply
[+] [-] eru|10 years ago|reply
> [...] just as alcohol, drug use and smoking is more common in Doctors than any other diploma based profession out there [...]
What I could find with a quick search pointed in the other direction. Do you have some evidence?
[+] [-] douche|10 years ago|reply
[+] [-] spacehome|10 years ago|reply
[+] [-] therealmarv|10 years ago|reply
[+] [-] hyyypr|10 years ago|reply
See: https://www.debian-administration.org/article/75/Reading_HTM...
[+] [-] toothbrush|10 years ago|reply
[+] [-] mobiuscog|10 years ago|reply
Just to note that I'm not a security expert, but I never check email on my phone. Just don't need to.
Whilst I realise mobile devices are very popular, there are a lot of people who don't require checking email when they're not at a desk.
[+] [-] michaelsbradley|10 years ago|reply
[1] http://www.djcbsoftware.nl/code/mu/mu4e.html
[&] https://github.com/djcb/mu
[2] https://github.com/OfflineIMAP/offlineimap
[3] http://msmtp.sourceforge.net/
[+] [-] delish|10 years ago|reply
[+] [-] toothbrush|10 years ago|reply
[+] [-] gooseyard|10 years ago|reply
[+] [-] pilooch|10 years ago|reply
[+] [-] 0XAFFE|10 years ago|reply
[1] https://github.com/wanderlust/wanderlust
[2] http://melpa.org/#/wanderlust
[+] [-] rekado|10 years ago|reply
[+] [-] mfincham|10 years ago|reply
[+] [-] dfc|10 years ago|reply
[+] [-] kjs3|10 years ago|reply
[+] [-] hackuser|10 years ago|reply
https://addons.mozilla.org/en-US/thunderbird/addon/nostalgy/
I don't know if current Thunderbird versions include all that, however.
[+] [-] JohnTHaller|10 years ago|reply
[+] [-] purpleorange|10 years ago|reply
[+] [-] methehack|10 years ago|reply
[+] [-] lottin|10 years ago|reply
[+] [-] Steltek|10 years ago|reply
[+] [-] icebraining|10 years ago|reply
https://addons.mozilla.org/en-us/firefox/addon/its-all-text/
[+] [-] foldr|10 years ago|reply
[+] [-] TsiCClawOfLight|10 years ago|reply
[+] [-] yeukhon|10 years ago|reply
[+] [-] aidenn0|10 years ago|reply
[+] [-] nickpsecurity|10 years ago|reply
[+] [-] morganvachon|10 years ago|reply
[+] [-] icebraining|10 years ago|reply
[+] [-] kkapelon|10 years ago|reply
[+] [-] koevet|10 years ago|reply
http://www.lucianofiandesio.com/getting-started-with-mutt-on...
[+] [-] bakul|10 years ago|reply
[+] [-] a3n|10 years ago|reply
[+] [-] dllthomas|10 years ago|reply
[+] [-] jakeogh|10 years ago|reply
[+] [-] massysett|10 years ago|reply
[+] [-] lloydde|10 years ago|reply