When the WebCrypto API will be incorporated into most browsers, wouldn't it be possible to develop a PGP version that runs completely in the browser? This way, it can run on mobile devices, and can be used with hosted webmail solutions.

That's because some countries DO learn from their mistakes in the past?

Even Atlantis had a subway with concentric circles, according to Indiana Jones & The Fate of Atlantis.

If it worked for them, it can sure work for New York.

Citrix ShareFile?

In most companies, doing all this will just get you fired...

- Implementing DKIM?
- Implementing SPF?
- Make sure the sender address doesn't bounce?
- Make sure you don't open thousands of connections to the receiving party for each recipient ? (in case of yahoo, hotmail, gmail, ...)
- The contents of the e-mail is not considered spam? (provide unsubscibe link, no big images included, etc...)


Setting up a mass-mail infrastructure is not to be taken lightly. There are lots of reasons why you could be listed as a spammer. That's why most companies outsource their their mass-mailing to 3rd parties like MailJet, MailChimp, SendGrid...

Okay listen... Starting a business costs money... a lot of money. If you don't have the funds to overcome a year without income, you shouldn't be starting a business in the first place. If you are out of a job, I hope you saved money when you still had a job.

And read the second part of my sentence: involving investors. Maybe you can convince former businesspartners to invest in your company? Or maybe contact an ex-colleague who happens to be out of a job too?

You may not like the truth, but that doesn't change the fact that starting a business costs money. I considered the same thing when I was unemployed, and I almost started one too. But I took a look at the worst-case scenario (giving my current financial status at that time), and I realized that things could get very ugly if I didn't start making profit after the first 6 months. That's quite a short period, and given the economy at that time, I was not sure that would be the case. So, yeah, I know what you are going through. Ofcourse, if you already have an interested customer who's willing to spent his money on you for a year, than I guess you can take the risk.

You can also try to do some freelance consulting (team up with some big consulting companies if you have to). It allows you to make money, and gives you the freedom to start your company when your finances are looking better. Most IT freelancing jobs don't require a big investment (laptop+office suite software+some bookkeeping stuff). That's how Joel Spolsky of Fog Creek Software started his company, I believe... (do consulting to bring in the money, while working on his software product)

That should not be interpreted as a negative, but as a positive

I see what you did there...

By saving a lot of money for a few years before you start your business and/or involving investors...

Simple: The Apple Store rejects applications that disable proper CA checking. It can only be disabled by private iOS API's if I'm not mistaken. Apps that use private API's are automatically rejected.

By making sure you already have enough money to start your own business. Create a business-plan, and take all those costs into account already. Make sure you have enough cash for your initial investments + cover your costs for the first year at least. Let an accountant check that business-plan too, to make sure it's actually feasable.

Most ISV's don't do this...

Most ISV's fail because they don't do this...!!

And I don't see the problem with that if the developer needs the money to feed his family.

Also, you can buy wildcard certificates for your domain if you use multiple subdomains. Still safer than self-signed certs

I run it on my own VPS, which has a dedicated fixed IP address. I'm not saying my set-up is perfect. But a signed certificate + validation of the entire CA chain already solves a lot of issues.
And I don't SNI because I only have one hostname.

Look, we can discuss this as much as you want, but it doesn't change the fact that self-signed certs are simply "not-done" in a production-environment. As soon as I encounter an unsigned or expired certificate in a product, I just don't trust that product anymore. And I'm sure I'm not the only one...

Really? I had to verify by e-mail, sms, and phone for my cheap cert. If you can get a valid signed certificate for my domain at that price without my approval, please contact me. I'm eager to test this. But somehow I doubt that any cheap ssl registrar will issue a signed certificate without at least an email verification of the domain-holder himself. But feel free to prove me wrong.

Nevertheless a signed certificate protects you against 95% of all MTM attacks.