Nomx? No thank you

"World's most secure email communications device" falls badly short, researcher reveals.


Nomx describes itself as “the only secure email communications device compatible with legacy email systems.” Its marketing goes further:

    “Everything else is insecure.”

    “The world’s most secure communications protocol”

    “nomx ensures absolute privacy for personal and commercial email and messaging”


Some pretty bold claims, so the BBC asked British security researcher Scott Helme to take a closer look.

What Scott found was pretty shocking, and certainly didn’t live up to Nomx’s marketing hype.

Poking around inside the device, Scott discovered that Nomx was relying on software that was, in some cases, seriously out of date:

Raspbian GNU/Linux 7 (wheezy) - last updated 7th May 2015
nginx version: nginx/1.2.1 - released 5th June 2012
PHP 5.4.45-0+deb7u5 - released 3rd September 2015
OpenSSL 1.0.1t - released 3rd May 2016
Dovecot 2.1.7 - released 29th May 2012
Postfix 2.9.6 - released 4th February 2013
MySQL Ver 14.14 Distrib 5.5.52 - released 6th September 2016

What’s more, there was no apparent way for the device to update itself automatically should a fix for any of these be required.

And it just gets worse from there.

There’s much to leave you astonished and appalled in Scott’s autopsy of Nomx, but I found this bit particularly amusing:

The code is riddled with bad examples of how to do things and it seems was developed by one guy called ‘shawn’ whose name appears throughout. They narrowly avoided one persistent XSS vulnerability by stripping tags followed by the comment /* should we even bother? */
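To show what “stripping tags” does and does not buy you, here is an added example in PHP (the language the Nomx web interface ran). It is not Nomx’s code and is not taken from Scott’s write-up; the form field, function names and attacker string are all hypothetical. strip_tags() only removes things that look like tags, so a payload that breaks out of a quoted attribute needs no tags at all and passes straight through, whereas context-aware encoding with htmlspecialchars() keeps it inert.

```php
<?php
// Added example, not Nomx's code: why strip_tags() is a weak XSS defence.
// The form field, function names and attacker input below are all hypothetical.

/** Weak: remove anything tag-shaped and hope the result is safe in every context. */
function sanitize_by_stripping(string $untrusted): string
{
    return strip_tags($untrusted);
}

/**
 * Correct: encode for the HTML context the value lands in. ENT_QUOTES covers
 * both quote characters, so the value stays inert inside a quoted attribute
 * as well as in element text.
 */
function encode_for_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hypothetical template: a stored profile value rendered into an input's value attribute. */
function render_display_name(string $stored, callable $defence): string
{
    return '<input type="text" name="display_name" value="' . $defence($stored) . '">';
}

// Constructed attacker input, imagined as saved to the account profile earlier
// (the "persistent" part). It contains no '<' or '>', so strip_tags() has nothing
// to remove; the leading double quote closes the value attribute and the rest
// adds an event handler that fires as soon as the field is focused.
$payload = '" autofocus onfocus="alert(document.cookie)';

echo "strip_tags() only:\n";
echo render_display_name($payload, 'sanitize_by_stripping'), "\n\n";

echo "htmlspecialchars():\n";
echo render_display_name($payload, 'encode_for_html'), "\n";
```

Run it with the php command-line interpreter. In the first rendering the markup gains a live onfocus attribute; in the second every quote in the payload is encoded, so the browser treats the whole string as the attribute’s text. The general lesson is that sanitising by deletion is blind to where the value is used, while encoding chosen per output context (element text, attribute, JavaScript, URL) is the actual defence. strip_tags() also has the side effect of mangling legitimate input that contains a bare “<”.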

Read the full shocking story, in gory technical detail, on Scott Helme’s blog.

Well done to Scott for his detective work. Watch the full report on BBC iPlayer.


4 Responses

  1. David L

    April 27, 2017 at 4:02 pm

    If you didn’t read the blog post of the researcher, you don’t know what you’re missing! And after reading, all I can say is WOW! I hope that word of this gets to any and all customers for this joke of a product.

  2. MCT

    April 28, 2017 at 8:27 am

    Have you read the nomx statement?

    • Mark Jacobs in reply to MCT.

      May 2, 2017 at 12:58 pm

      Utter falsehoods!

  3. Jim

    April 30, 2017 at 11:36 am

    And the price of this ‘box of tricks’ had me spluttering!
