I wouldn't touch an iphone with a bargepole either. It's not a question of who owns the "i's" but how much they allow integration with other platforms. That said, I would have preferred a black and white, "This is an Apple app" on their frontpage, so I don't have to waste time drilling through their website to find out.
OpenMailBox.org RuggedInbox.com Tutanota.com Posteo.de mailbox.org Runbox.com Neomailbox.com CounterMail.com StartMail.com KolabNow.com ProtonMail.com
I'll just add to the IOS debate. No matter what you think about apple as a company when it comes to security the iPHONE is leaps and bounds ahead of Android or Windows Phone. It's very easy to create malware and get it onto a Android phone. Too easy. But it's very hard to get malware onto a iPHONE without having physical access. Every exploit that comes out for the iPHONE is basically a physical in hand exploit. Apple polices the iPHONE ecosystem really well including the app store.
Let's see, Masque Attack, FREAK, XARA, etc. Funny: http://www.macworld.com/article/293...ore-malware-steal-os-x-and-ios-passwords.html
It may be true that the iPhone is more secure in some technical ways. As J L notes, it is far from immune from attacks. Apple (both OS X and iOS, as well as Safari) has also been vulnerable to most of the recent SSL bugs and has been the slowest to patch the problems (ironically Microsoft has in several cases been the quickest). I think Apple still has not fully patched the Poodle bug (opting for a lesser solution for some reason). More importantly, I have read several security experts saying that Apple is the primary target for malware and other hacks now. So whether or not iOS is technically more secure, due to the greater interest in hacking its more lucrative customers, Apple users will more and more suffer the most problems. People have long predicted that if Apple became more of a target it would have more problems. Many dismissed this. But now its happening just as predicted.
I didn't say it was immune to malware and attacks. But I said it's way better than Android and Windows Phone when it comes to security. Anyway we are getting off topic. This is a email thread
Yes that was clear. And the truth is that: 1) iOS is far more vulnerable than Apple users and Apple like to pretend and not that different from Android and Windows Phone (in fact, I've read some security people saying Windows Phone is now the most secure phone OS). Further you asserted there are only "physical in hand" attacks on iOS and that is patently untrue. 2) Because iOS is now the primary target for hackers, whether or not iOS is technically a little bit more secure than other OSes (and that is debatable), iOS users are in fact increasingly at the greatest risk, because they are the biggest juiciest target. So there may be some technical merit to your claim (though not that much), but the practical reality for iOS users is not any more secure than for Android or Windows Phone users and will only increasingly become worse. So I think your claim that there is some greater security to be had for iOS users has almost no merit technically speaking and in practice is not true at all. Frankly, I think all phones are nightmares and should not be used for anything where security matters (especially banking).
Could we rephrase that to all smartphones? I'm quite fond of my 6310i because I can talk to people, it has physical buttons I can press....! One thing that interests me about the whole security/privacy space is the way words influence us. Calling a smartphone a phone is deeply misleading, because it hides the fact it's also a computer with loads of processing and memory AND associated with you AND connected to the internet and cell network. SpyPhone might be a better description. So I'm with you on mistrusting the things. What's worse, other people voluntarily give up data like contact lists where I'm listed on them, and I have NOT CONSENTED - and have no recourse. The other word I'm getting aerated about is "browser". Again, function creep and the ability to run arbitrary unsigned code (unless you spend loads of time turning stuff off), cookies, etc) - browsers are now smart dumb terminals onto the various mainframes (aka webservers). People volunteer their computers to run the spyware that the corporations want to "give them". Free is way too expensive.
Yes, and the guts of plain cellphones are still under total control of cellular service providers. But if you add old-school audio-coupled third-party voice encryption, it's arguably secure.
Cost of a iOS zero day exploit $250,000 ++++. Cost of a Android zero day exploit $25,000 if your lucky. And smartphones are a nightmare. But the ecosystem is getting better in terms of privacy controls. There are some very good encryption tools available now. Both iOS and Android have encryption built into the OS these days. And there are many chat, sms, phone call encryption type programs now.
Yes, I suppose I meant smartphone. Though mirimir's point about old-school phones is also well taken. And you are, of course, correct that smartphones are really computers (but with much less potential user control over them than laptops, etc.) and browsers are something else (I don't know if they're semi-smart terminals or rather pseudo-virtual operating systems). Both (smartphones and browsers) serve the purpose of removing the user more from the underlying system and handing control (and ownership) over more to the party that created the system.
@cb74 - at least old-school phones (as far as content interception is concerned), are subject to POTS circuit-switched legislation - IOW, warrant and probable cause. Which is what I agree with as a citizen. What I don't agree with, is the bulk suspicion-less data collection and search of cellphone metadata including location, which applies to cellphones of all types. At least the US is making glacial progress on that one, we'll see what benighted legislation emerges in the UK.
Yes, I agree. Although when I said "old-school phones" I was trying to acknowledge mirimir's point about "plain cellphones" (i.e. cellphones that are not smartphones). So many different types of phones these days it's hard to be clear what one is talking about!
Hi Mirimir, Please check and add the following email solutions as well... https://lavaboom.com/ https://scryptmail.com https://www.ghostmail.com/
Of the various secure/encrypted email options, which one is the easiest to use when sending/receiving email with recipients that don't have/use the same type of secure/encrypted email account?
They are much the same really. All have good points and weaknesses. I have accounts at most of them and there really isn't a best option. I would put a * next to RuggedInbox.com because it didn't work when I signed up fro account.
Scryptmail looks interesting. They have quite a list of features. Anyone know more about them, have any experience, opinions? I do find their explanation of why it doesn't make a difference if their servers are in the U.S. or Germany of Switzerland to be fairly bogus: https://blog.scryptmail.com/q-a/ Essentially they just say, well bad things have happened in Germany and Switzerland too, and ignore that no one said these places are perfect--but that doesn't mean that the differences in laws and how the courts work aren't real. It just seems like bad reasoning in which they point out a couple things and then draw a false general equivalency between different countries. If I'm supposed to be convinced by that, then I question a little bit their reasoning about other things. They also, like many new sites, make a big point that all of their code is open to review, in a way that is not completely true for Protonmail or Tutanota. But of course, the fact that the code of a small not well known enterprise is open, doesn't in fact mean that it has been reviewed. In principle, of course, open is better, in practice, it's not if no one reviews your code (or you don't go out of your way to get a recognized third party to do so). Anyway, I do like all the features they've included in their interface.
Do any of these providers have the ability to send some sort of alert or notification to another standard email account when you receive mail in your Inbox -- or do you actually have to login periodically to see if anything has arrived? As you can probably tell from my question, one of these services would not be my Primary email address, so I was just wondering how to simplify the process of having to check for any new (received) email.
I believe Protonmail.com sends a email to the email account you signed up with when a new email is received to your Protonmail.com account.
Yes, Protonmail does this. Though as mirimir notes, you may not want to link accounts, depending on your purposes. I think Scyptmail also says it does in their feature list (though you can see from my post above that I have questions about them). Others may do it do, I'm not familiar with all of these services.
Hi to everyone, thank you for bringing the point we described in our FAQ area. It is obvious now, we was not very clear and need more work over there. What I was really trying to say when compared different countries, is that if you really offering end-to-end encrypted email service, country shouldn't be the first things to make decision on what email to choose. So to speak there is handful services making their only value at being located in Swiss or Germany, which are not perfect. Bringing attention to this facts is what I tried to achieve. Open code can not guarantee security neither reliability, but at least it is the first step to give ability to inspect the code if someone willing to do so. If data at rest is encrypted, how is one country laws can make it more secured? Other than that, thank you for considering our service and the feedback. Constructive criticism is what making us better after all.
Hi Scryptmail, Good to see you in the forum. I appreciate your response, but I think it still elides a couple points. First, perhaps there are email services marketing themselves as being in other countries than the U.S. and that's their main advantage. But two of the main encrypted email services discussed in this forum and this thread, Protonmail and Tutanota, clearly do not fit in this category. And as far as I know, they are among the services mostly heavily promoting their location as a benefit. They also use end-to-end encryption in an equally sophisticated manner as Scyptmail, as well as promoting the benefits of their server locations. It is not an either/or, but rather an both/and. Encryption is good, but location matters too. If you can have both, why would you choose only one? You ask, what does the location matter, if the email is end-to-end encrypted? I think that would be a fair point if we were talking about people using PGP themselves, through enigmail and Thunderbird, to encrypt their Gmail or email through any service. In that case, the user and their recipient would themselves be in control of the encryption. But with an encrypted email service, the user must count of the service properly encrypting the email for them. In a country like the U.S., a service could be forced with a secret court order to intall a back door in their software and not inform their users. This is not hypothetical, but the sort of thing that has happened (probably more times than we know). And it would totally obviate the benefits of end-to-end encryption technology, since the technology would have been secretly defeated. This is the fundamental problem with services in the U.S. Legally, courts do not have this sort of power in Germany and especially Switzerland. Of course, that's not a perfect assuarnce (illegal things do happen). But still the law matters, not just technolgy. The U.S. has shown itself to be one of the most aggressive collectors of information, using all technical and legal means at its disposal and often bending the limits of the law far beyond what anyone would recognize as legitimate. Germany and Switzerland have very different attitudes about privacy and spying. Further, for a U.S. resident, U.S. court orders are obviously not valid in Germany or Switzerland and so that provides further legal protection. So, with all do respect, I don't agree with your assertion that encrypted data on an email service's server in the U.S. is immune from legal means of coercion that would defeat the benefits of encryption. Second, you assert that open code is not a panacea, but at least it's there if someone wants to look at. However, in my post that you quote, I noted that there is a big difference between open code from a small operation that no one is going to look at (most users aren't coders), which is more of a thing to promote than a real benefit, and a company going out of it's way to get a legitimate third party to review their code. Some companies do that. It's not just a hypothetical suggestion. I think making sure a third party code review actually happens is putting one's money where one's mouth is, as far as open code is concerned. Simply promoting the openness of code that no one is going to review is a bit like promoting the benefits of email in Germany or Switzerland, while ignoring encryption. In any case, good luck with Scryptmail. It looks quite nice and feature rich, compared to other services. I may try it out. But the above points still concern me. Cb
