Does anyone actually use Countermail?

Discussion in 'privacy technology' started by cb474, May 15, 2012.

Thread Status:
Not open for further replies.
  1. cb474
    cb474 Registered Member

    I've been looking at the different privacy conscious and encrypted email services, to find something more private and secure than the usual suspects (Gmail, Yahoo, etc.).

    From the perspective of what I'd like to see in a service (secure most of all, anonymous secondarily), Countermail seems the best, with Lavabit as a second runner up.

    But I hesitate a little bit about Countermail, since I just don't seem to see a lot of people out there talking about actually using it. I've read other threads in this forum (and elsewhere) discussing Countermail's various merits and comparing it to other private and secure email services. But I'd feel more like it's a legitimate business if I had a sense that some people were actually using it and having good experiences.

    Given that the most informed threads about email services, seem to be here at the Wilders forum, I'm wondering is anyone actually using Countermail?
  2. chronomatic
    chronomatic Registered Member

    If you want real security you won't trust your privacy with third-parties. Not a jab at Countermail -- they may be good guys -- but we all saw what went down with Hushmail.

    Get your contacts to create their own GPG keys and exchange them with you. Then set up your e-mail client to work with it.
  3. cb474
    cb474 Registered Member

    Thanks for the comment.

    Yes, I realize from a pure security perspective that would be a superior solution. I have read the many comments in these forums to that end (including with respect to Countermail--and I believe some of those comments may have been made by you in those other threads).

    I would be very happy if everyone I knew was willing to set up a GPG key and exchange email with me that way. But the reality is that I'm pretty sure I don't know a single person who cares and is willing to do that. I'm also pretty sure this is the situation for almost everyone who uses email.

    So the best I can do is hope to maintain the security and privacy of my own messages, including plain text messages. I like that Countermail and Lavabit both encrypt even plain text messages on their servers. That offers a real level of added security over pretty much every other service I've seen (including Hushmail, which does not encrypt plain text messages).

    Anyway, this has all been discussed at length in other threads on this forum. I've read them closely and appreciate the insights people have provided in those threads. But it's really off topic. I don't mean to reproduce those discussions.

    My question (for the reasons explained in my OP) is simply does anyone actually use Countermail? Are they happy with it?
  4. No_script
    No_script Registered Member

    They are solid & know their ****. Now there is tormail all the steroid dealers and dodgy **** has moved there.

    Do I trust it? Well more than Google or Microsoft. But please get rid of that ****ing java applet, terrible security hole.
  5. cb474
    cb474 Registered Member

    Yeah, I suppose that was one thing that made me a little nervous. Other than on Wilders, the main places I found people mentioning Countermail were forums devoted to body building, where I assumed people wanted security for discussing/selling controlled substances (and also on other similar forums). Not exactly the crowd I want to feel associated with. But I realize this could be a problem for any service providing encryption and privacy.

    What's the problem with java to you? A representative for Countermail already has explained in another thread here that it's the only way to do end-to-end encryption with a webmail application. And for those who don't like java, they can use a separate email client with Countermail, to avoid it. See:

    www.wilderssecurity.com/showpost.php?p=1986138&postcount=90

    I don't expect Countermail to be perfect. Chronomatic has already pointed out above what would be a better security solution from a strictly technical perspective. But Countermail is trying to provide a service that deals with real world practicalities. That seems like a worthwhile endeavor to me.
  6. No_script
    No_script Registered Member

    The amount of exploits out there is huge. You're basically screwed using it. I'm not worried about Countermail but other people landing a RAT or keylogger on my PC and then your account is compromised.
  7. cb474
    cb474 Registered Member

    I see, so you just prefer not to have java installed on your system at all?

    (Countermail does offer the usb key option, which I think would protect you from keyloggers.)

    What does RAT stand for?
  8. PaulyDefran
    PaulyDefran Registered Member

    You're both right about GPG...it *should* be used, but no *normal, everyday, regular Joe* correspondent will use it. "Hey dad, first you download GPG4Win, then you have to...." LOL, not happening. A few 3rd party services always pop to the top on Wilder's, and I think they are a viable option. Being in Sweden is a plus. The others are CryptoHeaven (Panama, IIRC) and RiseUp! (Invite only, Seattle/NYC). I run my own email server, but am thinking about getting a CM account just for kicks. I wish they would take Bitcoin, and I wish they would make whatever app that is on their USB key...available for download so we could make our own USB key (or integrate Yubikey somehow)...having to provide an address for mailing adds complexity to trying to create an anon account. The Java thing is a legitimate concern, but they have also explained it, from a security perspective...and I need to run Java for other programs I use, so I'm not bothered by it. And like was said above, you can always just use Thunderbird. I trust them more than Tormail (just from a "who the heck are they, and just what goes on with your mail" perspective...I have no negative info on Tormail). Everything on the big providers, GPG or not, I consider read, correlated, and cataloged...no thanks.

    PD
  9. EncryptedBytes
    EncryptedBytes Registered Member

    There is a monetary cost associated with Countermail's services, which is probably the reason you do not see a lot of activity from users on this forum adopting it. However from a business standpoint and security standpoint there have been no negative reports about them. I would surmise they are safe to use.
  10. No_script
    No_script Registered Member

    Tormail is run by Russian FSB security service
  11. chronomatic
    chronomatic Registered Member

    You know this how?
  12. PaulyDefran
    PaulyDefran Registered Member

    I'd like to know this too. Especially since they tried to switch hosts from a US based one, to a Russian based one, and had the .net domain locked, and had to switch to .org. Just words on a screen, I know, but a pretty convoluted ruse...but I guess anything is possible :D

    PD
  13. No_script
    No_script Registered Member


    Someone told me, even if it isn't I still wouldn't use it. Way too sketchy.
  14. Countermail
    Countermail Registered Member

    We have several thousands of paying customers, so someone is using our service :)

    Yes, that's the disadvantage when providing this type of service. But it's hard to act as a private judge, in most cases we need a court order before we will close an account.

    There is no encryption in the world that will protect 100% against a compromised computer, but using a keyfile will give very good protection against keyloggers.

    I always recommend using security addons like Noscript (which disables Java & Javascript by default), and activate Java/Javascript only on the pages you trust.

    Our Java applet is signed by a code signing certificate, this is something that makes it much harder to forge/falsify. And as I have written earlier, it's impossible to get end-to-end encryption in a web browser without a signed Java-applet.
  15. hashed
    hashed Registered Member

    I am currently evaluating Countermail and thus far I like it. Like PD said I wish they would take BTC. Countermail, do you mind if I send you a question in private, regarding payment alternatives?

    Thanks,

    ~h
  16. cb474
    cb474 Registered Member

    Thanks to all who replied. I'm glad to see a couple people on Wilders are interested in Countermail.

    *

    Yes, I suppose you're right. I've seen people here complain that Countermail doesn't have free accounts. It baffles me that people think they should be able to get security and privacy for free from a webmail service. An email service has to have a business model, so if they're not doing targeted advertising, how are they supposed to make their money--at least to break even and pay for the equipment that runs the service? If you're not paying the service directly, there's got to be strings attached and/or potential conflicts of interest.

    I actually see paying a reasonable fee for the service as a security benefit. It aligns the interests of the email provider and my interests as a client more closely (as opposed to Gmail, Yahoo, etc., that are just riddled with conflicts of interest). If they don't provide the service they say they're providing, I'm going to stop paying.

    Compared to other expenses in my life $59/year ($4.92/month), for Countermail, is a pretty minimal cost (certainly a lot less than I pay monthly for broadband, cell phone service, etc.). And if that's too much, you can get Lavabit for $8/year. That's practically free. Unless you're dirt poor, I just can't understand the perspective from which someone who wants privacy and security can't stand to pay $8/year for it. People drop more money for a couple apps on their phones in a day (or a couple beers, a burrito, whatever). The people at Lavabit can't be making any money on that; they're just breaking even to provide a service that they think is important.

    It's weird this world in which people expect to get everything for free. I'm happy to pay a fair price, when I can afford it.
  17. chronomatic
    chronomatic Registered Member

    The reason is you can already do it for free and have even more assurance of security. You can do this by having your contact create a PGP/GPG key-pair and by having him send you his public key. It's free and there's no middle man.

    The problem, as mentioned already, is most people don't want to create their own keys and learn how to use PGP/GPG. This is either because they don't know how or simply don't care. My opinion is, unless someone is competent enough to know how to use PGP correctly, they are probably not competent enough for me to be discussing "sensitive" things with. Why? Because the crypto itself is not the weakest link -- the user is. If he doesn't understand how the system works, he isn't going to understand how to keep it secure. This doesn't matter if you're using PGP directly or a service that uses it for you (countermail).

    Personally, I feel that crypto is fine for some threat models, but probably pretty useless against TLA's who want you badly enough. They will find other ways to get your info even if they can't break the crypto directly.
  18. cb474
    cb474 Registered Member

    Chronomatic, I appreciate your reply, but I think you're missing the point of my interest in Countermail, which I have already explained above. I'm not trying to achieve perfect technical encryption for discussion of sensitive matters. I just want to have reasonably secure (from identity thieves, for example), private, email, that's not scanned for targeted advertising.

    As I and others already said above, in the real world, of day to day actual email use, no one except a tiny handful of people are going to setup a system with PGP (like Thunderbird and Enigmail, for example). So for all the actual emailing that I (and almost everyone) do on a day to day basis, this solution is useless. Countermail (or the like) is just an improvement in security and privacy over Gmail, Yahoo, etc. And it provides the convenience of a webmail application, if one wants that. It is not an alternative to PGP with Thunderbird, or however one wants to otherwise accomplish end-to-end encryption, without having to trust a third party service provider.

    That said, I think that if the reason people do not want to pay for Countermail is because they can already set up PGP for free on their own, then people on this forum would not be posting in many different threads that they wish there were free accounts on Countermail, Lavabit, CryptoHeaven, and the like. Those people obviously aren't just going off and using free PGP applications on their own and being content with that, since they are directly expressing a desire to use these services if they were free. It is that desire that one should get something for nothing, which I was critiquing.
    Last edited: May 17, 2012
  19. PaulyDefran
    PaulyDefran Registered Member

    IMO, after content, the biggest privacy risk is who you talk to, when, and how much. These last three are obtainable in the US with a very, very low 'burden of proof'...sometimes by just paying a small fee and going to an LEO 'web portal'. GPG or not, if it's on Gmail, Live Mail, Yahoo!, etc... your stuff is being looked at. It's common knowledge that Gmail has at least a machine scanning all content in order to target ads. I can speculate that I bet that thing also queries a 'Key Word' or 'Known Associates' list, and sounds off a big red siren if it sees anything interesting...but I may just be paranoid. *Who* stores your email, is as important as how you send it, IMO. In that case, CounterMail, CryptoHeaven, etc... provide more protection than just GPG'ing your Gmail.

    PD
  20. EncryptedBytes
    EncryptedBytes Registered Member

    No you are correct; it all comes down to how individuals value a service. If Countermail was free I would be concerned as I am with some of the other alternatives posted here regularly from time to time. A couple users mentioned Tormail, which is my biggest red flag alternative of them all. One of the first questions that comes to mind even before I weigh security implementation concerns, is privacy of my data. If the service is free, how are they making their money? Who owns Ultasecuremail Corp? What are their policies?

    I would like to add any email not hosted on your own local device and stored in a webmail cloud environment is considered abandoned in the United States after 6 months and can be looked at without a warrant. Something to keep in mind.
  21. hashed
    hashed Registered Member


    I have NO problem at all with paying for CounterMail; as others have said on this forum, you have to make money some way, and as there are no ads on the website, that's the only way I could see them staying afloat :)
  22. hashed
    hashed Registered Member

    Just curious PD, do you yourself have any of those more general email accounts? I know I do, and I am trying to decide if I want to unload them.

    ~h
  23. PaulyDefran
    PaulyDefran Registered Member

    Do I still have them? Yes, but I don't use them. Stuff like "New Cat Food Sale!" comes in on the various accounts, but that's about it. I decided enough was enough, and purchased Ability Mail Server. They'll have to come to my house if they want to poke around in my inbox.

    PD
  24. cb474
    cb474 Registered Member

    Yes, I think that's a good point. Countermail, etc., may not be perfect, but it has many privacy and security benefits over Gmail, etc. It is precisely this question of who and how email is stored, which is one of my main concerns. For example, just with online purchases, one is often sent a receipt that includes your name, address, phone number. People's inboxes are often a treasure trove of personal information, handy for identity thieves. And they're sitting there, unencrypted, protected by a password like "password" or something equally ridiculous. It's an often overlooked security risk.

    This is an important point too. I don't like the idea that a government could secretly issue a warrant to search my email and do so, without me ever knowing. At least if the email is encrypted and I am the only one with the password or if it's on one's own server, they would have to inform you that you're under investigation, since the warrant would have to be issued directly to the person in question.

    That aside, I don't think I'll do this, but I'm curious, if you're running your own email server at home, don't you have to have it on a system that's always up and connected? That wouldn't really be practical for me (since basically I just have my laptop that goes with me everywhere and is not running all the time).

    *

    That's interesting. I do vaguely remember hearing something like this a while ago. Does this apply even to an email account that's actively in use? In other words, if I'm actively using a Gmail account on an ongoing basis, are all emails in my inbox more than 6 months old legally considered abandoned and therefore searchable without a warrant?

    *

    This is where I'm at right now. I feel like I know the security risks. I need to get off the free services. And just for my own sense of privacy, I don't like the idea that my email is being scanned for targeted advertising or any other purpose. And as I said above, the cost seems minimal given the considerable advantages. I'm leaning toward Countermail. But as I also said above, for $8/year for Lavabit (where all your emails are encrypted and nothing is scanned) how can you go wrong? Indeed, when I emailed Lavabit someone there told me that the guy who started it, like people here, was just fed up with Gmail and its lack of privacy and wanted to provide something that wasn't doing that. It really seems like a project he's providing more as a public service, given that he can't be doing more than breaking even for $8/year.
  25. chronomatic
    chronomatic Registered Member

    I know, I was just responding to the other guy. If you just need a modicum of privacy from passive snooping, then countermail is likely to be just fine. Hell, Hushmail is probably OK for that too. But I wouldn't trust it for any sort of "real work" like Fortune 500 business secrets and the like.

    Well GPG/PGP takes some work and takes some knowledge, so in that sense it isn't free. But I am not against countermail or anyone else charging for their service.

    I agree. Knowing who is talking to whom is a big part of "intelligence." But even if you use countermail, it wouldn't be hard to figure out who is talking to whom. So, really, it is no better than using PGP/GPG over Gmail. If you need anonymity as well, then there are other ways to achieve that and for free.

    Well, the whole point of tormail is anonymity. Since it is using an .onion address, it is by definition anonymous. This means the deliverers want to remain anonymous as much as the users. Looking at it like that doesn't make me suspicious -- they probably want to provide a service but don't want to be held accountable for any nefarious activities (though they do try to stop spammers).

    The bottom line is, if you trust Tor, then the Tormail people can't track you. So in a sense, it doesn't matter who they are. I suspect it is just a couple of guys who have access to an old box they use as a mail server. It could even be a group like EFF behind it to help people in oppressive countries. I am speculating. We just don't know, which is kind of the whole point.

    Good point. This is why I don't like gmail. I have some personal conversations with people on there and I don't like the thought of anyone being able to view it without a warrant. But they can. Unfortunately most people I talk to in email just don't care about privacy (because they are ignorant and are not aware of the fact you just stated).

    The problem is, there is simply no way around this "6 month rule" unless you run your own mail server. And since almost no ISP will allow you to do that (against TOS), then we are all forced to have our mail stored on someone else's server. There's no way around it. Since this is true, I just use Gmail since it is the "best" of all the snooping mail services.
    Last edited: May 17, 2012