Is email that provider encrypts, all decrypted at login?

Discussion in 'other security issues & news' started by phkhgh, Jan 31, 2013.

Thread Status:
Not open for further replies.
  1. phkhgh

    phkhgh Registered Member

    Aug 17, 2007
    For email providers like Lavabit, which offer "on server encryption", where the encryption algorithm is based on your PW, is all the email decrypted when you log in?

    What about using POP / IMAP with similar services to d/l mail that's encrypted WHILE it's on their server. Once your client transmits the acct PW, I assume the mail is 1st decrypted & then transmitted to you, using SSL / TLS connection?

    Unless the provider had you install software on your device, it would have to be decrypted & downloaded just like any other (modern) email provider.

    The only real benefit I see of that type of email encryption, is if someone hacks their servers. Unless they also had your PW, they couldn't read the stored, encrypted email.

    That's fine as far as it goes, but technically (though unlikely) they could read your mail once it's decrypted. So could da gubment.

    Yes, I'm aware of using my own encryption, public & private keys, but few of my friends / acquaintances are keen on "going to that trouble." If I send any secret formulas, I will encrypt it.

    It would be nice if there was a way (like sender / recipient both had specific software) that would automatically encrypt / decrypt, when sending / receiving. Yes, that's sort of how public / private keys work, but setting it up & using it is over the heads of many friends, family.
  2. Tr0gd0r

    Tr0gd0r Registered Member

    Feb 1, 2013
    Try Vaultletmail:

    It has some of the features you are looking for, with the added bonus of being able to control whether the emails you send can be printed or forwarded. It even has a TTL (Time to Live) function.

    The downside is you have to use their program to send or receive email, there is no webmail function.
  3. shuverisan

    shuverisan Registered Member

    Dec 23, 2011
    You can use POP or IMAP with Lavabit. I think it gives you the settings in their FAQ. And yes, you give your pw, your mail is decrypted on-server, sent to your browser through https.
    Yes, but if a system is set up well, encrypted mail storage will prevent all 3rd party access. This means employees and govt. Mail providers which give end-to-end encryption are the next step up from encrypted storage providers.
While true, another thing to consider with small companies like Lavabit (especially companies based in the US), is the pressure through the legal system da gubment could impose on them. With a company like Google, they have the leverage to tell the FBI or Dept of whatever to pi$$ off, but a tiny email provider would soil their pants just thinking of receiving a letter with the DHS seal at the top. If they wanted to fight that, they'd need to get organizations on their side (basically, paying their legal bills and providing counsel and publicizing the event like crazy) which is no guarantee, that's if the company even cares.
    Cryptoheaven fits that description exactly. It requires that senders & recipients have the CH software installed, and Java. Even with this method, you still need friends/acquaintances who are willing to use the program. Cryptoheaven is a solid service and you can get it for a VERY good price. Countermail is probably THE other end-to-end provider around here but there are obviously others.
    Last edited: Feb 1, 2013
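The login step discussed in the question and in shuverisan's reply (password sent over TLS, mail decrypted on the server, plaintext returned to the client), as an added example that is not part of the original thread and is not any provider's code. It is a stdlib-only model of "on-server encryption" keyed by the account password: the stored data is a salt plus authenticated ciphertext, so a copy of the server's disk reveals no mail without the password, while the server process holds plaintext once a user logs in. The key-derivation work factor, the HMAC-counter-mode keystream (a real system would use AES-GCM or ChaCha20-Poly1305) and the sample messages are assumptions constructed for the example.

```python
"""Model of password-keyed "on-server encryption" (added example, not provider code)."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; an assumption, not any provider's setting


def derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the password into separate encryption and MAC keys (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream generator (stdlib only;
    a production system would use AES-GCM or ChaCha20-Poly1305 instead)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_message(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_message(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong password yields wrong keys and fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered ciphertext")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def store_mailbox(password: str, messages: list) -> dict:
    """What the provider keeps on disk: a per-account salt and ciphertext blobs.
    The password itself is never stored."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, salt)
    return {"salt": salt,
            "messages": [encrypt_message(enc_key, mac_key, m) for m in messages]}


def login_and_fetch(mailbox: dict, password: str) -> list:
    """The login step: the client sends the password over TLS, the server
    re-derives the keys and decrypts on-server. From here on the plaintext
    exists in the provider's process memory, which is the residual trust point."""
    enc_key, mac_key = derive_keys(password, mailbox["salt"])
    return [decrypt_message(enc_key, mac_key, blob) for blob in mailbox["messages"]]


def snapshot_contains(mailbox: dict, needle: bytes) -> bool:
    """Does a copy of the stored data (what a server breach yields) expose
    a given plaintext fragment?"""
    return any(needle in blob for blob in mailbox["messages"])


# Constructed sample mail for the example, not real messages.
SAMPLE_MAIL = [
    b"Subject: lunch\n\nNoon on Friday?",
    b"Subject: formula\n\nSecret formula attached.",
]

if __name__ == "__main__":
    box = store_mailbox("correct horse", SAMPLE_MAIL)
    print("breach copy exposes plaintext:", snapshot_contains(box, b"Secret formula"))
    print("after login the server holds:", login_and_fetch(box, "correct horse"))
```

The split into two keys matters: reusing one HMAC key for both the keystream and the tag would let the two uses collide on equal-length inputs. Note also that this model only covers mail the server encrypts while the user is present; encrypting newly arrived mail when nobody is logged in needs a key the server can use without the password (for instance a public key whose private half is itself password-protected), which is a separate design question the thread does not go into.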
  4. phkhgh

    phkhgh Registered Member

    Aug 17, 2007
    Thanks Tr0gd0r & awkwardpenguin,
    Thanks for details.
    My biggest problem is convincing people to use any system. Though, some systems like jumbleme don't require much on the part of recipients replying in encrypted form. (Jumbleme isn't accepting new customers). Even saving typed text, URLs, quotes to a text file & encrypting it w/ something like 7Zip, then attaching to email is "too much trouble" for most.

    I've gotten into disagreements w/ close, life long friends that keep sending links & articles about this or that security agency being investigated for wrong doing, whistle blower activities or websites, articles about militants in foreign nations, that I don't want my address flagged as receiving stuff w/ all sorts of buzz words / phrases / watched websites, that might indicate interest in some subversive activity. "You are judged by the company you keep."

    But, you must trust 3rd parties like jumbleme. I'm not trading national secrets or dealing illegal goods, so my security needs are fairly low. But going to trouble or paying for something that only gives false sense of security may be pointless, depending.

    Yes, Lavabit would have trouble standing up to LEAs, but Gmail offers no security, other than what users provide (using GnuPGP / keys, etc.). I'd advise anyone - no matter what provider they use - if you really don't want anyone to get at email, use a provider that deletes it quickly, doesn't keep backups. Delete email off servers ASAP.

    That won't matter in case of warrants / NSLs. If it's that important, you'd better encrypt it yourself & trust the recipients implicitly.

    Thanks for info about countermail. I've heard the name but not researched, but will check them out.

    An issue w/ Cryptoheaven - JAVA! Not the most comforting security topic, these days.
    Haven't checked out their "system" so don't know much about it. One issue w/ some "secure" providers in past was, they were forced to hand over stored encrypted data & possibly PWs (though they're SUPPOSED to be encrypted also), or some means to decrypt the data.

Possibly thru some back door, that providers were forced to install. Seem to recall something about Lavabit or others handing over encrypted data. Which raises the issue w/ ANY provider that has any part in encrypting the data (even software they use, loaded on your machine). They could be forced to hand over data and/or install back door. And quite likely, them saying anything about it, might well be "violating national security" or some law.

    But FBI / HLS aren't only ones that could demand access. Any lawyer w/ a warrant, anyone suing you, an insurance co. wanting to fight a claim, divorcing spouse's atty w/ a warrant... on & on. That's why I say - get it OFF their server ASAP & use a provider that purges deleted mail VERY quickly & "normally" doesn't keep BU logs or archives.
  5. wilson_franklin

    wilson_franklin Registered Member

    Jan 17, 2013
    It is a "Trust Me" service so outsiders can't be certain when it is decrypted.

    Outsiders can't even be certain it is encrypted at all.