Secure (not anonymous) email services

Discussion in 'privacy technology' started by _j_, Aug 7, 2010.

Thread Status:
Not open for further replies.
  1. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    While this approach may not be as transparent as the original poster would prefer, the reality is that implementing any change impacting users requires some learning -- but, with an email client such as Outlook, the incremental effort to send/receive encrypted email is minimal (using, for example, a VeriSign Class 1 Digital ID). You don’t even really need PGP.
     
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Yes, it was strange as I had to turn off Privoxy in order to access that site which was a first for me since I began using Privoxy.

    While countermail does look impressive, secure and offers some anonymity that the others don't, it still doesn't solve the problem all the others have as evidenced by the bottom of this screenshot - and that is "the emails are stored to disk on the mail server"

    We all know how to secure email between parties that put email encryption in place and this simple function solves all the trust issues. The tricky part is finding a secure service to use where your emails are "stored encrypted" on the server "even if they weren't firstly encrypted client side" ;)

    This would solve "all the issues", at least on 1 end, dealing with contacts who can't be bothered using encryption.

    Not sure how this could be accomplished but something like a key pair created client side with the server having your public key and access to your account only gained by entering the private key client side.

    Any thoughts on this concept as this is what I'm looking for??
     

    Attached Files:

    Last edited: Aug 9, 2010
  3. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Doesn't the Lavabit email service claim to provide this functionality? Please see: Security Through Asynchronous Encryption.
     
  4. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Interesting Pleonasm - Thank You

    Your knowledge is much greater than mine ;) - does this Asynchronous Encryption sound like it can still be backdoored by Lavabit if pressured by the NSA or other anti-privacy branch o_O ?
     
  5. 58115

    58115 Registered Member

    Joined:
    Jan 8, 2010
    Posts:
    23
    The countermail website says they (if countermail is more than one person at all) start the servers from a CD. That means they don't have it at a professional hoster or at least racks. They run it from a normal computer from their basement. I guess they (?) have maybe a hundred customers. Rather a few dozen. And you are one of them.

    I'd never trust such an outfit.
     
  6. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Just to clarify, the webserver is run from cd but the mail server is hard disk.
     
  7. microbial

    microbial Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    156
    Location:
    UK
    Not necessarily a bad thing ;)
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    It's always a mystery to my simple brain why people want to use an inherently open method (www) to send secrets.

    Now we are looking for an ISP to facilitate this notion and all big brother has to do is produce a search warrant and bingo your secret is exposed!

    Good luck on that approach.

    If you must send secret messages in the open/clear at least use code to make it harder! My grade 7 grandchild has a code book that can make messages unreadable. No unlock key needed, all I need is the method and I can decode them.

    Or even better put your message in an attachment (text) remove all the identifying properties and encrypt the message. Of course your friend will need the key ( snail mail it).

    So all I have to do is use the grade 7 code book methods and encrypted text attachments. Or I could use psw protected excel files instead!

    Then when you get done with decoding the message all it says is what's for dinner?:D

    Seriously if we have real secrets don't use the INTERNET.
     
  9. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    According to discussions from other forums countermail.com runs a script on their server once an hour which encrypts received emails with the account's public key; i.e. a received clear text email will be stored for max 1h in clear on the server before it's encrypted.

    The countermail.com key generation is not as elegant as having the client generate the keys (although on another forum they've admitted it as a technical possibility but there's nothing implemented for it right now); the server creates the keys so the private key is stored on the server with only the pass phrase as protection, unless the user opts to buy the hardware token in which case the private key is put on the USB key and then erased from the server (that is what they claim).

    Now I feel like I'm beginning to be an advocate for countermail.com; the service still has two problems for me; they're incorporated and physically located in Sweden (although they have elsewhere stated that they've already researched alternatives in case they feel the need) and there is no track record; I have no clue who these guys are and if they're doing what they say they do (fine, they've been audited by Comodo).. But my reason for posting here is to find alternatives..

    j
     
  10. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    Just a thought.. I understand that my "specs" are kind of strange and to some extent make little sense (not addressing the issue of the email transmission over the internet and on the recipient's server, the possibility despite all this whoohaa to just sniff the emails as they come in and go out); I wrote so in the initial post. So if you think I'm an idiot for looking for this type of solution, that is ok, you can start a thread called "j is an idiot" and discuss the subject at length if it makes you feel better; it would however be great if you could leave this thread to revolve around the original subject as written in the first post.
    j
     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I don't trust third parties to generate and sign my keys. This is why I prefer PGP and its WOT model over the use of CAs.
     
    Last edited: Aug 9, 2010
  12. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Agreed

    And J, how about a comment on
     
  13. Metastasio

    Metastasio Registered Member

    Joined:
    Aug 8, 2010
    Posts:
    28
    Hear, hear!
     
  14. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Not true at all, there are several providers that can't read their customers email. Read about PKI.

    I suppose you never heard about server co-location? If not, read about this too.
    You make a lot of assumptions that are not true.
     
    Last edited: Aug 9, 2010
  15. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    We have a script running every hour (24 times/day) that is doing PGP-encryption on all non-encrypted emails (like Hotmail, Gmail etc), using your public key. It's only the account-owner who can decrypt these after the script is finished. Attachments are also encrypted.
     
  16. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Sweden is one of the few countries in the world which can't force their email providers to store IP-addresses, which fits us very well. Data surveillance is not any big threat as long as you're using end-to-end encryption in the correct way.

    Yes, we have just opened our service, but we do have people who can vouch for us, but maybe not on this forum, yet. We also have some private corporations changing from one of our competitors to our service. But I can assure you that we did not invest a lot of money and years of development just to trick anyone, our goal is to provide the most secure webmail service on the net.
     
  17. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Thanks for entering this thread Countermail

    I like this idea but still leaves a maximum 1 hour window to access plain text email. Any plans on running this script more often or better yet, is run automatically when an email enters the server??
     
  18. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Yes, we will change this behaviour later this year, filtering all incoming emails directly.
     
  19. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Nice to hear that :thumb:

    Do you offer free accounts and if so, what are the limitations compared to the paid accounts??
     
  20. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    You're kidding about the "code" from a 7th grade textbook, right? It would take all of 5 minutes for the crypto nerds at NSA to decrypt your messages if you used these well-known and very weak ciphers (substitution and transposition ciphers).

    A much better solution is to use a modern cipher like Rijndael (AES) or Serpent where the session key is encrypted with an asymmetric algorithm like RSA. Behold, such a system already exists! It's called PGP (or GnuPG). Using PGP is exponentially stronger than mere codebook ciphers. This encryption is strong enough that governments aren't going to be able to read messages encrypted with them. Therefore, it doesn't matter how insecure the Internet itself is -- no one is going to read these encrypted messages except for the person with the key.
     
  22. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    registered countermail 30 day trial ...
    not sure if I get it right or wrong.... but each time when I send an email.... session is expired...
     
  23. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    We have some problems if you are surfing via a web proxy, but we're working on this problem right now. Are you using a proxy?
     
  24. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380

    nope not thru any proxy.... using Firefox with defensewall..
    I had defensewall disabled but still the same...
     
  25. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I agree that PGP is the preferred approach. However, from a practical perspective, it is important to recognize that not all certificate authorities are equally trustworthy -- and, in my opinion, VeriSign is commonly considered to be highly trustworthy.
     