Which Secure Email Provider?

Discussion in 'privacy general' started by TomAZ, Dec 28, 2017.

  1. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Imagine this: I'm on the phone with someone, they ask for my email
    I spell it out for them: name.surname@tutanota.com
    I get the response "tuta what?"
    Tutte means tit in Swedish which doesn't make it any better btw.

    Didn't know they had other domains, will check it out for sure!

    Keemail is too close to keymail so that won't cut it either.
     
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes, I see where you're coming from, but when giving someone an email address over the phone, unless you are lucky enough to have a name like john.smith@whatever.com it is usually a matter of spelling it out letter by letter anyway.
     
  3. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    With posteo I can spell it out as post-e-o which is a lot easier than t-u-t-a-n-o-t-a
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I had to laugh when you said tutte means tit in Swedish, I can imagine the scenario.
    Having said that, some years ago one of my work colleagues, who had me in his contact list, told me his wife took issue with it because my email address was myname@hotmail.com
    She misread it as, "hot male" dot com and accused him of joining gay porn sites! :argh:
     
  5. klarm

    klarm Registered Member

    Joined:
    Apr 7, 2012
    Posts:
    85
    Location:
    europe
    what about startmail guys?
    didn't see that mentioned. are they bad in some way?
     
  6. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    https://www.startmail.com/en/privacy/
    They mention absolutely nothing about whether or not they can access your emails. Also, they are ~6 times more expensive than Posteo.
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, and even easier is mailbox.org as in https://mailbox.org/en/. It's an excellent alternative to posteo.de. I've been using it for several years.
     
  8. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Yes I considered those at first, but from what I could gather from their site they can access your emails if they want to. Posteo can't access your emails at all if you've encrypted your inbox.
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Neither can mailbox.org.
     
  10. 142395

    142395 Guest

    There's some old info here. ProtonMail doesn't require 2 passwords anymore, tho you can still use 2 passwords if you want.
    I saw someone on Malwaretips say Tutanota uses AES128, but it's been a long time since they pushed the change to AES256, tho their official page still says it uses AES128.
    (IMO, AES128 is secure enough for the foreseeable future, don't be too scared by quantum computers)
    Another web site says (but with a caveat) that registering with Proton requires a GSM phone number, but that's not true, and unlike the caveat suggests, using a CAPTCHA should not be much of a problem.

    I'll highlight diff btwn Proton & Tutanota.

    Proton:
    While web app is opensource, their mobile apps are still closed source(!!). There's no ETA about open sourcing.

    They follow OpenPGP standard so there're more eyes to monitor vulnerability. Attachments & contacts are also encrypted.

    They have a bug bounty program, tho the amount is small. It seems they're more constantly scrutinized.

    They have option to choose RSA4096, so you'll be safe even after 2030. I know 12 years is almost eternity in IT and am sure Tutanota will change their RSA2048 key until then.

    Their Android app requires more permission than Tutanota, especially it requires Sticky broadcast which is deprecated and not recommended. I hope they don't include ANY sensitive info in the broadcast. IDK why they still use it, bit concerning.

    Their mobile apps allow you to put PIN protection.

    You can view authentication log (login succeeded or failed, etc.) if you enabled it, tho potentially have privacy concern.

    They offer ProtonVPN, but free plan is very limited.

    They plan to add option to contain others' public key in contacts. IDK if it means we can communicate to other PGP user.


    Tutanota:
    Full OSS

    They reinvented the wheel. While it enables them to encrypt the subject line, which is not encrypted in Proton, it also introduced a vuln in the past (it seems the link to the vuln is dead?).

    They were audited by SySS GmbH in 2011, but it's not clear if they're constantly audited.

    They offer FIDO U2F as a 2FA which is the most secure 2FA method. Their mobile app currently doesn't support 2FA but it's planned.

    They seem to have a stringent password policy that doesn't allow users to use weak passwords.

    They plan to add an encrypted calendar, storage, etc.
     
    Last edited by a moderator: Jan 12, 2018
  11. netbook0tr

    netbook0tr Registered Member

    Joined:
    Nov 7, 2010
    Posts:
    24
    Location:
    england
    I used ProtonMail and MailBox in the past but I am now using Tutanota.
     
  12. ZMsiXone

    ZMsiXone Registered Member

    Joined:
    Mar 30, 2017
    Posts:
    326
    Location:
    EUROPE/poland/germany
    I'm using ProtonMail. This provider seems to have a quite good reputation and also seems to be very popular.
     
  13. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    735
    Location:
    South Park, CO
    I've been using Proton mail (on the desktop only) for about a year, very happy with it so far.
     
  14. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    255
    Location:
    Albany, CA
    I use ProtonMail and Tutanota. Don't know that one is better than the other. If you count general irritation and difficulty of use as an indicator of higher security, then try mail1click.com. I also use mailfence.com (it replaced safe-mail.net), although most pan it. Frankly if I was wanting a high security email account, I would deploy TAILS, and find a Darknet email provider.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    All I care about is reliability and deliverability. I mainly use Riseup and VFEmail. And sometimes c**k.li and its aliases, but it's blacklisted on some mail servers and sites. I do my own end-to-end encryption with GnuPG. And I use VPNs and Tor to minimize worrisome metadata. I have used onion mail servers, but they don't tend to last for very long, and there are sometimes deliverability problems to clearnet, or even to other onion mail servers.
     
  16. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I must agree the "short term" tendencies of darknet email providers can become problematic if your circle of contacts is more than a few folks. Even if ALL participants only use the same darknet provider, you just wake up one day and again the whole server is gone. Happened more than once to me and my buds. We/I am hoping that protonmail via onion only will be around for awhile. It's sometimes a little slow since the protocol is so secure signing on, but in the end I am hoping not to wake up to a dead email system. I will always gladly sacrifice speed for anonymity and security. Easily nest gpg2 messages on top of their alleged already secure methods. No metadata, BUT this only works for like-minded associates. Forget it for real name stuff and my friends in that arena.
     
  17. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    255
    Location:
    Albany, CA
    I could be wrong, but I would tend to assume that those most attracted to using a Darknet email provider would be spooks, whistleblowers, blackhatters, etc., and I doubt any of those would value long term reliability... more likely a short term throwaway account would be more desired.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Some people run onion sites, for example, and need stable email addresses.
     
  19. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    This thread is a couple of months old. But recently it seems like everybody is changing their TOS. Can we continue this discussion?
    Which Secure Email Provider?
    I still don't know what to think.
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    At the risk of being boring, the "secure" part is encrypting stuff locally. Using, say, Thunderbird plus Enigmail (GnuPG). And getting contacts to do the same. What happens between you and them doesn't really matter. All adversaries can likely do (unless you're a really hot target) is get messages dropped. They can't be read or altered.

    Then there's metadata, of course. If that matters to you, y'all need to be using Tor. Most easily, Whonix.
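    As an added illustration of the point made above (a constructed example, not code from this post, from GnuPG or from Enigmail): a provider-side relay that stores whatever it is handed, and a user side that encrypts and authenticates locally before handing anything over. A pre-shared symmetric key with an HMAC-SHA256 counter-mode keystream and encrypt-then-MAC stands in for OpenPGP's public-key hybrid encryption and signatures; the property demonstrated is the same one the post describes: the relay sees only ciphertext plus envelope metadata (sender, recipient, size), any alteration fails the integrity check, and dropping the message is the one thing left to it. The addresses, message text and key are made up.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# ---- user side: everything here runs on the sender's / recipient's own machine ----

def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Split one out-of-band shared secret (stand-in for the OpenPGP key exchange)
    into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC locally; nonce || ciphertext || tag is all the provider ever gets."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(shared_secret: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a single flipped bit anywhere is rejected."""
    enc_key, mac_key = derive_keys(shared_secret)
    if len(blob) < 48:
        raise ValueError("truncated message")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message altered in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

# ---- provider side: a relay that stores whatever it is handed ----

@dataclass
class Relay:
    mailbox: List[Dict] = field(default_factory=list)

    def submit(self, sender: str, recipient: str, body: bytes) -> None:
        self.mailbox.append({"from": sender, "to": recipient, "size": len(body), "body": body})

    def visible_metadata(self) -> List[Dict]:
        """What the relay can read without the key: envelope data, not content."""
        return [{k: v for k, v in m.items() if k != "body"} for m in self.mailbox]

    def tamper_last(self) -> None:
        """A compromised relay flipping one ciphertext bit of the last message."""
        body = bytearray(self.mailbox[-1]["body"])
        body[20] ^= 0x01
        self.mailbox[-1]["body"] = bytes(body)

    def drop_last(self) -> None:
        self.mailbox.pop()

def scenario() -> Dict:
    """Walk one message through the relay: read attempt, alteration attempt, drop."""
    shared_secret = secrets.token_bytes(32)          # constructed: agreed out of band
    plaintext = b"meet at 9, bring the documents"   # constructed sample message
    relay = Relay()
    relay.submit("alice@example.org", "bob@example.net", seal(shared_secret, plaintext))
    stored = relay.mailbox[0]["body"]
    result = {
        "relay_sees_plaintext": plaintext in stored,
        "relay_sees_metadata": relay.visible_metadata()[0],
        "recipient_reads": unseal(shared_secret, stored),
    }
    relay.tamper_last()
    try:
        unseal(shared_secret, relay.mailbox[0]["body"])
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    relay.drop_last()
    result["messages_left"] = len(relay.mailbox)   # dropping is the one move the relay still has
    return result

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

    Running it shows the relay's stored copy never contains the plaintext, the metadata dictionary it can read carries sender, recipient and size (which is the "then there's metadata" point), the tampered copy is rejected before decryption, and after the drop the mailbox is empty. Swapping the symmetric stand-in for real OpenPGP keys changes the key management, not which of these outcomes the provider can influence.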
     
  21. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    My problem is nobody I've ever corresponded with is willing to encrypt. I stopped sending 7zip files cause everyone flipped out.
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yeah, well. Maybe there's nothing that needs to be encrypted ;)

    As one might imagine, I receive occasional more-or-less scandalous inquiries. And most of them aren't encrypted. I tell people, but what can you do? Mirimir isn't shy, so he doesn't really care :)
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I think it hasn't been mentioned in this thread: There is MECSA (My Email Communications Security Assessment) offered by the European Commission - a great tool to assess the security of your email provider. An excellent comparison table which is regularly updated and uses the MECSA findings is available here.

    You can click the lines in that table and get directed to the detailed MECSA results. Sometimes newer results are available.
     
  24. Would avoid ProtonMail. They have to comply with the Swiss data retention legislation just like any other e-mail service and in fact already have handed over data to Swiss law enforcement authorities.

    "ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws."
    Where exactly are the servers located? There is no such thing as "Swiss privacy laws".


    "Therefore, we handed over available data in this case without waiting for a court ruling"
    https://protonmail.com/blog/transparency-report/


    Now, do they store the data or not? "Your encrypted data is not accessible to us"
    https://protonmail.com/security-details

    Snake-oil merchants, if you ask me.

    Recommend VFEmail.net. Fended off the DDoS some years ago where ProtonMail, which also was concerned, crowdfunded the ransom money and in the end pocketed it. VFEmail has got some nice features: Secure delete (have to pay) and an onion address. One-man show but at least the guy has proven to be trustworthy. And he knows the trade.
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, the boilerplate in that canary report is "...Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography".

    Is there any evidence that ProtonMail has access to plaintext? If it's just ciphertext, and they don't have your private key, that's not such a big deal.
     