Private Email Services

Discussion in 'privacy technology' started by RCGuy, Apr 4, 2013.

Thread Status:
Not open for further replies.
  1. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I feel your pain... that is always my biggest hurdle as well. If it were solely up to me every single email, IM, PM, etc... I ever send would be encrypted end to end. But the people on the other end of the equation don't take the time.

    But on a bright note, they're not the types of people I'd need to encrypt my conversations with anyway. It's just run of the mill BS'ing. The few people I do discuss what may be deemed sensitive things with ARE on the same page with me.

    I mean if I had a choice even the frivolous conversations would be private. I feel we're entitled to our privacy period, and not a fan of the "if you have nothing to hide you don't need to hide" rationale. But you just can't get "them" to cooperate, and if you voice your convictions it may only serve to get you laughed at and called a conspiracy theorist.
     
  2. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    There's an argument for encrypting everything. If all plaintext conversations are frivolous, observers would be more confident that encrypted conversations are important.
     
  4. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Yep...seems too much "trouble" for most. No problem for business, but personal / casual is a no go.

    Must admit that I am only becoming serious about it now, only because of hearing horror stories out there even for people who have nothing to hide.

    The vast majority of us have been complacent about privacy.
     
  5. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Clever observation!

    Are there any services/products that encrypt in a way that camouflages the message with another message, kind of like inserting a message in a jpeg file?
     
  6. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    I am looking at mutemail; it looks pretty good. Has anyone tried this service?
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I just noticed that Countermail is accepting Bitcoins. That's very cool!

    I'm also reminded that they provide an IMAP server, so one can use Thunderbird with Enigmail for local encryption (using keys exported from Countermail). However, I'm not sure whether headers in messages to other Countermail accounts are still hidden. I'm guessing that they are, because the connections use SSL/TLS and "internal" messages wouldn't leave Countermail servers. But it would be great to have confirmation.

    Also, I wonder whether it's possible to create a Countermail account without using the Java applet. As long as one were using Thunderbird with Enigmail, one could just generate a key pair locally. What am I missing?

    Regarding privacy, I see "How do you handle court orders? What information can you provide them with?" at https://support.countermail.com/kb/faq.php?id=56. Although that sounds really great, it's hard not to worry, in light of recent revelations and events. I wonder what's happening in Sweden.

    Edit: I see this in the court order FAQ:

    So which is better, totally private local encryption with plaintext headers in stored email, or full remote encryption using a browser with the Java applet?
     
  8. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    With the shutting down of email services from Lavabit and Silent Circle, are there any other secured and reliable alternatives?

    I am an average user, definitely not getting myself involved in illegal activities, so I have no issue with authorities looking at my email.

    However, I will be registering the email address for e.g. Paypal, bank account notifications, insurances, credit cards, Amazon, eBay and other online retailers etc.

    With the above usage and also sensitive information, I don't want the administrator / helpdesks looking at this information.

    It should be reliable enough to stay in business. Imagine if one uses Lavabit for the above purposes.

    What are the other email alternatives? Free and paid?

    Thank you in advance !!:)
     
  9. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    IMAP/SMTP do not support headerless emails or encrypted headers.
    However, IP addresses are never stored in any header/email sent from a CM-user; we have filters that remove them. But of course it's more secure to send email to another CM-user since the email never leaves our server.

    You must first create an account, using Java. There are several ways you can use Java securely: https://support.countermail.com/kb/faq.php?id=52

    But you can replace your keypair after registration, you can create them with any PGP-compatible program. Then you need to email us your new public key. And delete the old private key from our server.

    We have also added another FAQ: https://support.countermail.com/kb/faq.php?id=74
    Nothing new has happened in Sweden, we still have good privacy laws, compared to many other countries.

    One problem with third-party email clients is that they are not designed to do something extra to protect the user. Our applet has some extra features, like DNS/IP-check to detect if "countermail.com" is pointing to the wrong IP. Extra session encryption to protect login credentials, while an email client is more vulnerable to SSL-MITM attacks. Our applet can read USBs and use them as a token and as keyfile, to give better protection against keyloggers and other attacks.

    But Thunderbird is pretty good compared to other clients. For example, Outlook does not support secure password authentication (Cram-MD5/DigestMD5); in Outlook you have to send the login key/password in plaintext.
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    NOW they implement Bitcoin! :D I had to renew before BTC was online, so I used their Method #3 of using an email alias to pay, deleting it, and then not sending anything for 2 weeks. Yes, my CC shows a payment to 'Email Provider', but there is no way to prove what account it belongs to, or if I ever used it, etc... Correct CM?

    I may let that account lapse and get another though, with BTC. I never use my main CM address, only aliases. I assume I can delete them all, and re-create on another account. It would be great if there was some way to anonymously transfer my remaining time, to a new account created using BTC?

    I use Thunderbird and Enigmail almost exclusively. I also have firewall rules to only allow connection when the VPN is up. If I need to use the web/Java for settings, etc... I have one version of a portable browser that has Java enabled. I only use it to go to CM. I also removed the CM generated Private Key from the server.

    Happy as a clam with CM.

    PD
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  12. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Yes, PGP or shout it out the window. BUT, STARTTLS *could* be made mandatory for every email server on the planet :D (fat chance, I know).

    PD
     
  13. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    CM, I have one question:

    When the CM Engine runs every hour, to encrypt any plaintext email that arrives, You *are* only encrypting to the user's Public Key, and *not* adding your own key as a decrypting entity, correct?

    As we all know, most PGP users add themselves as able to decrypt, so they can read past messages (encrypt to self). This would be bad for a provider, because just having that ability, could be abused.

    There is talk on the net that that may be what was asked of LavaBit - either start adding themselves as a party for decryption, and give up the associated pass phrase, or if they already were (bad decision if so) to give up the private key pass phrase.

    PD
     
  14. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  15. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Yes, we are only encrypting to the user's public key. You can verify this by pasting the encrypted body, the PGP-block, into www.pgpdump.net (or use GPG with --list-packets). There should only be one "Public-Key Encrypted Session Key Packet(tag 1)". If it's encrypted to multiple public keys you will also have multiple Public-Key Encrypted Session Key packets.
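
The check described in this post can also be done offline. The following is an added example, not part of the original post and not Countermail's code: a small RFC 4880 packet-header walker that lists the key ID in each tag 1 packet. The sample message, key IDs and function names are constructed for the illustration.

```python
import base64

def dearmor(text):
    """Binary packets inside an ASCII-armored block (BEGIN/END, headers, CRC skipped)."""
    lines = [l.strip() for l in text.strip().splitlines()][1:-1]
    body = lines[lines.index("") + 1:] if "" in lines else lines
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def new_length(data, i):
    """One new-format length at data[i] -> (length, next index, is_partial)."""
    o = data[i]
    if o < 192: return o, i + 1, False
    if o < 224: return ((o - 192) << 8) + data[i + 1] + 192, i + 2, False
    if o == 255: return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (o & 0x1F), i + 1, True   # partial body length; more chunks follow

def packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80: raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                    # new format: tag in the low 6 bits
            tag, body, partial = hdr & 0x3F, b"", True
            while partial:
                n, i, partial = new_length(data, i)
                body, i = body + data[i:i + n], i + n
        else:                             # old format: tag in bits 5-2, length type in 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            width = 0 if ltype == 3 else 1 << ltype
            n = int.from_bytes(data[i:i + width], "big") if width else len(data) - i
            body, i = data[i + width:i + width + n], i + width + n
        yield tag, body

def pkesk_key_ids(armored):
    """Key IDs named in the Public-Key Encrypted Session Key packets (tag 1)."""
    # v3 PKESK body: version octet, 8-octet key ID, algorithm octet, encrypted key.
    return [b[1:9].hex().upper() for t, b in packets(dearmor(armored)) if t == 1]

# Constructed sample (not real ciphertext): made-up key IDs, zero-filled bodies.
USER, EXTRA = bytes.fromhex("1122334455667788"), bytes.fromhex("99AABBCCDDEEFF00")
def sample(key_ids):
    pkt = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body
    raw = b"".join(pkt(1, b"\x03" + k + b"\x01" + bytes(16)) for k in key_ids)
    b64 = base64.b64encode(raw + pkt(18, b"\x01" + bytes(32))).decode()
    return f"-----BEGIN PGP MESSAGE-----\n\n{b64}\n-----END PGP MESSAGE-----\n"

if __name__ == "__main__":
    print(pkesk_key_ids(sample([USER])), pkesk_key_ids(sample([USER, EXTRA])))
```

A key ID of all zeros means the sender hid the recipient (GnuPG's --throw-keyids does this), so the number of tag 1 packets is the figure to check, not only the IDs.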
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Thanks :)

    I know that headers aren't gpg encrypted.

    But are they hidden by SSL/TLS during transmission from Thunderbird etc clients to and from Countermail servers? Or does SSL/TLS just protect message bodies, leaving headers in plaintext?

    Using Countermail's Java applet, are all headers hidden during transit to and from Countermail servers?

    Also, if users generate new key pairs locally, what must they provide to Countermail to update their accounts? Do they just supply the public key? Or must they supply both public and private keys?
     
  17. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I don't use the web interface too much, but on Thunderbird, you can just use any pub/priv keys you want. The only time you *need* to use the CM created key, is when a plaintext email arrives and gets encrypted to your CM public key. But any already encrypted email gets skipped over. You can add/remove CM priv keys at will, except I think you need support to change the CM public key...not sure.

    I just never use the main CM email address and keys (2048)...except for useless plaintext stuff that comes in and gets PGP'd automatically. I create aliases and pub/priv keys locally, and use those.

    SSL/TLS should be protecting the headers in transit between you and CM...just bouncing around the internet is when they can't be encrypted I would think...unless the entire route supports STARTTLS.

    PD
     
  18. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Yes, all traffic is protected with SSL/TLS.

    It's enough with the public key. But you can also email us the private key if you don't want to take the risk of losing it.

    There are a lot of people, even so-called "security experts", who think that pure access to a user's PGP private key makes it possible to decrypt all messages for that user. The fact is that a private PGP key is useless without the password. The password is converted to an iterated and salted SHA1-hash and then used as a key to AES-CFB to symmetrically encrypt the private key. If some PGP application stores the private keys in unencrypted format, they are doing something really bad. If the password is weak then the private key is vulnerable to normal attacks, such as brute-force or dictionary attacks.
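
The password-to-key step described in this post, as an added example that is not part of the original post and not Countermail's code: the iterated and salted string-to-key function of RFC 4880, section 3.7.1.3, with SHA-1 as the post names it. The passphrases, salt and the timing helper `seconds_per_guess` are constructed for the illustration.

```python
import hashlib
import os
import time

def s2k_count(c):
    """Decode the one-octet coded count (RFC 4880, section 3.7.1.3)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k_iterated_salted(passphrase, salt, c, key_len, hash_name="sha1"):
    """Derive key_len bytes from a passphrase with iterated and salted S2K."""
    if len(salt) != 8:
        raise ValueError("the S2K salt is 8 octets")
    data = salt + passphrase
    count = max(s2k_count(c), len(data))    # salt+passphrase is hashed at least once
    # Repeat salt+passphrase and cut the stream at exactly `count` octets.
    stream = (data * (count // len(data) + 1))[:count]
    key, zeros = b"", 0
    while len(key) < key_len:               # key longer than one digest: extra contexts
        h = hashlib.new(hash_name)
        h.update(b"\x00" * zeros)           # n-th context is preloaded with n zero octets
        h.update(stream)
        key += h.digest()
        zeros += 1
    return key[:key_len]

def seconds_per_guess(c, key_len=16, trials=3):
    """Measure what one passphrase trial costs at coded count c on this machine."""
    start = time.perf_counter()
    for _ in range(trials):
        s2k_iterated_salted(b"constructed-passphrase", bytes(8), c, key_len)
    return (time.perf_counter() - start) / trials

if __name__ == "__main__":
    salt = os.urandom(8)                    # constructed inputs for the demonstration
    key = s2k_iterated_salted(b"correct horse battery", salt, 96, 16)
    print("AES-128 key protecting the private key:", key.hex())
    # Same passphrase, new salt: a different key, so guesses cannot be precomputed.
    print(key != s2k_iterated_salted(b"correct horse battery", os.urandom(8), 96, 16))
    for c in (96, 208, 255):
        print(f"c={c:3d} hashes {s2k_count(c):>9,d} octets, "
              f"{seconds_per_guess(c) * 1000:.2f} ms per guess")
```

The derived bytes are the AES-CFB key the post refers to. Raising the coded count multiplies the cost of every guess, which slows a dictionary attack on a weak passphrase but does not prevent it.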
     
  19. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    Hello...what can I use?? Please recommend one that will not shut down easily..... Reliable...secured but still below lavabit and countermail..
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    VFEmail.net
    GMX.com
    GMX.at (need Austrian IP)
     
  21. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380

    VFEmail looks good. But unable to locate their Privacy Policy.

    wonder if emails / clients information are encrypted at their servers
     
  22. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,070
    Location:
    UK
  23. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
  24. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
  25. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,070
    Location:
    UK