Lavabit alternative

Runbox.com

Why?
https://runbox.com/why-runbox/email-privacy-offshore-email/

https://runbox.com/about/privacy-policy/

To be 100% safe only communicate with other people by encrypting your email, for normal everyday email this service offers some decent features for the price. Seems a lot of Lavabit users are going there looking at their IMAP backlog.

Support it fast and easy, real people that answer your questions instead of fooling about.

 

Good explain.

Although it makes a strong case for NSA due to the whole "reasonable expectation of privacy” thing.

 

Lavabit did encrypt stored and incoming email, Runbox don't do that, personally I don't think they belong in this thread. But at least they are better than Gmail

 

They are back on business now.

http://cavallette.noblogs.org/2013/08/8424

Scroll down for English.

 

For normal everyday email that one gets Runbox should do the trick. Here I learned that there is nothing I can do to prevent people from reading order confirmation emails sent from companies in an unencrypted format to myself. Regardless of TLS even.

Even if it is sent through TLS only one server in the row needs to not have it and the message is sent without TLS and therefore subject to exposure.

So for my needs, even if I would go with a cmail account, there is nothing that can be offered that is better regarding transit of unencrypted email, or is there?

Do you guys use ForceTLS and reject email from people not sending over TLS? I am not so much concerned about the email being stored securely as I am about it being sent over a secure connection start to end and most of all being received over a secure connection start to end. Can you force incoming email to be received start to end over TLS or over a secure encrypted connection, even though the content is not encrypted?

 

Thank you. This the same question that I have been hitting at in this thread:
https://www.wilderssecurity.com/showthread.php?p=2271392#post2271392

 

There is nothing *anybody* can do to *guarantee* that unencrypted email is sent secure. Refusing it wouldn't help - your buddy still sent the nuke plans to *you*...doesn't matter that you didn't get them

This is an unsolvable problem with email, unless a worldwide standard for TLS transport is mandated, and the old protocols cease to function. Very unlikely.

You can't *guarantee* that a confirmation email from xyz company will be secure, end to end.

But using a secure provider still protects from other methods (or running your own server).

PD

 

One important aspect is if your email provider supports Perfect Forward Secrecy.

I've just tested it for riseup.net - and the result is not "perfect", IMHO.

If I execute

Code:

openssl s_client -cipher 'ECDH:DH' -connect mail.riseup.net:465

the result is:

This suggests that their SMTP server supports PFS.

However, if I execute

Code:

openssl s_client -cipher 'ECDH:DH' -connect mail.riseup.net:995

or

Code:

openssl s_client -cipher 'ECDH:DH' -connect mail.riseup.net:993

the result is:

This suggests that their pop3 and imap server does NOT support PFS.

I've also tested Countermail:

Code:

openssl s_client -cipher 'ECDH:DH' -connect imap1.countermail.com:993

and

Code:

openssl s_client -cipher 'ECDH:DH' -connect imap1.countermail.com:465

yield:

That's how it should be

 

Just a headsup especially to android users:

Cryptoheaven which is migrating to a new name called "SaluSafe", has finally offered "free accounts" though with some limitations. They seem to have grown tired of my many questions so maybe someone else could post what those limitations are in their entirety.
The mobile app works very well (encryption,decryption,key storage all local!)

 

What price did Lavabit charge their customers a year? I was just reading an article on them and they had 400,000 members when they closed down.

 

I had just paid the £8 (about 10 Euro) for a year. I had been running it flawlessly for about 6 weeks and had made it my main email for everything when it just vanished off the face of the earth with no warning at all. Ok, it wasn't a massive amount of money but it was the inconvenience. If your electricity supplier did the same leaving you with suddenly with no electric you would be most unhappy.............and that's how Lavasoft left me feeling. I will not be trusting them or anyone similar in the future as the same could easily happen again in the current environment. I am now using outlook as they don't peak at your emails for advertising. That was the only reason I went with Lavasoft. Thank you so much Snowden! Hopefully Outlook won't do the same disappearing act

 

Did you ask for your money back? Don’t you think the “disappearance act” was not Lavabit’s fault? Did you at least retrieve your emails? Lavabit reopened for a short time in October “in order to give customers time to access their information”.

Code:

http://www.theguardian.com/world/2013/oct/15/lavabit-reopens-temporarily-customers-information

I had that kind of a problem with a file hosting service and many people were complaining. I wrote an email, got my money back, end of story. Life goes on.

I am waiting for the first impressions of Startmail.

 

I wrote off the money as it was a small amount really, put it down to experience. By the time they got down to allowing access I had managed to retrieve important receipts etc from the sellers after changing my email address with them.
These things happen, it was the suddenness of it all that caused the problem. I have learned my lesson and have all emails backed up these days. The disappearance act may not directly have been Lavabits fault, but the end result is the same who ever is to blame. As you say, life goes on and I have moved onto better things. Startmail sounds promising, but I wouldn't trust it as my main email address until it has been around for a while and has a proven track record. Once bitten..............

 

I would try arkOS in a raspberry pi or similar board

 

List of the best Tor email hidden services.

-- Tom