About Countermail.

Discussion in 'privacy technology' started by Taliscicero, Dec 28, 2013.

Thread Status:
Not open for further replies.
  1. Taliscicero, Registered Member (Joined: Feb 7, 2008; Posts: 1,439)

    Hey guys.

    I just wanted to let you all know my feelings about Countermail after being a full subscriber for 6 months. I used to have a Lavabit account until the closure of Lavabit and found Countermail was my only real alternative that included encrypted storage. I will say Countermail offers more than Lavabit, but a lot I don't even use.

    I can say with honesty after my year is up I won't be re-subscribing. Not because the service is bad, it's just three little problems.

    (1)

    Lavabit: $6 a year.
    Countermail: $59 a year.

    (2)

    Lavabit: Clean UI, very simple no hassle for Thunderbird/Outlook.
    Countermail: Clunky UI. Complex, big hassle configuring Thunderbird/Outlook.


    (3)

    Lavabit: HTTPS web/Thunderbird/Outlook.
    Countermail: Java web, requires Java, complex Thunderbird/Outlook setup.

    I'm not saying Countermail is bad, I'm just saying it's very overpriced, and with StartMail in the works what is the point really? I could not even get Countermail to work on my phone, and I'm no newbie. Also very inconvenient if your phone's browser does not have Java; if you try to do it that way, it flat out won't work.

    I would be happy to stay on if they severely reduce their price, make the UI cleaner, fix it so it does not have to use Java and just add simple HTTPS web based message access. It would very much make the whole thing simple for people.

    I hardly even use it, it's just going to waste because it's such a bother to access sometimes.

    Anyway, just stating my opinion on the matter, as of now I'm not going to renew. It's just not worth the huge price tag for what you're actually getting.
     
  2. rollers, Registered Member (Joined: Sep 13, 2004; Posts: 439)

    Unfortunately any of the so-called private email services are prone to just disappearing overnight, especially if they get any pressure from the NSA.
    I guess end to end encryption is the only real safe long term solution, but getting everyone to use it is another matter.
     
  3. box750, Registered Member (Joined: Nov 11, 2008; Posts: 259)

    I am wondering what you intend to use next, just out of curiosity.

    Something you are leaving out of your comparison:

    - Lavabit: Company can decrypt email.
    - Countermail: Company cannot decrypt email.
     
  4. happyyarou666, Registered Member (Joined: Jan 29, 2012; Posts: 802)

    he has a point, perhaps you should use openpgp with any private email anyhow no matter the provider i reckon

    hell you could go with riseup / based in US or Autistici/Inventati / based in Italy, which are pay as per what you feel is deserved services aka donation based email providers , come recommended for all things regarding IRL emails, they take their job seriously aka not handing out your emails , again openpgp is a must anyhow for anything regarding IRL and must be practiced by all parties in the chain not just you in order to uphold end to end security logically
     
    Last edited: Dec 29, 2013
  5. Taliscicero, Registered Member (Joined: Feb 7, 2008; Posts: 1,439)

    Countermail is closed source to my knowledge, who says they can't decrypt your messages, or if they store secret keys. It's about trust, Lavabit has proven they will shut their company down to protect user privacy. Countermail for now is un-tested.

    I plan to use StartMail for now when it comes out, it's by the same people who make Ixquick. If they keep prices low and keep the system simple it can be like Gmail but privacy oriented, which is ideal.
     
  6. dogbite, Registered Member (Joined: Dec 13, 2012; Posts: 1,166; Location: EU)

    email servers are located in Iceland, Norway and Netherlands, not in Italy.
     
  7. Countermail, Registered Member (Joined: Aug 7, 2009; Posts: 167; Location: Sweden)

    Sorry, but it's pretty obvious that you don't understand what you're getting.

    It seems like you don't understand the difference between end-to-end security and server-based security...

    HTTPS? A provider that only uses HTTPS/SSL is far from secure.
    We are not interested in providing an unsecure HTTPS-only service, there are tons of them.

    More about SSL attacks:
    http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide
    http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
    https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
    https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google
    http://www.theinquirer.net/inquirer/news/2106065/major-domains-targeted-diginotar-ssl-attack
    http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
    http://technet.microsoft.com/en-us/security/bulletin/ms12-006
    http://files.cloudprivacy.net/ssl-mitm.pdf
    http://www.wired.com/threatlevel/2011/03/comodo-compromise/
    http://www.wired.com/threatlevel/2010/03/packet-forensics/
    http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/
    http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202
     
  8. Countermail, Registered Member (Joined: Aug 7, 2009; Posts: 167; Location: Sweden)

    Untested? We have been around since 2010. Let me know if you can find any case where we have provided unencrypted email to anyone.

    We have never given out a single IP-address or a single unencrypted email. Simply because we can't. We have approx. 6 court orders per year, so there are plenty of proofs.
    More about court orders: https://support.countermail.com/kb/faq.php?id=74
     
  9. Taliscicero, Registered Member (Joined: Feb 7, 2008; Posts: 1,439)

    Oh, I know what I'm getting. I know what server-based security is and it's why I was using Lavabit before Countermail. I guess it was not made clear enough in my first post. I want server-based security and HTTPS/Secure contact to the email inbox without having to use Java, which is prone to many more attacks than HTTPS is right now. I would not care as much but Java is just inconvenient.

    You obviously came at me very aggressively. You could have taken note of my post and helped the situation or asked what would make my experience with your service better, but instead you came at me in an aggressive way claiming I don't know what I'm talking about. Please, don't go there, it's not professional.

    Yes you are untested. Why? Because you have never had any real legal issues as of yet, not simple issues you can just ignore because of Swedish law. I'm talking about big things like the Swedish laws changing for your service and the Swedish government directly requesting access with a similar national defense style letter and gag order. Then and only then will you be tested.

    Please don't come at me in an aggressive way. Your service is overpriced for what we get. I am stating my opinion. Your inbox 250mb of space? Really really overpriced. You are making a huge premium from your users so don't tell me I don't know what I'm getting, I know exactly what I'm getting. It's not a lot.
     
  10. Countermail, Registered Member (Joined: Aug 7, 2009; Posts: 167; Location: Sweden)

    You should not allow Java on all sites, Java is pretty secure if you use it the correct way, it's simply not possible to get end-end-security with HTTPS-alone. Java is also only needed for the registration. Then you can use third party email clients.

    Personally I think it's unprofessional to compare two different things that provide two different levels of security, and then saying it's overpriced, without mentioning all differences. And saying that our service is untested is also very very strange. Some differences between us and Lavabit below:
    • We are under Swedish jurisdiction and Swedish laws, not USA
    • Web based OpenPGP encryption with no possibility to disable the end-to-end encryption, passwords and decrypted texts are never sent to our server
    • We have a USB-key option, which gives you two factor authentication, and increased protection
    • Our webmail server does not have any hard drives, only CD-ROM, which means no “leakage” to any hard drive is possible
    • Our customers never have any direct connection to our mailserver, regardless how they connect to their account, IMAP/SMTP/webmail always connects to a diskless server (tunnel)
    • You can delete the private key from our server (but we recommend this only for advanced users, your private key is always encrypted on our server anyway)
    • We have an additional encryption layer to protect against HTTPS-man-in-the-middle attacks
    You are missing the fact that Sweden is not USA.

    If the law changes, we will of course adapt, and move our business, we have already prepared for that.

    No, it does not seem so, since you think HTTPS-alone is secure. People who read the links I posted would understand why.

    I agree that you can find cheaper alternatives if you don't need end-to-end security, and all our other features. But these days more and more people want that, and not only the unsecure HTTPS-traffic encryption.
     
  11. mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 6,028)

    I have a couple friendly clarifications. When you use Countermail with its Java browser plug-in, message headers are encrypted during transmission, not just the message content. Also, if Countermail has your private key, your messages are fully encrypted (including headers) on their mailservers.

    Also, as strange as it seems in the current stuff-should-be-free environment, 60 USD per year is not at all expensive. That's about what I paid my ISP for an email account back in the early 90s.
     
  12. Taliscicero, Registered Member (Joined: Feb 7, 2008; Posts: 1,439)

    $60/yr is expensive if you consider a 250mb storage cap. I could go ahead and host my own email in Sweden for $60/yr with more space. I understand counter-mail has many different things in place like him and yourself say, but really most of those things are stuff you really don't need as an end user unless you're doing bad things to begin with. I am just a guy who cares about his privacy that wants his emails stored in encrypted format where they can be recovered quickly without any hassle through simple protocols like HTTPS, which despite most claims is still pretty good for email retrieval when set up correctly. I could pull up a bunch of articles about Java to scare people too, it's not helpful.

    60% of Counter-mail's set-up is really unnecessary for 99.99% of people, the only reason someone would need a set-up like that is for corporate espionage or some other shady dealing.

    I'm a privacy enthusiast and a long time researcher. I just wanted to state my own personal opinion on a service I tried out for a while and believe now is overpriced and inconvenient in many ways to use. Not start a discredit war with the owner of counter-mail about how little I supposedly know.

    Anyone can use PGP, it's not new technology, you can use PGP with Gmail. Only thing you really offer is a CD based web-mail server, which is fine but it's not really necessary since you are behind the Swedish laws. I admit it's good to have regardless but even then the price of the service is too high.

    I am just saying, I wish you would lower the price and make it simpler for the end user to get their emails without having to either have tools to load and unload Java every time you want an email. You say you can use Thunderbird/Outlook and sure you can, but the effort it takes to do so is tedious and on my Android device flat out did not work.
     
  13. mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 6,028)

    @Taliscicero

    You clearly don't need/want most of what Countermail provides, so it's entirely reasonable that it's not worth $60 per year to you. There's no arguing about that.

    But it's not proper to characterize Countermail's core features as "stuff you really don't need as an end user unless you're doing bad things to begin with". Countermail is valuable to people doing various dangerous things, of course, but in many cases those are "bad" only in the opinion of human-rights abusers.
     
  14. happyyarou666, Registered Member (Joined: Jan 29, 2012; Posts: 802)

    yeah they're email servers not they themselves, i messed up by adding servers to my above post my bad, has been updated :rolleyes:

    on the above posts regarding countermail , may i add a thing or two :gack:

    first off mirimir is right on this one thing countermail is clearly overpriced for your usage model Taliscicero , thing is you can't just limit the world view to yours , that's not how reality works my friend no offense , mind you there are people in oppressive countries that might require the level of security countermail provides and can't or don't know how to setup an anonymous email account and use openpgp themselves or for

    IRL stuff ever heard of donation based activist outfit email providers , sure some can't afford 60$/year in the more poverty stricken countries , but for them there's always free alternatives , like using mailtor aka tormail 2.0 for anonymous temp emails or vmail for pseudo temp mails or for IRL stuff riseup or Autistici/Inventati , they still then can donate whatever change they got left without having to fear hunger , hell imo the only reason i'd use countermail would be if there weren't free alternatives such as previous mentioned , hell tbh i don't trust any of them but much more than others such as google, yahoo, hotmail etc ., the security itself

    of your emails lies within you and you alone instead of trusting a third party with it no matter how reputable they might be and untouchable , remember what i usually preach , consider everything compromised from the get go, it's YOUR responsibility to use openpgp and your receiving party as well if you plan on end to end security not some 3rd party you pay whatever amount of money a year for the use of its services , the only payservice i consider non optional would be when it comes to vpns , my 2 cents, and for all its worth even though i myself don't use it , keep up the good work and improving the countermail service , countermail , and thanks for the interesting articles , makes for a good read ;)
     
    Last edited: Dec 29, 2013
  15. Taliscicero, Registered Member (Joined: Feb 7, 2008; Posts: 1,439)

    I never meant anything against Counter-mail. Only stating my personal opinion on it. My opinion is it's overpriced for what it is. That's all I'm saying guys.
     
  16. mattdocs12345, Registered Member (Joined: Mar 23, 2013; Posts: 1,785; Location: US)

    First of all, I don't run Countermail, I use runbox. But before you guys bash Countermail over Lavabit please understand that Lavabit was compromised, people's emails acquired by LE and their privacy violated without due process while Countermail as far as we know remains intact. Maybe the $60 per year did pay off, no? Just my $0.02.
     
  17. Taliscicero, Registered Member (Joined: Feb 7, 2008; Posts: 1,439)

    LE never actually got any emails, they closed down before anything was leaked to my knowledge.
     
  18. mattdocs12345, Registered Member (Joined: Mar 23, 2013; Posts: 1,785; Location: US)

    Of course they did. They got the key and they decrypted all intercepted emails that way.
     
  19. Countermail, Registered Member (Joined: Aug 7, 2009; Posts: 167; Location: Sweden)

    We have several companies that don't want their company secrets email read by foreign governments or some other advanced attackers. We have also journalists, lawyers, doctors, military and police as customers. They understand that HTTPS-alone is not secure.

    A Java exploit is not exploitable from other domains when you haven't enabled Java on that domain, to use a Java exploit they must first hack into our server, so far, no one has been able to do that.

    There is a big difference between Java and HTTPS, HTTPS is a protocol, and in our opinion it's broken, and it can't be fixed easily. Java is a programming language.

    More about Java security:
    https://support.countermail.com/kb/faq.php?id=52

    You're wrong, there are many that want web based end-to-end security.

    No, anyone cannot install it easily, for example Thunderbird+Enigmail+GnuPG, it requires more knowledge than an average computer user. Also that setup does not have an SSL-MITM protection during the server-authentication.

    Again, it's not possible to get end-to-end security in web browser without Java. We have several users using our service with Android and iPhone, so I don't know what you did wrong.
     
  20. EncryptedBytes, Registered Member (Joined: Feb 20, 2011; Posts: 449; Location: N/A)

    That is a very dangerous mindset to have in this day and age. Those who want simplicity and convenience with data end up losing both privacy and security. I'd say why not just use gmail or hotmail if that is the case, they both achieve everything else an end user could want.

    Storing emails in encrypted format unfortunately HTTPS will not help you there. You will need to use a true public/private key pair if you want privacy, which would take away from the ease of use for most users as the data, by its secure nature, would not be allowed to be accessed from any source that doesn’t have access to the private key. If you just want your email stored on a server that protects it from outside malicious users only, then again why not just use gmail or hotmail?
     
  21. PaulyDefran, Registered Member (Joined: Dec 1, 2011; Posts: 1,163)

    CM with Thunderbird/Enigmail is as easy as any other account with the same combo. Remove the private key from CM's servers (don't lose it :D ) and there is no way anyone could even attempt to decrypt. With a GREAT passphrase, leaving the key is no biggie, but I like having it solely myself.

    If you want to use the web interface, but hate the risk of Java - just disable Java in every browser you have, save for a portable Firefox or Iron that *you only use for CM*.

    Then there's all the server side stuff and foreign location.

    That's why I *will* be renewing...with Bitcoin! :D
     
  22. RollingThunder, Registered Member (Joined: Nov 21, 2013; Posts: 187; Location: https://www.eff.org/issues/anonymity)

    I have to chime in here. I agree with Taliscicero that Counter-mail's approach was heavily aggressive and put me off. Also, Taliscicero is right, Counter-mail has not been tested to the extent Lavabit has. The Counter-mail service seems too good honestly. I am commenting right now because I have considered subscribing to Counter-mail despite how much they cost (and they are very expensive). I am disturbed at the aggressive posture I have seen Counter-mail take in Taliscicero's case, a current customer, and in other posts potential customers. I am seeking a company that is going to work with my issues, not prove that they are right regardless of what the customer says to the contrary. I am also after a company that has gone through the legal system much as Ladar Levison has.

    On a personal note, Taliscicero, I thank you for bringing out this type of a response from Counter-mail; it makes me wonder if I would receive a similar aggressive response from them if I decided to sign up and had a problem with their service. Point, there is more to customer service than attempting to prove yourself right all the time. Other potential customers are on Wilders reading what you say.
     
  23. mattdocs12345, Registered Member (Joined: Mar 23, 2013; Posts: 1,785; Location: US)

    I don't know. I like to hear what the other side has to say. And it's not about proving anybody right, it is about showing your side of the argument and for users here on Wilder to decide.
     
  24. RollingThunder, Registered Member (Joined: Nov 21, 2013; Posts: 187; Location: https://www.eff.org/issues/anonymity)

    Matt: Of course I agree with you on that point. What I had a problem with was the aggressive posture Counter-mail has taken in a couple of instances. I like to learn from other people's experiences so I don't go through similar issues. It is, as you say, up to the CUSTOMER to decide what is correct and what is not, and that includes good customer service.

     
  25. RollingThunder, Registered Member (Joined: Nov 21, 2013; Posts: 187; Location: https://www.eff.org/issues/anonymity)

    Matt: Before we discredit Ladar Levison, the court required those keys be turned over. Levison immediately shut down Lavabit to prevent any future compromise to customers (that action angered prosecutors by the way). It is extremely unclear if the government was able to decrypt those messages. Levison's feet were put to the fire and as an honest business man (a patriot in my view) who did as much as he could to preserve his clients' privacy without sacrificing his own freedom. I challenge you to perform better if the government was after your email business.

    The service I am waiting for is Dark Mail. Phil Zimmermann is legendary and Ladar Levison stands for the type of customer focused ideals I would expect in an email provider.

     