About Countermail.

Discussion in 'privacy technology' started by Taliscicero, Dec 28, 2013.

Thread Status:
Not open for further replies.
  1. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    You forget that NSA backs up all encrypted data (that cannot be decrypted at the moment). Chances are that they already had all the emails they needed in encrypted form. After they got the keys it took a few minutes to get them decrypted.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Ladar Levison has basically admitted that:

    http://arstechnica.com/security/2013/11/op-ed-lavabits-founder-responds-to-cryptographers-criticism/
     
  3. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150

    I think there's a misunderstanding here. The Lavabit SSL keys did not enable decrypting of emails; instead, the SSL keys enabled decrypting of SSL communications. Customer emails were encrypted with unique, customer-selected passwords. Customer passwords were not contained in the SSL keys nor stored on the Lavabit servers. Customer passwords were known only to the customer. Only if a customer entered their password after the govt. had the SSL keys would the govt have the customer's keys. The shutdown was intended to avoid this possibility.
     
  4. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Correct, but the password/pass phrase *was* transmitted, so there are better options. If Ladar caved fully, the emails could have been read. He didn't, so good for him. But it is technologically possible to prevent that weakness, and the subject of this thread, does that.
     
  5. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    224
    Location:
    USA
    Thank you for the clarification. I had forgotten this aspect. In fact no customer data had been compromised. I am unsure if the Government ever got the data from Snowden's account? While we are here, does anyone remember the reason the government wanted access to Lavabit customer accounts other than Snowden's? With a man willing to go to these lengths, bring on Darkmail. Let's hope it lives up to the initial reports as a plugin for the larger providers.

     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @S.B, PaulyDefran

    It's worse than that. In the same Ars Op-ed, Ladar Levison wrote:

    Given that many (most?) of Lavabit's SSL connections didn't implement PFS, plaintext from any archived intercepts became available once he provided the SSL keys. Given that message headers can not be encrypted during SMTP transit, they clearly became available.

    He goes on to say:

    This confirms that even message bodies were not encrypted by default during transit. For that, users needed to employ their own end-to-end encryption.
     
  7. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    @mirimir,

    I think I see what you're saying -- and if you are right, it goes way beyond Lavabit, and it is a scary proposition. In a nutshell, you are suggesting that Govt can capture and store all encrypted communications; and then if Govt. forces the SSL or TLS (or whatever) keyholder to turn over the encryption keys, then the communications thought to be encrypted become available to Govt in unencrypted form. Correct? Doesn't that mean that no VPN communication is in fact secure (unless using some sort of recent encryption process that wasn't used in the past)? So the net effect is virtually no encrypted communications possible via internet (except PGP and GPG, which have only seen limited use and only for email)?
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's the case for SSL/TLS without perfect forward secrecy (PFS). Although PFS is becoming more common for SSL/TLS used in HTTPS and secure SMTP, it's by no means universal.

    And other common implementations -- such as Truecrypt or dm-crypt/LUKS volumes, and archived GnuPG-encrypted email -- entirely lack PFS. Once adversaries have the passphrase, keyfile and/or private key, they can decrypt all encrypted data.

    Not at all. OpenVPN using PKI certificates (ca.crt and server.crt/client.crt) has always used SSL/TLS with PFS. That's not the case for OpenVPN with shared keys, but that's never been used in VPN services, just for point-to-point links. But PPTP doesn't provide PFS, of course. And it's not been the default for IPsec.

    For example, Tor, OpenVPN and OTR provide PFS. I2P probably does, but I'm too lazy to confirm that. And, as I've noted, PGP/GPG and FDE do not provide PFS. If they did, you couldn't read your archived data, at least not without some way to securely archive the proper session keys. Then we'd have questions like "OMG I didn't save my Truecrypt session key!" ;)
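    The distinction mirimir draws (forward secrecy in TLS versus its absence) comes down to the key exchange the cipher suite uses. The following is an added example, not code from the original thread or from any of the products discussed: it classifies OpenSSL cipher-suite names by whether they use an ephemeral (EC)DHE exchange, and builds a Python ssl client context that refuses every non-forward-secret suite. The sample cipher names are constructed for illustration; the function names are my own.

```python
import ssl


def is_forward_secret(cipher_name: str) -> bool:
    """Return True if this OpenSSL cipher-suite name provides forward secrecy.

    TLS 1.3 suites (OpenSSL names them TLS_...) always use an ephemeral
    (EC)DHE exchange. For TLS 1.2 and earlier, forward secrecy requires the
    ECDHE- or DHE- prefix; plain RSA key transport (e.g. AES256-SHA) and
    static ECDH (ECDH-...) let a later key compromise decrypt archived traffic.
    """
    if cipher_name.startswith("TLS_"):
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def pfs_only_context() -> ssl.SSLContext:
    """Client context that only negotiates forward-secret suites (assumed policy)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: keep only ephemeral DH exchanges with AEAD ciphers.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list[str]:
    """Names of every suite the context would offer, including TLS 1.3 ones."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the suites in a context that lack forward secrecy (empty means clean)."""
    return [name for name in enabled_cipher_names(ctx) if not is_forward_secret(name)]


# Constructed sample of names as OpenSSL reports them.
SAMPLE_SUITES = [
    "AES256-SHA",                     # RSA key transport: no PFS
    "ECDH-RSA-AES128-SHA",            # static ECDH: no PFS
    "ECDHE-RSA-AES128-GCM-SHA256",    # ephemeral ECDH: PFS
    "DHE-RSA-AES256-GCM-SHA384",      # ephemeral DH: PFS
    "TLS_AES_128_GCM_SHA256",         # TLS 1.3: always PFS
]


def classify_samples() -> dict[str, bool]:
    return {name: is_forward_secret(name) for name in SAMPLE_SUITES}


if __name__ == "__main__":
    for name, pfs in classify_samples().items():
        print(f"{name:32s} forward secret: {pfs}")
    print("non-PFS suites left in restricted context:", audit_context(pfs_only_context()))
```

    As the thread notes, this only protects recorded traffic against a later disclosure of the server's long-term key; it does nothing for data the endpoint itself stores, or for a proxy the client already trusts.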
     
  9. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Yup, (Good) VPNs rotate keys every x-minutes with the -reneg- property. The server is set to a default (usually 1 hour), but the client can specify a lower limit.
     
  10. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    SSL/TLS with PFS is of course better than SSL without it, but it still does not protect against active MITM attacks. Some companies use SSL-proxies which decrypt the SSL (as MITM) and scan the plaintext, for viruses or just plain snooping, and then re-encrypt it and forward it to the destination. After the SSL-proxy CA-key is installed in the web browser, the SSL-termination is done invisibly and seamlessly. Or even better, if the SSL-proxy has access to a CA-keypair that's already installed by default in your browser, then there's no need for any installation on the client computer; the listeners just have to pick an IP-address/MAC-address that they want to snoop on, regardless of PFS.

    In our opinion, you cannot trust SSL/TLS when sending sensitive information; you always need another layer of encryption. And this fact is not new, at least not for people who work with IT-security/encryption professionally; it's been known for many, many years.

    For me, it's pretty funny when some companies write "we only use encrypted SSL-connections" or "your information is safe, we only use strong SSL encryption", yeah sure...
     
    Last edited: Jan 22, 2014
  11. NativeL0rd

    NativeL0rd Registered Member

    Joined:
    Feb 23, 2014
    Posts:
    2
    Location:
    USA
    I'm a long-time lurker, but wanted to comment on this. There seems to be a pervasive mentality that if you're not doing something bad/wrong/illegal, you shouldn't need a certain solution/control/capability. It is further propagated by organizations/governments to disincentivize its use (guilt for using such strong controls). This is exactly the wrong mentality to have if you are to consider yourself a proponent for privacy.

    The if you have nothing to hide, you don't need X mentality is dangerous and unproductive, especially to issues of privacy. Challenging Countermail on their product is okay, but suggesting that the use of added controls is unneeded/excessive, and points to dishonesty/immoral acts, is reckless and counter to the purpose of their service.

    If the service is cost prohibitive, that is an excellent reason for you to decline their service. Your responses read as though you want their service for free (or at a reduced price), cannot get said capability, and instead used nonsensical arguments to justify your criticisms.

    On the inverse, I too would like to see some testing done and white papers generated on the Countermail service. I use the service and have nominally researched each of the controls they implement and have discussed with colleagues possible outcomes. The one thing that really sets it apart from others, for me, is the ability to download and remove my private key from their server. That said, there really isn't any way to confirm that my key is indeed off their servers.

    Looking at it logically, you have to weigh the risks of using their services with that unknown versus the cost of and value of what you're getting otherwise. $60/year is not an exorbitant amount in consideration of what you're getting in return.

    This post turned out longer than I had anticipated. Sorry for my lack of brevity! :D
     
  12. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I started using Countermail back in December. Their diskless web servers are what sold me. Then I had done a search and found that they actually post on these forums (which I've lurked for years) and that was all I needed. Price isn't bad personally.

    To me, when I think about how many accounts online are tied into an email address, I'd think an email account should be pretty damn secure. Take Yahoo, which was "hacked" recently: http://www.washingtonpost.com/busin...57ef8a-8a7d-11e3-833c-33098f9e5267_story.html
     
  13. 4Qman

    4Qman Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    12
    I want to add that I have been using Countermail for the past 3 months and I am very impressed. The only issue I had was logging into a machine that was on a corporate network, having understandably blocked Java.

    The support is very good and I have always had a fast response and assistance with the initial setup of the account. I have not found it an issue using the account with Android, as using K9 Mail (which they recommend) linked to your key offers a great secure service. I have always used Thunderbird too, so this complements my previous thoughts.

    The downside to using Java is only an inconvenience. However, once initially configured it is no issue, plus the security aspect of using Java is required to ensure the utmost security is maintained. This is the reason for using CMail as a provider after all.
     
  14. Stifflersmom

    Stifflersmom Registered Member

    Joined:
    Jan 3, 2013
    Posts:
    45
    The last three posters have brand new Wilders accounts with one post each. Each poster leaves a message praising Countermail in a thread that has been dead for a few months. That's not suspicious? Come on...

    That's why I never trust information from sources who are not well-established and reputable.
     
  15. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I was about to say the exact same thing, creepy much? If that's Countermail's doing, shame on them; if it's not... well, why does someone want you to use their service so bad? Either way, creepy creepy. Probably because Countermail's owner realised this thread comes up as the second link right under the Countermail website when you Google search "counter mail", hah.
     
  16. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Even I reacted to the things you mention, but I can assure you we would never use fake users to try to promote us. I have seen companies do that, and in the end it just backfires on them. I'd rather buy a banner on Wilders than use some fake advertising. BlackSEO and similar marketing strategies are something I personally hate.

    In this case I am pretty sure these are real customers, and then I think a bump is fine; it's better to keep things in the same thread than to create new threads about the same thing.

    /Simon Persson
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I consistently see Wilders near the top for relevant searches. Posts made here sometimes show up within minutes in Google results. Look at Truecrypt, for example. I don't see why Countermail should be any different.
     
  18. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    As I wrote earlier, we have nothing to do with the other posts on this forum. However, I can't blame any of you for thinking so, it looked a bit strange. Regarding Google search, the most important thing is that we have the #1 spot. If I search from google.com , this thread does not come up as 2nd primary link, it's another Wilders thread about us: https://www.google.com/search?q=countermail&btnG=Google Search
     
  19. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Yeah, because this is the only forum or site I'm on with this name...

    Simply just trying them out and haven't had any real issue. I've read stuff on Wilders on and off for years, I just never made an account till now. Hell, I remember when Nod32 used to be here, but they've got their own forum. I'm also on ESET's new forum too, so ESET must be paying me off. I also use an AMD cpu and nvidia gpu and post on various tech forums, guess I'm getting paid off there too. :rolleyes:

    EDIT

    I won't deny 3 posters in a row isn't off-putting, but I won't also deny I'm happy that I finally dumped Gmail. I've recommended CounterMail on a few other sites, like the DuckDuckGo forums, but I also recommended StartMail which is just starting up. I am kind of cautious of a lot of things that are out now that weren't before the NSA stuff; a lot of that is indeed snake oil.
     
    Last edited: Mar 23, 2014
  20. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    @all

    We are paranoid sorts, that's what makes us special, so don't judge hehe :D
     
  21. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
    Good Evening! This Representative from Countermail...is a Scary Individual. Aloof...Arrogant...and Disdainful...of an Existing Customer's Opinion. Having a lengthy history in Customer Focus... Sales and Marketing...I just might know what I speak of. Unless Countermail changes their Customer Focus...their Bottom Line will be Severely...Impacted. Taliscicero! I'm not retracting my critique...Countermail's response was in my opinion totally Un-Professional! Sincerely...Securon
     
  22. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    As I said in my first post, I had found this thread through a search, on DuckDuckGo: https://duckduckgo.com/?q=countermail

    And Wilders is also the second link. I can't speak for the other two, but I'd bet they found it through search engine results. The types that'd be interested in some secure email would be the same type that might want to sign up to a security forum.

    CounterMail kind of had me wondering for a while, but it's just that thing with any unheard-of type of newer thing. And I was just so fed up with Google personally and all the alternatives were looking kind of crap. I even had asked over on the TechPowerUp forums in their security section if anyone had heard of it, and of the two responses I got, none had. Truly, if there weren't a few discussions about it on these forums I don't know if I would have gotten it, but I've been liking it so far well enough.


    Also Taliscicero you owe me 20 bucks a post, boss. I think ya threw them off our trails!

    edit

    But seriously, I just do stupid game glitch videos on Youtube. I don't know who in the right mind would pay me to advertise ANYTHING.
     
    Last edited: Mar 23, 2014
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    He's just Swedish ;)

    Don't take it personally.

    It's my impression that directness is proportional to latitude.
     
  24. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
    Good Evening! Mirimir...Attitude's the problem...certainly not Latitude! Lol! Sincerely...Securon
     
  25. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    224
    Location:
    USA
    @Securon, yes, attitude is the problem. This representative from CM seems to be the CEO of CM or something. I have spent my entire working career in customer service. Turn time back six months. I was ready to sign up for CM. The thing that dissuaded me was the attitude I saw in relation to Taliscicero. In Taliscicero's case I felt that if CM was going to come out that aggressive with an existing customer, I began to wonder how they would treat me. It just goes to show that if you value potential customers, your customer service on the public net needs to be non-confrontational.

    For one second let's talk about the secret key. Someone mentioned earlier in this thread (I forget who) that they could not be certain that CM had not deleted their secret key once generated by the CM system upon sign up if they wanted to manage it themselves. This statement lacks understanding because when you delete the CM-generated secret key you then use PGP to privately create your own. The new secret key, thus, has never been on CM servers.

    I want to be clear on this. I don't like CM. I can't stand too much arrogance and aggression in any provider as CM has demonstrated here. For those reasons I won't use CM. However, on the aspect of technology we need to put personal issues aside as we have always done in order to competently evaluate any service.

     
    Last edited: Mar 25, 2014