Email options

Discussion in 'privacy technology' started by mirimir, Jan 18, 2015.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Thanks, blaker and LockBox :)
     
  2. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    342
    Thanks mirimir. This is a great idea.

    Shouldn't Startmail be in the list? https://www.startmail.com/

    And does Mailpile count? https://www.mailpile.is/ I guess it's more akin to Thunderbird with Enigmail, since it's not a mail service and they have not yet implemented the original idea of making it easy to run one's own mail server.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Thanks :)
    Yes, there ought to be a clients category.
     
  4. winstonschmidt

    winstonschmidt Registered Member

    Joined:
    Oct 6, 2014
    Posts:
    1
  5. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Do you honestly believe that if any email provider at all gets a court order saying that a certain email account has, for example, CP or details of a bomb plot on it (and it doesn't have to be true or based on any evidence, it could just be an excuse), they won't do anything in their power to assist? Of course they will, and that's probably true with less egregious things as well. The idea is with encrypted email is that even the provider can't access your account without the password, and that's what safe-mail and others claim to do.

    Anyhow, if you put your trust in any service provider (email, VPN, etc), your security is really just based on trust which isn't worth much when it comes down to it. Bottom line is that the safest thing is using open source impenetrable technologies like Tor and GPG and not relying on any company for utmost security. Gmail + GPG is infinitely safer than any of these, without GPG.
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,805
    Location:
    UK
    You might want to make these terms a bit more contingent. End-point security is "terrifically weak", all you can do, is do your best. There are pros and cons which work as far as they may, for your threat model - that applies to any of these technologies. Email as it stands is fundamentally flawed, and Google will certainly hand over your metadata and message subjects if requested, and you do not have PFS.

    My understanding of the class of provider like ProtonMail and Tutanota is that they are intending most of all to be easy to use rather than be as secure as possible (hence them storing encrypted private keys on their servers, use of javascript encryption and so on). In a way though, widespread adoption of reasonably secure and easy-to-use email is likely to raise the bar and increase penetration of stronger protections.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Yes, I'm sure of that. End-to-end encryption, keeping private keys local, is a good start. But one must also obscure metadata, avoiding meaningful subject lines, anonymizing correspondents' identies using multiple accounts, and Internet access via nested chains of VPNs, JonDonym and Tor.
    Yes, distribute trust so that compromise requires collaboration.
     
  8. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Good list. I only know of the provider I use (CM) - do any of those others allow local storage of private keys?
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    ProtonMail does not allow keys to be stored locally. I'm not sure about Tutanota. Their FAQ is ambiguous. It seems that neither uses GnuPG, or at least straight GnuPG, so users can't securely correspond with regular GnuPG users (except using symmetric keys).

    I gather that their goal is hiding metadata. CounterMail also needs your private key in order to hide metadata, as I understand it.

    I need to real about all these services and ask questions before saying much specifically.
     
  10. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,879
    Location:
    US
    Just a thought for food. I hope none of you guys are access your email service from iphone. Cause you might as well use regular gmail.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Right. Smartphones are a morass :(
     
  12. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    342
    Tutanota plans to enable PGP functionality for interoperability with other services in the future: https://tutanota.uservoice.com/knowledgebase/articles/470724-why-does-tutanota-not-use-pgp

    Also note that Tutanota has a system for making suggestions, if you're a Tutanota user, and they seem to really be listening: https://tutanota.uservoice.com/forums/237921-general
     
  13. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    342
    Can you elaborate on this? What about while using something like Tutanota's app, which keeps things encrypted? Even CounterMail has a way to use their service on Android phones, with K9 mail and PGP. Is that also useless?

    Also, it's not email, but what about TextSecure, ChatSecure, RedPhone? There are some ways to communicate securely from phones, aren't there?
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981

    Thanks. I gather that ProtonMail has similar plans.
    OK, I'll follow up.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    I'm not sure where to draw the line, for the article that I'm starting.
     
  16. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    342
    I guess rather than drawing the line, you could just describe the relative risks of different options and people can decide for themselves what they need. Or you could describe the relative risks and for what type of people different options make sense, e.g. if you just want some privacy from prying corporate eyes you're probably okay with x, if you need to protect information from such and such legal entities only use y, if you think you're the target of a major state security agency don't use a phone.

    *

    I'm still unclear though, with proper encryption, why phones are inherently worse than computers. I can see that with just regular built in email apps, phones are totally unreliable and basically designed to spy on you. But with an open source OS, good encryption from a reliable opensource app and dev like Whispersystem's Chatsecure, shouldn't it be just as good as proper PGP with Thunderbird? In both cases, one is relying on trusting the opensource system and the specific devs in question, but technically the encryption should work.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    I meant more like "what to cover?" than "what's secure?".
    Even with an open-source OS and apps, you must trust the firmware/radio and its closed-source OS, which is known to share freely with carriers. The old-school PC BIOS had far less power to pwn users. But that's changing :(
     
  18. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    342
    Ah, oops. Yeah, there's a lot to write about. Whatever you do will be appreciated.

    I get that phones in their default state are a nightmare (it's why I totally recommend against using phones for banking apps, payments, purchases). But I still don't get how for secure communication it can break proper encryption. How does the radio break encryption? And if you don't want your cell service to track you connections, use a VPN. So I thought it takes more care and precaution with a phone, but it's not impossible. What am I missing, in comparison to computers?
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    I think that it basically comes down to the fundamental role of radio in phones, handled at firmware level, vs networking in PCs, handled in kernel and above. Maybe someone can say more about specifics. I'd just be quoting Wikipedia ;)
     
  20. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    342
    I guess I'll have to search around. I'm still having trouble imagining how the radio can break proper encryption. I can imagine the radio could act as a man in the middle. But so can a router, public wifi, ISP, so isn't that what encryption and VPNs are for?
     
  21. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I'm using Yandex right now, and I like it.
     
  22. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Vmail is a good option too
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Right. It's not just the radio. It's the firmware (like BIOS) plus the radio, under joint control. The firmware can see everything, so encryption is useless. On a PC, encryption would be useless if the BIOS were backdoored. Phones are backdoored by default :(
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,981
    Is vmail.me back again? It wasn't accepting new accounts, when I last checked.

    I've also liked yandex.com and mail.ru, and even gmx.*, but I don't know that I'd classify as privacy friendly. But then, how privacy-friendly is vfemail.net? They do have a hidden service, though.

    Maybe I need another category, semi-privacy-friendly ;)

    But anyway, thanks :)
     
  25. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,805
    Location:
    UK
    For me, the interest is about services that support users who are not online (in other words, store-and-forward, or some kinds of P2P). The IM secure messaging is rather "easier", although they vary in terms of pfs etc - and there are some pretty good solutions already for all platforms for IM.

    Like you, I wouldn't touch mobiles with a bargepole for this. Each to their own.

    Because of the reliance on strong passwords for Tutanota, ProtonMail etc, I would want/expect TFA to be supported, and one of those two has plans for that under their premium/paid service, as well as domain support.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.