Encryption of email in storage. Available?

Discussion in 'privacy technology' started by Higashi, Jan 26, 2009.

Thread Status:
Not open for further replies.
  1. Higashi

    Higashi Registered Member

    Joined:
    Jan 26, 2009
    Posts:
    6
    Hey,

    I have been using Gmail for years and have got into the habit of archiving email (instead of deleting) and am used to having gigs of emails available online to reference whenever I need. This data in its entirety would be very valuable to anyone trying to steal my identity or harm me in any way and I don't like the idea of it being available to Google for the development of their advertising business. I have recently downloaded all my email off Gmail and closed my account.

    What I need is a service which I can access via IMAP and which will encrypt my email before storing to disk and give me sole control over the private key (including its generation preferably). i.e. not even the service provider can read my emails. I am not interested in sending/receiving secure emails - simply because they are not individually confidential. I have my own dedicated server which I have considered using so that I have full control over the message store, but I have no idea if there is any software available to encrypt the message store. I also believe that most email providers would have the resources to keep their servers more secure than I could keep my own.

    Do any services exist which offer this? I have only come across lavabit.com and haven't got a very good impression based on some other reviews.

    Any advice is appreciated. Thank you.
     
  2. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    As usual, XeroBank does remote encrypted IMAP. Connection by encryption only, emails are stored encrypted with your own password. Unlike hushmail, XB can't decrypt your email.
     
  4. Higashi

    Higashi Registered Member

    Joined:
    Jan 26, 2009
    Posts:
    6
    Thanks, I've ignored hushmail because of their recent privacy leak and keptprivate doesn't inspire much confidence. If you look at their Links page, it has links to anabolic bodybuilding websites o_O I'm looking for a service to use long term, one I can trust for decades, unfortunately neither of those fit the bill, but thanks!

    Thanks, nice site but I've browsed around and can't find any information about the encrypted IMAP service. I found these links but they all 404. I also found it particularly difficult to get a list of services offered and a price list. However, after choosing the identity protection service I got a price of $35 pm on checkout. Is this what I'm expected to pay for encrypted email? (I'm not interested in a VPN). I appreciate any advice.
     
  5. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    May I ask why you don't feel confident with lavabit?
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    You're right. Do you mind if I quote you to management? We can probably get that cleared up rather quickly.
     
  7. Higashi

    Higashi Registered Member

    Joined:
    Jan 26, 2009
    Posts:
    6
    Mostly because of the statement below from their privacy policy. I don't understand why a company so passionate about privacy would choose not to strip the headers.


    On a final note, the Lavabit e-mail servers do record the IP address used to send an outgoing message in the header of an outgoing e-mail. Because of this, it is possible for the recipient of a message to identify what IP was used to send a message. We record this information in the message header so that law enforcement officials in possession of a message that violates the law can identify the original sender. Lavabit does not retain this information.



    Sure, no problem.
     
  8. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    hushmail is no good. I don't trust any web based Email. Use GPG.
     
  9. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
  10. TKHgva

    TKHgva Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    77
    Location:
    Confoederatio Helvetica
    Hello Higashi,

    I saw this post is dated from over a month, but thought that you might still be subscribed to the thread and perhaps still looking for a decent and secure email services provider.

    I have been looking for a new email service myself, preferably with a paying subscription, for similar reasons as yours. It's quite tough to get past the marketing promises of "secure email" and find what one is looking for.

    I'm no expert in encryption/internet security, nevertheless here are my personal opinions for the email services I have either come across or eventually tested:

    I looked at MuteMail and 4SecureMail websites but they didn't inspire much. MuteMail's FAQ resembles very much another service I saw and seems like it's inspired by looking at what others do on their website (personal opinion). 4SecureMail looks more sincere and transparent (personal opinion).

    I have tried Hushmail free service (signed up before reading the famous privacy breach articles) just to give it a try. It's slow on loading pages and in the free version commercial links (more than one) are embedded in outgoing email, which I didn't like. It's ok to embed commercial links, everyone has to pay fixed costs and bills, as long as it's in the emails that we see. But it's not very nice to send emails to our contacts with advertisements inside the messages. I failed to clearly see a statement or a mention of this practice before signing up to Hushmail, so I feel like it was not very honest.

    I visited the Lavabit website and then opened a free account to check it out. Despite what you said in your argument for not choosing Lavabit, I have to say that at least they clearly and openly state how they practice advertisement in messages for the free personal account (only in incoming messages) and also why they practice it. I have to give them credit for this because at least you know what to expect when signing up for free.
    Also, they provide detailed info on their email service without the marketing hype and give you a clear picture of who they are. I also liked their positions and philosophy regarding privacy. They seem to use moral values/principles as a motor for their project rather than a marketing tool. So they kind of stand out in my opinion.
    Works easily with Thunderbird for example, however, webmail is lacking a bit in features. But I believe they are progressing rapidly and adding improvements to all their services.

    All in all, it appeared like the most "transparent" of the email services providers I came across (personal opinion).

    However, as you stated, IP address isn't masked.

    Another one I've been researching and seriously considering is NeoMailbox. They offer anonymous surfing as well but apparently it's for light browsing. I'm more looking at the offshore secure email service.

    Regarding your initial post, they do offer anonymous IP and secure email to/from their servers which are either US or Netherlands-based. Encrypting messages yourself for end-to-end encryption is also possible (see the FAQ here).

    Netherlands has good/above average privacy protection laws regarding personal data from what I read (read more here). I'm enquiring if they will offer secure email on Swiss servers. Living in Switzerland, I know that there is one of the strongest data protection policies here (everyone knows how Swiss banks are famous for protecting the privacy of account holders despite EU and international pressure to stop this practice. The Swiss federal government backs this up - except for the last UBS affair. Also, remember Switzerland is not an EU member but has certain bi-lateral agreements with EU, thus safeguarding its ability to practice policies more independently).

    NeoMailbox's policy on keeping logs might interest you. Here.

    I have also enquired regarding the initial criteria you posted: Encryption of email in storage. I failed to see on the website if NeoMailbox encrypts on the servers. Awaiting a reply from them and will add a post here when they send the info. Perhaps you might be interested to learn about their server infrastructure and security measures they take. Here.

    Apologies for a long post. Hope any of this helps.

    Would be very interested to hear any feedback on other services that you or anyone has investigated and which provides precisely what you posted here for: Encryption of email in storage.

    Best regards.
     
  11. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    You would be better off to just use GPG. If you are a business and don't want to force clients to use GPG, keep in mind that encrypted E-mail services only usually encrypt messages within their service and their affiliates' services. For example, Hushmail accounts will only send encrypted E-mail to other hushmail accounts and their affiliate cyber-rights. If you E-mail from hushmail to yahoo or hotmail, it won't be encrypted. Not that it really matters since hushmail encryption is a snake oil implementation anyways.

    So using GPG is the best choice, you give your clients the option to learn to use it. Just like if you use hushmail you give your clients the option to use hushmail too. The difference is that if you and your clients choose to use GPG, you will actually be secure, if you and your clients choose to use hushmail you will be using a flawed security model.

    The best way to use GPG is to use RSA for key distribution and symmetric encryption for the actual messages, but RSA/elgamal for messages should be fine too I think.
     
  12. TKHgva

    TKHgva Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    77
    Location:
    Confoederatio Helvetica
    Here is a reply from Neomailbox support regarding server encryption:

    Q. "Is Secure Email on Swiss server a feature you might offer in the
    future?"

    A. Yes, we hope to introduce this in the next few months.

    Q. "If so, is it possible to change to Swiss server after one has
    registered with you on Offshore Secure Email Netherlands?"

    A. Yes, we will offer the option to upgrade from Netherlands to Swiss hosted Secure Email service.

    Q. "Are you able to provide info regarding encryption of
    emails while stored on the Netherlands server (some brief info on
    the encryption process, for ex.: is it done before emails are saved)?"

    A. Messages are not encrypted for storage on the server. They are encrypted while in transit between our servers and your computer. If you'd like to keep your emails encrypted through their entire journey you would need to use end-to-end encryption software such as PGP (which is also supported in our alternate webmail system).


    n33m3rz,

    Thanks for the advice with GNU PG. Also for your advice on key distribution. I'm still in the learning stages and I'm basically trying to educate myself to use the GPG. As someone said in another post "People should educate themselves on how to use these systems to encrypt communications as unsecure communication through eMail is one of the major flaws in internet". It's true we aren't really aware of the insecurity surrounding our internet communications; at least for the majority of users communicating daily very personal info that could be misused or taken advantage of.

    You know, about Hushmail, I've used the free version to make an idea. Their system is quite practical if one wishes to send a secure message to someone else who is not familiar with encryption/decryption process or who uses eMail services other than Hushmail: we send the message from Hushmail and choose a security question and answer, the latter being transmitted by our care to the receiver. That person receives a first message informing them why they received it and what it is (secure email etc). They are then brought to a Hushmail page where they can insert the password/answer, then they can read the message. Quite practical as a solution, but not that practical if secure communications are to be done on regular basis. I think you're right about being better off using GPG.

    As general feedback on Hushmail: once the user signs into the Hushmail account (but not yet given the passphrase), one can "enable java" for added security or disable this feature. Hushmail free is available on webmail, and the premium service enables one to get eMail through desktop client. However, I would say that from the time I sign in to actually being able to see my inbox on webmail, quite some time has passed by. The pages are quite slow to load, even with java disabled. Also, the user interface, although I like it because simple, is not really practical/user friendly.

    After testing and articles I've read, I'm not going to continue with it.

    However, as you say it's better to get used to using a system like GNU PG, to get into the habit of having more "control" over one's communications and to avoid the other things you mentioned.
     
    Last edited: Mar 2, 2009