Secure (not anonymous) email services

Discussion in 'privacy technology' started by _j_, Aug 7, 2010.

Thread Status:
Not open for further replies.
  1. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    Hello boys and girls,
    I'm looking for a secure email service; I know, I should really run my own mail server but I don't have the time or inclination. These specs are probably going to sound weird, but see them as an analogue to a house; I can secure the house and make sure nobody can get in unless I want to, they can still coerce the neighbors to spy on me as I walk in and out of the house but can't get into the house without walking over my dead body so to speak. So, I am ideally looking for a service that (below I'll use asymmetric cryptography to illustrate ideas, I have no preference for it in the actual implementation as long as the functionality requested is fulfilled):
    1. The provider cannot, by design, read my emails once they're stored on the server (and therefore no one can make them), something like incoming emails get encrypted with my public key before being written to disk, outgoing emails get sent then encrypted with my public key before being written to disk in my sent box
    2. Logs nothing
    3. Will let me use my own domain
    4. Is trustworthy
    5. Has high service reliability, i.e. uptime etc.
    6. Strips as much info from email headers etc as possible
    7. Doesn't cost an arm and a leg (I don't use email that much) I guess $100 would be ok, but $360 isn't

    I know that to some degree this doesn't make sense; at no point do I talk about the emails being secure while traveling the internet or on arrival with the recipient; that I would handle with PGP when it's an issue. Let's face it, the majority of people _will_not_ go through "the hassle" of encryption; they live in fluffy land and there's not much I can do about it (or at least have the energy to). Also anonymity is not an issue; as it will be used in everyday business it will easily be attributable to me for someone "a little connected" and/or have some time to waste.

    Now I know there are a lot of issues with the above, the first and foremost is trust (as mentioned elsewhere, not a good thing in cryptography); a provider can claim to fulfill all the points, his product may be completely open source, but how do we know he's running what he claims? Fine, external audits, but there are ways to get around that too..

    Obvious problems with my wish list are (I'm sure there's more):
    1. The provider cannot read my emails once they're stored on the server - clear text emails can still be sniffed going in and out (and elsewhere on the internet obviously) and under coercion the provider could obviously be made to eavesdrop on incoming and outgoing emails, this is ok, it is also ok that he can nuke my account, as long as what's already there is beyond his reach (he doesn't have my private key or equiv). I understand that under coercion he could be made to modify everything that comes/goes from/to the server, so basically all encryption/decryption needs to be done client side to assure that he doesn't get a hold of my private key. Also that there's some way of detecting that he's trying to alter stuff client side (changes of file hashes or whatever).
    2. Logs nothing - same thing, once the provider has a gun to his head (or cash on the table), all bets are off, he can now be expected to modify everything server side so that my access is logged, but nothing before that point should, by design, be available
    3. Will let me use my own domain - has nothing to do with privacy, but would be extra icing on the cake if they could handle DNS etc as I have at least one of Larry Wall's traits of a great programmer..
    4. Is trustworthy - Find some trail of trustworthiness
    5. Has high service reliability, i.e. uptime etc. - Here track record alone speaks I think, which means finding someone who's been doing this for a while
    6. Strips as much info from email headers etc as possible - the one thing that is easy
    7. Doesn't cost an arm and a leg (I don't use email that much) I guess $100 would be ok, but $360 isn't

    So, any ideas of anything that hits at least a couple of the points above?
    j
     
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Hmmmmm - you're not asking for much, are you?? :p

    Seriously though, I've run into the same issues as you (friends and contacts couldn't be bothered with securing email) and the only way to secure it is encrypt on one end (client side) and decrypt on the other (client side). That way while they sit on the server, they're protected.

    What users like us need to try is to make it as easy as possible for our contacts to use secure email. They don't want to install thunderbird with the enigmail extension and GPG4win. Or Instantcrypt if they only use a webmail interface.

    The only hope is a client/service such as Opolis - http://www.opolis.eu/index.html which creates secure email between users - and ask contacts if they'll create a new email address for secure communication.

    I think more would secure their email if it was easier.
     
  3. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Or you could try Zmail - https://zsentry.com/ZMAIL.htm

    Just ask your contacts to send email to you though it. They can use any email address they want. I've tried it and it works fine.

    Quote from their site - "These instructions guide you through the steps required to setup a custom 'From' address using your Gmail or Google Apps service, to seamlessly send and receive secure email ZSentry Mail (Zmail), also using PKI/X.509 and PGP. Supports Yahoo Mail, Microsoft Live, Hotmail, other providers and email addresses,
     
    Last edited: Aug 7, 2010
  4. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    OP,

    Just use any e-mail provider and encrypt all your e-mails. Pretty simple actually. If anyone gains access to your messages, what good will it do them if they're encrypted? That's how I roll.
     
  5. 58115

    58115 Registered Member

    Joined:
    Jan 8, 2010
    Posts:
    23
    Every provider is able to read the mail you store on their servers. I'd go to a huge provider that doesn't care about you personally or your mail. My recommendation is the new Windows Live Hotmail which is a nice package all around. They offer domain hosting (http://domains.live.com) and for $20 you get it all ad-free (http://www.gowindowslive.com/hotmailplus). In the near future they'll have ActiveSync which lets you sync mail, calendar and contacts seamlessly with Outlook or smartphones. An alternative is Gmail but you can't get it ad-free and it just doesn't look as nice as the new Hotmail.

    Don't go to a small provider with only a few thousand (or less) customers like zsentry. They don't have Microsoft's or Google's tech expertise. You don't know how well they back up everything or secure their servers. These are one or two person shops. If the person who runs that outfit has a bored moment, he might read your mail. I'd seriously only use something as big as Hotmail, Gmail or Yahoo Mail who each have several hundred million customers.
     
  6. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    Thanks for the input so far, however none of the propositions fulfill my "specs".. I am well aware of different methods of encrypting my emails etc. that's not the issue, the storage, logging and transparency for correspondents are..

    Neither fulfills my "specs" - neither are transparent to the correspondent - most will simply ignore the emails..

    Doesn't fulfill my "specs" - some recipients will simply ignore encrypted emails and most will certainly respond in clear..

    It is quite possible to do a technical solution where the service provider does not have the ability to read stored emails (see my examples); the question is if anyone has implemented it so far..

    Trust Microsoft or Google? That'll be the day...
    j
     
  7. 58115

    58115 Registered Member

    Joined:
    Jan 8, 2010
    Posts:
    23
    A provider doing what you want most likely doesn't exist. If it is important to you that there is no person on the provider's site reading your mail, go to one of the big three I mentioned. That's the next best thing.

    I'd rather trust Google or Microsoft than some small outfit promising the things you are after.

    EDIT: To some extent Hushmail may fulfill your specs. Your mail is stored encrypted on their servers but IIRC years ago there was a story that they handed over some guy's encrypted mail together with his private key to the authorities. But in your case, you said others won't encrypt their mail to you, that should be enough. I suspect you receive "normal" mail like everyone else but are paranoid about an admin snooping through your little secrets. Again, I'd rather go to the "big three".
     
    Last edited: Aug 8, 2010
  8. 58115

    58115 Registered Member

    Joined:
    Jan 8, 2010
    Posts:
    23
    I just read a bit about Hushmail and their "Premium Business" package doesn't look bad at all for $4 a month: http://www.hushmail.com/services/business/features/all. They are also developing a new web-interface which will go public beta soon. Really not bad. I'll keep an eye on it.
     
  9. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    They have a backdoor built in and don't seem to have a problem turning over your info if asked so would certainly not recommend Hushmail.
     
  10. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    That's all fine and dandy if your contacts all encrypt. But the fact of the matter is most email users at this point in time, can't be bothered with securing their email :(
     
  11. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Please re-read my first sentence to you

    All your specs aren't out there, and that is the reason why you're asking here. You haven't found it with your searching because it doesn't exist ;)

    The closest you'll get is Zsentry. Even though your emails are encrypted, your contacts can decrypt easily without practicing email encryption. They can encrypt to you in a simple way using whichever email address they like.

    As far as I can see, the only thing missing with Zsentry is transparency - emails are sitting on their servers encrypted but can they be backdoored o_O? But I think you have to say that with all of them and will only gain full trust by owning and running your own server.
     
  12. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    First off, if I came/come off as rude, I apologize, it's not my intention.

    There is one service that, at least on paper and what I've gathered from different discussions on other forums, fulfill all those specs; countermail.com. However countermail.com has two problems; it's based in Sweden, a country that is becoming more and more 1984 for every day (not up there with the UK yet, but seems to be working hard on it). Secondly it has no track record, there is no one that can vouch for it; they might have the most fantastic technical implementation or just be BS'ing everyone, hard to know.

    Hushmail gets discarded because of what their previous track record says about their technical implementation. I have no illusion of an enterprise saying "no, we'd rather go to jail than give you the info", the issue I have is that they claimed their technical implementation would prevent them from doing what they then did (if that sentence made any sense). Albeit, from what I gather the accounts "internally hacked" were done so via the user using the https login and not the Java applet.. Also it would be awesome to have an email address that doesn't make every correspondent think of online pharmacies..

    I would put trust in a service headed by a well known computer geek, preferably "on a crusade"; if Bruce Schneier would write an email server that claimed to do the above and then was run by Richard Stallman (I have no special affinity for either, it was just an example) I would put a fair bit of trust in the technical solution..

    I was sort of guessing that my specs were a bit too much out there to find a plethora of options, but I thought I'd ask..

    Thanks
    j
     
    Last edited: Aug 8, 2010
  13. microbial

    microbial Registered Member

    Joined:
    Aug 26, 2009
    Posts:
    156
    Location:
    UK
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    The answer to that is to encrypt it. Pretty simple. No matter what e-mail provider one uses, there is *always* going to be the threat of someone reading your mail. The answer is PGP.
     
  15. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    It isn't my fault that your contacts are too lazy to use PGP. If your e-mails are that important, they should learn to use it.

    You know, I wish I had a Porsche in my garage and a Victoria's Secret model in my bed, but it probably ain't happening anytime soon.
     
  16. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    So just to demonstrate the possibility of creating such a service as comments indicating "it can't be done" seem to pop up all the time; what follows is obviously a _very_ simplified example of how to do it with asymmetric encryption.

    1. NN creates an account, nn@nn.org, by creating user/pass as usual but also supplies a public key (i.e. NN generates the key pair himself with whatever software he wants, he then copy-pastes the public key) over some sort of encrypted connection, let's say via a browser and https. Account details and public key get stored in a table with the email address on a "storage server".
    2. Incoming mail server has no hard drive, only a Live CD with a script that is run for each email which takes the recipient address, puts a request to the "storage server" and gets the corresponding public key back, encrypts the email and then passes it to the "storage server" which pushes the entire thing (all of it is encrypted, including headers) on the addressee's mail spooler (obviously not a vanilla spooler to allow that format) and then the RAM is overwritten with the text "lamerlamerlamerlamer....".
    3. NN connects to the "storage server" using his credentials and gets access to his spooler; but all the contents are still encrypted; NN downloads the items and decrypts with his private key on his machine, which has never been anywhere near any of service providers machines.
    4. NN replies, outgoing email is sent in clear over the encrypted tunnel to the outgoing mailserver which also doesn't have any hard disk, only a Live CD with a script that sends a request to the "storage server" with the sender's email address and gets the corresponding public key in return, sends the email then encrypts it with the public key and pushes it to the "storage server" and NN's mail spooler; an encrypted copy in the sent box and then the RAM is overwritten with the text "lamerlamerlamerlamerlamer..."
    5. At this point someone walks in with a gun or a trillion dollars and says "I want all emails to/from nn@nn.org"; the service provider cannot give out anything but the encrypted emails, as the private key has never been near the provider there is not much to do but try to brute force.. Good luck with that..
    6. At this point however the gun/cash wielder can say "Well I want everything from now on", this is hard to defend against as the provider now makes a new Live CD where the script sends a copy of all incoming/outgoing mails to snitch@nn.org before encrypting, pushing to spooler and overwriting RAM. This is obviously an issue but I don't really see what can be done about it; at any rate the gun/cash wielder could just sniff the traffic upstream. Unless you want to forbid unencrypted emails which isn't practically plausible for most; the majority of other recipients will simply not communicate with you "Hi, I'm calling because I want to send you my unsolicited CV by email, could you please install PGP and create a key pair and read me back the public key? You don't know what PGP is? Ok could you please ............................................"

    The above was just a really rough description of one way of doing it, there's lots of stuff to add to make it a real implementation (have to write the spooler, the client, modify Sendmail or similar, etc, etc.). There are technical faults above but you get the idea..

    As mentioned if NN wanted end to end encryption that will be solved outside the provider (NN encrypts the outgoing email with the recipients public key and vice versa).

    And yes, there's a significant trust issue here that the provider is actually doing what he says and not something else; he could be cc:ing snitch@nn.org from the get go..

    j
     
  17. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    I didn't say it was your fault; your answer was a good one, but not to my question.
     
  18. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343

    All of that requires you *trust* the provider. Do you really want to put your trust in a third-party? Not me. I would rather put the trust in myself and in the difficulty of factoring large primes (a well studied and unsolved problem). Then I would teach my contacts how to generate and manage their own keys. Once it's setup, it's quick and easy to use.

    But, hey, some people just like complicated solutions -- solutions that typically end up screwing them.
     
  19. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Privacy policy Last modified - August 2004
    The Website itself looks like December 2005
    Kind of old don't you think
     
  20. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    You live in a different world than I, which is fine, but your solution is not viable in my world; if it works for you, all the power to you.
    j
     
  21. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    I envy you because most of my contacts just don't want to be bothered :( despite me supplying an email list of the various free encryption solutions.

    Could you or anyone else comment on Zsentry and any weakness, negatives with this service besides the possibility of a hushmail type backdoor o_O ?
     
  22. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Just tried going there but appears to be down :D
     
  23. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    Strange, works for me.. The site uses redirects, http referrer and Java so you need to allow that for countermail.com and verisign.net.

    j
     
  24. Less

    Less Registered Member

    Joined:
    Dec 24, 2008
    Posts:
    248

    is countermail secured?
     
  25. _j_

    _j_ Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    12
    From what they claim, yes; but see my two question marks above with countermail.com

    j
     