What is the best encrypted email provider?

Discussion in 'privacy technology' started by ackzor20, Mar 3, 2012.

Thread Status:
Not open for further replies.
  1. ackzor20

    ackzor20 Registered Member

    Joined:
    Feb 15, 2012
    Posts:
    17
    What is the best encrypted email provider that doesn't give out IP addresses and that doesn't have access to the mail themselves. The only good one I know is countermail but they use java which is bad, right?
     
  2. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    212
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    If you're worried about having your IP address revealed, use a good VPN. If it really matters, tunnel the VPN through Tor, and pay for it anonymously. If you want privacy, use Thunderbird with Enigmail. If you want total anonymity and privacy, use remailer chains and alt.anonymous.messages (and be very patient). If you're too lazy for any of that, Countermail is your best bet. But don't use that browser with Java for other web access.
     
  4. ackzor20

    ackzor20 Registered Member

    Joined:
    Feb 15, 2012
    Posts:
    17
    Well, a VPN will give out any information to any authority if asked, right? And you never know if they keep loggs.

    The problem with countermail is that you need java to create an account and to keep paying the subscriptions.. and to make some other configurations, right? Isn't there a better alternative to Countermail?

    If not, I pressume countermail routet through TOR with Thunderbird is the best option?
     
  5. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    I wrote a post earlier about Java, and also TOR:
    https://www.wilderssecurity.com/showpost.php?p=1986138&postcount=90

    In my opinion you will decrease the security by using TOR with our service, and we don't log IP-addresses anyway.

    I hope you don't think that we put a backdoor or anything dangerous in our applet? If we did, our business would be ruined, and years of work would be wasted. As long as the applet is signed by our company, Intergrid AB, the risk for malware is almost non-existent.

    But as I wrote before, you can also use a virtual OS where you run the Java-enabled browser, like Virtualbox, or a from Live-CD etc.
    Edit: It might be worth mentioning that Windows 7 (Pro/Ultimate/Ent) have a free Virtual Windows PC (XP), which works fine: http://www.microsoft.com/windows/virtual-pc/download.aspx
     
    Last edited: Mar 4, 2012
  6. ackzor20

    ackzor20 Registered Member

    Joined:
    Feb 15, 2012
    Posts:
    17
    But if the police asks you, you have to cooperate with getting the IP don't you? Isn't that exactly what happend with Husmail? How can a user know that you don't start logging IPs all of a sudden? Out of curiosity, what would happen if the police asked you to start cooperating with them? Has no agency ever in the history of your company ever asked you to give out information or cooperate? What was your response?

    Oh and as a side-question, do you store creditcard information or liberty reserve account information?
     
  7. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    We do not have to log IP-adresses in Sweden, see my earlier posts, like this one: https://www.wilderssecurity.com/showpost.php?p=1992477&postcount=93

    With a service like ours there will always be a risk of some people abusing it. Yes, we've had a few cases when the police asked us about account-info, like IP and password, and we have always responded that we do not store such information, which they have accepted. As long as we follow the law we have nothing to worry about. It's only the email headers that are unencrypted*, in one fraud-case we found an email stored in the Sent-folder, this email was sent to a personal Hotmail address, the police wanted that Hotmail-address. So I suppose the police contacted Microsoft to advance in that case.

    Yes, we have to cooperate with the Swedish police, but we can not give them information that we don't store.

    *=From,To,Subject,Date. The SMTP/IMAP protocol do not support encrypted email headers, but later this year we are going to create a converter where you can select any email folder and convert it to a pure database version of the folder, then the email headers will also be encrypted. The only disadvantage with this is that the database-folder will only be visible from our webmail interface.

    Yes, we store them for 14 days to be able to follow the law which says that every user have the right to a refund (within 14 days from the purchase). Our cron-script automatically deletes personal info after this period. The payment provider may store info longer, but we don't.
     
    Last edited: Mar 4, 2012
  8. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    can the swedish authority request providers to start logging?
     
  9. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Not the ordinary police, but the swedish security police (SÄPO) might be able to do that if there is a serious threat to the whole nation. We have not had such a case yet. As far as I know, every country have these exceptions in their laws. I would not recommend using our service if you are planning to detonate a nuclear bomb ;)
     
    Last edited: Mar 4, 2012
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Thanks for the info CM. It's nice to have the vendor answer questions in a direct manner. SMTP Smart Host please :D

    PD
     
  11. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Thanks. Does your ISP have port 25 open? Here in Sweden most ISP:s have closed that port to prevent private spamming SMTP servers.
     
  12. ackzor20

    ackzor20 Registered Member

    Joined:
    Feb 15, 2012
    Posts:
    17
    So if I use something like TOR Box I can use your services with the Java Enabled Browser without revealing my IP? Would you say that is better than using a client like Thunderbird through TOR?

    Also, is SSL safe enough to use TOR through your service, I might of missunderstood, but would it be safer to use the USB key because that would make it impossible for MITM attacks?
     
  13. Less

    Less Registered Member

    Joined:
    Dec 24, 2008
    Posts:
    288
    any promo for countermail?
     
  14. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    You can use TOR if you have java enabled. But as I wrote earlier, it's even better to not use TOR, since we don't store IP-adresses, by using TOR you are adding an unknown third party. We have had some police requests regarding IP-addresses, but since we don't store IP:s we can't give them any, and they have accepted that. In our country there are no laws requiring us to store IP-adresses or passwords.

    When using a third party client like Thunderbird you will only connect to our proxy, your IP will not be forwarded or stored anywhere.

    Thunderbird do not have the same protection against SSL-MITM as our Java-applet have. Same with DNS-spoofing, our applet will detect spoofing, a third party client like Thunderbird will not do that.

    The USB-keyfile will make your password much stronger by adding 512 random bits. These bits will also be added to the protection of your private PGP-keyring. The USB will also give a really good protection against keyloggers. USB works only with our Java-applet.

    SSL gives a decent protection, but it will not give full protection against some advanced organizations or criminals, some examples below:
    https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
    https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google
    http://www.theinquirer.net/inquirer/news/2106065/major-domains-targeted-diginotar-ssl-attack
    http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
    http://technet.microsoft.com/en-us/security/bulletin/ms12-006
    http://files.cloudprivacy.net/ssl-mitm.pdf
    http://www.wired.com/threatlevel/2011/03/comodo-compromise/
    http://www.wired.com/threatlevel/2010/03/packet-forensics/
    http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/
    http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202
     
  15. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    It does if you use PGP/GPG directly.

    Also, I LOL'ed at your pic of the USB key next to a cigarette on your website. You said "We do not endorse smoking, this is just for comparison purposes." :thumb:

    Couldn't you have found an ink pen or something? LOL

    EDIT:

    Also I found this incorrect info on your website:

    A 512 bit RSA key was brute forced publicly in 1999. A 768 bit key was brute forced publicly in 2009. And 1024 bit keys will not be safe for decades (it wont be long before they are brute forced. NSA likely already does it). NIST has already recommended that 1024 bit keys be dropped by 2010 (2 years ago).
     
    Last edited: Apr 24, 2012
  16. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Not fully, you will be able to see the sender and the recipient, and the account username. In some cases that could be dangerous info.

    Thanks, yes, the info on that page was old :)
     
  17. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    According to the description/picture on your website here, only the mail body is encrypted with the recipients public key by the CounterMail engine, before being sent over SSL. How is this more secure than Thunderbird (From, To, Subject still remain visible to SSL-MITM) ?

    To be more secure, the CounterMail engine should still encrypt the body with the recipients public key first, but then encrypt everything (including all headers) with the public key of the CounterMail server.

    If this is how it already works, the description on the web page needs updating to reflect this.
     
  18. xM5

    xM5 Registered Member

    Joined:
    May 27, 2012
    Posts:
    8
    Location:
    International
    por que? what do you mean by this? so if I use firefox and countermail, don't use firefox to browse the web also?
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Java in Firefox is dangerous, because of its capabilities.
     
  20. xM5

    xM5 Registered Member

    Joined:
    May 27, 2012
    Posts:
    8
    Location:
    International
    any comment on the below, it is from 2010..

    As far as Relakks and Ipredator are concerned since they are in Sweden I don't know if this is still a problem for using a Swedish service;

    In June the Swedish parliament passed a controversial surveillance law that gives authorities a mandate to read all email and listen in on all phone calls without warrant or court order. In response to the law, The Pirate Party organized rallies, bloggers and journalists turned into activists, and even Google decided to relocate their servers.

    http://torrentfreak.com/swedes-massi...ap-law-080707/
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.