Recommended e-mail ?

35 replies [Last post]
Jayn
Offline
Joined: 08/27/2010

Does anyone recommend a particular web-mail service that meets the approval of the Free world? Also, how would I go about encrypting my mail? I am switching from GMX mail, btw.

SirGrant

I am a member!

I am a translator!

Offline
Joined: 07/27/2010

Unfortunately I don't think there is a web-mail service that meets approval of the free world. Really the ideal mail service would be you run your own email server. People are working on making this easy with projects like the freedombox. Any other situation where you aren't running your own server you are basically putting faith in another group and often times that group is motivated by $$. That makes them potentially untrustworthy. It also puts them at the whim of governments who may take an interest.

As far as encryption goes see this manual (http://trisquel.info/en/wiki/email-encryption).

adherry

I am a member!

Offline
Joined: 04/19/2011

Unfortunately it seems like Freedombox will still take a long time until release.

Jayn
Offline
Joined: 08/27/2010

I get "access denied" when trying to access the manual page...

SirGrant

I am a member!

I am a translator!

Offline
Joined: 07/27/2010

Mmm the page may have been closed because there was a problem with it earlier. I'll talk to the distro maintainer about reopening it. You might just have to bookmark it and check back later.

SirGrant

I am a member!

I am a translator!

Offline
Joined: 07/27/2010

Ok well for now check out (http://enigmail.mozdev.org/documentation/quickstart.php.html). You will need thunderbird and enigmail both of which are in the repos. Unfortunately I am having trouble getting in touch w/ the guy who can unlock that manual. He is awake while I'm at work and since we are in different time-zones I haven't been able to talk to him. I'll try to get it unlocked as soon as I can.

SirGrant

I am a member!

I am a translator!

Offline
Joined: 07/27/2010

Manual is unlocked.

Jayn
Offline
Joined: 08/27/2010

Thanks for the quick reply! I am researching the Freedom Box right now actually... So you all run your own mail servers? I kind of need to use web mail for now until I am a better hacker (or the Freedom box gets more mainstream)

SirGrant

I am a member!

I am a translator!

Offline
Joined: 07/27/2010

The freedombox is in development and isn't released. Unfortunately I don't run my own email server. Setting one up is a tad difficult (but not impossible). I am guilty and use gmail. It definitely isn't an ideal solution.

You can setup your own server and still have webmail using squirrellmail. Squirrelmail is in the repos so you could install that. You would have to read the documentation (http://squirrelmail.org/documentation/) on how to set it up because I have never done it myself so I can't help you with that. However I do know someone who has run their own email server for a while so if you really want I could help you get in touch with him.

Ok, I have to go to bed. I'll check back tomorrow. Good night.

adherry

I am a member!

Offline
Joined: 04/19/2011

Would not recommend the further use of GMX, heise once tested what happens with various Mail Providers when the owner dies. GMX sent the plain Password after receiving the "death documents" so I would not trust it.

teodorescup

I am a member!

Offline
Joined: 01/04/2011

As far as I know people don't usually put real info, on any web form (except banking), so this vulnerability is relative since the death papers are certainly not issued for "Daffy Duck" from Fuckville USA.
Also, a user can backup/store his messages offsite/home because GMX offers free IMAP(and pop3).

__
| FSF.org | EFF.org | Tor | Flattr | h-node |

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

I don't run my own mail server, just rent one, since I run a website and the mailserver comes with it. It even has squirrelmail preinstalled!

bluejupiter
Offline
Joined: 02/12/2011

I use Zoho mail and I prefer that to Gmail. I don't think they use your email content to give you ads, etc., more privacy.

Jayn
Offline
Joined: 08/27/2010

I found dragoncrypt.com and have been using it for 2 days now.

trisquel.im
Offline
Joined: 04/14/2011

Your best off with rockmail.com (Y!ahoo division) as that seems to have gone through all the hoops concerning average mail and email services since 2008.

quiliro@congresolibre.org
Offline
Joined: 10/28/2010

On 13/07/11 02:45, name at domain wrote:
> Does anyone recommend a particular web-mail service that meets the
> approval of the Free world?

If you do not have the knowledge how to set up a mail server, use
riseup.net . It is not your own server so try to get your own server as
the next step.

lembas
Offline
Joined: 05/13/2010

These guys run a bunch of services all on free software and for gratis (donations). No first hand experience though.

http://ninthfloor.org/

apvp
Offline
Joined: 12/10/2011

You could also check out https://www.hushmail.com

The problem with the free version of Hushmail is that you have only 25 MB storage, and you have to sign in at least once every three weaks... but you should consider taking a look at it.

SirGrant

I am a member!

I am a translator!

Offline
Joined: 07/27/2010

I wouldn't recommend hushmail. Hushmail basically uses PGP encryption to encrypt the email. Trisquel already has the software to do all this. See the documentation on email encryption. In fact I would rather use a service like gmail w/ GPG that is run on my own computer then hushmail. Essentially a private key consists of a file and a password. At least with GPG + gmail if I encrypt it on my computer and send it via gmail they (google) can't decrypt it while it is on their servers. However in the case of hushmail they have your private key which they generated (you don't want others to have your private key) and you type your password into their website. There is nothing to prevent them from recording that password and decrypting all your email.

I would consider hushmail SaaS or at least psuedo-SaaS. Do your own encryption on your own computer. Trisquel already comes with GPG installed by default. Don't let someone else manage your private key for you.

lembas
Offline
Joined: 05/13/2010

Here's more why you should do any encryption yourself http://en.wikipedia.org/wiki/Hushmail#Controversy

apvp
Offline
Joined: 12/10/2011

Yeah... You're absolutely right about hushmail. I really don't need encryption in e-mail, but i wanted a less corporate webmail provider whose servers wouldn't be so susceptible to "outside interference".

I don't know... I really don't think there is one.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

I bought email with a personal domain for a friend recently as a gift.
I chose one with a datacentre in the same country as us because then
her legal insurance will cover her enforcing what rights she has. It
was simply the least worst compromise because of her being unable to
run her own server.

I suggest you review your thinking about email encryption - the
guidance is best said 'if you wouldn't put it on a postcard, encrypt
it.' The test is privacy, not secrecy.

Leny

On Mon, 12 Dec 2011 16:11:27 +0100 (CET)
name at domain wrote:

> Yeah... You're absolutely right about hushmail. I really don't need
> encryption in e-mail, but i wanted a less corporate webmail provider
> whose servers wouldn't be so susceptible to "outside interference".
>
> I don't know... I really don't think there is one.

SirGrant

I am a member!

I am a translator!

Offline
Joined: 07/27/2010

I agree with you. Definitely look into using GPG with your email if you can. Even if you feel you don't need to encrypt your email. Let me try to convince you why you (and IMO everyone else) should.

  • Firstly using GPG also comes with this nifty backwards feature called signing. That way you can be sure it hasn't been modified by anyone in the middle and you can be sure of who you are emailing.
  • Leny2010 is right, it is about privacy not necessarily (although possibly) secrecy. Lets say I want to email my Dad about something totally innocent. Say where to have lunch this Friday. This is totally boring and innocent subject. I will still encrypt my email to my Dad. This is because it simply isn't anyone else's business to know that information. Not because I have something to hide. I just don't want anyone else reading my emails. IMO if I send an email to my Dad it should just be between me and my Dad. Not me, my Dad, and google. Privacy is about sharing (and not sharing) what you want with who you want.
  • If you think people/computers don't read (or at least have the capability) your email you are honestly kidding yourself. Google's computers read your email all the time. Take the above scenario. If I email my Dad unencrypted they would pop up a bunch of ad's for me about where to go have lunch. They probably even know so much about you that they know what kinds of food you like.
  • Even if I have nothing to hide that doesn't mean I want to show everything.
  • Lets say you send 100 emails. 1 of them contains sensitive information that should be encrypted. The rest are boring uninteresting emails. If I am an attacker monitoring your emails and you send 99 unencrypted emails and 1 encrypted. If I am going to try to crack your encryption well then I just focus on the one (which probably contains the important info). However, if you routinely encrypt everything they won't know which one contains the info and makes their job way way harder.
leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

I think it is important emphasize that what is or is not private
differs between people and is a matter of personal choice. Encryption
merely ensures that choice has effect.

To illustrate that I'll say that my personal privacy choices are more
about what would cause embarrassment, or be a faux pas if taken out of
context. After all, here in the UK we know especially well that there
is no telling if or when your electronic communications and personal
life might be subject to the scrutiny and willful misconstrual by some
prurient journalist and make a victim out of you. q.v. News of the
World / Milly Dowler / Levenson

http://www.guardian.co.uk/media/2011/dec/12/leveson-inquiry-milly-dowler-voicemail

Leny

On Tue, 13 Dec 2011 03:59:02 +0100 (CET)
name at domain wrote:
> google. Privacy is about sharing (and not sharing) what you want
> with who you want.

>
> *Even if I have nothing to hide that doesn't mean I want to show
> everything.
>

rod
rod
Offline
Joined: 12/07/2011

That's very interesting. After reading your messages and the owni news today about cryptography and network spying (www.owni.fr, it's in french), I'm convinced. I think that you're right SirGrant. It's not about secrecy but privacy. We can live in a "Rechtsstaat", trust the laws of our countries, and want some privacy. We can even think that these laws and our justice will fight for this privacy. It's like our home, we don't want cameras in it. We don't need a door which looks like the door of a bank safe, but we still put a bolt. These comparisons are a little bit shaky, but this distinction between privacy and secrecy is very important. We can even see it in the evolution of the government reactions against cryptography. At the beginning, it was illegal and considered like military materials, and today some governments recommend for example their firms to teach their employees how to encrypt emails, etc.

But I don't know a lot about all that stuff and I'm asking myself two questions.

1) If we use cryptography for emails or even surfing in this kind of "Rechtstaat" for example in Europe, like with the freedombox, don't we put on us a mark a suspicion ? Don't we draw authorities attention to us and our banal activities (like you said, sending email to our relatives) ?
It's like we want to hide something (it's an argument of the Google's CEO) and we don't trust our laws, and even anybody. After that they will perhaps want to know more seriously what we're doing (even if we have a crypted Internet).

2) When we use for example, google to research some informations, don't they know our interests and save it ? Or could we use google with some security guarantees ?

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

> 1) If we use cryptography for emails or even surfing in this kind of
> "Rechtstaat" for example in Europe, like with the freedombox, don't we
> put on us a mark a suspicion ? Don't we draw authorities attention to
> us and our banal activities (like you said, sending email to our
> relatives) ?

If enough people use encryption, it won't be a problem.

Using encryption for online banking is very common, although it's not a
good example since it doesn't prevent the government from getting all
the data from the bank, which is easier with a small number of known big
banks.

> It's like we want to hide something (it's an argument of the Google's
> CEO) and we don't trust our laws, and even anybody. After that they
> will perhaps want to know more seriously what we're doing (even if we
> have a crypted Internet).

With sufficiently good cryptography (if it's used correctly) a
government won't decrypt your emails. In the UK it's required to give
the keys to them if they ask, I don't know if any other state does this.
So even if they want to, they won't know more about us.

Any practical way of blocking a big decentralized encrypted network
would probably also prevent at least online banking from working (or
being secure), I don't expect an European government to do this.

> 2) When we use for example, google to research some informations,
> don't they know our interests and save it ? Or could we use google
> with some security guarantees ?

Some use https://ssl.scroogle.org/ so it's not identified with other
queries or the user (but it also needs trusting a single organization).
Maybe a distributed search engine like YaCy solves this problem (I never
used it).

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

On Tue, 13 Dec 2011 11:16:38 +0100
name at domain (Michał Masłowski) wrote:

> > 1) If we use cryptography for emails or even surfing in this kind of
> > "Rechtstaat" for example in Europe, like with the freedombox, don't
> > we put on us a mark a suspicion ? Don't we draw authorities
> > attention to us and our banal activities (like you said, sending
> > email to our relatives) ?
>
> If enough people use encryption, it won't be a problem.

Related to this is the point that the overwhelming use of email
encryption is for what is _merely_ privacy. It is in fact no more
incriminating than having frosted glass and a lock on the door of the
bathroom. Conversely you can see that some current webmail services
are like having CCTV in each cubicle of a public restroom.

Normalizing encryption as the privacy of the bathroom door has an
ethical imperative. Because if everybody used it as privacy then
people like human rights actvitists etc. who need encryption for the
secrecy are then undetectable.

Leny

sphynx
Offline
Joined: 11/30/2011

Trying to escape from surveillance, unsecurity, Fear, Uncertainty and Doubt, I stopped using Google Search and GMail.

Now, I use:

· As search engine, DuckDuckGo:
https://duckduckgo.com/privacy.html
· As e-mail provider, Lavabit:
https://lavabit.com/privacy_policy.html
https://lavabit.com/features.html

When it's safe, I use Tor: https://torproject.org

Unfortunately, none is entirely Libre.

I plan to start using GnuPG soon.

Nathan
Offline
Joined: 09/01/2011

I was just about to recommend Lavabit, since registration is back up. Will definitely be using it, and completing my exodus from Google.

fotosintesi
Offline
Joined: 12/14/2011

On 14/12/2011 05:00, name at domain wrote:
> I was just about to recommend Lavabit, since registration is back up.
> Will definitely be using it, and completing my exodus from Google.
>
try here: https://www.riseup.net/en/radical-servers

--
fotosintesi || GnuPG/PGP Key-Id: 0xF224EC9B
find my key on >> keys.indymedia.org <<
send me an encrypted mail:
https://tboxes.tracciabi.li/fotosint3si

quiliro@congresolibre.org
Offline
Joined: 10/28/2010

> · As e-mail provider, Lavabit:
> https://lavabit.com/privacy_policy.html
> https://lavabit.com/features.html

how about gustavo_cm.org ?

sphynx
Offline
Joined: 11/30/2011

> how about gustavo_cm.org ?

Do you mean to setup my own server? Never tried it -- no chances to have a full-time operating machine. Though, I never considered the possibility to pay others to host my own webmail service.

quiliro@congresolibre.org
Offline
Joined: 10/28/2010

On 14/12/11 22:42, name at domain wrote:
> > how about gustavo_cm.org ?
>
> Do you mean to setup my own server? Never tried it -- no chances to
> have a full-time operating machine.

Freedom deserves it. You just need a low end machine running Freedombox.
A Plug computer. It rungs on about 20W.

> Though, I never considered the possibility to pay others to host my
> own webmail service.

Having others run your server makes them control it. The idea is that
you can control your most important asset; your information and
communications.

Daniel Molina
Offline
Joined: 07/04/2009

I have something to say against Lavabit: Since long time ago it is a mailbox at the end of an unknown road, so you cannot contact them. In

https://lavabit.com/contact.html

you can read

"The friendly engineer whose been answering your questions has moved onto a more profitable endeavor; and were afraid that doesn't leave anybody available to monitor the suggestion box. The rest of our team is hard at work finishing a new version of our mail platform. So while we push towards a launch date and search for the right person to take over as spokesperson, we'll just have to disable this contact form.

If your one of our corporate customers with a service line agreement and you need to get a message to us, you can always contact the support engineer assigned to your account. Their contact information is on the escalation list we provided!"

The first paragraph remains (although I think it has been slightly modified) for long time ago (one/two year(s)?). And I don't understand what is talking about the second paragraph.

It wouldn't be a problem if you don't have other problems, but 3 different lavabit's accounts (one is owned by a friend of mine) have been blacklisted and we cannot do anything, anything obvious at least, for changing it. While my main lavabit account works perfectly, every other one cannot be used from Evolution, since it is reported

"Failed RCPT TO <$email_address_you_wrote>: The IP address $current_IP has been listed on a realtime blacklist, and the user $email_address_you_wrote has elected to enforce blacklists."

nevermind which is $email_address_you_wrote and where are you connected to internet. So this message is false, because, if not, I have the power of blacklisting every internet connection I wish. Also I'd be able to unblacklist it, since I can send emails to the same $email_address_you_wrote from my main lavabit account.

Probably, the origin of this fact was the day I installed a Tor relay at home in "free access to IP of my internet connection for everyone"-mode, so the IP was listed and lavabit (and everyone) could match that list and considered that various addresses going out though that IP is a suspicious (false in my case).

I tried contacting with them through the "report abuse" section (the only one way I knew to ping them) but no one answered.

So, I'm blacklisted and without support. Luckily, I can always use the webmail without problems, so the email accounts are not totally invalid, but it is a pain.

sphynx
Offline
Joined: 11/30/2011

Indeed. I think it's less than a year. I used that form in oct/2010* in order to setup my account, since there wasn't other way to do it.

*They answered me in few hours

"Hi Gustavo C. M.,

You can reply with the username you would like and we will setup an account for you. Be sure the username starts with a letter and only contains letters, numbers, and underscores. At this time we will have to setup every account by email correspondences so just let us know if you would like any other accounts with us.

Thanks,

Lavabit Support Team"

sphynx
Offline
Joined: 11/30/2011

There is another thing in which encryption is a good practice: storage. See https://lavabit.com/secure.html