Recommended e-mail ?
Does anyone recommend a particular web-mail service that meets the approval of the Free world? Also, how would I go about encrypting my mail? I am switching from GMX mail, btw.
Unfortunately I don't think there is a web-mail service that meets approval of the free world. Really the ideal mail service would be you run your own email server. People are working on making this easy with projects like the freedombox. Any other situation where you aren't running your own server you are basically putting faith in another group and often times that group is motivated by $$. That makes them potentially untrustworthy. It also puts them at the whim of governments who may take an interest.
As far as encryption goes see this manual (http://trisquel.info/en/wiki/email-encryption).
Unfortunately it seems like Freedombox will still take a long time until release.
I get "access denied" when trying to access the manual page...
Mmm the page may have been closed because there was a problem with it earlier. I'll talk to the distro maintainer about reopening it. You might just have to bookmark it and check back later.
Ok well for now check out (http://enigmail.mozdev.org/documentation/quickstart.php.html). You will need thunderbird and enigmail both of which are in the repos. Unfortunately I am having trouble getting in touch w/ the guy who can unlock that manual. He is awake while I'm at work and since we are in different time-zones I haven't been able to talk to him. I'll try to get it unlocked as soon as I can.
Manual is unlocked.
Thanks for the quick reply! I am researching the Freedom Box right now actually... So you all run your own mail servers? I kind of need to use web mail for now until I am a better hacker (or the Freedom box gets more mainstream)
The freedombox is in development and isn't released. Unfortunately I don't run my own email server. Setting one up is a tad difficult (but not impossible). I am guilty and use gmail. It definitely isn't an ideal solution.
You can setup your own server and still have webmail using squirrellmail. Squirrelmail is in the repos so you could install that. You would have to read the documentation (http://squirrelmail.org/documentation/) on how to set it up because I have never done it myself so I can't help you with that. However I do know someone who has run their own email server for a while so if you really want I could help you get in touch with him.
Ok, I have to go to bed. I'll check back tomorrow. Good night.
Would not recommend the further use of GMX, heise once tested what happens with various Mail Providers when the owner dies. GMX sent the plain Password after receiving the "death documents" so I would not trust it.
As far as I know people don't usually put real info, on any web form (except banking), so this vulnerability is relative since the death papers are certainly not issued for "Daffy Duck" from Fuckville USA.
Also, a user can backup/store his messages offsite/home because GMX offers free IMAP(and pop3).
I don't run my own mail server, just rent one, since I run a website and the mailserver comes with it. It even has squirrelmail preinstalled!
I use Zoho mail and I prefer that to Gmail. I don't think they use your email content to give you ads, etc., more privacy.
I found dragoncrypt.com and have been using it for 2 days now.
Your best off with rockmail.com (Y!ahoo division) as that seems to have gone through all the hoops concerning average mail and email services since 2008.
On 13/07/11 02:45, name at domain wrote:
> Does anyone recommend a particular web-mail service that meets the
> approval of the Free world?
If you do not have the knowledge how to set up a mail server, use
riseup.net . It is not your own server so try to get your own server as
the next step.
These guys run a bunch of services all on free software and for gratis (donations). No first hand experience though.
You could also check out https://www.hushmail.com
The problem with the free version of Hushmail is that you have only 25 MB storage, and you have to sign in at least once every three weaks... but you should consider taking a look at it.
I wouldn't recommend hushmail. Hushmail basically uses PGP encryption to encrypt the email. Trisquel already has the software to do all this. See the documentation on email encryption. In fact I would rather use a service like gmail w/ GPG that is run on my own computer then hushmail. Essentially a private key consists of a file and a password. At least with GPG + gmail if I encrypt it on my computer and send it via gmail they (google) can't decrypt it while it is on their servers. However in the case of hushmail they have your private key which they generated (you don't want others to have your private key) and you type your password into their website. There is nothing to prevent them from recording that password and decrypting all your email.
I would consider hushmail SaaS or at least psuedo-SaaS. Do your own encryption on your own computer. Trisquel already comes with GPG installed by default. Don't let someone else manage your private key for you.
Here's more why you should do any encryption yourself http://en.wikipedia.org/wiki/Hushmail#Controversy
Yeah... You're absolutely right about hushmail. I really don't need encryption in e-mail, but i wanted a less corporate webmail provider whose servers wouldn't be so susceptible to "outside interference".
I don't know... I really don't think there is one.
I bought email with a personal domain for a friend recently as a gift.
I chose one with a datacentre in the same country as us because then
her legal insurance will cover her enforcing what rights she has. It
was simply the least worst compromise because of her being unable to
run her own server.
I suggest you review your thinking about email encryption - the
guidance is best said 'if you wouldn't put it on a postcard, encrypt
it.' The test is privacy, not secrecy.
Leny
On Mon, 12 Dec 2011 16:11:27 +0100 (CET)
name at domain wrote:
> Yeah... You're absolutely right about hushmail. I really don't need
> encryption in e-mail, but i wanted a less corporate webmail provider
> whose servers wouldn't be so susceptible to "outside interference".
>
> I don't know... I really don't think there is one.
I agree with you. Definitely look into using GPG with your email if you can. Even if you feel you don't need to encrypt your email. Let me try to convince you why you (and IMO everyone else) should.
- Firstly using GPG also comes with this nifty backwards feature called signing. That way you can be sure it hasn't been modified by anyone in the middle and you can be sure of who you are emailing.
- Leny2010 is right, it is about privacy not necessarily (although possibly) secrecy. Lets say I want to email my Dad about something totally innocent. Say where to have lunch this Friday. This is totally boring and innocent subject. I will still encrypt my email to my Dad. This is because it simply isn't anyone else's business to know that information. Not because I have something to hide. I just don't want anyone else reading my emails. IMO if I send an email to my Dad it should just be between me and my Dad. Not me, my Dad, and google. Privacy is about sharing (and not sharing) what you want with who you want.
- If you think people/computers don't read (or at least have the capability) your email you are honestly kidding yourself. Google's computers read your email all the time. Take the above scenario. If I email my Dad unencrypted they would pop up a bunch of ad's for me about where to go have lunch. They probably even know so much about you that they know what kinds of food you like.
- Even if I have nothing to hide that doesn't mean I want to show everything.
- Lets say you send 100 emails. 1 of them contains sensitive information that should be encrypted. The rest are boring uninteresting emails. If I am an attacker monitoring your emails and you send 99 unencrypted emails and 1 encrypted. If I am going to try to crack your encryption well then I just focus on the one (which probably contains the important info). However, if you routinely encrypt everything they won't know which one contains the info and makes their job way way harder.
I think it is important emphasize that what is or is not private
differs between people and is a matter of personal choice. Encryption
merely ensures that choice has effect.
To illustrate that I'll say that my personal privacy choices are more
about what would cause embarrassment, or be a faux pas if taken out of
context. After all, here in the UK we know especially well that there
is no telling if or when your electronic communications and personal
life might be subject to the scrutiny and willful misconstrual by some
prurient journalist and make a victim out of you. q.v. News of the
World / Milly Dowler / Levenson
http://www.guardian.co.uk/media/2011/dec/12/leveson-inquiry-milly-dowler-voicemail
Leny
On Tue, 13 Dec 2011 03:59:02 +0100 (CET)
name at domain wrote:
> google. Privacy is about sharing (and not sharing) what you want
> with who you want.
>
> *Even if I have nothing to hide that doesn't mean I want to show
> everything.
>
That's very interesting. After reading your messages and the owni news today about cryptography and network spying (www.owni.fr, it's in french), I'm convinced. I think that you're right SirGrant. It's not about secrecy but privacy. We can live in a "Rechtsstaat", trust the laws of our countries, and want some privacy. We can even think that these laws and our justice will fight for this privacy. It's like our home, we don't want cameras in it. We don't need a door which looks like the door of a bank safe, but we still put a bolt. These comparisons are a little bit shaky, but this distinction between privacy and secrecy is very important. We can even see it in the evolution of the government reactions against cryptography. At the beginning, it was illegal and considered like military materials, and today some governments recommend for example their firms to teach their employees how to encrypt emails, etc.
But I don't know a lot about all that stuff and I'm asking myself two questions.
1) If we use cryptography for emails or even surfing in this kind of "Rechtstaat" for example in Europe, like with the freedombox, don't we put on us a mark a suspicion ? Don't we draw authorities attention to us and our banal activities (like you said, sending email to our relatives) ?
It's like we want to hide something (it's an argument of the Google's CEO) and we don't trust our laws, and even anybody. After that they will perhaps want to know more seriously what we're doing (even if we have a crypted Internet).
2) When we use for example, google to research some informations, don't they know our interests and save it ? Or could we use google with some security guarantees ?
> 1) If we use cryptography for emails or even surfing in this kind of
> "Rechtstaat" for example in Europe, like with the freedombox, don't we
> put on us a mark a suspicion ? Don't we draw authorities attention to
> us and our banal activities (like you said, sending email to our
> relatives) ?
If enough people use encryption, it won't be a problem.
Using encryption for online banking is very common, although it's not a
good example since it doesn't prevent the government from getting all
the data from the bank, which is easier with a small number of known big
banks.
> It's like we want to hide something (it's an argument of the Google's
> CEO) and we don't trust our laws, and even anybody. After that they
> will perhaps want to know more seriously what we're doing (even if we
> have a crypted Internet).
With sufficiently good cryptography (if it's used correctly) a
government won't decrypt your emails. In the UK it's required to give
the keys to them if they ask, I don't know if any other state does this.
So even if they want to, they won't know more about us.
Any practical way of blocking a big decentralized encrypted network
would probably also prevent at least online banking from working (or
being secure), I don't expect an European government to do this.
> 2) When we use for example, google to research some informations,
> don't they know our interests and save it ? Or could we use google
> with some security guarantees ?
Some use https://ssl.scroogle.org/ so it's not identified with other
queries or the user (but it also needs trusting a single organization).
Maybe a distributed search engine like YaCy solves this problem (I never
used it).
On Tue, 13 Dec 2011 11:16:38 +0100
name at domain (Michał Masłowski) wrote:
> > 1) If we use cryptography for emails or even surfing in this kind of
> > "Rechtstaat" for example in Europe, like with the freedombox, don't
> > we put on us a mark a suspicion ? Don't we draw authorities
> > attention to us and our banal activities (like you said, sending
> > email to our relatives) ?
>
> If enough people use encryption, it won't be a problem.
Related to this is the point that the overwhelming use of email
encryption is for what is _merely_ privacy. It is in fact no more
incriminating than having frosted glass and a lock on the door of the
bathroom. Conversely you can see that some current webmail services
are like having CCTV in each cubicle of a public restroom.
Normalizing encryption as the privacy of the bathroom door has an
ethical imperative. Because if everybody used it as privacy then
people like human rights actvitists etc. who need encryption for the
secrecy are then undetectable.
Leny
Trying to escape from surveillance, unsecurity, Fear, Uncertainty and Doubt, I stopped using Google Search and GMail.
Now, I use:
· As search engine, DuckDuckGo:
https://duckduckgo.com/privacy.html
· As e-mail provider, Lavabit:
https://lavabit.com/privacy_policy.html
https://lavabit.com/features.html
When it's safe, I use Tor: https://torproject.org
Unfortunately, none is entirely Libre.
I plan to start using GnuPG soon.
I was just about to recommend Lavabit, since registration is back up. Will definitely be using it, and completing my exodus from Google.
On 14/12/2011 05:00, name at domain wrote:
> I was just about to recommend Lavabit, since registration is back up.
> Will definitely be using it, and completing my exodus from Google.
>
try here: https://www.riseup.net/en/radical-servers
--
fotosintesi || GnuPG/PGP Key-Id: 0xF224EC9B
find my key on >> keys.indymedia.org <<
send me an encrypted mail:
https://tboxes.tracciabi.li/fotosint3si
> · As e-mail provider, Lavabit:
> https://lavabit.com/privacy_policy.html
> https://lavabit.com/features.html
how about gustavo_cm.org ?
> how about gustavo_cm.org ?
Do you mean to setup my own server? Never tried it -- no chances to have a full-time operating machine. Though, I never considered the possibility to pay others to host my own webmail service.
On 14/12/11 22:42, name at domain wrote:
> > how about gustavo_cm.org ?
>
> Do you mean to setup my own server? Never tried it -- no chances to
> have a full-time operating machine.
Freedom deserves it. You just need a low end machine running Freedombox.
A Plug computer. It rungs on about 20W.
> Though, I never considered the possibility to pay others to host my
> own webmail service.
Having others run your server makes them control it. The idea is that
you can control your most important asset; your information and
communications.
I have something to say against Lavabit: Since long time ago it is a mailbox at the end of an unknown road, so you cannot contact them. In
https://lavabit.com/contact.html
you can read
"The friendly engineer whose been answering your questions has moved onto a more profitable endeavor; and were afraid that doesn't leave anybody available to monitor the suggestion box. The rest of our team is hard at work finishing a new version of our mail platform. So while we push towards a launch date and search for the right person to take over as spokesperson, we'll just have to disable this contact form.
If your one of our corporate customers with a service line agreement and you need to get a message to us, you can always contact the support engineer assigned to your account. Their contact information is on the escalation list we provided!"
The first paragraph remains (although I think it has been slightly modified) for long time ago (one/two year(s)?). And I don't understand what is talking about the second paragraph.
It wouldn't be a problem if you don't have other problems, but 3 different lavabit's accounts (one is owned by a friend of mine) have been blacklisted and we cannot do anything, anything obvious at least, for changing it. While my main lavabit account works perfectly, every other one cannot be used from Evolution, since it is reported
"Failed RCPT TO <$email_address_you_wrote>: The IP address $current_IP has been listed on a realtime blacklist, and the user $email_address_you_wrote has elected to enforce blacklists."
nevermind which is $email_address_you_wrote and where are you connected to internet. So this message is false, because, if not, I have the power of blacklisting every internet connection I wish. Also I'd be able to unblacklist it, since I can send emails to the same $email_address_you_wrote from my main lavabit account.
Probably, the origin of this fact was the day I installed a Tor relay at home in "free access to IP of my internet connection for everyone"-mode, so the IP was listed and lavabit (and everyone) could match that list and considered that various addresses going out though that IP is a suspicious (false in my case).
I tried contacting with them through the "report abuse" section (the only one way I knew to ping them) but no one answered.
So, I'm blacklisted and without support. Luckily, I can always use the webmail without problems, so the email accounts are not totally invalid, but it is a pain.
Indeed. I think it's less than a year. I used that form in oct/2010* in order to setup my account, since there wasn't other way to do it.
*They answered me in few hours
"Hi Gustavo C. M.,
You can reply with the username you would like and we will setup an account for you. Be sure the username starts with a letter and only contains letters, numbers, and underscores. At this time we will have to setup every account by email correspondences so just let us know if you would like any other accounts with us.
Thanks,
Lavabit Support Team"
There is another thing in which encryption is a good practice: storage. See https://lavabit.com/secure.html