add ghostmail

[elijh]

https://www.ghostmail.com

[taoeffect]

The problem with "secure email" providers like ProtonMail (and GhostMail), is that they are "end-to-end encrypted-kinda-sorta-not-really".

Problem 1 - Your private key is not yours

• Their server sends you the javascript that creates your private key.
• Their javascript can send your private key back to their server.

They say it "stays in your browser", but they cannot guarantee that. There are multiple scenarios where your private key would leave your browser and get sent to their server:

1. They decide to make their JS do that.
2. They get ordered to do it.
3. HTTPS is MITM'd using a rogue cert and you are sent malicious JS that sends your key.

Problem 2 - Your friend's public key is not theirs

Their server sends you the public key for your friend. How do you know it's actually your friend's and not theirs?

You don't.

Neither GhostMail nor ProtonMail belong on this list.

[taoeffect]

Also, this is nonsense (from here):

A new randomly generated 256 bit AES key is used to encrypt actual message (Forward Secrecy).
The AES Key is then encrypted with the recipient’s public RSA key.

No. That is not forward secrecy.

Stay away from all of this nonsense folks. If you want GPG, use GPGTools, Enigmail, or Mailvelope.

[elijh]

yes, i agree that ghostmail is snakeoil, but i try to document the snakeoil projects too and highlight what is wrong with them.