Update README.md #41
Conversation
Added a new web-mail provider: Mailfence. The written piece has been derived from their blog (blog.mailfence.com), my experience as a user (which spans 8 months now) and the conversation I had with their support department. Any further investigation of the claims made will be welcomed. Regards, M Salman
Thanks for the details, very useful. I have one question about this part:
Why would their SSL chain matter? This would only be a benefit if they used HPKP to pin to a particular CA, which they don't.
They tend to believe that non-US-based services are not subject to US gag orders and NSLs (which was the prime reason for Lavabit's shutdown), and emphasize the strictness of 'European Online Privacy and Data Retention laws', which again, as per their stance, are fairer than those of the US. Besides, thanks for notifying me of the HPKP factor; I guess it can easily be achieved at 'leaf level' with a robust backup solution for the backup pins. However, I'll pass this matter on to the Mailfence team. Regards,
Corrected a typo.
Understood, but the problem with CAs is that every CA in the world is trusted, so it doesn't matter if you use a CA in the EU, all the clients are still trusting CAs in the US, unless you have HPKP set.
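Worked example (added here; not code from this pull request, and not Mailfence's implementation): a Python script that computes HPKP `pin-sha256` values the way RFC 7469 defines them (base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo), builds the `Public-Key-Pins` header with a backup pin, and runs the client-side check that makes the CA's country irrelevant: a chain is accepted only if one of its SPKIs matches a pin, no matter which trusted CA signed it. The RSA moduli are constructed toy values rather than real keys, and the DER encoder is a minimal one written for this example. Major browsers have since removed HPKP support, so the same effect today comes from CAA records, Certificate Transparency monitoring, or application-level pinning; the matching logic is the same.

```python
import base64
import hashlib

# ---- minimal DER encoder: just enough for an RSA SubjectPublicKeyInfo ----

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(v: int) -> bytes:
    """DER INTEGER: minimal big-endian two's complement, leading 0x00 if the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    alg_id = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    rsa_pub = der(0x30, der_integer(n) + der_integer(e))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))  # leading 0x00: no unused bits


# ---- HPKP (RFC 7469) ----

def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 = base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_header(pins, max_age: int = 5184000, include_subdomains: bool = False) -> str:
    """Build the Public-Key-Pins header value."""
    directives = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    return "; ".join(directives)


def header_is_valid(pins, served_chain) -> bool:
    """A UA only notes the pins if at least one matches the served chain AND at least one
    (the backup pin, for key rotation) matches no SPKI in it (RFC 7469 section 2.5)."""
    served = {pin_sha256(spki) for spki in served_chain}
    pinned = set(pins)
    return bool(pinned & served) and bool(pinned - served)


def chain_matches_pins(served_chain, pins) -> bool:
    """Pin validation: accept the connection only if some SPKI in the chain is pinned.
    Which CA signed the chain, and in which country, plays no role here."""
    pinned = set(pins)
    return any(pin_sha256(spki) in pinned for spki in served_chain)


# ---- constructed sample keys (toy moduli, not real RSA keys) ----
E = 65537
LEAF_SPKI = rsa_spki_der(0xC0FFEE << 200 | 0x1234567, E)        # key in the live certificate
BACKUP_SPKI = rsa_spki_der(0xBADC0DE << 200 | 0x7654321, E)     # offline key, pinned as backup
MISISSUED_SPKI = rsa_spki_der(0xDEADBEEF << 200 | 0xABCDEF, E)  # key in a cert some other CA issued
CA_SPKI = rsa_spki_der(0xCAFEBABE << 200 | 0x1111, E)           # an intermediate CA

PINS = [pin_sha256(LEAF_SPKI), pin_sha256(BACKUP_SPKI)]


def demo():
    legit_chain = [LEAF_SPKI, CA_SPKI]
    rogue_chain = [MISISSUED_SPKI, CA_SPKI]  # validly signed by a trusted CA, but the wrong key
    print(hpkp_header(PINS, include_subdomains=True))
    print("header valid:", header_is_valid(PINS, legit_chain))
    print("legit chain accepted:", chain_matches_pins(legit_chain, PINS))
    print("mis-issued chain accepted:", chain_matches_pins(rogue_chain, PINS))


if __name__ == "__main__":
    demo()
```

The rogue chain in `demo()` is the case the thread is about: a certificate for the same hostname issued by any of the hundreds of trusted CAs validates fine at the chain level and is rejected only because its SPKI is not in the pin set.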
This seems good to merge, although I am unclear on this part:
I take this to mean that stuff stored on the server is encrypted using AES, and that the key for the AES encryption is generated from the passphrase using a string-to-key specifier, or what outside of openpgp is just called a KDF. This does not relate at all to how the passphrase is kept from the server, however, since the user still needs to authenticate with the server before they can start the process of decrypting their secrets they have stashed there.
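Worked example (added here; not Mailfence's code and not a description of their implementation, which this thread does not show): OpenPGP's Iterated and Salted S2K from RFC 4880 section 3.7.1, the "string-to-key specifier" mentioned above, implemented in pure Python and used to derive a 256-bit AES key from a passphrase. The salt and coded count are constructed sample values. As the comment says, this only turns passphrase plus stored salt into the AES key; how the user authenticates to the server is a separate step that the KDF says nothing about.

```python
import hashlib


def s2k_decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash
    (RFC 4880 section 3.7.1.3): 0x00 -> 1024, 0x60 -> 65536, 0xFF -> 65011712."""
    if not 0 <= coded <= 0xFF:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Iterated and Salted S2K (specifier type 3).

    salt||passphrase is fed to the hash repeatedly until `count` octets have been
    hashed (the last copy may be partial). If count is smaller than the string, the
    whole string is still hashed once. For keys longer than one digest, further hash
    contexts are run, each preloaded with i zero octets (section 3.7.1.1), and the
    outputs are concatenated and truncated to key_len.
    """
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    count = s2k_decode_count(coded_count)
    block = salt + passphrase
    digest_size = hashlib.new(hash_name).digest_size
    contexts = (key_len + digest_size - 1) // digest_size
    out = b""
    for i in range(contexts):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * i)
        to_hash = max(count, len(block))
        reps, rem = divmod(to_hash, len(block))
        h.update(block * reps)
        h.update(block[:rem])
        out += h.digest()
    return out[:key_len]


# Constructed sample values; a real client draws the salt from os.urandom(8)
# and stores salt + coded count next to the ciphertext.
SAMPLE_SALT = bytes.fromhex("0123456789abcdef")
SAMPLE_CODED_COUNT = 0xE0   # (16 + 0) << (14 + 6) = 16 MiB hashed per guess


def derive_aes256_key(passphrase: str, salt: bytes = SAMPLE_SALT,
                      coded_count: int = SAMPLE_CODED_COUNT) -> bytes:
    """Client side: passphrase + stored S2K parameters -> 32-octet AES-256 key."""
    return s2k_iterated_salted(passphrase.encode("utf-8"), salt, coded_count, 32)


if __name__ == "__main__":
    key = derive_aes256_key("correct horse battery staple")
    print("octets hashed per derivation:", s2k_decode_count(SAMPLE_CODED_COUNT))
    print("AES-256 key:", key.hex())
```

The coded count is the only knob against offline guessing: an attacker holding the ciphertext, salt and count pays the same hashing cost per candidate passphrase as the client pays per login, so the client-side cost should be set as high as the UI tolerates.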
A general perspective (IMO) is the ability of NSA/CIA to compel US CAs to generate phony certificates, with of course a requisite gag order - whereas the CA is bound to not even disclose such intrusion to media/or general public. Given that, I agree with the importance of HPKP in any case.
Yes, your conceived analogy is correct - and can be further verified from this blogpost of Mailfence. Thanks for taking your time and merging the pull request.