Now that TorMail has been compromised, we need more email alternatives #461

Closed
chovy opened this Issue Aug 5, 2013 · 99 comments

chovy commented Aug 5, 2013

MyKolab looked good except they require existing email and I think it costs money, could not tell.

Zegnat Aug 5, 2013

Collaborator

Please note that TorMail has already been off of PRISM Break’s list for over a month. It was removed on Appelbaum’s (@ioerror) recommendation.

MyKolab is not free, you are right. This should probably be made clear in some way. I filed an issue to rectify this. You do not need an existing email address to use them though, you even get a pick of 7 different domain names when signing up (6 of those are managed outside the U.S.).

If you have any ideas for solid free email services please open an issue to get them added.

btegs Aug 5, 2013

You should add Geary, which is free software under the LGPL 2.1: http://www.yorba.org/projects/geary/

hasufell Aug 5, 2013

Contributor

Geary was already discussed. It is not a general purpose mail client and is in a relatively early stage of development. There are tons of things it does not support.

Zegnat Aug 5, 2013

Collaborator

This is a call for email services, please discuss email clients – like Geary – elsewhere.

chovy Aug 5, 2013

What about lavabit.com? They seem pretty good.

Zegnat Aug 5, 2013

Collaborator

Please see #284, Lavabit seemed to do some heavy logging and be unsupportive of anonymity. I don’t think their terms have changed much since then.

I am interested to see where this is going. I haven’t been invited to Riseup yet and would love to see a similar service somewhere.

chovy Aug 5, 2013

Ok, well something web-based for the non-techies would be good.

chovy commented Aug 5, 2013

Ok, well something web-based for the non-techies would be good.

@haary

This comment has been minimized.

Show comment
Hide comment
@haary

haary Aug 6, 2013

In #157 openmailbox.org was suggested. It was pointed out that the interface was available in French only at that time. Now it is available in English as well (click "Langue").

Another one is mailoo.org. Like openmailbox it runs completely on free software. Website available in English and French (registration is only available at the French page now). Offered protocols are SMTP, POP3, IMAP and their SSL variants. Subscribing is without personal information. Quota is 1 GB.

greve Aug 6, 2013

Contributor

@chovy

About MyKolab: Yes, it costs money, because data centres and staff to develop and maintain a solution cost money.

A service that claims to be gratis should be treated with extreme caution.

If it is not you, then someone else is putting up the cash. Question is: Why are they doing it and can you rely upon them to continue doing it for the foreseeable future such that you can rely upon the service? There are sometimes well-meaning initiatives by enthusiasts, but these often die with the passion of their founders or get into trouble when the next set of hardware must be purchased - because without your own hardware, you have no access control, meaning you have no security.

As for the rest: If you're not paying for it, you're not the customer, you're the product being sold.

That is why MyKolab has a cost associated and takes great care to make transparent the terms of service and actual, guaranteed privacy users can actually rely upon today and in the future. That said, the business behind it is as hard core Free Software as they come, so money goes into the service and the development of more Free Software, which again improves the service. But we /never/ do proprietary software. Take a look at some of the people involved, or check out the #kolab IRC channel and you'll see why. :)

And the software that comes out of this for the general good is what most other web mail hosting providers use. So anyone using MyKolab is helping an entire ecosystem of Free Software providers. Which was part of the point.

As to the email address for registration: This is used for the password reset mechanism. If you have a better idea on how to do that in a way that does not require excessive manual labour, please let us know.

chovy Aug 6, 2013

MyKolab may be great, but my real identity will be tied to the payment to them. Not very anonymous.

greve Aug 6, 2013

Contributor

@chovy

We're working to provide more forms of payment, it's just that we had to start somewhere.

Mind if I ask you which would be your preferred way of payment? We'd like to know what people would like to see so we can prioritize developing further payment channels.

i2000s Aug 7, 2013

Sorry, guys. Just want to add some conditions for consideration: Is there any safe & open email service provider that combines email, calendar and maybe other services together? Is there any email service provider that can hide meta data in a safe way?

For the first condition (question), I and many other people usually use calendar to send email for reminders. Maybe there are also other combined usages needed. In this case, it is better to find a service provider that can combine the necessary needs together with email service.

For the second condition (question), I am thinking how to avoid leaking our meta data even if the communication content is well-hidden. In case NSA or other organizations found the meta data, they can still know whom we are communicating with, even though we use open-source email service.

I personally don't know what satisfies those two extra conditions. Hopefully we can find good solutions!
Qi

greve Aug 7, 2013

Contributor

@i2000s You are right, of course. There is no perfect solution.

FWIW, MyKolab combines Email, Calendar, Address Book, Tasks and Files in one service. So when communicating or collaborating with people within that service, no data is transmitted over the internet. More services will be added. Calendar data is directly transmitted to you over CalDAV/CardDAV or the mobile sync, and thus you do not depend on email reminders - your clients and devices remind you.

So it would seem to fit both conditions as best as I know how to in today's world.

All of this is part of Kolab, as well, so you can get the same by setting up your own server for your group of people. Kolab as a concept is distributed, and the Kolab client can aggregate & integrate an unlimited amount of servers and services into one information picture for you. But that data only comes together on your device.

As it is all fully Open Source, you are free to run with it.

rev22 Aug 7, 2013

E-mail is the single most important personal service for Internet users, and is often used for critical personal communications and to register to websites.

An ideal solution in my opinion would comprise:

  • https web interface
  • access through common encrypted protocols, like SMTP and POP3
  • adaptive spam filtering
  • commitment to privacy (no data retention or logging of traffic)
  • commitment to provide long-term services to users
  • transparent funding
  • only using captcha or other basic intelligence tests to discourage service abuse (instead of monetary fees, or requesting of personal information like cellphone number, real name or documents)

.. all based on Libre software

Useful extra protocols for the open Web:

  • OpenPGP
  • OpenID
  • WebFinger

chovy Aug 7, 2013

@greve as for payment, I think the obvious choices are PayPal, CreditCard and Bitcoin.
I would only use Bitcoin from the Tor network to remain truly anonymous. The other two (PayPal/cc) I would use for personal use.

greve Aug 7, 2013

Contributor

@chovy PayPal is currently the default option.

The other option would be bank transfer, which can be anonymized at the cost level and only needs to map to a customer id, which has no mapping to the email address/account, so the bank won't know who this is.

Direct acceptance of credit card is not quite so simple, you need a merchant account and a couple of other factors. And then it'll typically put some restrictions on where you can accept them from at least at the beginning. But we're working on that.

Bitcoin might be another option. Because it is not so far spread and seems to have some issues, we have not prioritized that very highly.

chovy Aug 7, 2013

@greve You can integrate with BitPay. Should be pretty simple, and they convert your BTC to USD right away so you don't play the investing game with your earnings.

greve Aug 7, 2013

Contributor

@chovy Thanks, we'll look into that.

PierreBarre Aug 7, 2013

I have updated all the "black" points #157

nylira Aug 8, 2013

Owner

Lavabit shuts down: https://lavabit.com

> This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

HN discussion: https://news.ycombinator.com/item?id=6181081

chovy Aug 8, 2013

It looks like riseup.net is a good one.

Zegnat Aug 8, 2013

Collaborator

Riseup seems very good, yes. I haven’t met anyone who could invite me yet so I can’t speak out of personal experience but it looks like some good and trustworthy people back it. Still an American service though, which is something you will have to consider. (It helps that they aren’t an actual company running it.)

If you get into Riseup, go for it.

chovy Aug 8, 2013

It requires an invite?

Zegnat Aug 8, 2013

Collaborator

If you want to get an account immediately, yes. 2 codes even, if I understand the form right. Else you will have to leave a plea and get approved by one of the system operators:

> If you do not use the invite method, please tell us about your activism. Do not include acronyms or personally identifiable information. This information will be destroyed as soon as your account is approved.

This is why most of the currently advised services are hard to get into: Riseup needs you to know others who use it, A/I needs you to get approved as well (see below), and MyKolab is pricey for your average freedom fighter.

That’s why I am hoping to see more interesting services come by here on the site. Something like Posteo – for just 1 EUR/month – would be sweet for those of us who do not wish to set-up their own mail servers. And I am constantly on the look-out. Just haven’t found it yet.

A/I will have you fill out a form:

> Please tell us why you would like to request a service from Autistici/Inventati. We would also like some information about what you would like to do with it (for public services only, of course).

greve Aug 8, 2013

Contributor

@Zegnat FWIW, Freedom Fighters get a special deal on MyKolab.com.

But if you want to actually provide privacy beyond pure marketing claims, there are a couple of decisions involved that drive up the cost of providing the service. Especially if you also want to do right by society at large in terms of the technology you use and the contribution to Free Software you would make when doing this properly.

But then we're always talking in the realm of the value of a pizza or 2 beers or some such in most places.

Question is: Is privacy worth that?

Too many people got too used to offers that seem to be "zero" cost. That has shifted the perception of what one might pay for such services. Only that the cost was never actually zero.

Parcival09 Aug 9, 2013

@greve
I've been looking for your E-mail service. For 1 year SFR 120.- is quite some money for a private E-mail.
But OK, I was willing to pay, and went to the sign-up page. I had to fill in my family name and my E-mail address and then I just stopped.

I'm a grown man and I do not need you to take care of me, if I lose my password, that's my responsibility. I also did not like that you need my family name.

After the sign-up, you can give a number that needs to be put on the payment, with the payment details how to pay. And your administration throws away that number to the E-mail reference after the payment is received and the E-mail service is running.

I still think SFR 120/year is a lot of money, I only need the E-mail services. Maybe it is possible to start with just E-mail and upgrade if you need other services you provide. (By upgrading the price rises.)

At Lavabit I paid $18/year for 8GB for just the E-mail service.
If you're willing to make the changes and can give me a good offer I'll subscribe.

greve Aug 10, 2013

Contributor

@Parcival09 The service provides a whole lot more than email. And in comparison to similar offers in Switzerland, it's actually quite cheap. But yes, with the Swiss Franc being as overinflated as it is, I understand that Swiss pricing is currently high for the rest of the world. Think of it this way: This is the price of the universal Berlin currency, a Doner Kebap per month, in Geneva.

As to the name & email requirements, these are primarily ways to reduce support overhead.

Because the majority of people want invoices. And their name on them. If they haven't filled them, that's another 10 minutes someone has to spend in support. Multiply by a couple of thousand and you can perhaps see how that might become an issue. Same for password resets, which is the number one support request. Even just in beta period we often had several of them per day. It is commendable that you do not require or desire this level of service and hand holding. But that makes you unusual.

Either way: If you wanted to provide the name of Santa Claus, provide North Pole as your place of residency, and use a discardable email address for the sign-up, the system would still sign you up. We felt that people who did not want to provide this kind of information simply would choose to go down that route.

But yes, it's also been an internal debate. The problem is not trivial though. If someone puts a lot of data into the service and loses their password - which happens surprisingly often - then you need to have some way that is not so easily socially engineered to give them access again. Name & Email establish a certain minimum level that is already pretty low and easily circumvented for those who do not want it.

As to the "smaller" package for service, that is indeed something we should be considering.

It won't reach the same pricing as Lavabit, though, as the US are an extremely low-cost hosting country, while Switzerland is the extreme opposite. Our costs are in Swiss Franc, and so the pricing needs to be. The only way to avoid that would be to move the servers to a different country. But then you'd lose a primary advantage of the service. So Swiss level privacy will always have to come with Swiss level pricing, unfortunately.

nylira Aug 10, 2013

Owner

All email messages "leak metadata" they say. That information includes data about who you are talking to and where you are. That info is visible even if the message itself is encrypted.

"E-mail as we know it today is fundamentally broken from a privacy perspective," Callas says. That's a pretty strong statement coming from this particular guy.

Read more: http://www.businessinsider.com/silent-circle-shutters-private-email-service-2013-8#ixzz2bYeIJICw

Instead of email service alternatives perhaps we need email protocol alternatives. It may be worth reinstating Bitmessage with a warning to use randomly generated UUIDs. #465

Zegnat Aug 10, 2013

Collaborator

FWIW, Freedom Fighters get a special deal on MyKolab.com.

That’s really good news!

As to the "smaller" package for service, that is indeed something we should be considering.

I will be looking out for that too. As an unemployed student I cannot justify spending a day (possibly more) worth of food for 1 GB of email. Like @Parcival09, I do not actually need the full Kolab package.

You might also want to take a look at Riseup’s registration, they have made second email addresses (for password resets) optional on sign-up. People who really want privacy can then choose not to enter one.


All email messages "leak metadata" they say. That information includes data about who you are talking to and where you are. That info is visible even if the message itself is encrypted.

You could limit these things a lot, and Silent Circle could have invested in this. Take a look at Riseup:

  • Riseup offers any number of aliases, and it seems MyKolab will be rolling out ‘identities’ too.

    Normally Alice and Bob would both email me at martijn@zegnat.net, but when Alice contacts me at 3fAYkhyxkvw1BWH@riseup and Bob at aoTzSHn6vTV2vie@riseup there is no meta-data that links them together. If everyone knows me by a different alias ([randomstring]@riseup) it becomes impossible for surveillance to find out who is emailing me or do ‘social network’ analyses.

  • Riseup strips meta data like your home IP address when sending an email:

    We do not include your home IP address in the headers of your outgoing mail.

Using TorBirdy will try to route your email through Tor and anonymise it further. It also tries to strip other identifiable information from your email headers, such as your time zone. (Currently the latter feature is in limbo, see #9131.)

Email can be as anonymous as you want, it just takes work. In the end I think people are more likely to put in this work than to learn to use under-development solutions like Bitmessage. (Although I fully believe Bitmessage shouldn’t have been removed in the first place.)

@greve, does MyKolab do any anonymisation of out-going email message headers?
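The header clean-up discussed in the comment above (keeping the client IP and the sender's time zone out of outgoing mail), sketched as an added example that is not part of the thread and not Riseup's or TorBirdy's code. The sample message, its addresses and the choice to also drop `User-Agent`/`X-Mailer` are assumptions made for illustration.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import format_datetime, parsedate_to_datetime

# Headers that carry the submitting client's address or software identity.
# Received / X-Originating-IP hold the IP; User-Agent / X-Mailer are an
# assumption of this example (the thread only names IP and time zone).
DROP_HEADERS = ("Received", "X-Originating-IP", "User-Agent", "X-Mailer")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: a message as a relay might see it at submission time.
SAMPLE = """\
Received: from [192.0.2.44] (helo=laptop.home.example) by mail.example.org with esmtpsa; Sat, 10 Aug 2013 14:03:12 +0200
X-Originating-IP: 192.0.2.44
User-Agent: ExampleMail/1.0
From: 3fAYkhyxkvw1BWH@example.org
To: alice@example.net
Subject: hello
Date: Sat, 10 Aug 2013 14:03:11 +0200

body text
"""


def header_ips(msg):
    """Return every IPv4 literal that appears in any header value."""
    found = []
    for _name, value in msg.items():
        found.extend(IPV4.findall(str(value)))
    return found


def normalise_date(msg):
    """Rewrite Date in UTC so the sender's UTC offset is not disclosed."""
    raw = msg["Date"]
    if raw is None:
        return "Date: absent"
    try:
        dt = parsedate_to_datetime(str(raw))
    except (TypeError, ValueError):
        # Unparseable: drop it and let the relay stamp its own Date.
        del msg["Date"]
        return "Date: dropped (unparseable)"
    if dt.tzinfo is None:
        # "-0000" or no zone: no offset is disclosed; treat the value as UTC.
        dt = dt.replace(tzinfo=timezone.utc)
    msg.replace_header("Date", format_datetime(dt.astimezone(timezone.utc)))
    return "Date: rewritten to UTC"


def sanitize_outgoing(raw_message):
    """Return (sanitized message text, list of changes made)."""
    msg = message_from_string(raw_message)
    changes = []
    for name in DROP_HEADERS:
        count = len(msg.get_all(name, []))
        if count:
            del msg[name]  # removes every occurrence of the header
            changes.append(f"{name}: removed {count}")
    changes.append(normalise_date(msg))
    return msg.as_string(), changes


if __name__ == "__main__":
    cleaned, log = sanitize_outgoing(SAMPLE)
    print("\n".join(log))
    print("IPs left in headers:", header_ips(message_from_string(cleaned)))
    print(cleaned)
```

This only covers headers; the recipients, sending times and writing style that later comments bring up are untouched by it.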

Parcival09 Aug 10, 2013

@greve
"Because the majority of people want invoices" ==> If the family name is optional (with registration), then make it optional. The name already shows up when the client pays, wouldn't it? So my idea works: by giving the registration number, the registered gives that number with payment, then your admin loses that connection. The name on the invoice will be the name that PayPal shows. (Invoice after payment will be no problem.)
If the e-mail is optional (with registration), then make it optional (with the explanation that you can't service them when lost password). "The child-registration" :-)

You're the owner, so on what time-base could you implement the "the get less, then pay less" option? ("The get less, then pay less" option is © Parcival09)
On what time base do you think you can offer more identities with 1 e-mail subscription?

Where is the check-box with registration for Freedom Fighters ("get a special deal on MyKolab.com.")?
My paid Lavabit accounts are closed, so make it quick or else I'm gone. I need a good payable e-mail server fast.

Parcival09 Aug 10, 2013

Update about Lavabit
"What happens to your customer's e-mails and data?
Levison: I'm looking into setting up a site where users can download their data and set up a forwarding [e-mail] address, but that may take a week or two to set up. That's all I can do until I feel confident that I can resume the service without having to compromise its integrity. "
and
"I will make it clear that I don't plan to use any encryption for that site. [People] should only use it if they feel comfortable with the information being intercepted. And yes, I do plan to have that disclaimer on the site. "
and
" Unfortunately, what's become clear is that there's no protections in our current body of law to keep the government from compelling us to provide the information necessary to decrypt those communications in secret.

I'm still looking at seeing if that's even logistically feasible -- there's half a billion messages [sent in the 10 years Lavabit operated]. By shutting down the service, I will be losing the infrastructure that I used to support all those people."
Via: http://news.cnet.com/8301-1009_3-57597954-83/lavabit-chief-predicts-long-fight-with-feds-q-a/

greve Aug 10, 2013

Contributor

@Zegnat & @Parcival09 Please forgive me for wrapping answers into one.

Firstly, I published an article last night that was trying to explain some of the thinking behind MyKolab.com and the rationale and motivation for starting it. You'll find it at http://blogs.fsfe.org/greve/?p=609

Secondly, on packages & smaller pricing: We'll look into that. I cannot give you a time when that will be available, nor for what price it would be available.

And chances are you would still find it expensive. The reason for that is simple. Switzerland is an expensive country. Hosting, including space, security, electricity, bandwidth, labour all are expensive because the country has enjoyed hundreds of years of stability and security. That's also the upside, by the way. For hosting data, security, stability, reliability are all desirable. So is the privacy legislation. But with things being what they are and the Swiss Franc being overinflated at close to 30%, chances are that "privacy services done right" (see article above for what that would mean) might still end up too expensive for unemployed students in other countries.

Pricing could certainly never be what the US services offer, especially when they don't have an upstream commitment. The aspect of MyKolab.com that it delivers its own escape hatch along with the service is unique, as far as I know, and is part of the sustainability of the service, in my book. But sustainability is hardly ever free.

So I wonder: If that account then costs something like 6 CHF / month, would you get it?

On freedom fighter discount: Just sign up & send email to sales@mykolab.com telling our staff "My account is X and I am active contributor to A, B, C. Can you please give me a freedom fighter discount?" and see what happens. ;)

On the subject of privacy vs pseudonymity vs anonymity. The three are actually not the same thing. Privacy and a solid level of pseudonymity is what we can provide, so that's what we promise. Not more.

True, sustained anonymity is close to impossible to have on the internet and there is a lot of snake oil out there.

Some of what riseup is doing - besides it being in the US and that causing the obvious concerns - looks a lot like that. Because you only need to use the same random alias with the same person a couple of times (if that) and traffic analysis will have identified them to originate from the same person.

Patterns of when emails are sent, typing patterns, languages, way of quoting emails, people you communicate with, subjects of conversation, all these things make you unique very quickly. IIRC, you needed a shopping bill of 7 items from a supermarket to identify people almost perfectly, although I can't find the reference for that particular study right now. Any email will typically contain a lot more clues as to your identity than a list of 7 items from your supermarket.

Stripping IP addresses for relayed mail by properly authenticated users on the other hand sounds rather useful. It's on the list. So are aliases / identities in general, not because we think they add much in terms of anonymity, but because they are very useful and can be rotated occasionally as and when it makes sense without having to change your primary email address. Expect them to become available within 3-6 weeks.

There are a couple of other things that will help maintain pseudonymity on the list, as well.

As to the idea to track payment by nonce, that sounds nice but how much does it really add. The bank records will still list the nonce and their date of payment. Which means you have a small time window for application of the nonce, a name, and an amount to match a certain service period and parameter. Even in a very large installation that ought to be enough for a third party that has lawfully gained access to your records to narrow it down to a handful of people, at most. Usually it should be easy to identify you simply by when your account started becoming active on the system, which you can tell from the IMAP store itself.

So you'd need to randomize periods and pricing to some level, ideally add cash transactions into the mix and avoid money laundering provisions as you are doing this. All of this is going to make the service more expensive. So how much more are you willing to pay to put all of this in place even though it will always be imperfect? If reviewed critically, I don't see how this adds more than allowing random names and one-time email addresses, which achieve much the same thing, but at a much lower cost.

Please also see our FAQ on some of the other typical questions about what others are providing and which we sometimes have deliberately chosen not to do because the value is often purely for marketing.

But look at it this way: At least we're not trying to bullshit you.

Parcival09 Aug 10, 2013

@greve
You know what you're talking about and I think you stand behind your philosophy.

"Pricing could certainly never be what the US services offer, especially when they don't have an upstream commitment. The aspect of MyKolab.com that it delivers its own escape hatch along with the service is unique, as far as I know, and is part of the sustainability of the service, in my book. But sustainability is hardly ever free.

So I wonder: If that account then costs something like 6 CHF / month, would you get it?"

Maybe it's a language problem from my side, but your lowest level is 120 CHF on the subscribe page. (12 times 6 makes CHF 72)
To answer your question, whether I would get it for 6 CHF / month: Yes! Show me how.
If I subscribe this weekend and make the PayPal payment for 72 CHF / 1024 MB per year, do you then "Oké it" with your administration? (About no bullshitting: I wrote per year, for every subsequent year.)

greve Aug 10, 2013

Contributor

@Parcival09 Like also explained on the pricing section of the FAQ, we fully understand that living realities are not the same for everyone. And some people also contribute to Free Software and a free society in other ways.

So if at all possible, I'd love for you to help us develop the system further. If you can code, please consider joining the Kolab community (see http://kolab.org). If you cannot code there are still many things that need doing, starting from spreading the word about Kolab and MyKolab, and continue your work on activities such as PRISM Break, because this kind of community based activism is essential.

If you think you can do that, please sign up and then drop a mail to sales@mykolab.com giving them your account.

I'll ask them to provide you with a "freedom fighter++" rebate, just link to this post. :)

Parcival09 Aug 10, 2013

Is it okay with you that I sign up and log in with kolab.org, I'll send your administration a mail with this website link, they send me the payment link for PayPal to my Kolab, I pay. (Don't bother about an invoice.)
And you get your money and I'll surely spread the word.
Or else I can call you guys.

Pffff please KIS

privacyd Aug 11, 2013

vmail.me ?

  • Free 500Mb storage
  • Webmail
  • Spam protection
  • Secure browsing (HTTPS)
  • No targeted advertising
  • Email forwarding
  • IMAP & POP

https://www.vmail.me/en/privacyPolicy

cr1pt0 May 26, 2014

France indeed has some pretty bad law when it comes to communication privacy. You should expect all communication to be monitored when hosted on a French service. And I think another reason they were not listed was that it wasn't clear how Open Source they really are, or what they do to contribute to it.

ghost May 26, 2014

I see. Can you recommend me some email service provider ? I became paranoid after the disclosure of built-in backdoors in my router and wifiextender firmwares.

ksl89 May 26, 2014

I don't know why it says they encrypt the mail on http://prxbx.com/email/, but it's probably due to the strange wording they used to have on the site ("emails are stored on our server in a directory under your name. Nobody, not even the administrators, can access it.") At prxbx.com they probably thought openmailbox keeps their data encrypted but they were clear in their reply to me that they don't.

To be honest I think until a decent free alternative shows up, there is no real secure alternative for gmail and the like. You can make it secure by using PGP encryption on your emails. If you are willing/able to pay for your email service, prism-break already has a couple of good options.

ghost May 26, 2014

I'm willing to pay for email service provider, but I'd wish to try it first. 'Riseup' is listed in prism-break page but in http://prxbx.com/email/ they say:

Be wary of services with servers hosted in:
the United States (yes, even Riseup)

So I'll give bitmessage a try and if it fails will deploy my email server with subdomain.

Thank you for the tips guys :}

Dablim Jul 23, 2014

I found a really interesting service, actually in beta:
https://protonmail.ch/
https://protonmail.ch/pages/security-details

cr1pt0 Jul 23, 2014

Proprietary. Also, apparently written by amateurs who have no idea how to write secure applications: http://www.theregister.co.uk/2014/07/07/protonmail_fail_javascript/

Given how they advertise themselves, adding a "do not use" warning might be a good idea.

Dablim Jul 24, 2014

@cr1pt0 In your same article:
"The ProtonMail security team has reviewed the video released by Mr Roth and confirmed that this particular security issue is not present on the live version of ProtonMail. Mr Roth's video appears to be using an earlier development release of ProtonMail that was originally released on May 10th, 2014 for public testing. We are supportive of all efforts to improve the security of ProtonMail and security inquiries can always be directed to security@protonmail.ch."

cr1pt0 Jul 24, 2014

@Dablim They would say that, wouldn't they? The same security researcher is on record he found other vulnerabilities but does not know how to proceed with these since their security response is so poor.

But you're missing the main point, it seems. This particular issue was such an amateur mistake it shows these people have about 10 years more of learning to do before they should work on security sensitive architectures. If they made this big a mistake, the whole code base is going to be rife with 0day exploits.

And it confirms the doubts about their outlandish claims, namely that they could not intercept the user pass phrase used to encrypt data. Not only do they rely blindly on sand box security in browsers, which is known to be imperfect. Of course they (or a capable third party) could inject code to read that pass phrase and decrypt all data. And given their legal status, US citizenship and money involved, they might be compelled to do just that.

So their response does the opposite of building confidence. The issue was there when they already flogged themselves as "NSA secure". Which they still do. Although by now they should have received enough security advice to explain to them why they are not.

Proprietary snake oil is all this is. Nothing to see here, please go along.

chovy Jul 24, 2014

This has got to be the most popular issue I ever created on GitHub. A year later, still going strong.

Dablim Sep 10, 2014

No one on Vmail? Is it a valid alternative?

Zegnat Sep 10, 2014

Collaborator

Re: vmail, I don’t have much time lately so I haven’t done a lot of looking into it, but it says on the bottom that they are run by a French student and some of the policies are in French too. If they are hosted in France then I would assume the same laws apply as to openmailbox.org, meaning they will have to give up their encryption keys to law enforcement no questions asked. Such is the French law. Based on that I can’t recommend them.

(Not a lawyer, not a French lawyer, not even in France, and only gave them a cursory look. Just thought I’d point it out. For more discussion on the matter, search for the issues we have had about openmailbox.org.)

oljnkjhb Nov 11, 2014

I've only just come across this thread, so my comment is probably late; but just in case...
Autistici's target is principally people involved in civil rights and liberties movements and people who frequently participate in political debate from that left-wing perspective, so they are a clear target for being "preventively" monitored by State agencies. They also provide blogs, chat and other services that in theory couldn't be shut down arbitrarily nor manipulated by said agencies and institutions. But you don't need to be a social hero to be accepted; just write to them in Italian, Spanish or English and tell them that you just want an email account because you participate in software libre forums and usually send and comment on political news with your friends and family, like most socially conscious people, and don't want to be tracked and included in some huge database about "politically uncomfortable individuals from all the world" in some server under the USA administration even if you aren't an activist at all.
That's all I did to get mine. Never had to explain my political points of view nor prove that I was being sincere. After some days I received a mail telling me that my account had been created. This was a couple of years ago; nobody ever asked me for a single proof that I was even a sympathizer to what I have said.
But in your case, if you tell them you are one of the Prism Break "crew" I'm sure you will be accepted without any reserve.

Another thing: your opinion about Protonmail is nearly a year and a half old. Do you know if things have improved? The fact that people from CERN and MIT are its developers makes one favorably inclined from the "intellectual" point of view; besides, their self-destructing mail option makes it very interesting. I knew about self-destructing notes apps on the web, but didn't know email providers were providing it too (https://protonmail.ch/pages/security-details, about the second half of the page).

Cheers.

pickfire Dec 18, 2014

riseup.net has good service but the registration seems to be hard.

codekiddy2 Jan 13, 2015

Hello guys,
I've been searching a lot before deciding to reply here, and here are a few suggestions/conclusions that I came up with:

According to your comments mykolab seems to be pretty good with privacy, and after reading the privacy policy on https://mykolab.com/tos it's obvious that mykolab can give up data to the Swiss government due to Swiss law if requested.

I'm not a law guru but according to http://nomadcapitalist.com/2013/12/15/top-5-best-countries-host-website-data-privacy/
Switzerland is not the top country when it comes to privacy; instead Iceland seems to be the best.
So I came up with https://unseen.is/ which claims to protect privacy as well according to https://unseen.is/privacy.html but it also can give up data to the government if asked. The reason why I think it could be better is that it is completely free, unlike mykolab, and also because Iceland has stricter privacy laws.
According to the website it seems that it's still in beta, so I don't know how much my statements can be true when it comes to security in general.

Also Iceland is part of NATO while Switzerland isn't, which is a minus for unseen since I don't trust countries that are part of the bloc when it comes to privacy
https://en.wikipedia.org/wiki/Member_states_of_NATO.

BTW fabianlischka (post before mine) noted tutanota.de but I'm not so sure about Germany :/

This is my personal opinion so please don't take offense.
I will further investigate about data privacy laws between Iceland and Switzerland only for comparison purposes.

BTW also creating free email accounts based in Switzerland seems to be impossible without giving proofs of residence or additional personal data. that scks.

EDIT:
The http://prxbx.com/email/ website does not list any email providers 😕 do you know why?

Zegnat Jan 13, 2015

Collaborator

In basically every country in the world the State could bring your email provider to court and have them forced to hand over your data. This is just as true for Switzerland as Iceland. If you do not want them to have anything to hand over use a solid encryption system like GPG. I do believe that MyKolab does a good job of explaining the Swiss legal framework, which Unseen doesn’t seem to do.

I would not put all too much trust in the Nomad Capitalist page. Romania made the list but is actually a country that tried to implement the EU Data Retention Directive. Twice. The Netherlands has been known to have provided information to the US global data collection program, but wins over Switzerland? This seems to be based on hosting companies not taking websites offline rather than evidence of them fighting back against wiretaps. Norway, coming in at number 2, is praised for not being part of the EU. That would be great, were it not for the fact that Norway often copies the EU going as far as implementing the EU Data Retention Directive.

Is Iceland comparable in protection to Switzerland? It could be, just that none of the things you have linked really go into it so I cannot make a good judgement on the matter.

Is Unseen comparable to MyKolab? Maybe. I am definitely seeing some cons. MyKolab specifically runs their whole service on an open-source platform that you could also run yourself. As well as giving you the ability to back-up all your data and move away from them. While I didn't see any mention about the technology Unseen uses.

One thing that scared me was reading this in the Unseen FAQ:

> […] and premium users can generate and store their own private key.

And free users can’t? Does that mean free users do not get encryption or does Unseen generate their private key for them? The latter is bad. The whole idea of a private key (in public key encryption models) is that the user is the only one with access to it. Storing it on your email provider’s server is equal to not using encryption at all, so their practice may even endanger their premium users if that’s what they mean. Extremely bad from a cryptography point of view there.

> I will further investigate about data privacy laws between Iceland and Switzerland only for comparison purposes.

Please do! Email is a sore point here as there are so many providers making claims and few of them that can live up to it.

> […] creating free email accounts based in Switzerland seems to be impossible without giving proofs of residence or additional personal data.

MyKolab is not a free provider, but PRISM Break is less about free (gratis) and more about freedom (libre). Some of the free providers that we do recommend limit their users in another way, e.g. for I/A you have to agree to their politically charged manifesto.

> The http://prxbx.com/email/ website does not list any email providers 😕 do you know why?

Something seems to be broken on their end, we will have to monitor it and possibly remove our link to them. Too bad, as they were doing a good job sorting through a lot of providers.

codekiddy2 Jan 13, 2015

Thank you Zegnat for the reply...
I spent some time reading the Unseen FAQ etc. and would like to quote you on the following:

> I didn't see any mention about the technology Unseen uses

According to TERMS OF SERVICE under DESCRIPTION OF SERVICE

> Unseen uses encryption technology and software running on custom-designed and custom-built platforms controlled by Unseen

next you say:

> One thing that scared me was reading this in the Unseen FAQ:
>
> > […] and premium users can generate and store their own private key.
>
> And free users can’t? Does that mean free users do not get encryption or does Unseen generate their private key for them? The latter is bad.

Yes this is obviously bad. I created an account with them anyway and after completion was presented with a dialog saying that I will not be able to store my private key on my computer; the point here is that emails get encrypted.
Anyway, on their FAQ it says this:

> How does it work?
>
> We use a hybrid peer-to-peer and hosted network solution for transmission of encrypted messages. Messages are encrypted and decrypted by each person sending or receiving a message. They are never decrypted along the way (we don’t have the key). This is done automatically and is transparent to the user and our services will appear on the surface to work the same as the regular free email or chat services.

I do not understand what they mean by "we don't have the key" while also limiting local key storage 😕 Where the private key is stored, then, is unknown here.
But I use PGP anyway (as you suggested earlier) with Thunderbird and TorBirdy connecting via Tor network to them, so their limitation by not giving me the right to actually store my private key locally makes no real world sense 😕

> MyKolab is not a free provider, but PRISM Break is less about free (gratis) and more about freedom (libre). Some of the free providers that we do recommend limit their users in another way, e.g. for I/A you have to agree to their politically charged manifesto.

Yes I absolutely understand that, obviously unseen.is has chosen to limit their "free" users by not giving the right to store private keys locally unless you pay :D

I don't know but at least the service is free, and each email transport indeed is encrypted.
The keys are generated manually via web form (even free users can do it).
I don't see why that would be a limitation because you either pay them for local private key storage or use PGP with the free version of the service.

EDIT:
I have made a test with these keys...
Here is a screenshot of the key manager presented in the browser after logging in:
obviously one can generate, import and export its own keys with a free account:
[Screenshot: Key manager]

They even provide their own email client so that same keys can be used within, or using the keys with 3rd party client once exported. (or using GPG to ensure private key is your own, and not the one generated in the browser, and then importing via browser or using from the client such as thunderbird)

I think Unseen deserves further attention by you guys so that clear conclusion can be made without false judgement.

As for laws by country I came up with a website that makes it easy to compare countries by data protection laws:
http://dlapiperdataprotection.com/#handbook/world-map-section/c1_IS/c2_CH

It's easy to spot if something is (possibly) outdated and in this case (Swiss and Iceland) one can get particular updates from these two sites:
ICELAND: http://www.personuvernd.is/information-in-english/greinar/nr/438
SWITZERLAND: http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.CH

From what I gathered Iceland is pushing to be number 1, problem is that there is a lot to read lol :)

Zegnat Jan 13, 2015

Collaborator

Did you see any mention of the technology used to store the private key? Because that sounds like a really, really bad thing to be doing…

codekiddy2 Jan 13, 2015

Zegnat,
You are correct, they keep it all secret. I found "Why you should stay away from Unseen.is", which elaborates on unseen.is from the security aspect more closely.
Thank you a lot!

BTW The http://prxbx.com/email/ works again 😄

cup commented Jan 19, 2015

pickfire Jan 19, 2015

What make it down?

cup Dec 12, 2015

@kevinSuttle are you dense? The page I linked has over 20 providers, why would they list them all on the main page?

prxbx.com/email

kevinSuttle Dec 12, 2015

Who said all of them? And watch your mouth. No need for that.

cup Dec 12, 2015

@kevinSuttle sorry, but no. You are being an idiot. The page here:

prism-break.org/en/all#email-accounts

is laid out exactly as it should be. It has a few prime examples, followed by this link and text:

> For more email providers, take a look at prxbx.com/email

Also if you notice carefully, the first link I put has this text:

> Free Recommendations

According to the second link Fastmail is not free, so suggesting it for that page is absurd. Go away.

kevinSuttle Dec 12, 2015

People like you give open source a bad name. Good luck being a sad little child.

pickfire Dec 12, 2015

@kevinSuttle, @svnpenn: I'm going to need you to retard your anger level a few notches

chovy Dec 12, 2015

I read that as I'm going to need you to retard your angel level... and was confused. Carry on :)

cup Dec 12, 2015

Hey @kevinSuttle, fuck yourself!

vyp Dec 12, 2015

Collaborator

@kevinSuttle Fastmail is mentioned on http://prxbx.com/email/ though (which is mentioned at https://prism-break.org/en/subcategories/os-x-email-accounts/). I suspect it's not recommended on prism break directly because (some) of its servers are located in the US. That isn't necessarily a bad thing, but in practice it means that they're much more easily susceptible to being compromised by the US government. (i.e. See what happened to Lavabit.) I am surprised though to see no other mention of Fastmail on prism break's issue tracker, you're right!

Zegnat Dec 12, 2015

Collaborator

Email itself is a pretty broken system from a privacy point of view. Too much metadata, too much data travelling in the clear. PRISM Break realises that people cannot go without email just yet, but we would rather not expand the current section.

  1. Riseup and A/I are on there not because of their server locations but because of their history fighting for their users. Very few other email providers can claim the same long history of offering activists a way out. This is why these two are included over other providers.
  2. Kolab Now is included partly because of their location (they really thought about their options and their website clearly states their do’s and don’ts concerning the Swiss law) and partly because they use FOSS software. They even make it easy for you to migrate away from them into your own Kolab installation. And PRISM Break already recommends Kolab.

Linking to http://www.prxbx.com/email/ is a way to give people more choices, and inform them about those choices, without inflating the contents of PRISM Break.

If you know an email provider with either a history supporting activists (like Riseup) or with a set-up for privacy and open-source software (like Kolab Now) then please open a new issue specifically for that service. Otherwise you can assume PRISM Break is not actually the right place for it.

I am closing and locking this issue to stop people from dragging it up again.

@Zegnat Zegnat closed this Dec 12, 2015

Repository owner locked and limited conversation to collaborators Dec 12, 2015

@Zegnat Zegnat removed the discussion label Dec 12, 2015
