Which e-mail provider is more advisable, Protonmail or Lavabit Reloaded?

Since we already noted that these services are not trustworthy, just use them for registration; then adding Lavabit as well will not be a problem.

Edit: Lavabit doesn't offer a “free signup”; users need to pay for all of their services in order to have an account, so it's not recommended to suggest it to new users who want to have an email address in order to communicate with us.

Too long for me to read and verify all by myself, but perhaps it has some pointers for those interested in reviewing Protonmail.

https://blog.ctemplar.com/who-controls-protonmail/

Relatively new (?) competitor:

https://ctemplar.com

Opinions?

Well, both points are true. Protonmail did in fact announce CRV stake ownership. CRV is an investment company and not a charity. No doubt they gave them 2 million dollars for something in return.

Yes, Protonmail's security claims are snake oil. Their barriers to anonymous registration and to letting users make use of their own keys are problems I've confronted them about on Twitter. The situation has not changed since. This blog post confirms that no E2E encryption is available for Protonmail and that their JS implementation can be circumvented at will, which is true:

Someone has to test whether they allow IMAP access over Tor. I don't want to use their super duper encryption, nor sign in via their JS-required web interface that loads Google Fonts.

@nurmagoz would you be up for this?

Results:

  • They are using a Cloudflare captcha which prevents Tor users from solving it (even if they did). But sometimes it can be bypassed (rarely, after many trials).
  • Email registration will get stuck and not let you past this page:

My opinion:

Not recommended for anonymity usage. Maybe secure, but nothing special about it.

Hey, I'm here from CTemplar.

We will soon post an article about how to set up a very secure email environment, directing users to Whonix's email page. We are not affiliates; however, it is best to be honest with people and direct them to the content they need.

Can you explain how Cloudflare prevents Tor users from solving the reCAPTCHA?

Currently we are not that unique. All we offer users is sincerity and hard work. We respectfully ask the community about what we can improve on. Then please allow us the opportunity to work hard to prove that we are sincere.

-Godfrey

We don't support IMAP or POP. We will probably add those in January. I mean no disrespect to you; we are a small team and have other tasks that are a priority right now.

Respectfully,
Godfrey
Godfrey@ctemplar.com

Haven't heard that much from the Tor/Whonix community on the last one (cloudflare-ends-captcha-challenges), so I guess it will be a wait-and-see how it goes. Since the Tor Project tweaked their binaries for this (or so it states??), I would imagine they will be commenting on this eventually. If they haven't already?

BTW, thanks for opening a dialog! :+1:

Thanks for chiming in.

Can you please strip out any Google scripts and allow non-JS signup? These are two areas that would put you on par with the competition.

Google Scripts: We have Google scripts at signup and login to prevent account abuse. We are looking for any other solution for this, and we will happily replace it with something equal. The alternatives are cell phone confirmation, which is anti-privacy; email confirmation, which is silly for an email site; and asking for a donation for a free account, which is evil. So to prevent account abuse we are stuck with using Google reCAPTCHA in those two places. It's not ideal, but we are searching for alternatives and we'll make the correction as soon as we can. I would sincerely like to know people's thoughts on this.

Non-JS signup: I have always felt like using JavaScript is like putting 3 ounces of sh*t in a birthday cake. It doesn't matter if it's a small amount, no one will eat it :) Lame joke. Our front end is built using Angular (JavaScript) because it is what does the encryption and decryption. We have added checksums so users can confirm that the code they receive is the same code that we show on GitHub. Right now other E2E email services offer a “You can trust us not to screw you” security model. They show code on GitHub but serve it from a private repository and ask you to trust them that it won't have malicious code. We are trying to take a step in the right direction with checksums, but we realize it's a small step. Regardless, we are working on a way to use our email without JavaScript, but it will take some time.

What's more serious than Google scripts are the PayPal and Stripe scripts. They are able to see into users' inboxes more than Google scripts. We're going to write a post about that in the near future. If users use the free account or pay with Bitcoin/Monero they can protect themselves from evil PayPal/Stripe scripts.

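The checksum idea in the CTemplar reply above has a browser-native form, Subresource Integrity (SRI), where the page carries a hash of each script and the browser refuses to run a script whose bytes do not match. The block below is an added example and not CTemplar's code: it computes the SRI string, verifies served bytes against a pinned value, and audits a set of served assets against pins recorded from the public repository. The bundle contents, file names and the tampered payload are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample: the front-end bundle as published in the public
# repository. The content is a stand-in, not any real provider's code.
PUBLISHED_BUNDLE = b"(function(){/* encrypt the draft with the recipient key */})();\n"


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity string ("<algo>-<base64 digest>") for data.

    This is the format a browser checks in <script integrity="...">."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(served: bytes, pinned: str) -> bool:
    """Check a served resource against a pinned SRI string.

    The digest is recomputed with the algorithm named in the *pin*, so the
    server cannot downgrade by announcing a weaker algorithm itself."""
    algo, _, _ = pinned.partition("-")
    try:
        return hmac.compare_digest(sri_hash(served, algo), pinned)
    except ValueError:
        # Unknown algorithm in the pin: treat as failed verification.
        return False


def script_tag(src: str, data: bytes) -> str:
    """Build the <script> tag a page would carry so the browser verifies data."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            'crossorigin="anonymous"></script>')


def audit_served(pins: Dict[str, str], served: Dict[str, bytes]) -> Dict[str, str]:
    """Compare every served asset against pins recorded from the repository.

    Result per asset: "ok", "MISMATCH" (served code differs from published),
    or "unpinned" (the page pulled in a script nobody reviewed)."""
    report: Dict[str, str] = {}
    for name, data in served.items():
        if name not in pins:
            report[name] = "unpinned"
        elif verify_integrity(data, pins[name]):
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


if __name__ == "__main__":
    pins = {"main.js": sri_hash(PUBLISHED_BUNDLE)}
    # Constructed: a server that quietly appends a key-exfiltration call
    # changes the digest, so the pinned hash no longer matches.
    tampered = PUBLISHED_BUNDLE + b"fetch('/collect?k='+userKey);\n"
    print(script_tag("/main.js", PUBLISHED_BUNDLE))
    print(audit_served(pins, {"main.js": tampered, "recaptcha.js": b"..."}))
```

The caveat a practitioner would raise: if the same origin serves the HTML that carries the `integrity` attribute, it can rewrite both the attribute and the script, so the pin only helps when it lives outside the server's control (a hash the user compared offline against the repository, a local copy, or a browser extension holding the expected values).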

I’m not ignoring you I just have no idea how to respond. I’m going to study this and get back to you. Thank you for these links.

We have removed both those posts about Protonmail. Although we felt they were completely true, we are not the right group to show their weaknesses.

If not you, then who is the right group? If the post is accurate/true why not leave it up?

GitHub is not an ideal place to compare your code against. It is very bad to trust GitHub to store your real code. You should either switch to GitLab or host your own Git server with e.g. Gogs.

That's horrible, needs triage for sure. Also it might help to check projects like Liberapay.

Why would you remove that? And if you can't put it up again, please post it here.

@CTemplar I checked CTemplar again; you guys made great and brilliant improvements to your infrastructure: removing Cloudflare, removing the need for JS, payment with Monero and v3 onion hidden services, all TLS and DNS security features implemented and hardened… just great!

Are there any notices to add?

  • Major feature needed: allow users to use their own email clients (allowing POP/IMAP/SMTP) and their own encryption (GPG/PGP). I asked support; they told me it may be added in the future.

  • Minor stuff to check out:

Missing Headers (new)
Permissions-Policy: Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.

Warnings
Content-Security-Policy: This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive. This policy contains ‘unsafe-eval’ which is dangerous in the script-src directive. This policy contains ‘unsafe-inline’ which is dangerous in the style-src directive.

  • Optional/trivial stuff to check out:

https://zonemaster.net/result/a882610509288f40

If you click on warnings and notices you will find (if this single route goes offline, all nameservers are going to be offline):

CONNECTIVITY
0 CONNECTIVITY WARNING All nameservers in the delegation have IPv4 addresses in the same AS (13335).
1 CONNECTIVITY WARNING All nameservers in the delegation have IPv6 addresses in the same AS (13335).
2 CONNECTIVITY WARNING All nameservers in the delegation are in the same AS (13335).

ZONE
0 ZONE NOTICE SOA ‘refresh’ value (10000) is less than the recommended minimum (14400).
1 ZONE NOTICE SOA ‘retry’ value (2400) is less than the recommended minimum (3600).

Can't wait to see your email added to my client!!

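The "minor stuff" list in the post above is scanner output: a missing Permissions-Policy header and a Content-Security-Policy that allows 'unsafe-inline' and 'unsafe-eval'. The block below is an added example, not the scanner's or CTemplar's code, that performs the same checks offline: it parses a CSP header into directives, applies the default-src fallback, flags the dangerous source expressions, and reports missing headers. Both header sets are constructed for the example (the weak one is modelled on the quoted warnings, not captured from the real site; the nonce value is a placeholder).

```python
from typing import Dict, List

# Headers a hardened web front end should send; the scanner output quoted
# above reported Permissions-Policy as the one missing.
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)

# Source expressions that defeat the purpose of script-src / style-src.
DANGEROUS_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample modelled on the scanner warnings quoted above.
WEAK_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
        "style-src 'self' 'unsafe-inline'"
    ),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

# Constructed: the same site after the fixes. Inline scripts carry a
# per-response nonce (placeholder value), eval is gone, the policy is present.
HARDENED_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": (
        "default-src 'none'; "
        "script-src 'self' 'nonce-r4nd0mN0nce'; "
        "style-src 'self'; connect-src 'self'; img-src 'self'; "
        "frame-ancestors 'none'; base-uri 'none'; form-action 'self'"
    ),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directive names are ASCII case-insensitive and are lowercased; source
    tokens keep their case because nonce values are case-sensitive."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers; keep the first one.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(csp: Dict[str, List[str]], directive: str) -> List[str]:
    """script-src / style-src fall back to default-src when absent."""
    return csp.get(directive, csp.get("default-src", []))


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the findings for a response header set (empty list if clean)."""
    findings: List[str] = []
    present = {name.lower(): value for name, value in headers.items()}

    for name in REQUIRED_HEADERS:
        if name.lower() not in present:
            findings.append(f"missing header: {name}")

    csp_value = present.get("content-security-policy")
    if csp_value is None:
        return findings
    csp = parse_csp(csp_value)

    for directive in ("script-src", "style-src"):
        lowered = [s.lower() for s in effective_sources(csp, directive)]
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
        for keyword in DANGEROUS_SOURCES:
            if keyword not in lowered:
                continue
            finding = f"CSP: {keyword} in {directive}"
            if keyword == "'unsafe-inline'" and has_nonce_or_hash:
                # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or
                # hash is listed; it is then a legacy fallback, not a hole.
                finding += " (ignored by CSP2+ browsers: nonce/hash present)"
            findings.append(finding)
        if "*" in lowered:
            findings.append(f"CSP: wildcard source in {directive}")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(headers) or ["no findings"])
```

The nonce-aware check matters for a site like this one: an Angular front end that must keep some inline script can move from 'unsafe-inline' to a per-response nonce without breaking, and 'unsafe-eval' should simply go away, since a CSP that permits eval gives any injected string a path to the key material the client-side crypto handles.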

As I read in the Whonix Wiki, the only really important question about using e-mail anonymously is whether registration over Tor is possible. Every e-mail provider reads your mails, so the question is about anonymity, not privacy. If you don't share personal information about your real identity and use an anonymous e-mail account only over Tor, then it is ‘pseudonymous’, because pure anonymity doesn't exist.

But they still don't allow registration over the onion site, only login.

Did you inspect their code?

That's great, but unfortunately, mail from unpopular e-mail providers can easily be blocked as ‘spam’ by big services like Gmail, Outlook, Yahoo etc., so there is a risk that your mail will never be received by these providers. Also, many popular social networks block sending their verification messages to unpopular and ‘fraud’ e-mail mailboxes such as Protonmail, Tutanota, Lavabit etc.

So, the best variant is to use both a popular and a Tor-friendly e-mail provider.

Hi, the Tor community has heavily relied on secmail for free anonymous JS-less email, but sadly it is now gone. Does anyone know of a comparable service?

https://danwin1210.me/

http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/

fuckitalllls via Whonix Forum:

@CTemplar

Sad to see such good services going down…

https://ctemplar.com/ctemplar-is-shutting-down/

Thanks for all the effort and time spent on this project.