Which e-mail provider is more advisable, ProtonMail or Lavabit reloaded?

Email is a pile of shit; however, it's going nowhere. The best thing is to point people to use modern secure alternatives with backwards compatibility so they can interoperate. For those who know people who are smart enough the messages will never exit the secure network between them.

HulaHoop:

Last I saw, DIME support in Thunderbird is being worked on in a fork called Volcano behind closed doors.

Dark Mail Alliance - Wikipedia

Nonetheless if you think this belongs better in the browser I’ll see what I can do.

Yes, please do (if you think DIME is worthy or promising).

DIME support in Thunderbird is great. DIME support in browser would be
even greater.

It’s not so much about good/better. For widespread adoption, it needs to
be included everywhere. And users using webmail in browsers are a large
group.

Good day,

Well, the thing is, historically, E-Mails were never designed to be used in the way we are using them now. Just like a lot of other standards used today as a basis for network-based communication, the idea and implementation used today were created by scientists who didn’t really see what they had developed as being used in such a major way as it is today.

There was one difference though, between E-Mails (or MAILBOX, as it was called at MIT) and other standards used to this date like HTML. Whereas the latter was designed as somewhat of a standard which could be expanded, E-Mail (or what we call E-Mail today) wasn’t really made with that in mind. Part of this, at least as far as I can tell, was likely the fact that while HTML was first made public in the 80s, MAILBOX came out almost two decades before it. Because of this, mailing is a lot older than the Usenet, the Internet, or even ARPANet. A lot of things we know about how to make a standard futureproof and adaptable for new requirements thus was learned via the evolution (or rather lack thereof) of E-Mails. And while it was in the 70s somewhat introduced into ARPANET and later the Internet, with SMTP, most of the basic design stayed the same. The format we use for mail addresses (nameofsystem/user@server/systemused) as well as the simple nature of the whole process thus has been kept the same ever since the days in which it was only used by scientists to communicate with each other.

That’s why the standard doesn’t include encryption. That’s why the standard can’t verify who was the real author of a message. That’s why you may impersonate anyone’s mail address with ease. It just didn’t evolve or improve like HTML or other standards have.

The only changes we’ve seen were SMTPS (which is the implementation of SSL on top of SMTP) and Extended SMTP, which as far as I’m aware mainly introduced a few new commands.

Thus, looking at it, there appears to be no genuine effort in improving what we currently call E-Mail. Maybe SMTP just isn’t flexible enough to make any significant improvement in regards to verification and encryption.

Though it seems to be getting replaced for better or for worse anyways. Love them or hate them, but modern Instant-Messaging-Services have a better encryption and user verification standard than mail ever will. And for as much distaste as we might have for the practices employed by WhatsApp, Telegram or Signal, the fact of the matter is that when it comes to giving the average user a rudimentary surface level protection from surveillance, they can only be rivaled by SSL.

So, long story short, it seems that the issues found in E-Mail will be somewhat solved not by improvements to the standard, but by replacing them altogether.

Have a nice day,

Ego

1 Like

Done. Asked the TBB/Mozilla uplift team and Google’s Adam Langley.

1 Like

That’s great. Let’s see if they pick that up. If not, please create a public feature request ticket on their tracker.

A post was split to a new topic: pretty Easy privacy (p≡p)

Actually, why write the guide for PGP key generation with Enigmail and integration into Icedove (with safe Icedove settings), when it has already been written :)

https://securityinabox.org/en/guide/thunderbird/linux/

This is exactly the hands-on, step-by-step guide that is required for usability. It needs to be referenced in the email section of the wiki.

Now re: usability of providers, Rise-Up and invites to the service is never going to work, plus they are located in Trump-Land, home of the dictator-in-chief. No sale.

This is why ProtonMail apparently working on a plug-in or otherwise compatibility with Thunderbird is the answer.

We are working on a solution that will allow you to use ProtonMail with other email clients in the future.

&

ProtonMail Support
4 months ago

We are working on this, but we do not have an exact date when it will be available. 

The issue was first raised two years ago though (don’t hold your breath).

I see that Tutanota was mentioned here, I wouldn’t trust them with my privacy after this joke: Fake News: After Recent Scandal Trump Family Turns Towards Encryption.

I use it myself only because ProtonMail requires identifiable information to register from Tor, and only for things like public mailing lists.

If anyone wants an alternative approach to mails I suggest looking into I2P Bote:

I2P-Bote is a plugin for I2P that allows users to send and receive emails while preserving privacy. It does not need a mail server because emails are stored in a distributed hash table. They are automatically encrypted and digitally signed, which ensures no one but the intended recipient can read the email, and third parties cannot forge them.

Some of its cool features are:

  • One-click creation of email accounts (called email identities)
  • Emails can be sent under a sender identity, or anonymously
  • Encryption and signing is transparent, without the need to know about PGP
  • Sending via relays for stronger anonymity guarantees
  • ElGamal, Elliptic Curve, and NTRU Encryption
  • Delivery confirmation
  • Basic support for short recipient names
  • IMAP and SMTP support

You might be interested:

1 Like

FTR Lavabit is not a free service and therefore not anonymous either.

Why is something not anonymous if you have to pay for it?
You could use offline bought bitcoin…
I would rather trust a company with a service I pay for to do what they promise than some free service to keep their word.
Obviously a setup like I2P Bote or Bitmessage would be best but that’s another topic.

You will be part of a very small anonymity set. Paying for anything already keeps many potential users away and the number of them smart enough to do it anonymously is less.

I would not trust anything that is not technically secure. Lavabit was liable last time because their encryption system was still under the server admin’s control. He behaved honestly but how many people are willing to risk their business and freedom to do that?

Also DIME is a good start but nothing beats timing and traffic obfuscation at the network layer.

That’s true but this could be said of a lot of privacy related stuff, I wouldn’t want to lower my security standard just because some people are too “stupid”/unwilling to do the same…

Sure, I wouldn’t trust a non-technically secure service either.
I think the incentive to behave honestly and not screw up (like Riseup) is much higher if you’re getting paid by your users, than some freebie service like Riseup who just lies and bows down once their own freedom is threatened.

That’s why I2P Bote exists ;)

Related:

//cc @nurmagoz

Since we already noted that these services are not trustable and to just use them for registration, then adding Lavabit as well will not be a problem.

Edit: Lavabit doesn’t have “free signup”; for all their services users need to pay in order to have an account, so it’s not recommended to put it as a suggestion for new users who want to have an email in order to communicate with us.

Too long for me to read and verify all by myself but perhaps it has some pointers for those interested in reviewing protonmail.

https://blog.ctemplar.com/who-controls-protonmail/

Relatively new (?) competitor:

https://ctemplar.com

Opinions?

Well both points are true. Protonmail did in fact announce CRV stake ownership. CRV is an investment company and not a charity. No doubt they gave them 2 million dollars for something in return.

Yes, Protonmail’s security claims are snake oil. Their barriers for anonymous registration and letting users make use of their own keys are problems I’ve confronted them about on Twitter. The situation has not changed since. This blog post confirms that no E2E encryption is available for Protonmail and that their JS implementation can be circumvented at will, which is true:

1 Like

Someone has to test that they allow IMAP access over Tor. I don’t want to use their super duper encryption nor sign-in via their JS required web interface that loads Google fonts.

@nurmagoz would you be up for this?

1 Like

Results:

  • They are using a Cloudflare captcha which prevents Tor users from solving it (even if they did). But sometimes it can bypass you (rarely, after many trials).
  • Email registration will get stuck and not let you pass this page:

My opinion:

Not recommended for anonymity usage. Maybe secure but nothing special with it.

3 Likes