Which e-mail provider is more advisable, ProtonMail or Lavabit reloaded?

Actually, why write the guide for PGP key generation with Enigmail and integration into Icedove (with safe Icedove settings), when it has already been written :slight_smile:

https://securityinabox.org/en/guide/thunderbird/linux/

This is exactly the hands on, step-by-step guide that is required for usability. It needs to be referenced in the email section of the wiki.

Now re: usability of providers, Rise-Up and invites to the service is never going to work, plus they are located in Trump-Land, home of the dictator-in-chief. No sale.

This is why ProtonMail apparently working on a plug-in or otherwise compatibility with Thunderbird is the answer.

We are working on a solution that will allow you to use ProtonMail with other email clients in the future.

&

ProtonMail Support
4 months ago

We are working on this, but we do not have an exact date when it will be available. 

The issue was first raised two years ago though (don’t hold your breath).

I see that Tutanota was mentioned here, I wouldn’t trust them with my privacy after this joke: Fake News: After Recent Scandal Trump Family Turns Towards Encryption.

I use it myself only because ProtonMail requires identifiable information to register from Tor, and only for things like public mailing lists.

If anyone wants an alternative approach to mails I suggest looking into I2P Bote:

I2P-Bote is a plugin for I2P that allows users to send and receive emails while preserving privacy. It does not need a mail server because emails are stored in a distributed hash table. They are automatically encrypted and digitally signed, which ensures no one but the intended recipient can read the email, and third parties cannot forge them.

Some of its cool features are:

  • One-click creation of email accounts (called email identities)
  • Emails can be sent under a sender identity, or anonymously
  • Encryption and signing is transparent, without the need to know about PGP
  • Sending via relays for stronger anonymity guarantees
  • ElGamal, Elliptic Curve, and NTRU Encryption
  • Delivery confirmation
  • Basic support for short recipient names
  • IMAP and SMTP support

You might be interested:

1 Like

FTR Lavabit is not a free service and therefore not anonymous either.

Why is something not anonymous if you have to pay for it?
You could use offline-bought bitcoin…
I would rather trust a company with a service I pay for to do what they promise than some free service to keep their word.
Obviously a setup like I2P Bote or Bitmessage would be best but that’s another topic.

You will be part of a very small anonymity set. Paying for anything already keeps many potential users away and the number of them smart enough to do it anonymously is less.

I would not trust anything that is not technically secure. Lavabit was liable last time because their encryption system was still under the server admin’s control. He behaved honestly but how many people are willing to risk their business and freedom to do that?

Also DIME is a good start but nothing beats timing and traffic obfuscation at the network layer.

That’s true but this could be said about a lot of privacy-related stuff, I wouldn’t want to lower my security standard just because some people are too “stupid”/unwilling to do the same…

Sure, I wouldn’t trust a non-technically-secure service either.
I think the incentive to behave honestly and not screw up (like Riseup) is much higher if you’re getting paid by your users than for some freebie service like Riseup who just lies and bows down once their own freedom is threatened.

That’s why I2P Bote exists :wink:

Related:

//cc @nurmagoz

Since we already noted that these services are not trustable, just use them for registration, then adding Lavabit as well will not be a problem.

Edit: Lavabit doesn’t contain “free signup”; for all their services users need to pay in order to have an account, so it’s not recommended to put it as a suggestion for the new users who want to have an email in order to communicate with us.

Too long for me to read and verify all by myself but perhaps it has some pointers for those interested in reviewing protonmail.

https://blog.ctemplar.com/who-controls-protonmail/

Relatively new (?) competitor:

https://ctemplar.com

Opinions?

Well both points are true. Protonmail did in fact announce CRV stake ownership. CRV is an investment company and not a charity. No doubt they gave them 2 million dollars for something in return.

Yes, Protonmail’s security claims are snake oil. Their barriers for anonymous registration and letting users make use of their own keys are problems I’ve confronted them about on Twitter. The situation has not changed since. This blog post confirms that no E2E encryption is available for Protonmail and that their JS implementation can be circumvented at will, which is true:

1 Like

Someone has to test that they allow IMAP access over Tor. I don’t want to use their super duper encryption nor sign-in via their JS required web interface that loads Google fonts.

@nurmagoz would you be up for this?

1 Like

Results:

  • They are using a Cloudflare captcha which prevents Tor users from solving it (even if they did). But sometimes it can let you through (rarely, after many trials).
  • Email registration will get stuck and not let you pass this page:

My opinion:

Not recommended for anonymity usage. Maybe secure but nothing special with it.

3 Likes

Hey I’m here from CTemplar.

We will soon post an article about how to set up a very secure email environment, directing users to Whonix’s email page. We are not affiliates; however, it is best to be honest with people and direct them to the content they need.

Can you explain how Cloudflare prevents Tor users from solving the reCAPTCHA?

Currently we are not that unique. All we offer users is sincerity and hard work. We respectfully ask the community about what we can improve on. Then please allow us the opportunity to work hard to prove that we are sincere.

-Godfrey

3 Likes

We don’t support IMAP or POP. We will probably add those in January. I mean no disrespect to you, we are a small team and have other tasks that are a priority right now.

Respectfully,
Godfrey
Godfrey@ctemplar.com

3 Likes

Haven’t heard that much from the Tor/Whonix community on the last one (cloudflare-ends-captcha-challenges) so I guess it will be a wait and see how it goes. Since Tor Project tweaked their binaries for this (or so it states??) I would imagine they will be commenting on this eventually. If they haven’t already?

BTW, Thanks for opening dialog! :+1:

3 Likes

Thanks for chiming in.

Can you please strip out any Google scripts and allow non-JS signup? These are two areas that would put you on par with the competition.

2 Likes

Google Scripts: We have Google scripts at signup and login to prevent account abuse. We are looking for any other solution for this and we will happily replace it with something equal. The alternatives are cell phone confirmation which is anti-privacy, email confirmation which is silly for an email site, and asking for a donation for a free account which is evil. So to prevent account abuse we are stuck with using Google reCAPTCHA in those two places. It’s not ideal but we are searching for alternatives and we’ll make the correction as soon as we can. I would sincerely like to know people’s thoughts on this.

Non-JS to signup: I have always felt like using JavaScript is like putting 3 ounces of sh*t in a birthday cake. It doesn’t matter if it’s a small amount, no one will eat it:) Lame joke. Our front end is built using Angular (JavaScript) because it is what does the encryption and decryption. We have added checksums so users can confirm that the code they receive is the same code that we show on GitHub. Right now other E2E email services offer a “You can trust us not to screw you” security model. They show code on GitHub but serve it from a private repository and ask you to trust them that it won’t have malicious code. We are trying to take a step in the right direction with checksums but we realize it’s a small step. Regardless, we are working on a way to use our email without JavaScript but it will take some time.

What’s more serious than Google scripts are the PayPal and Stripe scripts. They are able to see into users’ inboxes more than Google scripts. We’re going to write a post about that in the near future. If users use the free account or pay with bitcoin/monero they can protect themselves from evil PayPal/Stripe scripts.

3 Likes
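
An added illustration of the checksum model discussed in the post above (not part of the thread and not CTemplar's code): it checks each script a page loads against a published SHA-256 manifest and separates out what such a manifest cannot vouch for, namely unlisted files and third-party scripts such as captcha or payment widgets. The manifest layout, hosts, paths and file contents are assumptions constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit_scripts(page_url, html, served, manifest):
    """Sort the page's scripts into verified / mismatch / unlisted / third_party.
    served:   {absolute URL: bytes the server actually sent}
    manifest: {URL path: hex SHA-256 published alongside the source code}
    """
    origin = urlparse(page_url).netloc
    collector = ScriptCollector()
    collector.feed(html)
    report = {"verified": [], "mismatch": [], "unlisted": [], "third_party": []}
    for src in collector.sources:
        url = urljoin(page_url, src)
        parts = urlparse(url)
        if parts.netloc != origin:
            report["third_party"].append(url)  # no first-party checksum covers it
        elif parts.path not in manifest:
            report["unlisted"].append(url)     # served, but never published
        else:
            digest = hashlib.sha256(served.get(url, b"")).hexdigest()
            ok = digest == manifest[parts.path].lower()
            report["verified" if ok else "mismatch"].append(url)
    return report

# Constructed sample data; hosts, paths and file contents are hypothetical.
PAGE_URL = "https://mail.example/"
BUILD = b"console.log('published build');"
HTML = ('<script src="/main.js"></script><script src="/vendor.js"></script>'
        '<script src="/extra.js"></script>'
        '<script src="https://captcha.example/api.js"></script>')
SERVED = {PAGE_URL + "main.js": BUILD, PAGE_URL + "vendor.js": b"altered",
          PAGE_URL + "extra.js": b"unknown"}
MANIFEST = {"/main.js": hashlib.sha256(BUILD).hexdigest(),
            "/vendor.js": hashlib.sha256(b"vendor build").hexdigest()}

if __name__ == "__main__":
    print(audit_scripts(PAGE_URL, HTML, SERVED, MANIFEST))
```

Inline scripts carry no `src` and are not examined by this sketch.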