Advice Request Looking for a new offshore email provider?

Please provide comments and solutions that are helpful to the author of this topic.
Sine Wave said:
I've been doing some more research on Offshore providers. I've decided I don't want anything that's free since that just sounds too good to be true to me, it has to cost the provider something to offer the service so why would they give it away for free? Does anybody know anything about either of these?

Privatelayer offshore email
Surfbouncer offshore email
Click to expand...
Well, for paid options I have found these 2 options both of them seem pretty good.
mailbox.org

Your data – under your control.

Your digital workspace with email, cloud, office & meet. Secure & GDPR-compliant for businesses, public authorities and private individuals. ▶ Try us now!
mailbox.org mailbox.org

Email green, secure, simple and ad-free - posteo.de -

Posteo is an innovative email provider that is concerned with sustainability and privacy and is completely ad-free. Our email accounts, calendars and address books can be synchronised - we use comprehensive encryption.
posteo.de posteo.de
 
  • Like
Reactions: Nevi, Venustus, Thales and 1 other person
Andrew999 said:
Well, for paid options I have found these 2 options both of them seem pretty good.
mailbox.org

Your data – under your control.

Your digital workspace with email, cloud, office & meet. Secure & GDPR-compliant for businesses, public authorities and private individuals. ▶ Try us now!
mailbox.org mailbox.org

Email green, secure, simple and ad-free - posteo.de -

Posteo is an innovative email provider that is concerned with sustainability and privacy and is completely ad-free. Our email accounts, calendars and address books can be synchronised - we use comprehensive encryption.
posteo.de posteo.de
Click to expand...

Mailbox.org - Some emails from some providers just disappear and never arrive. Good features but it is a no-go.
Posteo - Even if they have no spam folder I got my emails. I used them for years. However people can't even spell posteo and that's a big part of choosing an email provider. Same as Tutanota. "Tuta what?" "tuttano... tutano... what?)
Protonmail has the "pm" option. However don't trust them! They have backddoor and it is confirmed.
 
Last edited:
  • Like
  • +Reputation
Reactions: Mercenary, Andrew999, Protomartyr and 1 other person
Sine Wave said:
Does anybody know anything about either of these?

Privatelayer offshore email
Surfbouncer offshore email
Click to expand...

Well they both look fine, privatelayer is fairly well known but whoa, $200 bucks a year is expensive. At least you can try out the other guys with one of they're cheaper short term plans.

Thales said:
Protonmail has the "pm" option. However don't trust them! They have backdoor and it is confirmed.
Click to expand...
Not surprising, that's to be expected with free services.
 
computer man said:
Not surprising, that's to be expected with free services.
Click to expand...

Yeah, but can we treat protonmail as a free service? It has payed services too and I'm sure with a lot of active members.
So, if it is not just a free service this backdoor is a more serious issue and not just in a privacy manner but security.
 
I agree proton is not secure and it should never be used for anything important or private. I just meant that if they're offering service for free, then their security probably is poor for all their services since their not likely to set up a separate, more secure system for they're paid services. And it has been said that they're owned by a data-mining company to start with, so what kind of security can you really expect.
 
  • Like
  • Wow
Reactions: Mercenary, TairikuOkami and Andrew999
Umbra said:
i use those, in order:

1- Tutanota (because the android app which is way too useful)
2- MSGsafe (used to have a beta android app but they removed it)
3- Protonmail (android app too), but i use it less since their parent company looks shady to me.
Click to expand...

Can you expand on 3- ? I looked at them a year ago but didn't see anything shady

Thales said:
Mailbox.org - Some emails from some providers just disappear and never arrive. Good features but it is a no-go.
Posteo - Even if they have no spam folder I got my emails. I used them for years. However people can't even spell posteo and that's a big part of choosing an email provider. Same as Tutanota. "Tuta what?" "tuttano... tutano... what?)
Protonmail has the "pm" option. However don't trust them! They have backddoor and it is confirmed.
Click to expand...

What backdoor? they even let you use your own PGP keys from what I recall
 
notabot said:
Thanks!, I'll take a look
Click to expand...

Proton's page lists a different CEO : About ProtonMail , the founder of Proton.
They've also provided some explanations here: The company that ‘’officially’' operates ProtonVPN is ProtonVPN AG, a Switzerlan... | Hacker News

It sounds to me that they started their VPN service with some careless outsourcing/resource sharing but everything I've read could had happened to any series-B level startup, the important thing is if they took the message home and changed course and it looks like they did.

Startups are so under-resourced that mistakes like that one are bound to happen. I've seen worse from series B's ( not in the security space ) 😂

From what I read, careless? yes - but not compromised
 
That is the problem, any other company, I won't raise an eyebrow but a VPN company who supposed to secure your datas and privacy cant afford to be careless at any point.
I still use Protonmail, but not for important stuff.
Not saying, in the past they were specifically targeted via DDOS for days by some entities. Not irrelevant.
 
  • Like
Reactions: Stopspying, CyberTech, Protomartyr and 2 others
notabot said:
What backdoor? they even let you use your own PGP keys from what I recall
Click to expand...



From cTemplar
"Users use 2 Factor Authentication (2FA) to provide greater security to their account. Some email services, like Protonmail, maintain backdoor access to all users 2FA. They say this is because they do not want the person locked out of their account if 2FA is lost. Some people want their email service to have this control. Other people do not companies having backdoor access. Users should consider this when making an email decision. "

blog.ctemplar.com

CTemplar Checksum Implementation - CTemplar: Armored Email

Encrypted Email Services Can Hack You Using JavaScript JavaScript can be used to serve malicious code, exploits, or hacks. This is illustrated by Gizmodo, USENIX, Ask Leo, Stack Exchange, ITNEXT, and it is a recurring theme at the hacker conference DEFCON. JavaScript hacks are also the primary...
blog.ctemplar.com blog.ctemplar.com

blog.ctemplar.com

Email Comparison Table - CTemplar: Armored Email

Comparison tables are often used to show the differences between services. We respect these services, we have reviewed this table with both services and even recommend to them our users when we are not able to meet demand. This is an analysis of the features we feel are important. Protonmail...
blog.ctemplar.com blog.ctemplar.com
 
  • Like
Reactions: Protomartyr and roger_m
Thales said:


From cTemplar
"Users use 2 Factor Authentication (2FA) to provide greater security to their account. Some email services, like Protonmail, maintain backdoor access to all users 2FA. They say this is because they do not want the person locked out of their account if 2FA is lost. Some people want their email service to have this control. Other people do not companies having backdoor access. Users should consider this when making an email decision. "

blog.ctemplar.com

CTemplar Checksum Implementation - CTemplar: Armored Email

Encrypted Email Services Can Hack You Using JavaScript JavaScript can be used to serve malicious code, exploits, or hacks. This is illustrated by Gizmodo, USENIX, Ask Leo, Stack Exchange, ITNEXT, and it is a recurring theme at the hacker conference DEFCON. JavaScript hacks are also the primary...
blog.ctemplar.com blog.ctemplar.com

blog.ctemplar.com

Email Comparison Table - CTemplar: Armored Email

Comparison tables are often used to show the differences between services. We respect these services, we have reviewed this table with both services and even recommend to them our users when we are not able to meet demand. This is an analysis of the features we feel are important. Protonmail...
blog.ctemplar.com blog.ctemplar.com
Click to expand...


This is about authentication, not about decrypting the data, as 2FA is irrelevant for that. It's the same with gmail, unless you go for advanced protection where the difference is 1) they enforce u2f 2) the process for resetting credentials, including 2FA, is on purpose very slow.

Protonmail should do the same, offer an advanced protection where the process for resetting credentials, including 2FA, is slow on purpose, but I don't see anything wrong with this so far
 
notabot said:
This is about authentication, not about decrypting the data, as 2FA is irrelevant for that. It's the same with gmail, unless you go for advanced protection where the difference is 1) they enforce u2f 2) the process for resetting credentials, including 2FA, is on purpose very slow.

Protonmail should do the same, offer an advanced protection where the process for resetting credentials, including 2FA, is slow on purpose, but I don't see anything wrong with this so far
Click to expand...

I disagree. It doesn't matter how strong the encryption is if they can enter into my account by disabling this or that. How do you know they can't turn off the 2nd password method too?
If an email provider can do this, that's one thing. But if they advertises itself as "private and secure email provider" that's another thing.
 
  • Like
Reactions: roger_m and Protomartyr
Thales said:
I disagree. It doesn't matter how strong the encryption is if they can enter into my account by disabling this or that. How do you know they can't turn off the 2nd password method too?
If an email provider can do this, that's one thing. But if they advertises itself as "private and secure email provider" that's another thing.
Click to expand...

To enter your account and read emails they need your decryption password, or if you only use a single password for both authentication and decryption the single password.

Even before 2FA proton could reset your password but of course you lost access to your encrypted emails as they had no way to recover those.
2FA is one of the two authentication steps, I know of no email provider who can't turn it off as this would mean there could be no account recovery. 2FA is irrelevant to decrypting your emails, it's used only for authentication.

If the question is how do you know ProtonMail despite their claims does not store your decryption password as well, then monitoring the traffic between the local javascript application and their server can answer that, tbh if someone had caught something like that, ProtonMail would probably lose all their clients, I'm not saying it could never happened but nobody has made this claim so far.
 
notabot said:
This is about authentication, not about decrypting the data, as 2FA is irrelevant for that. It's the same with gmail, unless you go for advanced protection where the difference is 1) they enforce u2f 2) the process for resetting credentials, including 2FA, is on purpose very slow.
Click to expand...
you miss the point, it is not about being able to decrypt your mails or not , it is about someone with enough infos can use this system to access your account. Protonmail isn't Gmail, you don't use encrypted services as you send basic email via Gmail to your buddies.

I use 2FA knowingly that if i lose my device or codes, I'm done. My other providers don't allow me to reset my 2FA if i lose them.
It is exactly why I use 2FA, so only me can access my account.

If they allow anyone who usurped your identity (via credentials stealing for example) and get access, what is the point of 2FA?
I use 2FA with my mobile because no one else has it.

Protonmail should do the same, offer an advanced protection where the process for resetting credentials, including 2FA, is slow on purpose, but I don't see anything wrong with this so far
Click to expand...
It is wrong, you don't see it because you don't see the big picture. They shouldn't even think about it, this is a blatant weakness and i smell some hidden agendas for doing it.
 
Last edited by a moderator:
  • Like
Reactions: Thales
Umbra said:
you miss the point, it is not about being able to decrypt your mails or not , it is about someone with enough infos can use this system to access your account. Protonmail isn't Gmail, you don't use encrypted services as you send basic email via Gmail to your buddies.

I use 2FA knowingly that if i lose my device or codes, I'm done. My other providers don't allow me to reset my 2FA if i lose them.
It is exactly why I use 2FA, so only me can access my account.

If they allow anyone who usurped your identity (via credentials stealing for example) and get access, what is the point of 2FA?
I use 2FA with my mobile because no one else has it.


It is wrong, you don't see it because you don't see the big picture. They shouldn't even think about it, this is a blatant weakness and i smell some hidden agendas for doing it.
Click to expand...

The point of 2FA is that it's a second authentication factor, it's not to be unable to recover your account, it's not meant to be non-reset-able by the service provider.
2FA if stored on a separate device, it serves as a backstop to a perpetrator who eg gains access to your password manager on your desktop or gets credentials via keylogger etc.

To make resetting credentials hard, something like Google's advanced protection is exactly what's needed and it's the reason Google created it.
E.g. if someone by hacking, social engineering or both has sufficient info to enter your account and take your identity - except your second factor, Google's advanced protection program will make it hard for them to reset it as the process is long and tenuous and involves notifications. Without the advanced protection program but with 2FA switched on, resetting is more streamlined and someone can bypass the second factor more easily.
 
notabot said:
The point of 2FA is that it's a second authentication factor, it's not to be unable to recover your account, it's not meant to be non-reset-able by the service provider.
Click to expand...
ok let see how you will react when someone will impersonate you and gain access to your most private emails. Im sorry but i wont accept it, hence i won't use such service.
what you are saying it same as "the owner of my apartment has a duplicate of my keys, and will give to anyone who ask them showing a letter from me, no problem". Really?

To make resetting credentials hard, something like Google's advanced protection is exactly what's needed and it's the reason Google created it.
E.g. if someone by hacking, social engineering or both has sufficient info to enter your account and take your identity - except your second factor, Google's advanced protection program will make it hard for them to reset it as the process is long and tenuous and involves notifications. Without the advanced protection program but with 2FA switched on, resetting is more streamlined and someone can bypass the second factor more easily.
Click to expand...
We are not talking about Google but Protonmail...
 
Last edited by a moderator:
  • Like
Reactions: Thales

You may also like...