Advice Request Looking for a new offshore email provider?


Andrew999

I've been doing some more research on Offshore providers. I've decided I don't want anything that's free since that just sounds too good to be true to me, it has to cost the provider something to offer the service so why would they give it away for free? Does anybody know anything about either of these?

Privatelayer offshore email
Surfbouncer offshore email
Well, for paid options I have found these 2 options both of them seem pretty good.
 

Thales

Well, for paid options I have found these 2 options both of them seem pretty good.

Mailbox.org - Some emails from some providers just disappear and never arrive. Good features but it is a no-go.
Posteo - Even if they have no spam folder I got my emails. I used them for years. However people can't even spell Posteo and that's a big part of choosing an email provider. Same as Tutanota. "Tuta what?" "tuttano... tutano... what?"
Protonmail has the "pm" option. However don't trust them! They have a backdoor and it is confirmed.
 

computer man

Does anybody know anything about either of these?

Privatelayer offshore email
Surfbouncer offshore email

Well, they both look fine. Privatelayer is fairly well known, but whoa, $200 bucks a year is expensive. At least you can try out the other guys with one of their cheaper short-term plans.

Protonmail has the "pm" option. However don't trust them! They have backdoor and it is confirmed.
Not surprising, that's to be expected with free services.
 

Thales

Not surprising, that's to be expected with free services.

Yeah, but can we treat Protonmail as a free service? It has paid services too and I'm sure with a lot of active members.
So, if it is not just a free service this backdoor is a more serious issue and not just in a privacy manner but security.
 

computer man

I agree Proton is not secure and it should never be used for anything important or private. I just meant that if they're offering service for free, then their security probably is poor for all their services since they're not likely to set up a separate, more secure system for their paid services. And it has been said that they're owned by a data-mining company to start with, so what kind of security can you really expect.
 

notabot

I use those, in order:

1- Tutanota (because the Android app which is way too useful)
2- MSGsafe (used to have a beta Android app but they removed it)
3- Protonmail (Android app too), but I use it less since their parent company looks shady to me.

Can you expand on 3- ? I looked at them a year ago but didn't see anything shady

Mailbox.org - Some emails from some providers just disappear and never arrive. Good features but it is a no-go.
Posteo - Even if they have no spam folder I got my emails. I used them for years. However people can't even spell Posteo and that's a big part of choosing an email provider. Same as Tutanota. "Tuta what?" "tuttano... tutano... what?"
Protonmail has the "pm" option. However don't trust them! They have a backdoor and it is confirmed.

What backdoor? they even let you use your own PGP keys from what I recall
 

notabot

Thanks!, I'll take a look

Proton's page lists a different CEO: About ProtonMail, the founder of Proton.
They've also provided some explanations here: The company that "officially" operates ProtonVPN is ProtonVPN AG, a Switzerlan... | Hacker News

It sounds to me that they started their VPN service with some careless outsourcing/resource sharing, but everything I've read could have happened to any series-B level startup. The important thing is if they took the message home and changed course, and it looks like they did.

Startups are so under-resourced that mistakes like that one are bound to happen. I've seen worse from series B's ( not in the security space ) 😂

From what I read, careless? yes - but not compromised
 

ForgottenSeer 823865

That is the problem, any other company, I won't raise an eyebrow, but a VPN company that is supposed to secure your data and privacy can't afford to be careless at any point.
I still use Protonmail, but not for important stuff.
Not saying, in the past they were specifically targeted via DDOS for days by some entities. Not irrelevant.
 

Thales

What backdoor? they even let you use your own PGP keys from what I recall



From cTemplar
"Users use 2 Factor Authentication (2FA) to provide greater security to their account. Some email services, like Protonmail, maintain backdoor access to all users 2FA. They say this is because they do not want the person locked out of their account if 2FA is lost. Some people want their email service to have this control. Other people do not companies having backdoor access. Users should consider this when making an email decision. "


 

notabot



From cTemplar
"Users use 2 Factor Authentication (2FA) to provide greater security to their account. Some email services, like Protonmail, maintain backdoor access to all users 2FA. They say this is because they do not want the person locked out of their account if 2FA is lost. Some people want their email service to have this control. Other people do not companies having backdoor access. Users should consider this when making an email decision. "




This is about authentication, not about decrypting the data, as 2FA is irrelevant for that. It's the same with gmail, unless you go for advanced protection where the difference is 1) they enforce u2f 2) the process for resetting credentials, including 2FA, is on purpose very slow.

Protonmail should do the same, offer an advanced protection where the process for resetting credentials, including 2FA, is slow on purpose, but I don't see anything wrong with this so far
 

Thales

This is about authentication, not about decrypting the data, as 2FA is irrelevant for that. It's the same with gmail, unless you go for advanced protection where the difference is 1) they enforce u2f 2) the process for resetting credentials, including 2FA, is on purpose very slow.

Protonmail should do the same, offer an advanced protection where the process for resetting credentials, including 2FA, is slow on purpose, but I don't see anything wrong with this so far

I disagree. It doesn't matter how strong the encryption is if they can enter into my account by disabling this or that. How do you know they can't turn off the 2nd password method too?
If an email provider can do this, that's one thing. But if it advertises itself as a "private and secure email provider", that's another thing.
 

notabot

I disagree. It doesn't matter how strong the encryption is if they can enter into my account by disabling this or that. How do you know they can't turn off the 2nd password method too?
If an email provider can do this, that's one thing. But if it advertises itself as a "private and secure email provider", that's another thing.

To enter your account and read emails they need your decryption password, or if you only use a single password for both authentication and decryption the single password.

Even before 2FA proton could reset your password but of course you lost access to your encrypted emails as they had no way to recover those.
2FA is one of the two authentication steps, I know of no email provider who can't turn it off as this would mean there could be no account recovery. 2FA is irrelevant to decrypting your emails, it's used only for authentication.

If the question is how do you know ProtonMail, despite their claims, does not store your decryption password as well, then monitoring the traffic between the local JavaScript application and their server can answer that. Tbh if someone had caught something like that, ProtonMail would probably lose all their clients. I'm not saying it could never happen, but nobody has made this claim so far.
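
The distinction drawn in the post above, as an added example that is not part of the thread and is not any provider's actual code: a toy server record in which the login password and second factor gate authentication, while the mailbox key is sealed under a separate mailbox password. All names (`create_account`, `provider_reset`, the record fields) are hypothetical, the passwords are constructed, and the XOR-pad-plus-HMAC wrapping is a standard-library stand-in for authenticated key wrapping.

```python
import hashlib, hmac, os

def kdf(password, salt, length):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=length)

def wrap_key(mailbox_key, password):
    # Stand-in for authenticated key wrapping: one-time 32-byte pad plus HMAC tag,
    # both derived from the mailbox password. Runs on the client in this model.
    salt = os.urandom(16)
    okm = kdf(password, salt, 64)
    ct = bytes(a ^ b for a, b in zip(mailbox_key, okm[:32]))
    return {"salt": salt, "ct": ct, "tag": hmac.new(okm[32:], ct, hashlib.sha256).digest()}

def unwrap_key(blob, password):
    okm = kdf(password, blob["salt"], 64)
    tag = hmac.new(okm[32:], blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong password: the key stays sealed
    return bytes(a ^ b for a, b in zip(blob["ct"], okm[:32]))

def create_account(login_pw, mailbox_pw):
    mailbox_key = os.urandom(32)  # generated client-side; server stores only the wrapped form
    salt = os.urandom(16)
    record = {"login_salt": salt, "login_hash": kdf(login_pw, salt, 32),
              "second_factor": True, "wrapped_key": wrap_key(mailbox_key, mailbox_pw)}
    return record, mailbox_key

def login(record, password, has_second_factor):
    ok = hmac.compare_digest(kdf(password, record["login_salt"], 32), record["login_hash"])
    return ok and (has_second_factor or not record["second_factor"])

def provider_reset(record, new_login_pw):
    # Account recovery as the provider can perform it: new login password, 2FA removed.
    record["login_salt"] = os.urandom(16)
    record["login_hash"] = kdf(new_login_pw, record["login_salt"], 32)
    record["second_factor"] = False

def demo():
    record, key = create_account("constructed-login-pw", "constructed-mailbox-pw")
    before = login(record, "constructed-login-pw", has_second_factor=False)
    provider_reset(record, "reset-pw")
    return {
        "login_without_2fa_before_reset": before,
        "login_after_reset": login(record, "reset-pw", has_second_factor=False),
        "reset_pw_opens_mailbox_key": unwrap_key(record["wrapped_key"], "reset-pw") is not None,
        "mailbox_pw_opens_mailbox_key": unwrap_key(record["wrapped_key"], "constructed-mailbox-pw") == key,
    }

if __name__ == "__main__":
    print(demo())
```

In this model a reset gets its holder past authentication, which is the concern raised later in the thread, while the sealed key still opens only with the mailbox password.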
 

ForgottenSeer 823865

This is about authentication, not about decrypting the data, as 2FA is irrelevant for that. It's the same with gmail, unless you go for advanced protection where the difference is 1) they enforce u2f 2) the process for resetting credentials, including 2FA, is on purpose very slow.
You miss the point, it is not about being able to decrypt your mails or not, it is about someone with enough info being able to use this system to access your account. Protonmail isn't Gmail, you don't use encrypted services as you send basic email via Gmail to your buddies.

I use 2FA knowing that if I lose my device or codes, I'm done. My other providers don't allow me to reset my 2FA if I lose them.
It is exactly why I use 2FA, so only I can access my account.

If they allow anyone who usurped your identity (via credentials stealing for example) and get access, what is the point of 2FA?
I use 2FA with my mobile because no one else has it.

Protonmail should do the same, offer an advanced protection where the process for resetting credentials, including 2FA, is slow on purpose, but I don't see anything wrong with this so far
It is wrong, you don't see it because you don't see the big picture. They shouldn't even think about it, this is a blatant weakness and I smell some hidden agendas for doing it.
 

notabot

You miss the point, it is not about being able to decrypt your mails or not, it is about someone with enough info being able to use this system to access your account. Protonmail isn't Gmail, you don't use encrypted services as you send basic email via Gmail to your buddies.

I use 2FA knowing that if I lose my device or codes, I'm done. My other providers don't allow me to reset my 2FA if I lose them.
It is exactly why I use 2FA, so only I can access my account.

If they allow anyone who usurped your identity (via credentials stealing for example) and get access, what is the point of 2FA?
I use 2FA with my mobile because no one else has it.


It is wrong, you don't see it because you don't see the big picture. They shouldn't even think about it, this is a blatant weakness and I smell some hidden agendas for doing it.

The point of 2FA is that it's a second authentication factor, it's not to be unable to recover your account, it's not meant to be non-reset-able by the service provider.
If 2FA is stored on a separate device, it serves as a backstop against a perpetrator who e.g. gains access to your password manager on your desktop or gets credentials via keylogger etc.

To make resetting credentials hard, something like Google's advanced protection is exactly what's needed and it's the reason Google created it.
E.g. if someone by hacking, social engineering or both has sufficient info to enter your account and take your identity - except your second factor, Google's advanced protection program will make it hard for them to reset it as the process is long and tenuous and involves notifications. Without the advanced protection program but with 2FA switched on, resetting is more streamlined and someone can bypass the second factor more easily.
 

ForgottenSeer 823865

The point of 2FA is that it's a second authentication factor, it's not to be unable to recover your account, it's not meant to be non-reset-able by the service provider.
OK, let's see how you will react when someone impersonates you and gains access to your most private emails. I'm sorry but I won't accept it, hence I won't use such a service.
What you are saying is the same as "the owner of my apartment has a duplicate of my keys, and will give them to anyone who asks, showing a letter from me, no problem". Really?

To make resetting credentials hard, something like Google's advanced protection is exactly what's needed and it's the reason Google created it.
E.g. if someone by hacking, social engineering or both has sufficient info to enter your account and take your identity - except your second factor, Google's advanced protection program will make it hard for them to reset it as the process is long and tenuous and involves notifications. Without the advanced protection program but with 2FA switched on, resetting is more streamlined and someone can bypass the second factor more easily.
We are not talking about Google but Protonmail...
 