Advice Request Looking for a new offshore email provider?

notabot · Nov 5, 2019

Umbra said:
ok let see how you will react when someone will impersonate you and gain access to your most private emails. Im sorry but i wont accept it, hence i won't use such service.
what you are saying it same as "the owner of my apartment has a duplicate of my keys, and will give to anyone who ask them showing a letter from me, no problem". Really?

We are not talking about Google but Protonmail...

What I'm saying is not that the dangers you mention are not valid but they are related to the processes for resetting credentials, not 2FA per se.
Google is one company who got it right in hardening credentials reset with their Advanced Protection Program, you lose your u2f dongle, bye bye new logins unless you pass a really long and tenuous process.
ProtonMail could learn from them in that department.

If you want to harden it even more and completely block resetting credentials, that offers a tiny bit more security compared to Advanced Protection, ( as due to the long interval and tenuous process it's hard to get through it via social engineering ) but with the risk of a huge hustle, not being able to ever again access your email.

In any case at the moment they do not have hardened processes around resetting credentials, but if/when they do, I'd expect them to adopt a credentials reset process on the merit of what most of their users deem sufficient for their needs and the inconveniences alternatives may introduce.

Gandalf_The_Grey · Nov 12, 2019

Unfortunately you can skip Tutanota: Court ruling: Secure email service Tutanota must disclose customer data:

Gerichtsurteil: Sicherer E-Mail-Dienst Tutanota muss Kundendaten preisgeben

Ausgerechnet ein E-Mail-Provider, der mit hoher Privatsphäre wirbt, muss Ermittlern in Einzelfällen Kunden-E-Mails unverschlüsselt zugänglich machen.

www.heise.de

Zartarra · Nov 12, 2019

Gandalf_The_Grey said:
Unfortunately you can skip Tutanota: Court ruling: Secure email service Tutanota must disclose customer data:

Gerichtsurteil: Sicherer E-Mail-Dienst Tutanota muss Kundendaten preisgeben

Ausgerechnet ein E-Mail-Provider, der mit hoher Privatsphäre wirbt, muss Ermittlern in Einzelfällen Kunden-E-Mails unverschlüsselt zugänglich machen.

www.heise.de

I just created an account to replace my main mail address.

JimHdy · Nov 12, 2019

Zartarra said:
I just created an account to replace my main mail address.

Well I hope you haven't used it for anything important.

Thales · Nov 12, 2019

It seems there are no real options here. Protonmail, Tutanota, same thing happened.
We can try cTemplar but I'm not sure if it is not similarly bad or will be.

ForgottenSeer 58943 · Nov 12, 2019

Umbra said:
ok let see how you will react when someone will impersonate you and gain access to your most private emails. Im sorry but i wont accept it, hence i won't use such service.
what you are saying it same as "the owner of my apartment has a duplicate of my keys, and will give to anyone who ask them showing a letter from me, no problem". Really?

We are not talking about Google but Protonmail...

Umbra is 100% correct here.

Protonmail should not, and really cannot be used at this point. Also with the revelations about Tutanota now providing a backdoor for authorities, that one can also be ruled out. Our options for private, encrypted, secured email grow thin by the week.

Apartment is a good analogy. For my access control I not only need the keys, but I need to control the ability to duplicate keys, and provide authentication to duplicate house keys. Which is why I use Bi-Locks, which require my master key (stored in safe) and my 25 digit code to cut the new key, and only a few Bi-lock key making machines exist in the world. Either you control access, or you don't.

I'll be seeking a PAID service I can trust going forward I guess.

ForgottenSeer 58943 · Nov 12, 2019

Thales said:
It seems there are no real options here. Protonmail, Tutanota, same thing happened.
We can try cTemplar but I'm not sure if it is not similarly bad or will be.

Not sure I fully trust cTemplar or some of the other ones. It might be MsgSafe, which is offshore and cannot be compelled to comply with anything or something. Options are growing slimmer and slimmer in the days of mass surveillance. I think in the future, we'll all be using some email service run on an off-shore rig in International waters or something... LOL!

Zartarra · Nov 12, 2019

And what about Mailfence and Runbox?

ForgottenSeer 58943 · Nov 12, 2019

Zartarra said:
And what about Mailfence and Runbox?

Not sure about Mailfence.

Runbox, there is an issue.. It's not encrypted at rest. I had an account, needed support, they literally logged right in and worked on my email. Then I asked about backups and was told their backups are not encrypted. I had to put in a support request for a No-Backup account. Overall, I was left with the impression they aren't really secure or hardened at all.

Neomailbox is decent. Countermail seems incredibly secure. Startmail by all accounts is very secure but also not cheap.

JimHdy · Nov 12, 2019

You can try these guys, they we're recommended to me on this forum a while back and they seem pretty good. I did a little research on them and I don't see anybody saying anything bad about them.

notabot · Nov 12, 2019

ForgottenSeer 58943 said:
Not sure I fully trust cTemplar or some of the other ones. It might be MsgSafe, which is offshore and cannot be compelled to comply with anything or something. Options are growing slimmer and slimmer in the days of mass surveillance. I think in the future, we'll all be using some email service run on an off-shore rig in International waters or something... LOL!

It can be compelled by a court in its jurisdiction, setting aside the 2FA for proton, which in my view is not a biggie, the only real solution for privacy in emails is PGP, with your keys stored locally.
But nobody uses PGP and web of trust doesn't have great adoption.

Threadripper · Nov 12, 2019

There's no "backdoor for authorities" - if there's a German court order issued for one specific person, non end-to-end encrypted emails from that point onwards will be given to law enforcement.

notabot · Nov 12, 2019

Threadripper said:
There's no "backdoor for authorities" - if there's a German court order issued for one specific person, non end-to-end encrypted emails from that point onwards will be given to law enforcement.

as was always the case really, but lack of precedence created myths.
Of course a court order can compel companies to store and provide access to data. If the data comes in unencrypted, everyone can read them. If it's encrypted it depends on the jurisdiction whether a judge can or cannot order a person to give their encryption keys.

Threadripper · Nov 12, 2019

If your threat model includes hiding non e2e emails from the German government with a valid court order, then don't use it. Unless you're a criminal, or Edward Snowden, I don't think this needs to be in your threat model.

I'm not saying "if you have nothing to hide you have nothing to fear" but calling this a backdoor is insane.

notabot · Nov 12, 2019

Threadripper said:
If your threat model includes hiding non e2e emails from the German government with a valid court order, then don't use it. Unless you're a criminal, or Edward Snowden, I don't think this needs to be in your threat model.

I'm not saying "if you have nothing to hide you have nothing to fear" but calling this a backdoor is insane.

It doesn't matter if it's the government who won the case, it could had been a private individual, it's court power that's exercised to force this, not executive power. When a company incorporates in a country the courts in that country can compel the company for a lot of things.

ForgottenSeer 823865 · Nov 12, 2019

Luckily my main provider (and soon only one) for secured email is Msgsafe.

Threadripper said:
Unless you're a criminal, or Edward Snowden, I don't think this needs to be in your threat model.

I'm not saying "if you have nothing to hide you have nothing to fear" but calling this a backdoor is insane.

The principle of using encrypted mails/messengers is to hide from everyone, government and other intelligence organizations included.
If not, and just required to have a safe email provider, I would just use Gmail which is secure enough against normal people who don't have the authority to force my emails to be disclosed.

I use Msgsafe because I don't want any law enforcement agency to read them.

After ditching Protonmail, now it is Tutanota turn. Those two are bullshitters, such a shame claiming to offer full privacy while they give access/backdoors to authorities...

Having anonymity and privacy in our time becomes an almost impossible task for the non-initiate...

As I often said in various forums, if you don't do activist/criminal/border-illegal stuff, dont bother deploying anonymity/privacy tools, too much an hassle. Just enjoy internet on Windows, common services are safe enough.

ForgottenSeer 58943 · Nov 12, 2019

Umbra said:
Luckily my main provider (and soon only one) for secured email is Msgsafe.

Wise choice. I have been advocating them because they are quite simply in a jurisdiction that nobody can force to disclose anything. That and their client is really really informative.

Umbra said:
The principle of using encrypted mails/messengers is to hide from everyone, government and other intelligence organizations included.
If not, and just required to have a safe email provider, I would just use Gmail which is secure enough against normal people who don't have the authority to force my emails to be disclosed.

Absolutely!

Umbra said:
After ditching Protonmail, now it is Tutanota turn. Those two are bullshitters, such a shame claiming to offer full privacy while they give access/backdoors to authorities...

Both have turned out to be charlatans, sadly. I guess it was to be expected.. Protonmail had questionable things going on for awhile. Tutanota was mostly a good guy, but they'll continue to market themselves as full privacy when they know they are not. So now, like you, they're both going into the trash bin. Closing them up tonight in fact after I go through the hassle of re-assigning new emails to various accounts and activities.

Umbra said:
Having anonymity and privacy in our time becomes an almost impossible task for the non-initiate...

This is true. Which is why it's wise to focus on the important and not sweat the unimportant for most people. Deciding what one views as critical and must-protect information is an individual decision but it is nearly impossible to secure everything properly so focus on what matters.

Strangely, I've been agreeing with Umbra a LOT lately around these here parts.

ForgottenSeer 58943 · Nov 12, 2019

Also, another big reason not to use Gmail type services. If you get banned from one platform they can (and sometimes will) ban you from others, and hence, lock you out of your email. People really need to learn to not do this.

Some Markiplier fans had their Google Accounts banned due to YouTube emote spam

Some fans of Markiplier this week have been banned from their entire Google Account due to spamming emotes on a YouTube stream that encouraged emotes.

9to5google.com

In addition, Google may start banning adblock users.

Watch out! YouTube could ban your account if you block ads

Watch out! YouTube could ban your account if you block ads, the world's most popular online video platform has changed its terms and conditions of service

www.gizchina.com

It's time to kick Google to the curb.

ForgottenSeer 823865 · Nov 12, 2019

ForgottenSeer 58943 said:
. So now, like you, they're both going into the trash bin. Closing them up tonight in fact after I go through the hassle of re-assigning new emails to various accounts and activities.

yep, doing it without even blinking an eye.

Strangely, I've been agreeing with Umbra a LOT lately around these here parts.

yeah, same here LOL. I guess logic and common sense overweight existing personal sentiments.

ForgottenSeer 58943 said:
Also, another big reason not to use Gmail type services. If you get banned from one platform they can (and sometimes will) ban you from others, and hence, lock you out of your email. People really need to learn to not do this.

if you do activities which may get you banned, you logically won't use your main account and rather use a disposable one.

ForgottenSeer 58943 · Nov 12, 2019

Protonmail started to feel scammy and scummy to me a few years ago so I quit using them. It was around the time they employed a specific anti-DDOS firm with a very questionable past.

But now? They are over the top... It's all marketing fluff for them now. The hype level and their excessive promotion of privacy and security absolutely smells fishy. Every website talking about secure email services the comments get bombarded by people, all using female names, extorting the virtues of Protonmail.

Like this;

Search

Advice Request Looking for a new offshore email provider?

notabot

Level 15

Gandalf_The_Grey

Level 84

Gerichtsurteil: Sicherer E-Mail-Dienst Tutanota muss Kundendaten preisgeben

Zartarra

Level 7

Gerichtsurteil: Sicherer E-Mail-Dienst Tutanota muss Kundendaten preisgeben

JimHdy

Level 1

Thales

Level 15

ForgottenSeer 58943

ForgottenSeer 58943

Zartarra

Level 7

ForgottenSeer 58943

JimHdy

Level 1

notabot

Level 15

Threadripper

Level 9

notabot

Level 15

Threadripper

Level 9

notabot

Level 15

ForgottenSeer 823865

ForgottenSeer 58943

ForgottenSeer 58943

Some Markiplier fans had their Google Accounts banned due to YouTube emote spam

Watch out! YouTube could ban your account if you block ads

ForgottenSeer 823865

ForgottenSeer 58943

Similar threads