ProtonMail, End-to-end encrypted email, based in Switzerland.

DcoinZ

https://protonmail.ch/
“What really sets ProtonMail apart is how easy it is to use. Unlike existing solutions, we have completely abstracted away the complex cryptography to make the encryption and decryption completely invisible to the user. There’s no software to install and no keys to generate – it’s just like using Gmail, but way more secure.”
ProtonMail in the news recently:
http://www.cryptocoinsnews.com/news/inside-look-protonmail-end-end-encrypted-email/2014/05/03
http://www.networkworld.com/communi...protonmail-uses-months-server-capacity-3-days
 
I signed up for a beta on this ages ago. Like Startmail it's OK but I found it harder to manage than expected. I think they are over-doing it these days even though I know the aim is to reach normal users. I'd much rather see Thunderbird simplify the use of PGP with enigmail allowing many users to simply encrypt the mail service they already use. I would not touch Gmail for love nor money, but try telling that to my mother or to anyone in the office.
 
What mail provider would you recommend?
 
I wonder how they realize end to end encryption without the user doing anything? Did anyone check out how it works?
I mean, how does someone with gmail decrypt a protonmail?
 
jpr: I use autistici but you have to apply for an account (I work on some sensitive stuff so I was lucky to get one, but worth a try). It's really difficult to find a good privacy-conscious email provider for free. If you are willing to pay, MyKolab (expensive) and runbox are both decent inasmuch as they have not been tested yet in terms of giving up information. The main thing is not the provider, though I wish better ones existed, but ensuring you use PGP encryption. I tend to set people up on GMX with Thunderbird and enigmail when I have to. I think Startmail will be a great option in the future. It's really a terrible situation we are in when there are so few options. Hushmail is one to avoid as are any PRISM partners (Yahoo, Gmail, etc.) since these all have agreements with the NSA and although it is not clear in what sense the NSA has access to the clouds they run (at least the encryption standards. Outlook provide pre-encryption access!).
 
vertoe: I tried finding out before. Might dig around more later but I would suspect it's forced encryption between Proton users with ease of encryption use with other PGP users (Startmail does this really well too though it remains in Beta). What's good about it is that since the data is encrypted on the user end they can't actually hand anything over except a bunch of gibberish so that's a nice move (of course we have to trust a bunch of MIT devs setting up in Switzerland...).
 
Here's where I am also scratching my head too. The best I can see is what they propose here:

'ProtonMail's segregated authentication and decryption system means logging into a ProtonMail account that requires two passwords. The first password is used to authenticate the user and retrieve the correct account. After that, encrypted data is sent to the user. The second password is a decryption password which is never sent to us. It is used to decrypt the user’s data in the browser so we do not have access to the decrypted data, or the decryption password. For this reason, we are also unable to do password recovery. If you forget your decryption password, we cannot recover your data.'

'Messages are stored on ProtonMail servers in encrypted format. They are also transmitted in encrypted format between our server and users’ browsers. Messages between ProtonMail users are transmitted in encrypted form within our protected server network. Because data is encrypted at all steps, the risk of message interception is largely eliminated.'

This all seems rather risky and a tad confusing to me. They send the encrypted data to the user which the user decrypts, but it's just a password that you have (rather than a private key? seems unclear), but of course you had to surely have given them it at some point (I think). My head is too tired to make sense of it but it seems to me like they are opening up a lot of problems with the passing between method. Seems to me that the risk of message interception is doubled. Maybe it won't be decrypted but that's different. That or I am too tired to be reading marketing stuff.
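
Added example (not part of the thread and not ProtonMail's code): a minimal Node.js sketch of the two-password layout the quoted text describes, where the server stores a private key only in password-wrapped form and the second password never leaves the client. All function names, the scrypt/AES-GCM/RSA choices and the record layout are assumptions made for illustration; the login step here sends password 1 to the server, and real mail would use hybrid encryption rather than raw RSA.

```javascript
const crypto = require('crypto');

// Client only: derive a 256-bit wrapping key from the decryption password.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Client, at signup: generate a key pair and wrap the private key before upload.
function createAccount(loginPassword, mailboxPassword) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', deriveKey(mailboxPassword, salt), iv);
  const wrapped = Buffer.concat([c.update(privateKey, 'utf8'), c.final()]);
  const loginSalt = crypto.randomBytes(16);
  // Everything the server stores; the mailbox password is not in it.
  return { publicKey, salt, iv, wrapped, tag: c.getAuthTag(),
           loginSalt, loginHash: crypto.scryptSync(loginPassword, loginSalt, 32) };
}

// Server: password 1 only authenticates and releases the encrypted record.
function login(record, loginPassword) {
  const h = crypto.scryptSync(loginPassword, record.loginSalt, 32);
  return crypto.timingSafeEqual(h, record.loginHash);
}

// Client: password 2 unwraps the key locally; a wrong one fails the GCM tag.
function unwrapPrivateKey(record, mailboxPassword) {
  const key = deriveKey(mailboxPassword, record.salt);
  const d = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  d.setAuthTag(record.tag);
  try {
    return Buffer.concat([d.update(record.wrapped), d.final()]).toString('utf8');
  } catch (e) {
    return null; // authentication failed: wrong password or tampered blob
  }
}

// Anyone can encrypt to the public key; only the unwrapped private key decrypts.
function encryptTo(record, text) {
  return crypto.publicEncrypt(record.publicKey, Buffer.from(text));
}
function decryptWith(privateKeyPem, ciphertext) {
  return crypto.privateDecrypt(privateKeyPem, ciphertext).toString('utf8');
}
```

Because the wrapping key comes from a password, anyone holding the stored record can guess passwords offline, and a browser client also depends on the server delivering unmodified decryption code.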
 
If you don't control the private keys, they do.
If they control the private keys, they can obviously hand them over to any govt. Not really getting their concept.

Email in general is flawed. I suggest switching to new services like bitmessage or xmpp-otr.
 
Yeah same issue with hushmail and they did eventually help the police. No reason these won't except maybe on the basis the Swiss laws somehow protect you, but these devs are in the States... Bitmessage is currently closed to new email signups. xmpp-otr would be good, but we remain stuck with the problem of getting people to use the services. Startmail is my only 'mainstream' hope (pgp with a click).
 
I checked with MyKolab and Runbox - they do not support 2FA :( Isn't that essential?
If I decide to use one of them is it safer to use thunderbird rather than webmail? I use thunderbird at the moment.

Also I'd like to ask you: what if you want to sell/trade some coins at the exchange? They require a passport/id address verification. I know you said in another thread not to use your real details online, I guess I made that mistake and got verified. How do you sell your coins if you don't mind me asking?

Thanks for your time.
 
I don't consider 2fa essential personally (for email, but essential for exchanges). But I know a lot of people won't use anything without 2fa. (However at the same time this is because I don't keep anything major on exchanges and I keep my emails spread apart across sites to minimise exposure. This is ultra-paranoid security and not to everyone's taste!).

If GMX use 2fa that could be a great option with Thunderbird and enigmail. That way you get PGP and 2fa which would be a strong basis. It's all about weighing up what is right for you. Since you are someone trading 2fa might trump the privacy reputation of MyKolab, for instance (in reverse for me privacy wins over). I think you can get a trial with runbox, maybe Kolab. Worth testing them out.

I would never send my passport or ID to an exchange. If the site gets hacked the scans will likely end up on the darkweb markets (though most sites seem to have good security over the documents if not the actual crypto).

I'm not a trader so it's not a major issue for me. To sell Bitcoin today I sell directly to a Bitcoin ATM provider I know. In the past I contacted a localbitcoin supplier in my area and made a similar deal to sell one-on-one since, of course, he was constantly needing more. These days I don't actually have a lot of Bitcoin and I prefer to use it over fiat for online buys so it's evened out. Though I envy the ease of exchanges! In rare situations I have sold Bitcoin using paypal to a trusted friend and used to use Virwox in the old days (I think we all did this).
 
I have no idea why I was confident that Runbox accept bitcoin as a payment. Spent 30 min trying to choose a username which is not taken yet to find out they do not accept btc. Contacted support:

We don't currently accept bitcoin. We are monitoring the situation with bitcoin and are considering accepting it, but we don't have a date for this yet, sorry. We do have a range of other ways you can pay though.

How the hell can I stay anonymous paying for my email with my Visa or Paypal :D
Or am I wrong?

edit: and I've got a very nice offer $34.95 for 2 years :)
 
Ha yes, well I don't consider privacy to be anonymity exactly. If an 'adversary' like the NSA wants to pin you down then they will regardless of how you paid. However it really comes down to whether a site hosting your email would allow an adversary access to your logs and that is usually the basis on which privacy people assess email providers (for instance, how long can one truly remain anonymous with an email before they contact friends, family, give away information in headers and so on and so on before someone knows it is you?). So the core concern is more on accepting that metadata leaks, finance is hard to get around, but you can encrypt precisely what you say and go with sites that don't log intensively (like Google who have been fined in France for obsessive storage). I don't know if many email providers accept Bitcoin yet :( They need to catch up with the VPNs. Maybe Darkcoin needs to do an email angle like Namecoin does with websites. That would rock my world.
 