

JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to Mchart

Re: top 5 safest and most secure email providers ?

said by Mchart:

So while the NSA may or may not have the capabilities to crack your stuff - They can't. On top of that, I'm fairly certain they have bigger fish to fry.
I know - I have several friends there. It was a joke, of sorts. As in, why are you worrying about the FBI reading your email? They either don't care, or there isn't a damn thing you can do to prevent them from reading your email.

I believe if they wish to read your email, they can offer you the choice of decrypting it for them, or going to jail for refusing to decrypt. But then again, I am not a lawyer, I'm only going on what I read via google "compelled to decrypt".
--
My place : »www.schettino.us

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Frydays


TwighlightLA
Premium
join:2010-07-03
kudos:1

1 edit
reply to Frydays
I'm certainly not an "expert" in the security of email but you also have to consider that if you are using an email client like Outlook or Thunderbird through your ISP, not all ISP mail servers are created equal in many areas including security.

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to Mele20
Ok what is this for. They also have safe haven hosting on offshore accounts for business?
If this is your concern, then have your business domain hosted with Safe-haven, our offshore service. SafeHaven is the ideal solution for businesses and groups that demand the very highest level of privacy from scrutiny while still maintaining the freedom to access their accounts from any computer with an Internet connection. Having your data located offshore means that it is virtually impossible for third parties to gain physical access to the computers on which your files and messages are held.

SafeHaven gives you all the features and benefits of Safe-mail for Business with the additional security of an offshore server at the following great value prices:

Program | Max # of addresses | Total disk space | Annual fee
Iron | 5 | 200MB | $225/year
Bronze | 10 | 400MB | $375/year
Silver | 25 | 1GB | $825/year
Ruby | 50 | 2GB | $1500/year
Gold | 100 | 4GB | $2850/year

Their email price for extra storage is also up there. To me they are going for a questionable clientele?


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to Tempus45
said by Tempus45:

Even PGP has its limitations. If served with a warrant, the Feds would have the capability to intercept key strokes and computer snapshots.
Don't let them have access to your machine. Set up some sort of detection mechanism or keep the PC locked away in a secure room.

I am a firm believer that security software nowadays has a back door that allows law enforcement to circumvent any security measures and precautions.
Nah. All good encryption software has open source code so we know that PGP/GPG are not back doored. Neither is Truecrypt.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to Mchart
said by Mchart:

NSA (Or any DoD agency for that matter) is bound by the law to not touch *anything* that has to do with any 'five eyes' citizens. The caveat to that is unless it has been legally deemed that said person is a threat to said national entities.

So while the NSA may or may not have the capabilities to crack your stuff - They can't. On top of that, I'm fairly certain they have bigger fish to fry.
There is controversy within the crypto community about what NSA can do. There's not much doubt they are several years ahead of the "rest of us" where cryptanalysis is concerned, but most expert cryptologists do not believe they can crack algorithms like RSA or AES. However, they can launch massive dictionary attacks, but that's easy to defend against (but most people probably don't since people tend to be lazy).

But you make a good point; whatever NSA's capabilities, it's highly unlikely that they would get involved in the first place, even if one were running a major criminal enterprise. They simply don't deal with anything that's not a threat to national security. We already know the FBI cannot break the public ciphers like RSA/AES since several past cases have illustrated their helplessness with cracking PGP and other crypto standards.

To the OP: the bottom line here is that it doesn't matter what e-mail provider you use if your data is not being encrypted end-to-end. I have explained why this is and how to do it in my previous posts. Don't rely on providers like Hushmail since they aren't well vetted.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to DataRiker
said by DataRiker:

This seems the best bet. 2048 seems a bit overkill though. Not sure about this but isn't over a certain bit illegal for "communication"?
Perhaps in repressive nations, but not in America. The USA does have silly export laws regarding encryption, but those don't apply to *using* encryption here. This is how they got Philip Zimmermann (creator of PGP) back in the early 90's -- they threatened him with prosecution for sending "munitions" overseas. The govt. was not happy that he was giving the rest of the world access to strong encryption.

And 2048 bits is basically considered the normal key size now. It's not recommended to go below that if creating new asymmetric keys. If you're using 1024 bit keys, it is time to upgrade as it probably won't be too long before 1024 bits is factored in public.

I think many people get confused by asymmetric vs. symmetric key sizes. Remember that symmetric keys will have smaller key sizes for the same amount of security. Therefore, 128 bit AES is about equal to 3072 bit RSA (according to NIST).
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


Tempus45
Premium
join:2006-07-08
USA

1 edit
reply to Frydays
This is an excerpt from Wikipedia about the Hushmail controversy.

Until September 2007, Hushmail received generally favorable reviews in the press. It was believed that possible threats, such as demands from the legal system to reveal the content of traffic through the system, were not as imminent in Canada as they are in the United States and if data were to be handed over encrypted messages would be available only in encrypted form. However, recent developments have led to doubts among security-conscious users about Hushmail's security and concern over a backdoor in an OpenPGP service. Hushmail has turned over cleartext copies of private e-mail messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States.

»en.wikipedia.org/wiki/Hushmail

--
It is true that liberty is precious, but is it so precious it must be rationed?


MineCoast
Premium
join:2004-10-06
127.0.0.1

1 edit
reply to Frydays

Moody
Premium
join:2005-07-17
NW USA
reply to Frydays
said by Frydays:

what are the top 5 most secure email providers around free or pay name the top 5 please
There's no such thing as 100% secure when you have to rely on others' infrastructure, but cotse's as close as you're ever going to get to it. »www.cotse.net/ Look over what all they offer and pick your poison.

Tell him RedLeg sent you!
--
Gary
"When freedom is outlawed, only outlaws will be free!"

DrGunn

join:2010-07-16
San Diego, CA
reply to Frydays
Just use Gmail. Seriously. It's free, the spamfilter can't be beat, and they use https for all connections.


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast
said by DrGunn:

Just use Gmail. Seriously. It's free, the spamfilter can't be beat, and they use https for all connections.
https only makes the connection between you and Gmail secure.
--
Chris
Living in Paradise!!

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel

4 edits
reply to Velnias
said by Velnias:

Why do you think, companies like Google, spend a lot of money to maintain "free" email servers?
For the truckloads of ad revenues it gives them, which most certainly far exceeds the amount of money necessary to maintain the service.

The service is essentially paid for through advertising. No such thing as "free".

That doesn't stop me from using AdBlock Plus though!

Back on the original topic: there is no such thing as 100% secure email unless the message is encrypted by the original sender and then decrypted by the intended recipient. The mail provider has not much to do with it.

All the mail provider can really do is ensure security of the communication between your computer and their servers (ie: SSL encryption) and keep their servers and web access free of exploits that would enable hackers to gain access to your inbox. Anything more than that is strictly the end-user's responsibility.


DataRiker
Premium
join:2002-05-19
00000

2 edits
reply to KodiacZiller


If you're absolutely paranoid, set up a short cipher with a friend; they are uncrackable (assuming the key is longer than the message).


FBIagent

@xerx.com
reply to Frydays
What I don't understand is why anyone would want to hide their email from the FBI. Why is your email so important that it needs to be hidden from them? While I do understand people want their privacy, anyone who says they want to hide email from the FBI automatically rings a bell and often gets reported to said three letter agency.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to nonymous
I thought this thread was about PERSONAL email not business. Safe-Mail is free for personal users unless you need a lot of storage space. I'd think the Israelis are good at secure mail.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast

2 edits
said by Mele20:

I thought this thread was about PERSONAL email not business. Safe-Mail is free for personal users unless you need a lot of storage space. I'd think the Israelis are good at secure mail.
I did too. Safe-Mail is good.

For free accounts they also allow IMAP and POP3, but there are restrictions. If you don't log in once a month, POP3 / IMAP is disabled. Logging in via their web interface re-enables it. I just wait until my client errors out and then log in to re-enable POP3 (what I use). Second catch is no SMTP access. You can of course log in via the web interface to send messages.

As for security, it's secure between other Safe-Mail users; once a message leaves their system it is no longer secure. I also agree that Israelis are good at secure mail (at least one would think so), however, it is really all about who you trust.
--
Chris
Living in Paradise!!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
Geez....I have been dumb! What I don't like about it is that I thought it was web only. But, I never tried setting it up in OE. DUH.
I don't like any of the themes it uses for the web interface. So, I haven't been using it much. I'm going to go login and then set it up in OE. (I have had myrealbox set up in OE for years so I don't know why I didn't think I could do that with this).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


glnz

join:2006-11-26
New York, NY
I have some relevant questions for this knowledgeable group. Please let me have your advice at

»Is Verizon email UNencrypted ??

Thanks.

Bashy

join:2009-05-20
Arlington, VA
reply to Frydays
Frydays, as caffeinator said, try hushmail www.hushmail.com. Been using Hushmail for years. As to your points, here is what my experience with them has been:

1) I have never gotten a piece of spam. Ever.
2) You can block anyone (never had to because no-one ever spammed me).
3) $39.99/yr for a 1 gigabyte email box (I have never gotten past 1 half of a gigabyte, I just erase stuff I don't want to keep).

But the best thing in my opinion is this simple feature: if someone hacks into your account, they will get absolutely nothing. Your emails will look like a bunch of random numbers and letters. That is what encryption does. Hushmail encrypts your stuff on their servers so no one can get any of your emails. When you log into your account and supply the correct user name and password, it 'decrypts' your emails back into English. So you can keep your receipts right in your email box without any worry. If you never give your password to anyone, your emails stay private and un-hackable, simple as that.

Hushmail does have one more 'spy' feature that I have never used, but it's worth mentioning. You can encrypt individual emails. That means that you can call someone or communicate with them in some way other than email and give them a password that will allow that person, and only that person with the password, to open that email. If anyone else tries to open it, the email will look like random letters and numbers. The only reason I mention it at all is because Hushmail asks you every damn time you send an email if you want to encrypt it.

I got Hushmail for the same reasons as you mentioned in your post. I don't care about all the super spy stuff they offer, I just want to know that the hackers can't get my emails with my receipts in it. Yahoo, Gmail, they get hacked sometimes and the people that get compromised, well, their emails can be read, not a good thing. They can't ever get your emails if you use Hushmail. All of this only works if you never give your email password to anyone, but you knew that already, right. ;D

The best thing is you can try Hushmail for free. Go there and sign up for a free email account and you can see if you like it or not, (the free email box is like 25 MB, quite teeny). When I decided to join, I wanted to make my password kind of secure, so I used a long password. You should use a long password too. Just combine 2 or 3 passwords you know and make a 16, 17, 24-character password, whatever, you'll get used to it fast.

Last thing. Hushmail is no good if your PC has a virus or a rootkit on it. Me, I have Deep Freeze on my PC to prevent that, but that is another story.

»www.faronics.com/en/Products/Dee ··· ate.aspx


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4
said by Bashy:

Last thing. Hushmail is no good if your PC has a virus or a rootkit on it.
+ no good when you need POP and/or IMAP. Free hushmail customers are excluded from POP/IMAP.
--
Smokey's Security Forums »www.smokey-services.eu/forums/
~ Treat other people the way you would have them treat you; be honest and ethical ~
*Member AQMRB - Alliance of Qualified Malware Removal Boards*


anon8990

@shawcable.net
reply to Bashy
You forgot to mention that they also have a backdoor built-in


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
said by anon8990 :

You forgot to mention that they also have a backdoor built-in
Can you back that up with references?
--
Chris
Living in Paradise!!


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

1 edit
said by chrisretusn:

said by anon8990 :

You forgot to mention that they also have a backdoor built-in
Can you back that up with references?
Here's a story from three years ago:

»www.wired.com/threatlevel/2007/1 ··· iouspost

Whole lot of hyphens in that link, I see.

Another story from a couple of years ago:

»www.theregister.co.uk/2008/08/04 ··· rumours/

I don't know that it's fair to say this is a back door. It's more like saying that the concierge will cooperate with the cops.

--
Human nature abhors an empty closet.


Anon users

@anonymouse.org
reply to Frydays
Use openssl to sign your certificates & use SMIME with OUTLOOK, Thunderbird whatsoever...

Here are the scripts:

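1) Setting up your own root CA (elliptic curve 521p, strongest possible)

"
# Generate a P-521 private key (unencrypted), seeding the RNG from random_seed
openssl ecparam -rand random_seed -name secp521r1 -genkey -out ca_ec521_key.raw
# Rewrite the key encrypted with AES-256 (prompts for a passphrase)
openssl ec -aes256 -in ca_ec521_key.raw -out ca_ec521.key
# Create the self-signed root certificate, signed with SHA-512
openssl req -sha512 -new -x509 -days 9999 -key ca_ec521.key -out ca_ec521.crt
"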

random_seed is just a file of random hex to 'seed' the random number generator

Now you have 'ca_ec521.crt' the CA you have to install as a ROOT CERTIFICATE

Remember to 'erase' ca_ec521_key.raw!!!

2) Sign a hybrid 4096 bit RSA certificate with this ec521p CA (why hybrid, it seems thunderbird cannot sign with an elliptic curve certificate..............)

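"
# Generate a 4096-bit RSA client key, encrypted with AES-256
openssl genrsa -aes256 -rand random_seed -out client_hybrid.key 4096
# Create a certificate signing request for that key
openssl req -new -key client_hybrid.key -out client_hybrid.csr
# Issue the client certificate from the EC root CA
openssl x509 -sha512 -req -days 9999 -in client_hybrid.csr -CA ca_ec521.crt -CAkey ca_ec521.key -set_serial 01 -out client_hybrid.crt
# Bundle key and certificate as PKCS#12 for import into the mail client
openssl pkcs12 -export -out dump.pfx -inkey client_hybrid.key -in client_hybrid.crt
"

Use a different random_seed. Now 'dump.pfx' is your Personal Certificate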

'HOW TO SET IT UP WITH YOUR EMAIL PROGRAM is another story'
'USE IT TO COMMUNICATE WITH ASSOCIATES IN YOUR OFFSHORE BANK '
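
An added example, not part of the post above and not the poster's script: a non-interactive variant of the same CA-and-client-certificate procedure, followed by checks that the result actually works for S/MIME (chain verification, sign/verify, rejection of a tampered message, encrypt/decrypt). The subjects, file names, the address alice@example.test, the 2048-bit demo key, the 1-day lifetime and the explicit extension files are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not the poster's script. Subjects, file names and
# alice@example.test are constructed; keys are unencrypted only because the
# work directory is temporary and removed on exit.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
trap 'cd / && rm -rf "$WORK"' EXIT
q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

make_pki() {
    # The CA certificate is marked as a CA explicitly.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Leaf extensions that S/MIME clients check.
    cat > smime.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.test
EOF
    q openssl ecparam -name secp521r1 -genkey -noout -out ca.key &&
    q openssl req -new -x509 -sha512 -days 1 -config ca.cnf -key ca.key -out ca.crt &&
    # 2048 bits keeps the demo fast; the post uses 4096.
    q openssl genrsa -out client.key 2048 &&
    q openssl req -new -config ca.cnf -key client.key \
        -subj "/CN=Alice/emailAddress=alice@example.test" -out client.csr &&
    # Random serial via -CAcreateserial; a fixed -set_serial 01 repeats on the next certificate.
    q openssl x509 -req -sha512 -days 1 -in client.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile smime.ext -out client.crt &&
    printf 'constructed test message\n' > msg.txt
}

chain_ok() {            # leaf chains to the private root
    q openssl verify -CAfile ca.crt client.crt
}
sign_ok() {             # sign, verify against the root, compare content
    q openssl smime -sign -in msg.txt -signer client.crt -inkey client.key -out signed.eml &&
    q openssl smime -verify -in signed.eml -CAfile ca.crt -out verified.txt &&
    tr -d '\r' < verified.txt | cmp -s - msg.txt
}
tamper_rejected() {     # an altered body must fail verification
    sed 's/constructed/tampered/' signed.eml > forged.eml &&
    ! cmp -s signed.eml forged.eml &&
    ! q openssl smime -verify -in forged.eml -CAfile ca.crt -out /dev/null
}
encrypt_ok() {          # the mail provider only ever holds enc.eml
    q openssl smime -encrypt -aes256 -in msg.txt -out enc.eml client.crt &&
    ! grep -q 'constructed' enc.eml &&
    q openssl smime -decrypt -in enc.eml -recip client.crt -inkey client.key -out dec.txt &&
    tr -d '\r' < dec.txt | cmp -s - msg.txt
}

make_pki && chain_ok && sign_ok && tamper_rejected && encrypt_ok &&
    echo "S/MIME checks passed"
```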


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast
reply to rcdailey
said by rcdailey:

I don't know that it's fair to say this is a back door. It's more like saying that the concierge will cooperate with the cops.
Agree, a court order is not exactly a back door. Any service can be subject to court orders.

Thanks for the links.
--
Chris
Living in Paradise!!


anon8990

@shawcable.net
That's not the point. The point is that your info is not "secure" with hushmail like they say it is! If it is secure, there's no info to give to the cops!


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast

1 edit
said by anon8990 :

That's not the point. The point is that your info is not "secure" with hushmail like they say it is! If it is secure, there's no info to give to the cops!
You did not make that point in your post.

said by anon8990 :

You forgot to mention that they also have a backdoor built-in
You stated they have a back door, I asked for some verification of that. You provided nothing to back up that statement.

Hushmail does not promise to keep you from the cops. It does not promise that your data is 100% secure. Perhaps they did so in the past as implied in the articles referenced in rcdailey's post: »Re: top 5 safest and most secure email providers ? but I see no similar promises today.
quote:
The Limitations of Hushmail

Hushmail is the most secure webmail service on the Internet, but it is not a 100% solution for all of your security needs. There are some things that Hushmail cannot do.

Hushmail does not put you above the law

We are committed to the privacy of our users, and will absolutely not release user data without an order that is legally enforceable under the laws of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such order refer specifically to the account for which data is required. However, if we do receive such an order, we are required to do everything in our power to comply with the law. Hushmail will not accept an order from any authority or investigative agency that is not enforceable under the laws of British Columbia, Canada. Other authorities must apply to the Canadian government through an appropriate Mutual Legal Assistance Treaty and request that the Canadian government obtain an order that is legally enforceable in British Columbia, Canada.

But I thought the data was always encrypted

When one Hushmail user sends an email to another Hushmail user, the body and attachments of that email are kept on our server in encrypted form, and under normal circumstances, we would have no access to that data. We can’t just pick an arbitrary encrypted email message off the server and read it. However, since Hushmail is a web-based service, the software that performs the encryption either resides on or is delivered by our servers. That means that there is no guarantee that we will not be compelled, under an order enforceable under the laws of British Columbia, Canada, to treat a user named in an order differently, and compromise that user’s privacy.
Source: »www.hushmail.com/about/technolog ··· ecurity/

Bottom line: if you want secure email, encrypt it yourself using PGP or GnuPG. Even that is not 100% secure under a court order.

--
Chris
Living in Paradise!!


DownTheShore
RIP tmpchaos
Premium
join:2003-12-02
Beautiful NJ
kudos:14

1 edit
reply to Frydays
Bank in person.

Shop in person and pay with cash.

Don't agree to any electronic notices.

Get a throwaway email address.

Email is not safe no matter what the program.