Lavabit.com and Tormail Email Alternatives...

[The 4ner]

Correct me if I'm wrong but if you want to send an encrypted mail to person A, your have to use A's pubkey. How do you encrypt all your mail if not all of your correspondent have setup their pubkey/privkey  GPG system?

It would be like calling someone who doesn't have a telephone. The solution? Encourage or force them to get one, or buy one for them and show them how to set it up.

And I'm sure that's too much of a hassle for everyone to do. That's why a service like Lavabit was perfect to the core.

[1714040899]

1714040899

[1714040899]

1714040899

[1714040899]

1714040899

[The 4ner]

ByteMail

ByteMail is a decentralized, P2P, communication protocol for sending messages over a secure connection on the internet. ByteMail was created in order to provide people with a way to send messages without worrying about a third party intercepting and reading these messages. ByteMail ships with a webUI as well as a command-line UI.

If you are a developer and would like to contribute to the ByteMail project, check out the project on Github here: http://github.com/ByteMail

Official project home: bytemailproject.org

ByteMail seems interesting but the fact that the project seems to be at its infancy is a bit of let down.
It will definitely discourage many potential users from adopting it.

[threeip]

And I'm sure that's too much of a hassle for everyone to do.

Hassle? I suppose, if you need to put down Netflix for what, an hour.....?

That's why a service like Lavabit was perfect to the core.

On my list of 'perfect', getting shut down by a federal agency is nowhere near the core.

[jedunnigan]

Like Hushmail, safe-mail has a backdoor into their backend for LE. I know this for a fact, don't ask for sources

Here's a source, also note this was a Canadian court and five years ago;

Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer."

But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.

http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

Yea i was speaking RE safe-mail. but good looks on the source, thanks

[The 4ner]

And I'm sure that's too much of a hassle for everyone to do.

Hassle? I suppose, if you need to put down Netflix for what, an hour.....?

That's why a service like Lavabit was perfect to the core.

On my list of 'perfect', getting shut down by a federal agency is nowhere near the core.

They didn't get shut down by any federal agency. The owner chose to commit suicide (not literally of course) rather than to hand over private user data.
The fact that no one's data was compromised is a victory to all. Yeah they all suffered a loss but at least Lavabit kept it real to the end unlike other similar service providers
that make false promises.

Edit: Typos.

[threeip]

They didn't get shut down by any federal agency. The owner chose to commit suicide (not literally of course) rather than to hand over private user data.
The fact that no one's data was compromised is a victory to all. Yeah they all suffered a loss but at least Lavabit kept it real to the end unlike other similar service providers
that make false promises.

Well, the feds came calling and the provider shut down. It's a case of jump-or-be-pushed, however 'honorable'.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Such as Lavabit for example?

Levison stressed that he has complied with "upwards of two dozen court orders" for information in the past that were targeted at "specific users" and that "I never had a problem with that."

Where is your data now?

[atomium]

bitmessage has the been the best for me so far, but its kind of a hassle for frequent use

[rebuilder]

Bitmessage or something similar, built from the ground up for privacy, seems like the only answer for anyone not wanting to be snooped on. I don't see any solution that lets you both guard your privacy and be able to send messages to your non-tech-savvy mom. It doesn't matter how secure your mail provider is if your mom uses Gmail - the NSA and whoever else has access will scrape all correspondence between the two of you from your mother's end.

If you actually want to remain anonymous it's even harder - you can use proxies and convince all your contacts to use PGP all you like, but as soon as one of the people you mailed leaks your identity one way or the other, your mail address is linked to you. So you'll have to use a myriad different, rotating addresses, keeping everyone up to date on what address you're using currently... It's not reasonable. The net is broken from a privacy point of view, and a real fix is going to be very difficult to push through.

[TiagoTiago]

Isn't there something like OTR but for email?

[jedunnigan]

Isn't there something like OTR but for email?

With a diffie-heilman agreement specifically? Or are you talking about GPG/PGP?

[TiagoTiago]

Isn't there something like OTR but for email?

With a diffie-heilman agreement specifically? Or are you talking about GPG/PGP?

I mean something where the two ends negotiate an encryption over unsecure lines in a secure manner; while providing the option to fall back to plain text if the other side refuses to go secure.

[stevegee58]

Kim Dotcom of megaupload fame wants to get in on the act as well, starting an end-to-end encrypted email service:

http://yro.slashdot.org/story/13/08/11/1244209/after-lavabit-shut-down-dotcoms-mega-promises-secure-mail

[jedunnigan]

Isn't there something like OTR but for email?

With a diffie-heilman agreement specifically? Or are you talking about GPG/PGP?

I mean something where the two ends negotiate an encryption over unsecure lines in a secure manner; while providing the option to fall back to plain text if the other side refuses to go secure.

Yea for email GPG/PGP. For IM OTR, for VOIP ZRTP.

[TiagoTiago]

Isn't there something like OTR but for email?

With a diffie-heilman agreement specifically? Or are you talking about GPG/PGP?

I mean something where the two ends negotiate an encryption over unsecure lines in a secure manner; while providing the option to fall back to plain text if the other side refuses to go secure.

Yea for email GPG/PGP. For IM OTR, for VOIP ZRTP.

With GPG/PGP the email client has no clue whether the receiver has or hasn't means to read encrypted data until the user tells it...

[threeip]

Given that you have to use someone's key to encrypt a message, it would be safe to assume they had software to generate and handle said key.

[TiagoTiago]

Given that you have to use someone's key to encrypt a message, it would be safe to assume they had software to generate and handle said key.

But how would you know if they have a key in the first place?

[jedunnigan]

Given that you have to use someone's key to encrypt a message, it would be safe to assume they had software to generate and handle said key.

But how would you know if they have a key in the first place?

You'd have to negotiate that beforehand.

Isn't there something like OTR but for email?

With a diffie-heilman agreement specifically? Or are you talking about GPG/PGP?

I mean something where the two ends negotiate an encryption over unsecure lines in a secure manner; while providing the option to fall back to plain text if the other side refuses to go secure.

Yea for email GPG/PGP. For IM OTR, for VOIP ZRTP.

With GPG/PGP the email client has no clue whether the receiver has or hasn't means to read encrypted data until the user tells it...

Okay I see what you mean. Unfortunately building a system like you mentioned requires a 'failsafe' for decrypting the messege then sending plaintext if encrypted message can't be decrypted by the receiving party, an inherently insecure action.

OTR cannot do this either, so curious as to why you 'said similar to OTR for email' but then responded as you did?

[marcus_of_augustus]

Kim Dotcom of megaupload fame wants to get in on the act as well, starting an end-to-end encrypted email service:

http://yro.slashdot.org/story/13/08/11/1244209/after-lavabit-shut-down-dotcoms-mega-promises-secure-mail

This should be good ... he may come across sometimes like a big, funny guy (clownish) but you know what? ... He just goes ahead and does shit, he doesn't just talk about it.

[marcus_of_augustus]

I assume someone has already mentioned bitmessage.org (even though it's not email) it could replace email someday as a secure alternative.

Unless it becomes possible to send and receive messages to non-bitmessage users I highly doubt it will gain much acceptance. There's too much network effect to overcome.

It is already possible to configure Thunderbird mail client to route mail through the bitmessage network ... it will become just another protocol layer option like POP, IMAP, SMTP, etc.

Is there a tutorial? If so, I would love to do this.

In fact, yes there is.

http://www.youtube.com/watch?v=ppk_zzjZRIg

no guarantees on what privacy leaks this opens up regards using the mail client both over bitmessage and normal channels. To begin with I would not use a Thunderbird client configured for bitmessage transport for regular mails or vice versa ... and I have no idea what other traffic Thunderbird may send/leak out, I know it can have lots of plugins etc ... so dyodd.

[jedunnigan]

Kim Dotcom of megaupload fame wants to get in on the act as well, starting an end-to-end encrypted email service:

http://yro.slashdot.org/story/13/08/11/1244209/after-lavabit-shut-down-dotcoms-mega-promises-secure-mail

This should be good ... he may come across sometimes like a big, funny guy (clownish) but you know what? ... He just goes ahead and does shit, he doesn't just talk about it.

Yea there is no doubt he is a doer more than a talker, but don't walk into his playpen willy nilly. If you are looking for secure encrypted mail storage the only person you can trust is yourself. Using open source software or at least auditable services is key.