RuggedInbox.com - Free offshore email

[ruggedinbox.com]

Hello everyone, fresh new service: https://ruggedinbox.com
Still in BETA, currently completely free and ad-free, Tor friendly, offshore (Europe, Bulgaria), no personal details needed, no question asked, session expiration friendly (10 hours), limited number of accounts available.

If you prefer a self-signed ssl certificate, here you are: https://ruggedinbox.com:444

Also available as a Tor hidden service: s4bysmmsnraf7eut.onion

Feedback is welcome!

[1713993303]

1713993303

[SloRunner]

this would be nice

[Ufonautas]

Pretty nice, since Tor is full of feds 

[ruggedinbox.com]

Pretty nice, since Tor is full of feds  

Hi Ufonautas, we live in a post-Snowden era
which proved that we, tin foil hat ppl
were not crazy but very much on the right track.

More than that, the reality got past the imagination: the NSA has built unbelievable systems .. "PRISM", "Turbine", "XKeyscore", "Turmoil", ... (1)
it is like an evil twin of google+facebook on steroids

Anyway, Snowden leaked that the NSA is trying hard to break Tor (2) (cit. There is no evidence that the NSA is capable of unmasking Tor traffic routinely on a global scale," the report said. "But for almost seven years, it has been trying.)
but to date, they are only able to trace a given target (cit. We will never be able to de-anonymize all Tor users all the time.)
and it is an expensive and time consuming 'feature'.

Snowden himself were using Tor (the 'Tails' linux distro) and Lavabit for emails
and the NSA wasn't able to violate them (3 and 4).

Back to the feds, take the Silkroad example: there were no real hacking / big brother involved in finding the Dread Pirate Roberts (5) (cit. it didn't take technical back doors to find him; it just took a lot of solid detective work, some subpoenas, and a search engine.)

You may also notice that the number of Tor relays and exit-nodes didn't unexpectedly increase over the last 18 months:
https://metrics.torproject.org/network.html?graph=networksize&start=2013-01-01&end=2014-06-22#networksize

In short, it all depends on how dangerous you are and how big you want your enemies to be.

1. http://arstechnica.com/information-technology/2013/08/building-a-panopticon-the-evolution-of-the-nsas-xkeyscore/
2. http://arstechnica.com/security/2013/10/nsa-repeatedly-tries-to-unpeel-tor-anonymity-and-spy-on-users-memos-show/
3. http://www.engadget.com/2014/05/01/tails-linux-os-version1-0/
4. http://gizmodo.com/try-the-super-secure-usb-drive-os-that-edward-snowden-i-1563320487
5. http://arstechnica.com/tech-policy/2013/10/how-the-feds-took-down-the-dread-pirate-roberts/

and some other links to cheer up this nice sunday
http://arstechnica.com/information-technology/2014/03/nsas-automated-hacking-engine-offers-hands-free-pwning-of-the-world/
http://arstechnica.com/tech-policy/2013/08/nsas-internet-taps-can-find-systems-to-hack-track-vpns-and-word-docs/
http://arstechnica.com/security/2014/03/nsa-hacker-in-residence-dishes-on-how-to-hunt-system-admins/
http://arstechnica.com/tech-policy/2013/06/use-of-tor-and-e-mail-crypto-could-increase-chances-that-nsa-keeps-your-data/
http://arstechnica.com/security/2013/09/majority-of-tor-crypto-keys-could-be-broken-by-nsa-researcher-says/
and in general: www.arstechnica.com/series/nsa-leaks/

[ruggedinbox.com]

Hi all again and thanks for your interest!

We just introduced a brand new feature:
when sending an email using an smtp client, the following headers are now anonymized: 'Received', 'X-Originating-IP', 'User-Agent', 'X-Mailer', 'X-Enigmail' and 'Mime-Version'.
In short, your IP address will not be revealed.

(Sending with the webmail always had this feature)

Let us know if you have any questions or need support!

https://ruggedinbox.com

[SloRunner]

Hi all again and thanks for your interest!

We just introduced a brand new feature:
when sending an email using an smtp client, the following headers are now anonymized: 'Received', 'X-Originating-IP', 'User-Agent', 'X-Mailer', 'X-Enigmail' and 'Mime-Version'.
In short, your IP address will not be revealed.

(Sending with the webmail always had this feature)

Let us know if you have any questions or need support!

https://ruggedinbox.com

registered 2 acc's today (1st registered & failed to login later, same with the second one)

can you help?

[ruggedinbox.com]

registered 2 acc's today (1st registered & failed to login later, same with the second one)

can you help?

Hi SloRunner thanks for your interest and feedback.

That's strange, I've tried now to create an account and I can login properly.
Did you try using the webmail ( https://ruggedinbox.com/rc ) or an email client ?

[SloRunner]

registered 2 acc's today (1st registered & failed to login later, same with the second one)

can you help?

Hi SloRunner thanks for your interest and feedback.

That's strange, I've tried now to create an account and I can login properly.
Did you try using the webmail ( https://ruggedinbox.com/rc ) or an email client ?

still login failed, with mail i made yesterday...

[ruggedinbox.com]

still login failed, with mail i made yesterday...

Hi SloRunner please provide your ruggedinbox email address in PM
and I'll reset your password.
(You should then be able to login and change your password again).

Thank you.

[ruggedinbox.com]

Ok so, problem solved and platform updated.
"Closing the ticket"
Thanks to all for your interest and happy emailing!

[chromedome]

I'm having a frustrating problem. Today I've created three accounts. Two via Tor Bundle, and one straight through my ISP. I received a confirmation on all three,

Your new email address is: xxxxxxxx@ruggedinbox.com
Host: ruggedinbox.com
IMAP (TLS) port: 993
POP (TLS) port: 995
SMTP (TLS) port: 465
Webmail url: https://ruggedinbox.com/rsm
Webmail with self-signed ssl url: https://ruggedinbox.com:444/rc

However, when I attempt to login via Claws Mail it errors out and the log shows:

[15:15:42] POP3< +OK Welcome to ruggedinbox.com
[15:15:42] POP3> USER xxxxxxxx
[15:15:42] POP3< +OK
[15:15:42] POP3> PASS ********
[15:15:45] POP3< -ERR Authentication failed.
*** error occurred on authentication
*** Authentication failed.

When I attempt via webmail using SquirrelMail of Roundcube I receive: Unknown user or password incorrect.

I'm using a 25 character 164 bit password, this is the only thing I can think of that may cause an issue on all three.

Help.

[ruggedinbox.com]

I'm having a frustrating problem. Today I've created three accounts. Two via Tor Bundle, and one straight through my ISP. I received a confirmation on all three,

Your new email address is: xxxxxxxx@ruggedinbox.com
Host: ruggedinbox.com
IMAP (TLS) port: 993
POP (TLS) port: 995
SMTP (TLS) port: 465
Webmail url: https://ruggedinbox.com/rsm
Webmail with self-signed ssl url: https://ruggedinbox.com:444/rc

However, when I attempt to login via Claws Mail it errors out and the log shows:

[15:15:42] POP3< +OK Welcome to ruggedinbox.com
[15:15:42] POP3> USER xxxxxxxx
[15:15:42] POP3< +OK
[15:15:42] POP3> PASS ********
[15:15:45] POP3< -ERR Authentication failed.
*** error occurred on authentication
*** Authentication failed.

When I attempt via webmail using SquirrelMail of Roundcube I receive: Unknown user or password incorrect.

I'm using a 25 character 164 bit password, this is the only thing I can think of that may cause an issue on all three.

Help.

Hi thanks for reporting. Sent PM

[ruggedinbox.com]

Ok so the current maximum allowed password length is 22 characters. Sent PM

[ruggedinbox.com]

NEW FEATURES ANNOUNCEMENT:

hi all!

Recentily we got precious feedback from a number of (rightly) paranoid fellows, follows the improvements:

* availability as a Tor hidden service (over http, https with valid certificate and https with a self-signed certificate)
* installed an alternative webmail (SquirrelMail) for browsers with javascript disabled

The Tor hidden service address is: s4bysmmsnraf7eut.onion

For a more detailed description please have a look at the features page: https://ruggedinbox.com/features.php
( or as an hidden service: http://s4bysmmsnraf7eut.onion/features.php )


Thanks for your interest and let us know if you have any problem!

[ruggedinbox.com]

NEW FEATURES ANNOUNCEMENT:

you can now create disposable / temporary accounts.

If you click on top on 'Register', you will be asked if you want to create a normal or a disposable / temporary inbox.

By clicking on the latter ( direct url: https://ruggedinbox.com/createTempAccount.php OR http://s4bysmmsnraf7eut.onion/createTempAccount.php ) you will go to a specific registration page, where a random username is suggested
and where you can choose an expiration date between 1 hour and 1 year.

When the expired date is reached, the account will be removed from the database and all its files and folders are deleted.


ALSO .. we changed the log rotation policy.
Before it was the Debian default: 1 month.
1 month is too much, we don't need it and privacy-wise, the less the better.
The new policy is 1 week: system logs and web access logs are kept for 1 week.
(this can still be improved, in the near future it will be 48 hours)

Thanks to all for your interest and feedback!

[cryptofutureis]

Hello everyone, fresh new service: https://ruggedinbox.com
Still in BETA, currently completely free and ad-free, TOR friendly, offshore (Europe, Bulgaria), no personal details needed, no question asked, session expiration friendly (10 hours), limited number of accounts available.

If you prefer a self-signed ssl certificate, here you are: https://ruggedinbox.com:444

Also available as a TOR hidden service: s4bysmmsnraf7eut.onion

Feedback is welcome!

Hi, https://www.ssllabs.com/ssltest/analyze.html?d=ruggedinbox.com report is not good enough, your should specify more strict cipher policy, to have full Forward Secrecy. Roundcude is insecure (many private exploits available), but I like it better then squirrel. 
And finally after registration, I can't login. (maybe you not support some special symbols in passwords, used 21 long). With normal Forward Secrecy  self-signed certificates is just piece of useless crap. Don't forget not only select long dh param/key, but to change default curve for at least longer one(don't know is it possible or not with lighttpd).

[ruggedinbox.com]

Hi, https://www.ssllabs.com/ssltest/analyze.html?d=ruggedinbox.com report is not good enough, your should specify more strict cipher policy, to have full Forward Secrecy. Roundcude is insecure (many private exploits available), but I like it better then squirrel. 
And finally after registration, I can't login. (maybe you not support some special symbols in passwords, used 21 long). With normal Forward Secrecy  self-signed certificates is just piece of useless crap. Don't forget not only select long dh param/key, but to change default curve for at least longer one(don't know is it possible or not with lighttpd).

Hi thanks for the suggestions, we'll do the homework, fix and report back Give us a couple of days.

[ruggedinbox.com]

Hi, https://www.ssllabs.com/ssltest/analyze.html?d=ruggedinbox.com report is not good enough, your should specify more strict cipher policy, to have full Forward Secrecy. Roundcude is insecure (many private exploits available), but I like it better then squirrel.  
And finally after registration, I can't login. (maybe you not support some special symbols in passwords, used 21 long). With normal Forward Secrecy  self-signed certificates is just piece of useless crap. Don't forget not only select long dh param/key, but to change default curve for at least longer one(don't know is it possible or not with lighttpd).

Hi cryptofutureis, thanks for your detailed suggestions about ssl!

By following this howto (forward secrecy on lighttpd): https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
score raises to A

with this parameters: https://cipherli.st
the overall rating is A+

https://www.ssllabs.com/ssltest/analyze.html?d=ruggedinbox.com

easy and very useful!

(also, today those debian packages: libssl-dev libssl-doc libssl1.0.0 libssl1.0.0:i386 openssl were updated)


About the password, we made some (manual) tests and the invalid characters are " (quote) and \ (back-slash aka 'reverse solidus')
so you can have passwords like `~!@#$%^&*()-=_+}{[];'
and ,./<>?
we didn't test symbols, anyway the only character that we really strip is " (quote)


About Roundcube, now that you say that (0-day exploits available around), you gave us the additional motivation to configure spawn-fcgi to isolate the virtual hosts (so hacking roundcube would not result in having access to the whole document root of the web server) .. we'll do that as the next thing.


Thanks for your feedback and happy emailing!

[ruggedinbox.com]

Hi we are happy to announce that recently we did the following security and privacy oriented improvements:

* enabled perfect secrecy on all ssl services, current score on ssllabs.com is A+ ( https://www.ssllabs.com/ssltest/analyze.html?d=ruggedinbox.com )

* enabled Tor peering with SIGAINT ( http://sigaintevyh2rzvw.onion ), now you can send and receive emails with SIGAINT using the hidden service address, the emails will never touch the clearnet

* roundcube now shows the emails in text-mode (before it was rendering the html version)

* roundcube now defaults to use the text-mode editor (instead of the html editor)

* ability to delete an email account (removing / destroying all the emails), you can find the link on the home page or use the direct link: http://s4bysmmsnraf7eut.onion/destroyAccount.php

Peering with other tor-friendly email providers will come soon, we'll keep you updated.


Thanks for the feedback!

[cryptofutureis]

Hi, https://www.ssllabs.com/ssltest/analyze.html?d=ruggedinbox.com report is not good enough, your should specify more strict cipher policy, to have full Forward Secrecy. Roundcude is insecure (many private exploits available), but I like it better then squirrel.  
And finally after registration, I can't login. (maybe you not support some special symbols in passwords, used 21 long). With normal Forward Secrecy  self-signed certificates is just piece of useless crap. Don't forget not only select long dh param/key, but to change default curve for at least longer one(don't know is it possible or not with lighttpd).

Hi cryptofutureis, thanks for your detailed suggestions about ssl!

By following this howto (forward secrecy on lighttpd): https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
score raises to A

with this parameters: https://cipherli.st
the overall rating is A+

https://www.ssllabs.com/ssltest/analyze.html?d=ruggedinbox.com

easy and very useful!

(also, today those debian packages: libssl-dev libssl-doc libssl1.0.0 libssl1.0.0:i386 openssl were updated)


About the password, we made some (manual) tests and the invalid characters are " (quote) and \ (back-slash aka 'reverse solidus')
so you can have passwords like `~!@#$%^&*()-=_+}{[];'
and ,./<>?
we didn't test symbols, anyway the only character that we really strip is " (quote)


About Roundcube, now that you say that (0-day exploits available around), you gave us the additional motivation to configure spawn-fcgi to isolate the virtual hosts (so hacking roundcube would not result in having access to the whole document root of the web server) .. we'll do that as the next thing.


Thanks for your feedback and happy emailing!

Thanks, all is correct now. Tested same password without " (quote) and it works. But anyway try to choose one main and supported web interface. Also look in curve option to select better one curve:

Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement protocols will be supported in lighttpd 1.4.29. By default, Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement protocols use, respectively, the 1024-bit MODP Group with 160-bit prime order subgroup from RFC 5114 and "prime256v1" (also known as "secp256r1") elliptic curve from RFC 4492. The Elliptic-Curve Diffie-Hellman key agreement protocol is supported in OpenSSL from 0.9.8f version onwards. For maximum interoperability, OpenSSL only supports the "named curves" from RFC 4492.

Using the ssl.dh-file and ssl.ec-curve configuration variables, you can define your own set of Diffie-Hellman domain parameters. For example:

ssl.dh-file = "/etc/lighttpd/ssl/dh2048.pem"
ssl.ec-curve = "secp384r1"
Default is secp256r1 but we always can select curve with bigger prime.
Mozilla has a nice doc available: https://wiki.mozilla.org/Security/Server_Side_TLS