How do you know the 'government' are not the ones running the tormail service?
You say you wouldn't use my email service, but you would use tormail? Why is that, as you don't know me or the people that host or run tormail, so why do you trust them?
I am not being pernickety, I am interested as people's perspectives on privacy and security interest me as a penetration-tester and security consultant.
Last edited by haqking; March 20th, 2013 at 04:24 PM.
I'm not saying TorMail is perfect, of course there will always be security and privacy concerns, but I DO trust them more than I do the government.
Also, how is it "hard for me to find?". I've NEVER found a vulnerability in TorMail (well, I haven't tried). I'm not saying the website is hard to find!
Also, Sarah Palin used Yahoo. Remember the Sarah Palin e-mail hack? It wasn't some kind of sophisticated technical hack, it was using the service's password recovery! Password recovery is a MASSIVE flaw in anything that's meant to be secure (and TorMail doesn't even have phone or alternate e-mail based recovery). So saying famous people or people in high places in the government use such services isn't "proof" that the services are somehow more secure.
Tor protects the site there (and its users) the same way it protects TorMail. I could get more examples if you want.
Also, just something I noticed about the link. It says the hacker group "Anonymous" managed to crack Tor to post the user list from an illegal kiddie porn site. That's actually false, it turns out the user list was publicly displayed on the illegal site, and all Anonymous did was copy it and put it in pastebin (see http://fscked.org/blog/something-rotten-opdarknet). The link goes on to say that that's why Tor can be cracked, but it wasn't cracked in the first place, Anonymous just exploited the fact that obviously no one would go on such an illegal site to check for themselves. While Tor does have its share of vulnerabilities, they're extremely hard to exploit (e.g. timing attacks).
Tor is not invincible, but do you really think something like GMail is more likely to respect your privacy just because you can't trust TorMail 100%?
Now I'd like to see some evidence that the FBI IS able to break through Tor, and break through Tor easier than they can simply look at the e-mails from sites that already willingly give mail up.
Last edited by Stonecold1995; March 21st, 2013 at 02:22 AM.
What does that even mean - "break through Tor"? You mean determine the true sender of a Tor packet? It can and has been done. That affects privacy but not security. You have confused the two in your posts.
Whether the government has the knowledge to access TorMail is a separate issue from whether they're able to legally access it. Again, mixing issues.
Yes, complexity is the enemy of security. But your assumption about what services are running in proximity of others is without proof. It seems more likely to me that a larger organization such as google would run dedicated mail servers. Anyone could be running TorMail, and that's more likely to be a combination LAMP-type server if it's Fred in his mom's basement administering it.
How is that security from obscurity? A simpler setup IS more secure, it has nothing to do with obscure (in fact, it's the opposite). Yes, it is just a mail server on the backend, but isn't that more secure than a mail server on the backend with a bunch of other vulnerable services running next to it? I think you're misunderstanding what I'm saying. Is it not true that a simple setup with very few services is more secure than a complicated setup with a bunch of unnecessary services?
I was addressing your statement refuting Google and large services as more valuable targets. My point is that where the valuable information lies depends on what you're looking for.
Also, Sarah Palin used Yahoo. Remember the Sarah Palin e-mail hack? It wasn't some kind of sophisticated technical hack, it was using the service's password recovery! Password recovery is a MASSIVE flaw in anything that's meant to be secure (and TorMail doesn't even have phone or alternate e-mail based recovery). So saying famous people or people in high places in the government use such services isn't "proof" that the services are somehow more secure.
Also yeah, I may have mixed up the two terms, my mistake.
Without proof? Do I really have to get a bunch of evidence that sensitive services often run next to each other because of ignorant (yes, even in large companies) "professionals" administrating the system, and that they are often the reason sites end up being hacked?
What I don't get is why you're saying that your information is MORE safe or AS safe with something like Yahoo, or even Hushmail (which is infamous for being a security and privacy oriented service but that gave up information to law enforcement immediately when asked), than with a service like TorMail? I just don't get that. If you wanted to keep something away from the government and others, would you REALLY choose a large company over TorMail (assuming you aren't using PGP)?
This is becoming circular so I will present my final summary. For privacy use TorMail.
For maximum security stand up your own mail server.
For a mixture of security & privacy you have to compromise something, so consider the rest of the options that were mentioned.
Also, don't forget features. TorMail is very minimalist, so if you are someone who needs lots of features for maximum productivity, TorMail would be a bad idea.