You trust them? Who do you trust then? Do you know the hoster and admin yourself?
How do you know the 'government' are not the ones running the tormail service?
You say you wouldn't use my email service, but you would use tormail? Why is that, as you don't know me or the people that host or run tormail, so why do you trust them?
I am not being pernickety, I am interested, as people's perspectives on privacy and security interest me as a penetration-tester and security consultant.
Last edited by haqking; March 20th, 2013 at 04:24 PM.
Backtrack - Giving machine guns to monkeys since 2006
Kali-Linux - Adding a grenade launcher to the machine guns since 2013
Yes Tormail will give you privacy. Just because it's hard for you to find doesn't make it hard for others to find. Obscurity (to you) != security. Ultimately it's just a mail server running on the back end, and it has vulnerabilities just like every other server out there. What's your evidence for saying it's harder to hack (aside from your flawed train of logic)?
Well, former president Bush's family used AOL. General Petraeus used Gmail. It entirely depends on what you're looking for.
Why would you think this? What evidence do you have?
Not completely, but I trust them not to disclose my e-mails more than I trust other services. And no, I don't know them myself. Of course, if I wanted to send anything really sensitive, there's PGP.
I would be very surprised if the government willingly supported so much illegal activity.
If you made an e-mail service, kept it up long enough to prove it wasn't just a scam, and managed to be completely neutral to the content, then yes, I'd trust you more than I'd trust a big company with a reputation for not respecting user privacy.
I'm not saying TorMail is perfect, of course there will always be security and privacy concerns, but I DO trust them more than I do the government.
How is that security from obscurity? A simpler setup IS more secure, it has nothing to do with obscure (in fact, it's the opposite). Yes, it is just a mail server on the backend, but isn't that more secure than a mail server on the backend with a bunch of other vulnerable services running next to it? I think you're misunderstanding what I'm saying. Is it not true that a simple setup with very few services is more secure than a complicated setup with a bunch of unnecessary services?
Also, how is it "hard for me to find?". I've NEVER found a vulnerability in TorMail (well, I haven't tried). I'm not saying the website is hard to find!
Honestly I don't think Bush was all that bright anyways.
Also, Sarah Palin used Yahoo. Remember the Sarah Palin e-mail hack? It wasn't some kind of sophisticated technical hack, it was using the service's password recovery! Password recovery is a MASSIVE flaw in anything that's meant to be secure (and TorMail doesn't even have phone or alternate e-mail based recovery). So saying famous people or people in high places in the government use such services isn't "proof" that the services are somehow more secure.
Here:
http://www.cybercrimesunit.com/fbi-c...investigation/
Tor protects the site there (and its users) the same way it protects TorMail. I could get more examples if you want.
Also, just something I noticed about the link. It says the hacker group "Anonymous" managed to crack Tor to post the user list from an illegal kiddie porn site. That's actually false, it turns out the user list was publicly displayed on the illegal site, and all Anonymous did was copy it and put it in pastebin (see http://fscked.org/blog/something-rotten-opdarknet). The link goes on to say that that's why Tor can be cracked, but it wasn't cracked in the first place, Anonymous just exploited the fact that obviously no one would go on such an illegal site to check for themselves. While Tor does have its share of vulnerabilities, they're extremely hard to exploit (e.g. timing attacks).
Tor is not invincible, but do you really think something like GMail is more likely to respect your privacy just because you can't trust TorMail 100%?
Now I'd like to see some evidence that the FBI IS able to break through Tor, and break through Tor easier than they can simply look at the e-mails from sites that already willingly give mail up.
Last edited by Stonecold1995; March 21st, 2013 at 02:22 AM.
What does that even mean- "break through Tor"? You mean determine the true sender of a Tor packet? It can and has been done. That affects privacy but not security. You have confused the two in your posts.
Whether the government has the knowledge to access TorMail is a separate issue from whether they're able to legally access it. Again, mixing issues.
Yes, complexity is the enemy of security. But your assumption about what services are running in proximity of others is without proof. It seems more likely to me that a larger organization such as Google would run dedicated mail servers. Anyone could be running TorMail, and that's more likely to be a combination LAMP-type server if it's Fred in his mom's basement administering it.
I was addressing your statement refuting Google and large services as more valuable targets. My point is that where the valuable information lies depends on what you're looking for.
By break through Tor, I mean either decrypt the content, or determine the sender and receiver. And yes, I know it can and has been done, but I'm not defending Tor as a perfect privacy solution. The only thing that matters in that case is that Tor is more secure than a big e-mail provider which is willing to hand over all your e-mails the second they're asked, often without even a warrant.
Also yeah, I may have mixed up the two terms, my mistake.
I don't get what you're saying. I said nothing about the knowledge to access TorMail or whether they're legally able to access it. I meant, they are unable to (or at least it would be very difficult) demand that the admin of the site hand over the e-mails, and also are likely unable to hack into the site and obtain them by force. I don't get where you got this knowledge to merely access the site.
Are you really saying that the complexity of the setup is not inversely correlated to its security? Plus even if Google uses separate mail servers, a sophisticated attacker could be able to gain access anyway, even if it's just using a flash drive to spread an infection (I think something like that happened with the Navy, they now ban flash drives because an attacker used one to spread some kind of backdoor).
Without proof? Do I really have to get a bunch of evidence that sensitive services often run next to each other because of ignorant (yes, even in large companies) "professionals" administrating the system, and that they are often the reason sites end up being hacked?
What I don't get is why you're saying that your information is MORE safe or AS safe with something like Yahoo, or even Hushmail (which is infamous for being a security and privacy oriented service but that gave up information to law enforcement immediately when asked), than with a service like TorMail? I just don't get that. If you wanted to keep something away from the government and others, would you REALLY choose a large company over TorMail (assuming you aren't using PGP)?
This is becoming circular so I will present my final summary. For privacy use TorMail.
For maximum security stand up your own mail server.
For a mixture of security & privacy you have to compromise something, so consider the rest of the options that were mentioned.
Agreed. Although if you are not very familiar with computers in general, trying to set up your own mail server might be a bad idea.
Also, don't forget features. TorMail is very minimalist, so if you are someone who needs lots of features for maximum productivity, TorMail would be a bad idea.