WHat is the most secure email service?

[tubbygweilo]

I was being sarcastic, not offering such a service </sarcasm>

Yes but how often am I able to work the word sisyphean into conversation let alone a posting in this august forum?

Keep up the good work.

[haqking]

Well, considering they've been trying to find the hackers/crackers, pedophiles, and drug dealers that use it, and failed, it seems like it's pretty secure. Sure, the NSA can read the copies of mail without a warrent through services like Google, Yahoo, etc, but cracking into a service is different. You seem so sure that they could get in, but do you have any proof that they are even remotely capable? The FBI themselves admitted that they cannot break through Tor, and Tor provides a very strong layer of protection for hidden services behind it.

Regardless of how often people claim the government is all powerful and nothing holds them back, it has yet to be shown that they are actually capable of it.

Also, by "government get to it", I meant get to the actual e-mails. Of course the government is able to get to the TorMail service itself (as in, get to it to use it).


Well, no. But I wouldn't use it either even if you were a big company CEO (especially if you were a big company CEO). Trusting the admin is another thing altogether. However, I trust the admin of TorMail far more than I trust, say, the CEO of Google (or even the head of the NSA for that matter). I highly doubt the admin will use any data for selfish malicious purposes, and they certainly don't seem like they'd just give up the mail willingly to the government.

Of course, TorMail isn't my favorite mail service. I like them, but they're far to slow for me. I'm just saying that, on the technical side of things, they are far, far more secure than many other services.

You trust them ? Who do you trust then ? Do you know the hoster and admin yourself ?

How do you know the 'government' are not ones running the tormail service ?

You say you wouldnt use my email service, but you would use tormail ? Why is that as you dont know me or the people the host or run tormail so why do you trust them ?

I am not being pernickety, I am interested as peoples perspectives on privacy and security interest me asa penetration-tester and security consultant.

[Ms. Daisy]

That's not necessarily true. TorMail is more secure as well as private. Because it's a "hidden service" on the deep web, (i.e. onion site), it is much harder to hack into. Plus, it comes with no bells and whistles, and relies almost entirely on pure HTML (no web apps or complicated setups which is what makes the other websites much easier targets). I would be exceedingly impressed if someone managed to break through Tor in order to get to TorMail. With so few options for vulnerabilities the only way you could hack TorMail would be to try and gain root by brute force, and Tor alone would slow that down to an impossible speed. The simplicity makes vulnerabilities like XSS much easier to prevent than with the giants you see rushing to patch vulnerabilities as they pop up all over the place (I'm looking at you Microsoft).

Yes Tormail will give you privacy. Just because it's hard for you to find doesn't make it hard for others to find. Obscurity (to you) != security. Ultimately it's just a mail server running on the back end, and it has vulnerabilities just like every other server out there. What's your evidence for saying it's harder to hack (aside from your flawed train of logic)?

Just look at how often Google, Microsoft, etc gets hacked, just because a company is large and popular doesn't mean it's just as secure as a small one behind an onion hidden service. And you can't really say that it's because those are bigger targets, because managing to get into TorMail would give any hacker/cracker far more valuable information than with another e-mail service.

Well former president Bush's family used AOL. General Patreaus used Gmail. It entirely depends on what you're looking for.

Considering even the American government is unable to get to TorMail, I think that makes it pretty secure, as well as private.

Why would you think this? What evidence do you have?

[Ms. Daisy]

Well, considering they've been trying to find the hackers/crackers, pedophiles, and drug dealers that use it, and failed, it seems like it's pretty secure. Sure, the NSA can read the copies of mail without a warrent through services like Google, Yahoo, etc, but cracking into a service is different. You seem so sure that they could get in, but do you have any proof that they are even remotely capable? The FBI themselves admitted that they cannot break through Tor, and Tor provides a very strong layer of protection for hidden services behind it.

Ah sorry, I missed this gem. Sometimes I wonder if it's better to let misinformation like this just stand. I certainly hope for your own sake that you're not breaking the law on TorMail because you, my friend, are going to jail.

[Stonecold1995]

You trust them ? Who do you trust then ? Do you know the hoster and admin yourself ?

Not completely, but I trust them not to disclose my e-mails more than I trust other services. And no, I don't know them myself. Of course, if I wanted to send anything really sensitive, there's PGP.

How do you know the 'government' are not ones running the tormail service ?

I would be very surprized if the government willingly supported so much illegal activity.

You say you wouldnt use my email service, but you would use tormail ? Why is that as you dont know me or the people the host or run tormail so why do you trust them ?

If you made an e-mail service, kept it up long enough to prove it wasn't just a scam, and managed to be completely neutral to the content, then yes, I'd trust you more than I'd trust a big company with a reputation for not respecting user privacy.

I'm not saying TorMail is perfect, of course there will always be security and privacy concerns, but I DO trust them more than I do the government.

Yes Tormail will give you privacy. Just because it's hard for you to find doesn't make it hard for others to find. Obscurity (to you) != security. Ultimately it's just a mail server running on the back end, and it has vulnerabilities just like every other server out there. What's your evidence for saying it's harder to hack (aside from your flawed train of logic)?

How is that security from obscurity? A simpler setup IS more secure, it has nothing to do with obscure (in fact, it's the opposite). Yes, it is just a mail server on the backend, but isn't that more secure than a mail server on the backend with a bunch of other vulnerable services running next to it? I think you're misunderstanding what I'm saying. Is it not true that a simple setup with very few services is more secure than a complicated setup with a bunch of unnecessary services?

Also, how is it "hard for me to find?". I've NEVER found a vulnerability in TorMail (well, I haven't tried). I'm not saying the website is hard to find!

Well former president Bush's family used AOL. General Patreaus used Gmail. It entirely depends on what you're looking for.

Honestly I don't think Bush was all that bright anyways.

Also, Sarah Palin used Yahoo. Remember the Sarah Palin e-mail hack? It wasn't some kind of sophisticated technical hack, it was using the service's password recovery! Password recovery is a MASSIVE flaw in anything that's meant to be secure (and TorMail doesn't even have phone or alternate e-mail based recovery). So saying famous people or people in high places in the government use such services isn't "proof" that the services are somehow more secure.

Why would you think this? What evidence do you have?

Here:
http://www.cybercrimesunit.com/fbi-c...investigation/

Tor protects the site there (and its users) the same way it protects TorMail. I could get more examples if you want.

Also, just something I noticed about the link. It says the hacker group "Anonymous" managed to crack Tor to post the user list from an illegal kiddie porn site. That's actually false, it turns out the user list was publically displayed on the illegal site, and all Anonymous did was copy it and put i t in pastebin (see http://fscked.org/blog/something-rotten-opdarknet). The link goes on to say that that's why Tor can be cracked, but it wasn't cracked in the first place, Anonymous just exploited the fact that obviously no one would go on such an illegal site to check for themselves. While Tor does have its share of vulnerabilities, they're extremely hard to exploit (e.g. timing attacks)


Tor is not invincible, but do you really think something like GMail is more likely to respect your privacy just because you can't trust TorMail 100%?

Now I'd like to see some evidence that the FBI IS able to break through Tor, and break through Tor easier than they can simply look at the e-mails from sites that already willingly give mail up.

[Ms. Daisy]

What does that even mean- "break through Tor"? You mean determine the true sender of a Tor packet? It can and has been done. That affects privacy but not security. You have confused the two in your posts.

Whether the government has the knowledge to access TorMail is a separate issue from whether they're able to legally access it. Again, mixing issues.

How is that security from obscurity? A simpler setup IS more secure, it has nothing to do with obscure (in fact, it's the opposite). Yes, it is just a mail server on the backend, but isn't that more secure than a mail server on the backend with a bunch of other vulnerable services running next to it? I think you're misunderstanding what I'm saying. Is it not true that a simple setup with very few services is more secure than a complicated setup with a bunch of unnecessary services?

yes complexity is the enemy of security. But your assumption about what services are running in proximity of others is without proof. It seems more likely to me that a larger organization such as google would run dedicated mail servers. Anyone could be running TorMail, and that's more likely to be a combination LAMP-type server if it's Fred in his mom's basement administering it.

[Ms. Daisy]

Also, Sarah Palin used Yahoo. Remember the Sarah Palin e-mail hack? It wasn't some kind of sophisticated technical hack, it was using the service's password recovery! Password recovery is a MASSIVE flaw in anything that's meant to be secure (and TorMail doesn't even have phone or alternate e-mail based recovery). So saying famous people or people in high places in the government use such services isn't "proof" that the services are somehow more secure.

I was addressing your statement refuting Google and large services as more valuable targets. My point is that where the valuable information lies depends on what you're looking for.

[Stonecold1995]

What does that even mean- "break through Tor"? You mean determine the true sender of a Tor packet? It can and has been done. That affects privacy but not security. You have confused the two in your posts.

By break through Tor, I mean either decrypt the content, or determine the sender and receiver. And yes, I know it can and has been done, but I'm not defending Tor as a perfect privacy solution. The only thing that matters in that case is that Tor is more secure than a big e-mail provider which is willing to hand over all your e-mails the second they're asked, often without even a warrant.

Also yeah, I may have mixed up the two terms, my mistake.

Whether the government has the knowledge to access TorMail is a separate issue from whether they're able to legally access it. Again, mixing issues.

I don't get what you're saying. I said nothing about the knowledge to access TorMail or whether they're legally able to access it. I meant, they are unable to (or at least it would be very difficult) demand that the admin of the site hand over the e-mails, and also are likely unable to hack into the site and obtain them by force. I don't get where you got this knowledge to merely access the site.

yes complexity is the enemy of security. But your assumption about what services are running in proximity of others is without proof. It seems more likely to me that a larger organization such as google would run dedicated mail servers. Anyone could be running TorMail, and that's more likely to be a combination LAMP-type server if it's Fred in his mom's basement administering it.

Are you really saying that the complexity of the setup is not inversely correlated to its security? Plus even if Google uses separate mail servers, a sophisticated attacker could be able to gain access anyway, even if it's just using a flash drive to spread an infection (I think something like that happened with the Navy, they now ban flash drives because an attacker used one to spread some kind of backdoor).

Without proof? Do I really have to get a bunch of evidence that sensitive services often run next to each other because of ignorant (yes, even in large companies) "professionals" administrating the system, and that they are often the reason sites end up being hacked?



What I don't get is why you're saying that your information is MORE safe or AS safe with something like Yahoo, or even Hushmail (which is infamous for being a security and privacy oriented service but that gave up information to law enforcement immediately when asked), than with a service like TorMail? I just don't get that. If you wanted to keep something away from the government and others, would you REALLY choose a large company over TorMail (assuming you aren't using PGP)?

[Ms. Daisy]

This is becoming circular so I will present my final summary. For privacy use TorMail.

For maximum security stand up your own mail server.

For a mixture of security & privacy you have to compromise something, so consider the rest of the options that were mentioned.

[Stonecold1995]

This is becoming circular so I will present my final summary. For privacy use TorMail.

For maximum security stand up your own mail server.

For a mixture of security & privacy you have to compromise something, so consider the rest of the options that were mentioned.

Agreed. Although if you are not very familiar with computers in general trying to set up your own mail server might be a bad idea.

Also, don't forget features. TorMail is very minimalist, so if you are someone who needs lots of features for maximum productivity, TorMail would be a bad idea.