Phasing out Google: alternatives to GMail

[aysiu]

Encrypted ot not, that person's email is going to sit on hardware someone else owns and controls.

Running your own mail server is a first class pain. A bit like running a restaurant to make sure you eat homecooked food.

These were the exact points I was trying to make.

[vishal2]

Hi,

I found gmail alternative forum post here but that was closed so i start new thread here.I am shifting to my services to email.biz and see what kind of services i would get there.

[Elfy]

you obviously didn't find this one then

merged

[beacon-videotron]

Look, if Google/Fastmail/GMX/HOTMAIL/ whatever doesn't have a copy of your encrypted email, then the NSA does. Have you not heard about Snowden and PRISM? Relax. Commercialization has
ruined the Internet - they have turned it into something they can control, while keeping everyone dumb and happy

[lads]

What just happened to Lavabit is a sort of sad vindication to this thread.

Over the weekend there was also this announcement:

German email providers team up for anti-snooping bid

Germany's three biggest email providers announced Friday a partnership to bolster the security of messages sent between them in the wake of revelations of US online surveillance.

Telecommunications giant Deutsche Telekom as well as GMX and Web.de, both subsidiaries of Germany's United Internet, will automatically encrypt their email traffic from now on.

Email content as well as the identity of the sender and recipient and attachments will be encrypted, Deutsche Telekom and United Internet told reporters, presenting the "Email Made in Germany" initiative.
- See more at: http://www.themalaymailonline.com/wo....kzGsJai3.dpuf

I've signed up for GMX, that has an English interface, and am now assessing its capabilities. So far looks better than others I've tried.

[1clue]

What just happened to Lavabit is a sort of sad vindication to this thread.

Over the weekend there was also this announcement:



I've signed up for GMX, that has an English interface, and am now assessing its capabilities. So far looks better than others I've tried.

What happened to Lavabit is what you have to worry about, only a thousand fold.

Speaking as somebody who has managed a mail server for years, there are a lot of issues most of you don't seem to want to consider, most of which has been mentioned on this thread already.

1. If the mail server is not on your hardware on a network you personally have the entire contract on, then somebody else is in control and you can be monitored without your knowledge.
2. If your ISP is subpoena'd then you can be monitored without your knowledge.
3. Comcast and Midcontinent and AT&T are on that list of companies who let the US government put hooks in, which covers the lion's share of high speed US connections to homes and small businesses I think.
4. Small office/home office (SOHO) routers are notoriously buggy, if you're using one then probably your security isn't as good as you were hoping.

Now, about the whole stream:

1. If you encrypt at the desktop-style client (not webmail) then, assuming you're using an encryption mode that's not cracked you can gain a certain measure of privacy.
2. That said, in order for this to work you need both ends of the chain to be encrypted, which means whoever you're talking to needs to be encrypted and careful as well.
3. By encryption I don't mean using ssl to get to the server. Encryption means that you have an encryption key with a public and private part, you've shared the public part with your friends, and they've done likewise with you. Encryption means that sending an email to Bob, I've encrypted my message such that only Bob can decrypt it without going through a cracking process. Not even you can read that message anymore.
4. Encrypting the body does not mean the entire communication is secure. They still know who mailed whom because that's in plain text, by definition.
5. Picture your brothers and sisters, and your parents in light of the above statement. How about your kids?
6. Picture your coworkers. While almost all of my coworkers could figure out encryption, absolutely none of them wants anything to do with it.
7. Using encryption to a webmail-style place does not in any way mean the entire chain is encrypted. Almost certainly not.
8. Any point where your data crosses a national boundary, you are probably going to have your email scanned. Again, if you didn't encrypt it with a key aimed specifically at the recipient it's probably plain text by the time it gets to the national boundary.

I went through the trouble to set this up awhile back, and absolutely nobody was interested. Absolutely nobody would go further than say they got an unreadable email from me, please send it in plain text.

So, everyone who wants 'secure' email needs:

1. Their own physical server, on their own physical hardware with a properly configured secure mail server on it, inside of a secure building which limits physical access.
2. A non-trivial firewall and the expertise to use it. This is an understatement, you need defense in depth.
3. An obsessive fascination with CERT and other security-based institutions.
4. An ISP who won't cave to whatever the equivalent of a federal subpoena is in your country. (Meaning they're willing to go to prison to protect your privacy)
5. Friends who are just as obsessive and careful about this as you are.

Online monitoring sucks, but the only way to fix it is overwhelmingly difficult. Skip one part and the whole thing is nothing. It's a house of cards.

[Gilad_Pellaeon]

Or you could wait until Kim Dot Com sets up an email alternative

From http://yro.slashdot.org/story/13/08/...es-secure-mail

Lavabit may no longer be an option, but recent events have driven interest in email and other ways to communicate without exposing quite so much, quite so fast, to organizations like the NSA (and DEA, and other agencies). Kim Dotcom as usual enjoys filling the spotlight, when it comes to shuttling bits around in ways that don't please the U.S. government, and Dotcom's privacy-oriented Mega has disclosed plans to serve as an email provider with an emphasis on encryption. ZDNet features an interview with Mega's CEO Vikram Kumar about the complications of keeping email relatively secure; it's not so much the encryption itself, as keeping bits encrypted while still providing the kind of features that users have come to expect from modern webmail providers like Gmail:

"'The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side,' Kumar said. 'If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side. [That’s] not quite impossible but very, very hard. That’s why even Silent Circle didn’t go there.'"

[lads]

What happened to Lavabit is what you have to worry about, only a thousand fold.

Speaking as somebody who has managed a mail server for years, there are a lot of issues most of you don't seem to want to consider, most of which has been mentioned on this thread already.

Thank you 1clue, this is the kind of detailed information I was looking for when I started this thread. Just to add: I found out recently that a colleague of mine ran his own mail server for a few years; in his case what eventually overwhelmed him was spam, at some point it was just too much work to keep it running.

Understanding the risks of having one's email stored at someone else's server, having it in a foreign country where individual privacy seems not to be a civil right, such as the US, only increases that risk further. As someone who values privacy, keeping my e-mail stored at the US by a US company seems at this stage idiotic (even if GMail actually has the best GUI out there).

E-mail secrecy is a business in the making. Just like some countries live off banking secrecy.

[buzzingrobot]

Since email, like everything else about the web, is, by intent and design, a public publishing protocol, not a private communication tool, it's always seemed to me to be naive and ill-informed to expect privacy in that environment. That so many people seem to be taken aback to find their email is not private speaks to a wide and deep ignorance of how, and why, the internet works. Getting that kind of privacy as a matter of course would mean modifying the internet to a degree most of us would not like.

Encryption can deliver a degree of privacy as long as both parties in an email exchange opt in. I doubt it will see wide acceptance in the mainstream market. People can't keep passwords straight, much less the paraphenelia of encryption. Courts will certainly require the turning over of keys in criminal cases. After a serious terror incident in which the participants conspired via encrypted email, legislation banning it will stand a good chance of passage.

[kurt18947]

What just happened to Lavabit is a sort of sad vindication to this thread.

Over the weekend there was also this announcement:



I've signed up for GMX, that has an English interface, and am now assessing its capabilities. So far looks better than others I've tried.

I wonder if this is true of GMX.com as well. GMX.com appears to be hosted by 1+1 in the U.S. I've signed up for it after the demise of lavabit.com. I'm not terribly concerned about privacy on this account but it'd be nice if it's at least secure enough that it'd take the resources of an state sponsored organization to read my mail. The things I receive there Uncle can find from other sources with little effort if he's interested.