Silk Road forums
Discussion => Security => Topic started by: rem0ved on August 06, 2013, 04:35 pm
-
so with the tormail situation, this has left a huge hole...what can we use for email?
i know some other alternatives i've heard about over the last bit are safemail and lavabit but i'm curious as to other people's opinions on these 2 providers or if there are any others that would be better.
i do know that with lavabit, you would need tor + proxy, as it seems to block TOR ip's, but i have read that this was the provider snowden used, which must mean there is something useful about it.
-
A thread about this topic just slipped onto the second page. You gotta dig a little deeper.
http://dkn255hz262ypmii.onion/index.php?topic=196538.0
-
my bad. not sure how i didn't see it when i was looking before.
thanks astor
-
I've been trying to get an educated answer to this as well seeing as all tormail bridges are now burned. I've seen the list of suggestions on the other thread astor has pointed out but I'd love to know what people are actually using... a tried & tested tor friendly email provider, preferably free?
The tech talk goes over my head in that thread a bit, although i have done all i can to protect myself with regard to anonymity & research so far on the road, i am now at a brick wall when it comes to finding a semi-anonymous provider. This is the last hurdle before i feel as safe as i can in actually going ahead & buying something.
please help, my brain hurts
-
so after reading around some more one suggestion is https://www.vmail.me/en, but this needs java enabled to work properly.
Should I enable java in order to use this email provider?
Just need a new email to register on localbitcoins & blockchain etc. really.
Am also wondering why there are not A LOT of other people asking these questions right now seeing as A LOT of people will be needing an alternative email provider in light of recent events, am I missing something?
-
so after reading around some more one suggestion is https://www.vmail.me/en, but this needs java enabled to work properly.
Should I enable java in order to use this email provider?
think of what just happened. do you really want to enable java?
-
no i suppose not.. so the search continues!
-
Java is not JavaScript.
-
I have switched over to countermail after looking at a bunch of them...I have no review for them yet but they seem on their game.
mm
-
my bad - JavaScript!
thanks medicineman, I'll have a looky at countermail
-
hmm, looks like countermail isn't free
it's turning into a bit of a headache finding a new email provider right now. Think I'm gonna have to go with safe-mail.net as it's the only one i can find that's free and doesn't require javascript
-
shit, after searching around for threads on safe-mail all i hear is bad things. I really don't know what to do & have hit a big fat brick wall.
does anyone have any information on an email provider that has the following:
Free sign up
Tor friendly
Does not need javascript
I am, or want to be, a buyer & need the email for registration on localbitcoins. Without this last link in the chain I can't go ahead any further, as far as I can tell anyway.
would really appreciate some advice!
-
shit, after searching around for threads on safe-mail all i hear is bad things. I really don't know what to do & have hit a big fat brick wall.
You cannot rely on ANY third-party mail service. If you encrypt all your sensitive info (as you always have to do) and delete messages from the server ASAP then safe-mail will be fine.
The positive of safe-mail is that you don't need any javascript both to register and check mails and it works without issues with TOR. I use it myself atm until a better option comes out.
-
thanks BlackIris, you've put my mind at rest to a degree, I'll take your advice & go with it as the options are extremely limited at the moment.
-
hmm, looks like countermail isn't free
it's turning into a bit of a headache finding a new email provider right now. Think I'm gonna have to go with safe-mail.net as it's the only one i can find that's free and doesn't require javascript
Use Safe-Mail.net if you want, however be warned that they reportedly turn over information on suspected drug users to law-enforcement.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090 (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
-
Thanks nightcrawler, this was one of my concerns with safemail, it would prob be helpful if you could tell us what you use?
-
Use Safe-Mail.net if you want, however be warned that they reportedly turn over information on suspected drug users to law-enforcement.
If you encrypt your info how can they know you are a drug user? I wouldn't trust ANY third party to read my mail, not only safe-mail for that point.
I actually think that it would be very difficult (if not impossible) to find a clearnet mail site that would not give out your mails to officers in case of trouble, so that's not only an issue with safe-mail.
Just use good security and intelligence and you will be fine. Even in the case a service gives away your info to LE and you encrypted all communications, deleted old mails ASAP and use ToR you have nothing to worry about.
-
Use Safe-Mail.net if you want, however be warned that they reportedly turn over information on suspected drug users to law-enforcement.
If you encrypt your info how can they know you are a drug user? I wouldn't trust ANY third party to read my mail, not only safe-mail for that point.
I actually think that it would be very difficult (if not impossible) to find a clearnet mail site that would not give out your mails to officers in case of trouble, so that's not only an issue with safe-mail.
Just use good security and intelligence and you will be fine. Even in the case a service gives away your info to LE and you encrypted all communications, deleted old mails ASAP and use ToR you have nothing to worry about.
Yep. Pretty much what it comes down to. Though some may save your emails in a "recycle" bin for a time (maybe up to 30 days) even if you delete them. So PGP sensitive info.
If someone rats you out and you lose your email acct, you can just start another at the same place or another. As long as they are TOR friendly, they can be used. The email header will have your Tor IP addy.
If you're even more paranoid, use a VPN which you tunnel Tor traffic to.
-
Turns out Tormail was no safer from LE than safe-mail.net.
This is why I've always argued it doesn't matter which clearnet email provider you use, as long as you encrypt every email.
They can still get metadata about who you communicated with, and sometimes in aggregate that metadata can tell a story, but that will always be a risk as long as we are using email.
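What the metadata point above looks like from the mail server's side, as an added example that is not part of the original thread: the PGP body is opaque, but the headers still give who wrote to whom, when, and how often. The mailbox, the `.example` addresses and the function names are constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Placeholder for an armored PGP body; the server cannot read what is inside.
ARMOR = ("-----BEGIN PGP MESSAGE-----\n\n"
         "(ciphertext placeholder)\n"
         "-----END PGP MESSAGE-----\n")

def make(sender, rcpt, date, subject, body=ARMOR):
    """Build one constructed RFC 5322 message as it would sit on the server."""
    return f"From: {sender}\nTo: {rcpt}\nDate: {date}\nSubject: {subject}\n\n{body}"

# Constructed sample mailbox: three encrypted mails and one sent in plaintext.
MAILBOX = [
    make("alice@mail.example", "bob@mail.example", "Tue, 06 Aug 2013 16:35:00 +0000", "hi"),
    make("bob@mail.example", "alice@mail.example", "Wed, 07 Aug 2013 09:10:00 +0000", "Re: hi"),
    make("alice@mail.example", "bob@mail.example", "Fri, 09 Aug 2013 21:02:00 +0000", "Re: hi"),
    make("carol@other.example", "bob@mail.example", "Sat, 10 Aug 2013 08:00:00 +0000",
         "question", "plain text body\n"),
]

def server_view(raw):
    """Everything readable without any key: headers, plus whether the body is armored."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    return {
        "from": parseaddr(msg["From"])[1],
        "to": parseaddr(msg["To"])[1],
        "when": parsedate_to_datetime(msg["Date"]),
        "subject": msg["Subject"],
        "encrypted": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }

def correspondence_summary(raws):
    """Aggregate per correspondent pair: message count, first/last contact, plaintext count."""
    pairs = defaultdict(lambda: {"count": 0, "first": None, "last": None, "plaintext": 0})
    for view in map(server_view, raws):
        p = pairs[tuple(sorted((view["from"], view["to"])))]
        p["count"] += 1
        p["first"] = view["when"] if p["first"] is None else min(p["first"], view["when"])
        p["last"] = view["when"] if p["last"] is None else max(p["last"], view["when"])
        p["plaintext"] += 0 if view["encrypted"] else 1
    return dict(pairs)
```
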
-
Use Safe-Mail.net if you want, however be warned that they reportedly turn over information on suspected drug users to law-enforcement.
If you encrypt your info how can they know you are a drug user? I wouldn't trust ANY third party to read my mail, not only safe-mail for that point.
I actually think that it would be very difficult (if not impossible) to find a clearnet mail site that would not give out your mails to officers in case of trouble, so that's not only an issue with safe-mail.
You're right, Safe-Mail is not alone in that regard, far from it. That said, I was told some while back by someone I consider trustworthy, that Safe-Mail were doing this.
Now, you say, "If you encrypt your email how do they know you're a drug user?" Fair point. The problem is, how do you ensure that ALL your email coming into your account is encrypted? You have 100% control (barring accidents) of what _you_ do, but you have ZERO control over what other people do. If some bonehead sends you unencrypted email regarding drugs, there is nothing you can do to stop it, unless you take extraordinary measures (like using a nymserver) which is well beyond the capabilities of most people here. Remember, multiple vendors have stated over the last year or so that upwards of 80% of address information they receive is NOT encrypted.
Just use good security and intelligence and you will be fine. Even in the case a service gives away your info to LE and you encrypted all communications, deleted old mails ASAP and use ToR you have nothing to worry about.
If all your incoming traffic is encrypted (and anonymized to boot) then you have little to fear, even if your email is turned over to LEA. It has long been recognized that end-to-end encryption is the best protection; the problem is that so few people are willing to use it.
Nightcrawler
-
Turns out Tormail was no safer from LE than safe-mail.net.
Ironic, isn't it? It will be interesting to see what details come out at trial. I have a sneaking suspicion that they got to the FH owner because he was careless.
This is why I've always argued it doesn't matter which clearnet email provider you use, as long as you encrypt every email.
As I said to someone else, you can control what _you_ do, but you have no control over what someone else does. That's why I like nymservers -- they automatically encrypt all incoming email, and anonymize it to defeat relationship/traffic analysis.
They can still get metadata about who you communicated with, and sometimes in aggregate that metadata can tell a story, but that will always be a risk as long as we are using email.
Not if you use a nymserver. All Subject: lines are replaced with (No Subject) or a hashed value, and all senders are shown as Anonymous.
(The original information is still contained in the PGP envelope, so it is available when decrypted.)
Nightcrawler
-
Why would it matter what other people send you? There's no proof that you're involved? I get spam emails from porn sites acting as if the girl on the cam knows me from Facebook. Starts off with something like "Hey remember me? We chatted on Facebook 3 months ago? Remember I said I was moving near your town? Well I did it! It would be cool if we could link up..." Or some shit like that.
All the sender did is maybe fuck themselves over. Don't reply to it. If it leads to your account being banned, just start up a new one and don't let that idiot know about the new one.
I think people are getting a little too paranoid. The most important thing is protecting the real you and where the real you lives and making sure the dots to illegal shit don't connect back to the real you.
-
Not if you use a nymserver. All Subject: lines are replaced with (No Subject) or a hashed value, and all senders are shown as Anonymous.
(The original information is still contained in the PGP envelope, so it is available when decrypted.)
Yeah, but they are complicated to use compared to webmail or even a desktop mail client. I don't think they'll ever have wide adoption, so good luck finding parties to correspond with.
-
Ugh, since I never had much need to utilize TorMail for SR business, I think I'll just do without.
Another idea I had was possibly using the fake Yahoo! e-mail account I have that I use for cashing out, sub-account my vendor e-mail address or something. But it sounds iffy.
-
Bitmessage P2P client run through TOR seems interesting. Also a service that turns those messages into emails that is a .onion site: http://bitmailendavkbec.onion
Seems promising. Although I would still do my own PGP encryption.
-
Bitmessage P2P client run through TOR seems interesting. Also a service that turns those messages into emails that is a .onion site: http://bitmailendavkbec.onion
Seems promising. Although I would still do my own PGP encryption.
You should read this before you use it: https://bitmessage.org/forum/index.php/topic,1666.0.html
-
astor, I only understood a portion of the audit report. Though, can't all of that risk of the new/buggy tech be greatly limited by using the onion site, with the squirrel mail, that is the gateway to the bitmessage network for you and self pgp all communications?
-
Not if you use a nymserver. All Subject: lines are replaced with (No Subject) or a hashed value, and all senders are shown as Anonymous.
(The original information is still contained in the PGP envelope, so it is available when decrypted.)
Yeah, but they are complicated to use compared to webmail or even a desktop mail client. I don't think they'll ever have wide adoption, so good luck finding parties to correspond with.
Good luck finding parties to correspond with? Hardly. The nymserver doesn't require the other people that I correspond with to use PGP (or even be aware that PGP exists.) From the other parties' perspective, it's just another email address, like Tormail, or Lavabit, or what have you. The idea of using a nymserver is for _MY_ protection, not so much the other guy's. I used a Tormail account as a reply-block destination -- as a result, when the authorities attempt to read its contents, they will not be able to determine who was writing to me, or what about. The entire reason for using a nymserver is to protect oneself in the case of an email server compromise like what happened to Tormail.
Nightcrawler
-
subbing
-
It really is a bitch that LavaBit had to be destroyed in order to keep Snowden's info safe from the feds, but I admire that the LavaBit admin wouldn't be pressured to give in.
Anyway, as regards keeping your communications private I wouldn't feel safe connecting to an email site via clearnet. If the feds suspect that (for example) SellerX@safe-mail.net is the email account of someone selling narcotics, and they can get the admin of Safe-mail.net to hand over all records for the SellerX account then they'll see who the SellerX account has been communicating with. If SellerX is communicating with you, and the IP you were assigned can be traced to you IRL, then you may have a problem.
Even if the messages are encrypted and unable to be deciphered, there's still going to be a question about why you and a suspected seller are exchanging messages. That's why if you're emailing someone about a deal that could land you in jail, it's important to remain anonymous when connecting to the email account you use for that deal.
-
@CaptainSensible
That's why Silent Circle shut down their email service. As a protocol it isn't safe to use for sensitive communication.