Secure email?

[CheapestCocaine]

I cannot seem to find ANY email services that dont require javascript, at least to sign up. The only one that does work is safe-mail, but I have continuous problems with it to the point where its not even an option anymore. What other email service can I use that I can sign up with and use from Tor? Even hushmail requires java

[bookittymew]

http://torbox3uiot6wchz.onion

[orange]

Bitmessage.

Register here:  http://bitmailendavkbec.onion/register/
When you load the above page, all you have to do is enter a password and the system will assign you a long email address. Make sure you remember both the email address and password.

Login without javascript here:  http://bitmailendavkbec.onion/squirrelmail/src/login.php

This.

Depending on your requirements anonbox by the Chaos Computer Club (CLEARNET: https://anonbox.net/index.en.html) might also be an option.

[orange]

http://torbox3uiot6wchz.onion

Can I send email messages to people outside like gmail.com, yahoo.com?
No. You can only send and receive email to/from other users within TorBox service and the mail servers which relays email with us.

I am an email server administrator in TOR. How can we interchange email?
You have to add to your MTA a rule that all the email which destination is TorBox must be forwarded to torbox3uiot6wchz.onion and you must contact us (postmaster@torbox3uiot6wchz.onion) to add your domain in our MTA rules in order to correctly forward all the messages sent from TorBox to your domain.

Will you relay email to the internet in the future?
Yes. We are working on a secure and private way to relay email to and from internet. We mut be very careful to keep guaranteeing the privacy and security of our users, and ourselves.

Viable for darknet only communication for now.
I seriously hope they'll be doing clearnet relaying soon.

[CheapestCocaine]

Thank you guys. One more question, several people have given me their email, which is a gmail account. Is there a security threat here?

[orange]

Thank you guys. One more question, several people have given me their email, which is a gmail account. Is there a security threat here?

You don't want to show up in their address books even if they encrypt their messages to you and you encrypt yours:
(CLEARNET) http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html

Tell people to use a different email provider, to encrypt their mails with your key and to give you their public key. Don't accept orders from people not using PGP.

[Rastaman Vibration]

One more question, several people have given me their email, which is a gmail account. Is there a security threat here?

Just because its a gmail, doesnt automatically mean its insecure. Plenty of people use fake gmails.

If you do use it, make sure you PGP everything. I would keep the subject line blank too, thats one thing they can easily subpoena without a warrant (also address used to send said email). It would probably be good security practice to create a fresh email account to use just for communicating with gmails, if you feel up for the extra effort.

[red5]

You can use lelantos, so long as you use the Squirrelmail there is no javascript used at all

lelantoss7bcnwbv.onion

[Nightcrawler]

Thank you guys. One more question, several people have given me their email, which is a gmail account. Is there a security threat here?

You don't want to show up in their address books even if they encrypt their messages to you and you encrypt yours:
(CLEARNET) http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html

Tell people to use a different email provider, to encrypt their mails with your key and to give you their public key. Don't accept orders from people not using PGP.

Excellent advice, although I would hasten to point out that most of the large clearnet email providers, e.g. Yahoo, Gmail, Hotmail (or whatever they're calling themselves these days) are all in the same boat, in that the NSA is collecting address books from all of them.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

[OperationsSecurity(OPSEC)]

If you absolutely have to use email

http://www.trilightzone.org/securemail.html no javascript, takes litecoin/bitcoin and variety of offshore servers.
https://www.mutemail.com/ looks promising, at least no data retention. In Bahamas
https://www.neomailbox.net/ in Switzerland let's you make unlimited aliases, so always give out a new one to each customer, if they become psycho and try to spam you just cancel that alias.

Don't bother with Shinjiru, they are a partner of Hushmail

https://pond.imperialviolet.org/ is an email replacement, with forward secrecy. Problem is it's not audited and in alpha stage. What I like about it is you invite people to message you, so no spam, you can use PGP with it wrapped inside the PFS encryption, and it's decentralized but again not even close to being ready for use if privacy is crucial (it is on here)

[oracle]

Torbox : http://torbox3uiot6wchz.onion
in conjunction with PGP is rather secure.

You're welcome.

[jack2324]

I would say at this point (especially after Tormail fiasco, Lavabit, and the new Snowden leaks about email contacts) that you should use email only as needed and with PGP.  Anything you send via email you should automatically assume will have the NSA cc'd on.

[oracle]

Just to put some perspective on how important it is to use PGP in conjunction with a TOR based email service (or email accessed via TOR) -

(taken from the old Cypherpunks mailing list)

"..if we assume that the NSA can factor any number with the speed of the special number sieve, and has 10^9 mips of computing power (doubling every 1.5 years) we can make the following estimations:_1_

Using these assumptions, the NSA could crack a 1024 bit key in ~11 days, a 1536 bit key in 10 years and a 2048 bit key in 26 years. _2_ Note that this would require the full resources of the NSA, however. Thus, even the mighty resources of the NSA could only crack 42 1024 bit keys in 1996

Now, comes 4096 bit. It would take the combined processing power of every computer in the world thousands of years to crack 4096-bit encryption."

Personally I never use anything below 4096 bit PGP encryption. This is in addition to TOR.

Here's the rub (devils advocate) - PGP encrypted data with 4096 bit encryption could still be compromised within seconds. How? Human stupidity. Easy pass-phrase, written down pass-phrase, re-used pass-phrase (lets say you use the same password to access your Gmail. If you're under such heavy scrutiny that some government is diverting resources and funds to find a way to see what you don't want them to see.. they WILL get your Gmail/Facebook/Hotmail/Twitter passwords one way or the other. And they will try those first. So don't), key-loggers, cameras, whatever. And if you're just so important.. then who knows, even thermal/heat detection technology to capture your finger movements on your keyboard from a short distance.
Not to mention decrypting and leaving the plain text lying around/saved...

(I'm by no means an expert in computer security, cryptography, RSA, password entropy etc.. but these stats are pretty basic).

Trust the technology, but never trust the weak link - the user.

tl;dr - no such thing as "secure email". use 4096 bit PGP for anything "secure" and don't fuck around with pass-phrases


edit: shitty grammar

[oracle]

Yes, should be. Even non personal information should probably be encrypted. Doesn't take any more time on your part.. and you would be amazed the kind of identifiers even seemingly 'non personal information' might potentially reveal.

Your scenario is an acceptable method given both your safe-mail password is complex, your PGP password is extremely complex.

There's no point in even starting an email with "Hi.. sorry I've been busy with work/family (whatever). Here's my address and shipping information -----BEGIN PGP MESSAGE----- etc"

It should be more like:
-----BEGIN PGP MESSAGE-----..etc  and nothing else. Encrypt your pleasantries.. you'll be better served.

[oracle]

By 'thing' I hope you're referring to safe-mail. PGP should be used religiously on the new SR server messaging system regardless.

Remember on the previous site.. many vendors would insist or demand that only sensitive messages be encrypted, and that they don't have the time to decrypt non sensitive information. Frankly, my advice is to ignore that and explain that you will only be using PGP. Even an "are you in stock?" should be encrypted IMHO.

A few extra seconds of a vendor's oh-so-precious time is not something you should accommodate at the expense of your own security. Always assume that any communication can be read and analyzed at any point in time present or future.

[oracle]

Or send an encrypted message with a privnote link to another encrypted message. Wouldn't be the first time.

[palmergbl]

here is a list and I quess those email provider might be considered safe: http://prxbx.com/email/  ...although always use PGP

[Wonton]

For no javascript on tor only choice is lelantos email if you want to reach clearnet users have to pay a few bitcents though

For no javascript on clearnet free bitmessage.ch just have to register an alias so others can reach you easily

[orange]

For no javascript on tor only choice is lelantos email if you want to reach clearnet users have to pay a few bitcents though

For no javascript on clearnet free bitmessage.ch just have to register an alias so others can reach you easily

Bitmessage is accessible via TOR as well:
http://bitmailendavkbec.onion

[Nightcrawler]

And so how would you propose sending encrypted messages? People trusted SilkRoad the online drug market to keep their messages from the hands of LE, and they have an image of most if not all of those messages encrypted or not...

Anyone who trusted the Silk Road messaging system to keep their messages out of the hands of the Feds was (and is) a fool. The entire point of using PGP was to protect the message traffic in the event of server compromise.  Even PGP-encrypted messages are subject to compromise should one of the communicating parties be apprehended, and their computer(s) seized.  Even if you were to have PGP-encrypted some messages to Ross/DPR, now that he is in custody, you have to presume that the Feds have access to his PGP keyring(s) including his private keyring. Given his other security lapses, and weak PGP skills, it is unlikely that he chose a strong passphrase to protect his private PGP key(s).  Accordingly, people should assume that any correspondence with Ross/DPR, even PGP-encrypted, is now compromised.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B
 

[ModernLove]

Even when vendors strongly recommend or insist on buyers using PGP, often buyers do not. So how can vendors protect themselves? If someone sends me an unencrypted message with incriminating info, I don't even know it's unencrypted until I open it. And then there it is on the servers, waiting to be read by the feds. Even if I don't reply, the damage is already done. Sorry, I know this does not address the thread's original topic.

[SaLuS]

I have found lelantos lelantoss7bcnwbv.onion
ITs very simial to tormail, they ask you for a 0,05 fee for a lifetime subscription. However you are suggested to encrypt sensitive information.

[Wonton]

For no javascript on tor only choice is lelantos email if you want to reach clearnet users have to pay a few bitcents though

For no javascript on clearnet free bitmessage.ch just have to register an alias so others can reach you easily

Bitmessage is accessible via TOR as well:
http://bitmailendavkbec.onion

Was listing traditional email services. Bitmessage is preferred and should only be accessed by tor of course but many just want email.

[XDFM]

anybody can set up a hidden service, it can be just a much of a honeypot as it is a safe haven. considering tormail is down everybody needs to go some where. it would be just the perfect chance for more honeypots, be suspect of everything. always use PGP.

[OperationsSecurity(OPSEC)]

Even when vendors strongly recommend or insist on buyers using PGP, often buyers do not. So how can vendors protect themselves? If someone sends me an unencrypted message with incriminating info, I don't even know it's unencrypted until I open it. And then there it is on the servers, waiting to be read by the feds. Even if I don't reply, the damage is already done. Sorry, I know this does not address the thread's original topic.

Yep, and buyers drop opsec all the time "HEY I GOT THAT LETTER FROM JERSEY BUT blah blah blah"
What you need is a box for them to free-type their idiocy and it automatically encrypts with your key, and is only accessible over Tor. https://globaleaks.org/ and https://github.com/ZeitOnline/briefkasten are good candidates.

[Milkdud]

bitmessage is the least anonymous form of email. it works like bitcoin in that everyone has a copy of everything. sure use pgp but then whats the point of using a shit address like bitmessages 98jf0823f982j3f82u3f98j239fj823@bitmessage

[Wonton]

bitmessage is the least anonymous form of email. it works like bitcoin in that everyone has a copy of everything. sure use pgp but then whats the point of using a shit address like bitmessages 98jf0823f982j3f82u3f98j239fj823@bitmessage

sorry sir you are not correct, all bitmessages are encrypted and only the recipient can read a message from a sender. Once a message is sent the sender can not even decrypt.

yes all messages are stored in the messages.dat file then deleted after two days but only recipient can read a message

encryption bitmessage uses is 4X stronger than 4096 bit RSA, no need to use PGP with bitmessage, that is the beauty of the protocol