Author Topic: Secure email?  (Read 686 times)

CheapestCocaine

  • Vendor
  • Full Member
  • *****
  • Posts: 152
  • Karma: +12/-13
Secure email?
« on: October 15, 2013, 08:15:05 pm »
I cannot seem to find ANY email services that don't require javascript, at least to sign up. The only one that does work is safe-mail, but I have continuous problems with it to the point where it's not even an option anymore. What other email service can I use that I can sign up with and use from Tor? Even hushmail requires java
« Last Edit: October 15, 2013, 08:37:58 pm by CheapestCocaine »
You want coke? I have it. Fire goddamn fish scale, about $92/g.

Will ship international with FE at buyers risk. Shipped intl many times and never lost to seizures. Will make exceptions with loyal aussies.

bookittymew

  • Full Member
  • ***
  • Posts: 197
  • Karma: +10/-24
Re: Secure email?
« Reply #1 on: October 15, 2013, 09:01:31 pm »
http://torbox3uiot6wchz.onion

orange

  • Jr. Member
  • **
  • Posts: 90
  • Karma: +3/-6
Re: Secure email?
« Reply #2 on: October 15, 2013, 09:03:52 pm »
Bitmessage.

Register here:  http://bitmailendavkbec.onion/register/
When you load the above page, all you have to do is enter a password and the system will assign you a long email address. Make sure you remember both the email address and password.

Login without javascript here:  http://bitmailendavkbec.onion/squirrelmail/src/login.php

This.

Depending on your requirements anonbox by the Chaos Computer Club (CLEARNET: https://anonbox.net/index.en.html) might also be an option.
As usual: Just saying.

orange

  • Jr. Member
  • **
  • Posts: 90
  • Karma: +3/-6
Re: Secure email?
« Reply #3 on: October 15, 2013, 09:07:46 pm »
http://torbox3uiot6wchz.onion

Quote
Can I send email messages to people outside like gmail.com, yahoo.com?
No. You can only send and receive email to/from other users within TorBox service and the mail servers which relay email with us.

I am an email server administrator in TOR. How can we interchange email?
You have to add to your MTA a rule that all the email whose destination is TorBox must be forwarded to torbox3uiot6wchz.onion and you must contact us (postmaster@torbox3uiot6wchz.onion) to add your domain in our MTA rules in order to correctly forward all the messages sent from TorBox to your domain.

Will you relay email to the internet in the future?
Yes. We are working on a secure and private way to relay email to and from internet. We must be very careful to keep guaranteeing the privacy and security of our users, and ourselves.

Viable for darknet only communication for now.
I seriously hope they'll be doing clearnet relaying soon.
As usual: Just saying.

CheapestCocaine

  • Vendor
  • Full Member
  • *****
  • Posts: 152
  • Karma: +12/-13
Re: Secure email?
« Reply #4 on: October 15, 2013, 09:51:10 pm »
Thank you guys. One more question, several people have given me their email, which is a gmail account. Is there a security threat here?
You want coke? I have it. Fire goddamn fish scale, about $92/g.

Will ship international with FE at buyers risk. Shipped intl many times and never lost to seizures. Will make exceptions with loyal aussies.

orange

  • Jr. Member
  • **
  • Posts: 90
  • Karma: +3/-6
Re: Secure email?
« Reply #5 on: October 15, 2013, 10:03:24 pm »
Thank you guys. One more question, several people have given me their email, which is a gmail account. Is there a security threat here?

You don't want to show up in their address books even if they encrypt their messages to you and you encrypt yours:
(CLEARNET) http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html

Tell people to use a different email provider, to encrypt their mails with your key and to give you their public key. Don't accept orders from people not using PGP.
As usual: Just saying.

Rastaman Vibration

  • Hero Member
  • *****
  • Posts: 604
  • Karma: +102/-11
  • ...Babylon makes the Rules...
Re: Secure email?
« Reply #6 on: October 15, 2013, 11:36:35 pm »
One more question, several people have given me their email, which is a gmail account. Is there a security threat here?

Just because it's a gmail, doesn't automatically mean it's insecure. Plenty of people use fake gmails.

If you do use it, make sure you PGP everything. I would keep the subject line blank too, that's one thing they can easily subpoena without a warrant (also address used to send said email). It would probably be good security practice to create a fresh email account to use just for communicating with gmails, if you feel up for the extra effort.
« Last Edit: October 15, 2013, 11:41:49 pm by Rastaman Vibration »
“One has a moral responsibility to disobey unjust laws.” - Dr. Martin Luther King Jr.

Join the Revolution. Teach someone PGP!

Microdosing LSD (and other psychedelic substances)  => http://silkroad5v7dywlc/index.php?topic=626.0

red5

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +9/-2
Re: Secure email?
« Reply #7 on: October 15, 2013, 11:45:23 pm »

You can use lelantos, so long as you use the Squirrelmail there is no javascript used at all

lelantoss7bcnwbv.onion

Nightcrawler

  • Hero Member
  • *****
  • Posts: 1127
  • Karma: +292/-28
Re: Secure email?
« Reply #8 on: October 16, 2013, 01:03:56 am »
Thank you guys. One more question, several people have given me their email, which is a gmail account. Is there a security threat here?

You don't want to show up in their address books even if they encrypt their messages to you and you encrypt yours:
(CLEARNET) http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html

Tell people to use a different email provider, to encrypt their mails with your key and to give you their public key. Don't accept orders from people not using PGP.

Excellent advice, although I would hasten to point out that most of the large clearnet email providers, e.g. Yahoo, Gmail, Hotmail (or whatever they're calling themselves these days) are all in the same boat, in that the NSA is collecting address books from all of them.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

OperationsSecurity(OPSEC)

  • Jr. Member
  • **
  • Posts: 94
  • Karma: +11/-3
  • Learn OPSEC
Re: Secure email?
« Reply #9 on: October 16, 2013, 01:55:39 am »
If you absolutely have to use email

http://www.trilightzone.org/securemail.html no javascript, takes litecoin/bitcoin and variety of offshore servers.
https://www.mutemail.com/ looks promising, at least no data retention. In Bahamas
https://www.neomailbox.net/ in Switzerland lets you make unlimited aliases, so always give out a new one to each customer, if they become psycho and try to spam you just cancel that alias.

Don't bother with Shinjiru, they are a partner of Hushmail

https://pond.imperialviolet.org/ is an email replacement, with forward secrecy. Problem is it's not audited and in alpha stage. What I like about it is you invite people to message you, so no spam, you can use PGP with it wrapped inside the PFS encryption, and it's decentralized but again not even close to being ready for use if privacy is crucial (it is on here)
« Last Edit: October 16, 2013, 02:02:34 am by OperationsSecurity(OPSEC) »
Learn Counter Surveillance, CI, OPSEC and Tradecraft
http://grugq.github.io/resources/

oracle

  • Full Member
  • ***
  • Posts: 203
  • Karma: +64/-36
Re: Secure email?
« Reply #10 on: October 16, 2013, 07:15:42 am »
Torbox : http://torbox3uiot6wchz.onion
in conjunction with PGP is rather secure.

You're welcome.
if this account of mine goes "incommunicado" - I can be reached at oracles@safe-mail.net

jack2324

  • Newbie
  • *
  • Posts: 9
  • Karma: +0/-0
Re: Secure email?
« Reply #11 on: October 16, 2013, 08:11:33 am »
I would say at this point (especially after Tormail fiasco, Lavabit, and the new Snowden leaks about email contacts) that you should use email only as needed and with PGP.  Anything you send via email you should automatically assume will have the NSA cc'd on.

oracle

  • Full Member
  • ***
  • Posts: 203
  • Karma: +64/-36
Re: Secure email?
« Reply #12 on: October 16, 2013, 08:44:08 am »
Just to put some perspective on how important it is to use PGP in conjunction with a TOR based email service (or email accessed via TOR) -

(taken from the old Cypherpunks mailing list)

"..if we assume that the NSA can factor any number with the speed of the special number sieve, and has 10^9 mips of computing power (doubling every 1.5 years) we can make the following estimations:

Using these assumptions, the NSA could crack a 1024 bit key in ~11 days, a 1536 bit key in 10 years and a 2048 bit key in 26 years. Note that this would require the full resources of the NSA, however. Thus, even the mighty resources of the NSA could only crack 42 1024 bit keys in 1996.

Now, comes 4096 bit. It would take the combined processing power of every computer in the world thousands of years to crack 4096-bit encryption."

Personally I never use anything below 4096 bit PGP encryption. This is in addition to TOR.

Here's the rub (devil's advocate) - PGP encrypted data with 4096 bit encryption could still be compromised within seconds. How? Human stupidity. Easy pass-phrase, written down pass-phrase, re-used pass-phrase (let's say you use the same password to access your Gmail. If you're under such heavy scrutiny that some government is diverting resources and funds to find a way to see what you don't want them to see.. they WILL get your Gmail/Facebook/Hotmail/Twitter passwords one way or the other. And they will try those first. So don't), key-loggers, cameras, whatever. And if you're just so important.. then who knows, even thermal/heat detection technology to capture your finger movements on your keyboard from a short distance.
Not to mention decrypting and leaving the plain text lying around/saved...

(I'm by no means an expert in computer security, cryptography, RSA, password entropy etc.. but these stats are pretty basic).

Trust the technology, but never trust the weak link - the user.

tl;dr - no such thing as "secure email". use 4096 bit PGP for anything "secure" and don't fuck around with pass-phrases


edit: shitty grammar

« Last Edit: October 16, 2013, 08:46:26 am by oracle »
if this account of mine goes "incommunicado" - I can be reached at oracles@safe-mail.net
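
Added example (not part of the thread or of the quoted Cypherpunks text): the quoted estimate carried through with the heuristic number field sieve cost formula. It assumes one instruction per unit of sieve cost and drops the o(1) term, so the results are order-of-magnitude only; the function and constant names are ours.

```python
import math

# Heuristic number field sieve cost:
#   L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
# The o(1) term is dropped, so results are order-of-magnitude only.
SNFS_C = (32 / 9) ** (1 / 3)  # special number field sieve (the quote's assumption)
GNFS_C = (64 / 9) ** (1 / 3)  # general number field sieve (applies to RSA moduli)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def work_bits(modulus_bits, c=GNFS_C):
    """Return log2 of the heuristic sieve cost for a modulus of this size."""
    ln_n = modulus_bits * math.log(2)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def years_to_factor(modulus_bits, c=SNFS_C, mips=1e9, doubling_years=1.5):
    """Years until an attacker starting at `mips` has accumulated the work.

    Assumption (ours): one instruction per unit of sieve cost.
    With doubling_years=None the attacker's capacity stays constant.
    """
    ops = 2.0 ** work_bits(modulus_bits, c)
    static_years = ops / (mips * 1e6) / SECONDS_PER_YEAR
    if doubling_years is None:
        return static_years
    # Capacity grows as 2^(t/d); its integral over [0, T] is
    # k * (2^(T/d) - 1) with k = d / ln 2. Solve that for T.
    k = doubling_years / math.log(2)
    return doubling_years * math.log2(static_years / k + 1)


if __name__ == "__main__":
    for bits in (1024, 1536, 2048, 4096):
        print(f"{bits:5d} bits: SNFS 2^{work_bits(bits, SNFS_C):5.1f}  "
              f"GNFS 2^{work_bits(bits, GNFS_C):5.1f}  "
              f"{years_to_factor(bits):8.2f} years (SNFS, capacity doubling)")
```

With the quote's inputs (special sieve speed, 10^9 mips, doubling every 1.5 years) this gives about 6 days, 9 years and 25 years for 1024, 1536 and 2048 bits.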

oracle

  • Full Member
  • ***
  • Posts: 203
  • Karma: +64/-36
Re: Secure email?
« Reply #13 on: October 16, 2013, 09:51:13 am »
Yes, should be. Even non personal information should probably be encrypted. Doesn't take any more time on your part.. and you would be amazed the kind of identifiers even seemingly 'non personal information' might potentially reveal.

Your scenario is an acceptable method given both your safe-mail password is complex, your PGP password is extremely complex.

There's no point in even starting an email with "Hi.. sorry I've been busy with work/family (whatever). Here's my address and shipping information -----BEGIN PGP MESSAGE----- etc"

It should be more like:
-----BEGIN PGP MESSAGE-----..etc  and nothing else. Encrypt your pleasantries.. you'll be better served.
if this account of mine goes "incommunicado" - I can be reached at oracles@safe-mail.net
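
Added example (not part of the thread): what stays readable in a PGP-encrypted mail, covering the subject-line and sender-address point in Reply #6 and the text-outside-the-armor point in Reply #13. The message, addresses and armor contents are constructed, the function names are ours, and only single-part text mail is handled.

```python
from email import message_from_string
from email.utils import getaddresses

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"

# Constructed sample message; the armored data is a placeholder, not real ciphertext.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: invoice for March
Date: Wed, 16 Oct 2013 09:51:13 +0000
Message-ID: <constructed-1@example.org>

Hi, sorry for the delay. Details below.

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkU2FtcGxl
=AbCd
-----END PGP MESSAGE-----
"""


def plaintext_exposure(raw):
    """Report everything in a single-part mail that PGP does not cover."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    start, end = body.find(BEGIN), body.find(END)
    armored = start != -1 and end > start
    if armored:
        # Anything before or after the armor block travels in the clear.
        outside = (body[:start] + body[end + len(END):]).strip()
    else:
        outside = body.strip()
    parties = (msg.get_all("From", []) + msg.get_all("To", [])
               + msg.get_all("Cc", []))
    return {
        "addresses": sorted({addr for _, addr in getaddresses(parties)}),
        "subject": msg.get("Subject", ""),
        "date": msg.get("Date"),
        "armored": armored,
        "cleartext_body": outside,
    }


def only_routing_metadata(report):
    """True when nothing but the unavoidable routing headers is readable."""
    return (report["armored"] and not report["subject"]
            and not report["cleartext_body"])


if __name__ == "__main__":
    for key, value in plaintext_exposure(SAMPLE).items():
        print(f"{key}: {value!r}")
```

Even when `only_routing_metadata` returns True, the addresses and date are still in the report: the headers are needed for delivery and PGP leaves them in the clear.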

oracle

  • Full Member
  • ***
  • Posts: 203
  • Karma: +64/-36
Re: Secure email?
« Reply #14 on: October 16, 2013, 10:01:30 am »
By 'thing' I hope you're referring to safe-mail. PGP should be used religiously on the new SR server messaging system regardless.

Remember on the previous site.. many vendors would insist or demand that only sensitive messages be encrypted, and that they don't have the time to decrypt non sensitive information. Frankly, my advice is to ignore that and explain that you will only be using PGP. Even an "are you in stock?" should be encrypted IMHO.

A few extra seconds of a vendor's oh-so-precious time is not something you should accommodate at the expense of your own security. Always assume that any communication can be read and analyzed at any point in time present or future.
if this account of mine goes "incommunicado" - I can be reached at oracles@safe-mail.net

oracle

  • Full Member
  • ***
  • Posts: 203
  • Karma: +64/-36
Re: Secure email?
« Reply #15 on: October 16, 2013, 10:10:45 am »
Or send an encrypted message with a privnote link to another encrypted message. Wouldn't be the first time.
if this account of mine goes "incommunicado" - I can be reached at oracles@safe-mail.net

palmergbl

  • Jr. Member
  • **
  • Posts: 67
  • Karma: +1/-1
Re: Secure email?
« Reply #16 on: October 17, 2013, 11:04:18 am »
here is a list and I guess those email providers might be considered safe: http://prxbx.com/email/  ...although always use PGP

Wonton

  • Full Member
  • ***
  • Posts: 126
  • Karma: +11/-2
Re: Secure email?
« Reply #17 on: October 18, 2013, 05:07:06 pm »
For no javascript on tor only choice is lelantos email if you want to reach clearnet users have to pay a few bitcents though

For no javascript on clearnet free bitmessage.ch just have to register an alias so others can reach you easily

orange

  • Jr. Member
  • **
  • Posts: 90
  • Karma: +3/-6
Re: Secure email?
« Reply #18 on: October 18, 2013, 06:21:30 pm »
For no javascript on tor only choice is lelantos email if you want to reach clearnet users have to pay a few bitcents though

For no javascript on clearnet free bitmessage.ch just have to register an alias so others can reach you easily

Bitmessage is accessible via TOR as well:
http://bitmailendavkbec.onion
As usual: Just saying.

Nightcrawler

  • Hero Member
  • *****
  • Posts: 1127
  • Karma: +292/-28
Re: Secure email?
« Reply #19 on: October 18, 2013, 09:34:38 pm »
And so how would you propose sending encrypted messages? People trusted SilkRoad the online drug market to keep their messages from the hands of LE, and they have an image of most if not all of those messages encrypted or not...

Anyone who trusted the Silk Road messaging system to keep their messages out of the hands of the Feds was (and is) a fool. The entire point of using PGP was to protect the message traffic in the event of server compromise.  Even PGP-encrypted messages are subject to compromise should one of the communicating parties be apprehended, and their computer(s) seized.  Even if you were to have PGP-encrypted some messages to Ross/DPR, now that he is in custody, you have to presume that the Feds have access to his PGP keyring(s) including his private keyring. Given his other security lapses, and weak PGP skills, it is unlikely that he chose a strong passphrase to protect his private PGP key(s).  Accordingly, people should assume that any correspondence with Ross/DPR, even PGP-encrypted, is now compromised.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B
 

« Last Edit: October 18, 2013, 09:42:20 pm by Nightcrawler »

ModernLove

  • Vendor
  • Sr. Member
  • *****
  • Posts: 291
  • Karma: +57/-8
  • Come for the revolution; stay for the drama!
Re: Secure email?
« Reply #20 on: October 18, 2013, 10:00:05 pm »
Even when vendors strongly recommend or insist on buyers using PGP, often buyers do not. So how can vendors protect themselves? If someone sends me an unencrypted message with incriminating info, I don't even know it's unencrypted until I open it. And then there it is on the servers, waiting to be read by the feds. Even if I don't reply, the damage is already done. Sorry, I know this does not address the thread's original topic.
Alternate Contact: modernlove@safe-mail.net
Please, encrypted messages only. Public key in forum profile.

SR Vendor Page: http://silkroad6ownowfk.onion/users/modernlove

SaLuS

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
Re: Secure email?
« Reply #21 on: October 21, 2013, 12:13:49 am »
I have found lelantos lelantoss7bcnwbv.onion
It's very similar to tormail, they ask you for a 0,05 fee for a lifetime subscription. However you are suggested to encrypt sensitive information.

Wonton

  • Full Member
  • ***
  • Posts: 126
  • Karma: +11/-2
Re: Secure email?
« Reply #22 on: October 21, 2013, 05:27:03 pm »
For no javascript on tor only choice is lelantos email if you want to reach clearnet users have to pay a few bitcents though

For no javascript on clearnet free bitmessage.ch just have to register an alias so others can reach you easily

Bitmessage is accessible via TOR as well:
http://bitmailendavkbec.onion

Was listing traditional email services. Bitmessage is preferred and should only be accessed by tor of course but many just want email.

XDFM

  • Newbie
  • *
  • Posts: 11
  • Karma: +2/-1
Re: Secure email?
« Reply #23 on: October 22, 2013, 01:34:08 am »
anybody can set up a hidden service, it can be just as much of a honeypot as it is a safe haven. considering tormail is down everybody needs to go somewhere. it would be just the perfect chance for more honeypots, be suspect of everything. always use PGP.

OperationsSecurity(OPSEC)

  • Jr. Member
  • **
  • Posts: 94
  • Karma: +11/-3
  • Learn OPSEC
    • View Profile
    • Personal Message (Offline)
Re: Secure email?
« Reply #24 on: October 22, 2013, 01:40:34 am »
Even when vendors strongly recommend or insist on buyers using PGP, often buyers do not. So how can vendors protect themselves? If someone sends me an unencrypted message with incriminating info, I don't even know it's unencrypted until I open it. And then there it is on the servers, waiting to be read by the feds. Even if I don't reply, the damage is already done. Sorry, I know this does not address the thread's original topic.

Yep, and buyers drop opsec all the time "HEY I GOT THAT LETTER FROM JERSEY BUT blah blah blah"
What you need is a box for them to free-type their idiocy and it automatically encrypts with your key, and is only accessible over Tor. https://globaleaks.org/ and https://github.com/ZeitOnline/briefkasten are good candidates.
Learn Counter Surveillance, CI, OPSEC and Tradecraft
http://grugq.github.io/resources/

Milkdud

  • Jr. Member
  • **
  • Posts: 93
  • Karma: +6/-49
Re: Secure email?
« Reply #25 on: October 22, 2013, 01:42:10 am »
bitmessage is the least anonymous form of email. it works like bitcoin in that everyone has a copy of everything. sure use pgp but then what's the point of using a shit address like bitmessages 98jf0823f982j3f82u3f98j239fj823@bitmessage

Wonton

  • Full Member
  • ***
  • Posts: 126
  • Karma: +11/-2
    • View Profile
    • Personal Message (Offline)
Re: Secure email?
« Reply #26 on: October 22, 2013, 03:53:24 am »
bitmessage is the least anonymous form of email. it works like bitcoin in that everyone has a copy of everything. sure use pgp but then what's the point of using a shit address like bitmessages 98jf0823f982j3f82u3f98j239fj823@bitmessage

sorry sir you are not correct, all bitmessages are encrypted and only the recipient can read a message from a sender. Once a message is sent the sender can not even decrypt.

yes all messages are stored in the messages.dat file then deleted after two days but only recipient can read a message

encryption bitmessage uses is 4X stronger than 4096 bit RSA, no need to use PGP with bitmessage, that is the beauty of the protocol