Silk Road forums
Discussion => Security => Topic started by: astor on August 20, 2013, 07:58 am
-
Just came across this:
>>> This isn't gonna cut it. A Tormail replacement that's any good,
>>> that's reliable, that's censorship-resistant, that's hardened ...
>>> that will require professionals to set it up.
I don't want to imply that we are professionals, but we will soon run a
mail gateway for .onions.
The idea is that you can email @xyz.onion.to, and the mail gateway will
forward the mail to @xyz.onion. The gateway will only accept PGP mails,
and I'm thinking about enforcing TLS.
For the other way round, xyz.onion will be able to register and receive
a passphrase. With the passphrase, xyz.onion will be able to relay/send
emails as @xyz.onion.to. The gateway will also rewrite outgoing
@xyz.onion to @xyz.onion.to.
Maybe we should use client certificates instead.
Another open question is what we should do with headers. At the moment,
the configuration file (onion_anonymize_headers) explicitly removes
User-Agent, X-Enigmail, X-Mailer and X-Originating-IP, whitelists
((Resent-)?From|To|Cc|Date|Return-Path|Message-ID|Reply-To|Bcc), and
then throws away any other header. This is obviously not the final
configuration. If anyone wants to contribute, feel welcome.
I hope that with the modified torsocks that has an option to only torify
.onion I can simply put it in front of postfix and be done. We'll see.
I invite everyone to contribute to the postfix configuration, and,
eventually, to run more mail gateways.
https://github.com/moba/tor2mail
No documentation yet, but I will make it ready before we launch.
That's a message to the tor-talk mailing list by the guy who runs Torservers, so he's not some clueless newb with pie in the sky goals that are abandoned half way through development (like Bitwasp). Someone still needs to run a hidden service email server, but that's the easier part. Interfacing with clearnet anonymously was the hard part that Tormail solved before.
Interestingly, a Tor-only email server already exists:
http://365u4txyqfy72nul.onion/mail/
http://365u4txyqfy72nul.onion/wmail/notice.html
So the pieces are in place, if this mail gateway could send messages to the TSZ mail server, we effectively have a Tormail replacement.
What I really like is that they will scan and discard emails that are non PGP encrypted.
-
Just came across this:
What I really like is that they will scan and discard emails that are non PGP encrypted.
Personally I think that's pretty anti-intelligent user oriented. Anyone with half a brain would PGP incriminating or otherwise revealing information, if the website verified that you knew how to use PGP like onion bank used to do before the FH massacre then I have a feeling that it would have good results while not forcing someone to encrypt to even users who they are having innocent conversations with.
This sort of handholding is something that we don't need. If a user cares about their privacy they will learn PGP and use it. If they do not care about their privacy and just unconciously say, "You know this whole privacy thing is a lot of work....I think i'll just take the jail time" then let them. Social darwinism will unfortunately run it's course regardless of how much PGP they are forcefed.
-
Thanks for this post astor. I was wondering why it seemed that tormail was the only .onion mail service, and this explains.
Likewise, I'm sure you've heard it before, but thanks for all the great posts you put up here on the SR forum. Your posts have been nothing short of a treasure trove of great information.
-
clever setup
-
@Psyche
Maybe this is less about forcing users to use PGP but more about preventing the FBI/NSA harrassing him. If he can't decrypt the emails there is no point in targeting him.
-
Astor you really are a fucking angel....a brilliant brilliant little angel aren't you? come here and let me squeeze you
Ryno
-
where is the login page of http://365u4txyqfy72nul.onion/mail/ ?
-
where is the login page of http://365u4txyqfy72nul.onion/mail/ ?
From the looks of it, there's no webmail. just pop and imap.
-
@Psyche
Maybe this is less about forcing users to use PGP but more about preventing the FBI/NSA harrassing him. If he can't decrypt the emails there is no point in targeting him.
Good point. Oh, also: subbing.
-
@Psyche
Maybe this is less about forcing users to use PGP but more about preventing the FBI/NSA harrassing him. If he can't decrypt the emails there is no point in targeting him.
I believe that is exactly why they want to drop all unencrypted emails.
where is the login page of http://365u4txyqfy72nul.onion/mail/ ?
From the looks of it, there's no webmail. just pop and imap.
It's the second link I posted: http://365u4txyqfy72nul.onion/wmail/notice.html
I like that they put the Postfix configuration files on Github, so anyone can run a gateway. There could be multiple gateways relaying for multiple hidden service email providers, so there isn't a central point of failure like Tormail.
-
whats wrong with bitmessage? tor only and can be used tor-clearnet in browser.
-
whats wrong with bitmessage? tor only and can be used tor-clearnet in browser.
bitmessage cannot send email to other non bitmessagge email address, and canote received too
-
@astor..
i believe it is time for us to touch one another..
i have waited long enough for you..
<3<3
/thumbs
-
whats wrong with bitmessage? tor only and can be used tor-clearnet in browser.
bitmessage cannot send email to other non bitmessagge email address, and canote received too
yes it can.
https://bitmessage.ch/
-
There is webmail I believe. The link for login is:
http://365u4txyqfy72nul.onion/wmail/
-
whats wrong with bitmessage? tor only and can be used tor-clearnet in browser.
bitmessage cannot send email to other non bitmessagge email address, and canote received too
yes it can.
https://bitmessage.ch/
This is awesome! As good a replacement to Tormail that you'll find right now.
-
subbed
-
subbing for later read