Quote from: sony111 on July 31, 2011, 07:18 pmSafemail will show your ip-address in the headerNo it won't. See further below: the full headers of test and reponse I just performed.EDIT: I assumed you meant your real IP address. If you meant your TOR exit node IP address, well of course every email header contains the initiating address, that's part of the RFC. The point is, if you are using TOR properly with any email provider, your REAL IP address is safe. Emphasis on the PROPERLY part.Quote from: sony111 on July 31, 2011, 07:18 pmtheir encryption is likely backdoored, as with hushmail etc.Exactly. You better believe their encryption is back-doored.Sites like safe-mail and hushmail are offering you security from an 'outside attacker' gaining access to your email. Government agencies aren't outside attackers.Anyways, the tests. Running TOR with malicious javascript hooks disabled, of course, and noscript, on a windows boxen.In neither email is anything close to my real IP revealed, merely the exit nodes used.email addy's have been changed to protect the innocent, but nothing else.One email is from an external hotmail account to safe-mail, and the other is forwarded from within safe-mail to another safe-mail account.There is about an eight minute difference between them as I took the time to set up a second safe-mail test account to forward to.QuoteFrom xxtestxxaccountxx@safe-mail.net Sun, 31 Jul 2011 15:33:30 -0400Received: from gefen.safe-mail.net ([192.168.13.74])by tapuz.safe-mail.net with smlocal (smtas 1.2);Sun, 31 Jul 2011 15:33:38 -0400DomainKey-Status: not-signed (failed-get-policy)X-SMTests: G00nmp0i0b0ar00uReceived: from mailout-us.gmx.com ([74.208.5.67])by gefen.safe-mail.net with esmtp (smtpd 1.0)id N1G-4qyJM5JTl4for xxtestxxaccountxx@hotmail.live.com; Sun, 31 Jul 2011 15:33:30 -0400Received-SPF: no-spfReceived: (qmail 24710 invoked by uid 0); 31 Jul 2011 19:33:30 -0000Received: from 78.31.70.182 by rms-us017 with HTTPContent-Type: multipart/alternative;boundary="========GMXBoundary53781312140810100682"Date: Sun, 31 Jul 2011 19:33:28 +0000From: xxtestxxaccountxx@safe-mail.netMessage-ID: <20110731193330.53780@gmx.com>MIME-Version: 1.0Subject: HeadersTo: xxtestxxaccountxx@hotmail.live.comX-Authenticated: #118378635X-Flags: 0001X-Mailer: GMX.com Web Mailerx-registered: 0X-GMX-UID: O5wTZiuyiDz7bqN0ZGxpq5drZml1ZFiU--========GMXBoundary53781312140810100682Content-Type: text/plain; charset="utf-8"Content-Transfer-Encoding: 8bitHeaders.How do they work?--========GMXBoundary53781312140810100682Content-Type: text/html; charset="utf-8"Content-Transfer-Encoding: quoted-printableQuoteDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;s=N1-0105; d=Safe-mail.net;b=d9Vi2+AeInZtNvk3U3vJN492sqVzbqrxhSzF8Pjs9LpWMHtHOKCUaB8fcSfu8UDrFJoiqkT857jAhvf00Jwy50bEmw5FjfdEzj6EnC/6+Vf2CMN+JufThH0JIixKthELgSP8Zz5q0iivkXWnUNMyq8U/DJ/bsljQDvuQF617zvw=;Received: from pc ([94.103.170.233]) by Safe-mail.net with httpsSubject: Re: HeadersDate: Sun, 31 Jul 2011 15:41:42 -0400From: xxtestxxaccountxx@hotmail.live.comTo: xxtestxxaccountxx@safe-mail.netX-SMType: RegularX-SMRef: N1-EvzV8HrzerMessage-Id: MIME-Version: 1.0Content-Type: multipart/alternative;boundary="-----5KVYT3G4Q6BC2-4E35AFF6.7AD9-L9Y0JA6PWR4JQ-----"X-SMSignature: mkSHbAnuhyZAIzsyTBgWgTSHK7ZZPbKU0U2NYx2RsuW/xk7P2tm530HEega2GV3P/eupRnxJLMe42CJzQD7RTCY/8Q6Fap4aNoOzppaBrc3ggH7TUAaZdFWUv+0dr74klgA5FfgzSlitow2m7WXNj2pcxcH41kjpd1cbykhXK2s=This is a multi-part message in MIME format.-------5KVYT3G4Q6BC2-4E35AFF6.7AD9-L9Y0JA6PWR4JQ-----Content-Type: text/plain; charset=us-asciiContent-Transfer-Encoding: 7bit-------- Original Message --------From: xxtestxxaccountxx@hotmail.live.comTo: xxtestxxaccountxx@safe-mail.netSubject: HeadersDate: Sun, 31 Jul 2011 19:33:28 +0000> Headers.>> How do they work?-------5KVYT3G4Q6BC2-4E35AFF6.7AD9-L9Y0JA6PWR4JQ-----Content-Type: text/html; charset=us-asciiContent-Transfer-Encoding: 7bitHushmail deserves a thread on its own, and that's something I'll get to in the next day or so, but the short version is DO NOT EVER USE HUSHMAIL.If you allow the javascript hooks that are required to download and run the hushmail java applet, it reports back your true IP address.If you don't allow the javascript applet, even once, your account is forever comprimised as hushmail stores the symetric key (the important thing your Public Key wrapper protects!) required to decrypt your messages. Changing your password doesn't make a difference.Any email account should be treated like a post card.Anyone can read it.If YOU don't encrypt it yourself, it is vulnerable to unwanted third parties reading it.You CAN NOT rely on a third party safely encrypting data for you.TL:DRNeither safe-mail or hotmail reveal your true IP address when you are using TOR properly.Neither safe-mail or hushmail encryption is a substitute for encrypting things yourself before you send them.Their encryption is a marketing ploy, and not a substitute for safe data handling habits.