Secure Webmail Providers?
Rainier Wolfecastle asks: "I am looking for information on any webmail providers that support PGP/GnuPG encryption. Up until now I have been using Lok Technology's excellent service, but it appears that they have gone out of business, since their site has been unreachable for over two weeks now. I am aware of Hushmail, but that doesn't work well under Linux. I am considering using Name.Space's LokMail service (based on Lok Technology's..er...technology) but I was wondering if anyone out there has any other suggestions. Free email is coming to an end, and if I'm going to pay for it (which I don't mind at all) then I want a decent product."
What's the point... (Score:1)
Re:What's the point... (Score:5, Informative)
Re:What's the point... (Score:1)
Unless I have been overrated personally?
Re:What's the point... (Score:1)
I posted this at score 3 for an example.
Re:What's the point... (Score:4, Insightful)
Because while you can moderate up for being informative or insightful, you can't (at present) moderate down for being dumb or wrong. As long as the down-mod options are limited to troll, off-topic, flamebait, and overrated, expect to see comments that are just plain stupid moderated "overrated."
Seems to me that if there's a "+1, Informative," there ought to be a "-1, Misinformative."
Not just that (Score:2)
I strongly agree with "Misinformative", though I think I'd change it to "Incorrect", since "Misinformative" implies an attempt to deliberately spread misinformation (like the insidious Professor Collins [slashdot.org], for instance). "Misinformative" has a time and a place, but perhaps not serving the place of a term that simply means "wrong".
Re:Not just that (Score:2)
I wouldn't know. I haven't been asked to metamoderate since I started using this new account. I posted under a previous account for a few years, but grew sick of the user name and haven't been invited to participate in either form of moderation since. I have no idea if I'm deliberately being excluded, or if I'm just still in that "new user" phase. Don't know if there's any way to find out, either.
I strongly agree with "Misinformative", though I think I'd change it to "Incorrect", since "Misinformative" implies an attempt to deliberately spread misinformation
Yeah, you've got a point, but I'm not sure "incorrect" covers it either. I'd like a moderation that I could assign (in theory, if I ever were to get mod points again) to posts that are (1) wrong or (b) moot. Because sometimes a post can be technically correct, but wrong anyway because it doesn't apply to the situation at hand. The post that spawned this thread qualifies thus: it's true (transport-layer encryption [such as SSL] is less useful if other segments of the message path are unencrypted), but it doesn't apply to this discussion (we're not talking about transport-layer encryption, but rather message-layer encryption).
I don't know what the right answer is, but I do know that Troll, Offtopic, Redundant, and Flamebait don't apply.
Re:What's the point... (Score:2)
Of course you've already thought of this... (Score:1, Redundant)
I would be interested in this, also, thank you for asking.
Hushmail? (Score:4, Informative)
Re:Hushmail? (Score:1, Informative)
1) Please mod the parent down. It is the opposite of informative.
2) Hushmail is only supported on IE under Windows. Yes, the client is a Java applet, but it's "MS-Java". The applet doesn't work under Linux or Mac OS X. I haven't tried it under Mac OS 8.x or 9.x, but I'm not exactly optimistic.
Re:Hushmail? (Score:1)
"Will HushMail run on my Macintosh(TM) computer?
Regrettably, HushMail does not work on "Macs". This is due to problems with the way Java works in browsers available for the Macintosh. We are hoping that future web browsers for Macintosh will resolve these problems."
Well, I never give up without a try. But with Mozilla 1.1 under MacOS 9.2.2 I was NOT able to set up an account. Time to set up that Linux partition...
- Uffe
Hushmail in linux (Score:5, Informative)
Oh, and remember -- hush security is only as good as your passphrase. Diceware!
Problems with Encrypted Webmail (Score:5, Interesting)
Consider that the webserver admin(s) will have access to the encrypted private key. Also consider that the webserver (process) has read access to the key. The upshot is that if anyone gets root access to the box, gets a shell under the webserver's UID, or convinces the webserver to serve up a file that it is supposed to have read access to, the only thing between your private key and an attacker is your passphrase.
I find all this unsettling to the point of believing that it can't be safely done.
If anyone knows any better, please fill me in.
-Peter
Re:Problems with Encrypted Webmail (Score:2, Interesting)
You're correct, but I don't think that it necessarily has to be that much of a problem, if it is made clear that the passphrase for your key is far more important than most others. You would have to ask people to remember a long, randomly chosen passphrase. Do not give them a choice. If you get 128 bits of random data, turn it into radix 64, that's a 22 letter passphrase (upper & lowercase, plus 2 other characters). Now, perhaps not everybody could memorize that, but even if it were written down & kept secure, it would keep most people's key reasonably secure.
Another solution could be to have 128 bit (22 character) key that is again encrypted by a memorized passphrase. The user could write down the key, but even if this were compromised, it would still be at least secure for long enough to generate another key (not public/private key) & passphrase.
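The arithmetic in the comment above (128 random bits written in radix 64 gives 22 characters), worked through as an added example that is not part of any poster's comment. It also generalizes to a Diceware-style word passphrase, as mentioned earlier in the thread; the function names are hypothetical and `WORDS` is a constructed 7776-entry stand-in, not the real Diceware list.

```python
import base64
import math
import secrets
from itertools import product

# Constructed stand-in for a Diceware list: 6^5 = 7776 pronounceable tokens,
# one per outcome of five dice rolls. NOT the real Diceware word list.
WORDS = ["".join(p) for p in product("bdkmst", "aeiouy", "bdkmst", "aeiouy", "bdkmst")]

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def symbols_needed(bits: int, alphabet_size: int) -> int:
    """Fewest uniformly random symbols that carry at least `bits` bits."""
    return math.ceil(bits / math.log2(alphabet_size))

def radix64_passphrase(bits: int = 128) -> str:
    """`bits` of CSPRNG output written in radix 64 (base64, padding removed)."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    raw = secrets.token_bytes(bits // 8)
    # 16 bytes encode to 24 base64 characters, two of which are '=' padding.
    return base64.b64encode(raw).decode("ascii").rstrip("=")

def word_passphrase(bits: int = 128, words=WORDS) -> str:
    """Diceware-style passphrase: enough uniformly chosen words for `bits` bits."""
    count = symbols_needed(bits, len(words))
    return " ".join(secrets.choice(words) for _ in range(count))

if __name__ == "__main__":
    print(radix64_passphrase())   # 22 characters for 128 bits
    print(word_passphrase())      # 10 words for 128 bits
    print(round(entropy_bits(10, len(WORDS)), 1), "bits in 10 words")
```

The entropy figures hold only when every symbol or word is drawn by a CSPRNG or dice; a phrase the user picks themselves does not reach them.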
Re:Problems with Encrypted Webmail (Score:3, Interesting)
I can barely remember my phone number. It is only 10 digits, and the first three are a gimme. I'm supposed to remember "iDclyWnIxwaJcSOWNLcj" or some junk?
And this has no real impact on the trust issue. What prevents the webserver admin from having the webmail software log all incoming passphrases?
I harp on this because if I can trust my mail admin (and you trust yours) half the battle is already won.
-Peter
Re:Problems with Encrypted Webmail (Score:2, Interesting)
Yes, I'm serious. Have a java applet which does encryption on the client computer. This is what hushmail does.
If you read my post, you'd realize that I suggested that a person could write down their key. I myself don't consider this much of a problem if you keep it secure on your person. Or if the key one writes down is encrypted with a passphrase which could be memorized.
Re:Problems with Encrypted Webmail (Score:4, Insightful)
It's worse than that. If they root the webmail server (or a little more difficult if they just get the webserver UID), they can read the SSL traffic, including your passphrase. In short the only way to have securely encrypted email is to store the private key on your own private local machine - a webmail service simply cannot gaurantee you jack.
Re:Problems with Encrypted Webmail (Score:2, Interesting)
Re:Problems with Encrypted Webmail (Score:2)
Fucktard spelling nazi. Websters recognizes "guarantee" as well as "guaranty", which means in my typing haste I swapped the initial "ua" to "au", not a bad mistake at all, especially seeing as I don't give a shit about small grammar and spelling mistakes (see my journal). It has been my experience that the "ee" ending is used more commonly in the US. And don't bitch at me for being US-centric either, there's a US-centric population here, get used to it.
Web mail with i18n support - any? (Score:2, Interesting)
Has anyone found any web mail service that handles texts in various character encodings - notably Unicode - correctly (or at all)?
I'm really amazed how badly Hotmail et al. handle i18n. Any message is treated as if it's in "iso-8859-1" (Latin 1, Western), and all information about the actual character encoding is just stripped off.
Correctly would of course also mean "without using HTML in e-mail messages".
Re:Web mail with i18n support - any? (Score:5, Informative)
It is totally paranoid about HTML email.
Even comes with a bunch of translations.
So, either set up your own mailserver (like a real man!) or find a provider that uses SquirrelMail. I use Fairplay Communications [fpcc.net] here in Colorado. They rock, and provide SquirrelMail. (And the only affiliation I have with them is that I am a paying customer.)
SquirrelMail is where it's at. (But I am a little biased
-Peter
Re:Web mail with i18n support - any? (Score:1)
Thanks for the tip! I'll check it out.
I did however get a little suspicious when I found the following page:
http://www.squirrelmail.org/wiki/en_US/SquirrelMailRequirements [squirrelmail.org]
The character encoding is a total mess on that page. Maybe it's the Wiki's fault. I've seen that kind of mess on Wiki pages before.
Re:Web mail with i18n support - any? (Score:2)
Have no fear about SM itself, though. I believe that well over half of the SM installations out there are non-english. XS4All.nl was the "biggest" user for a long time, probably still is.
-Peter
Re:Web mail with i18n support - any? (Score:1)
OK. I have no fear...
But I did find an entry in the wish list, that UTF-8 support should be added in the future:
http://www.squirrelmail.org/wiki/en_US/WishList [squirrelmail.org]
So, is there Unicode support, or not, in SM?
Re:Web mail with i18n support - any? (Score:2)
I don't know all the subtleties of using non-US character sets . . . but there has been a "i18n guy" making SM work with all sorts of languages for a long time.
The only thing that was outstanding when I last checked (which was a while ago) was multi-byte character sets. I don't know what the status is on those.
So, does it work with UTF-8? I'm not completely sure, because I'm not completely sure I'd recognize UTF-8 if I saw him on the street. But it does work with all sorts of extended western character sets, Cyrillic, and several single-byte Asian sets, whatever that means.
Subscribe to the mailing list, or even go out on a limb and install it!
-Peter
No, that would be stupid... (Score:4, Informative)
Webmail is for roaming. If you're roaming, then you don't trust the client. PGP is useless if you don't trust the client.
And don't say signed java applets 'cause (1) if you trust the provider's signature then just use https (I'll give you an account at inbox.org) and (2) if you don't trust the computer then you can't store your private key.
Replying to my own question (Score:1)
The reason I stated that I don't want to use Hushmail is precisely because of the need for Java. The reason I want webmail is so that I can access it from anywhere, and I don't want to have to rely on the presence of Java on the machine I happen to be using.
On a side note, I got an email from the CTO of Lok Technology today, and it appears that they will be back up by the end of the week.
Re:Replying to my own question (Score:2)
The reason I stated that I don't want to use Hushmail is precisely because of the need for Java. The reason I want webmail is so that I can access it from anywhere, and I don't want to have to rely on the presence of Java on the machine I happen to be using.
If you don't use java then you have to provide your webmail provider with your private key. That's not a smart idea.
Re:Replying to my own question (Score:1)
At Lok, which I was using, the private key is generated and stored on the server at sign-up, using hints that make sure that you provide a decent passphrase. Neither the email account password nor the GPG passphrase are stored by the company. They specifically tell you not to be a dumbass and forget it, because they can't get you back in if you do.
Also, there is a login history available (logs time and IP address) that you can use to make sure that no one else has accessed your account.
Re:Replying to my own question (Score:1)
IMP (Score:2)
Novell to the rescue... (Score:2)
Only downside is occasional downage for software and hardware upgrades...
-jag
Re:Novell to the rescue... (Score:1)
Re:Novell to the rescue... (Score:1)
-jag
My solution (Score:1)
I have it set up to use GPG [gnupg.org] for automatic signing -- all I do is type up an e-mail, press the send key, enter my GPG passphrase at the prompt (which is 35 alphanumeric chars), and press Enter. My e-mail gets signed and mailed. When I receive a PGP-encrypted/signed mail, Mutt automatically decrypts it for me, again using my passphrase.
It's very convenient (setting it up is the hardest part, and that's also easy with online documentation) and very self-reliant: no special provider to go out of business, no browser to block Java, and always encrypted.
Cryptoheaven (Score:1)
"All services fully encrypted using the latest technology including an AES symmetric cipher Rijndael with 256 bit encryption keys, SHA-256 message digest function, and asymmetric encryption with keys of 2048-4096 bits in length."
Re:Cryptoheaven (Score:1)
Hushmail doesn't work in Linux? (Score:2)