Which Free Encrypted Webmail Isn't An Intelligence Agency Front?

edited August 2021 in General

I've read that intelligence agencies like the CIA, the FSB of Russia, & China's Ministry of State Security (aka Guoanbu) like to create free "encrypted" email front companies to trick the public into handing over their data.

How do we know which ones are not front companies?

Is it possible that "encrypted" email services like ProtonMail.com are CIA front operations? How does ProtonMail make enough money to give away millions of free email accounts if it's not funded by some nation's secret service?

@Francisco & @Jar, what are your best guesses as to which non-USA encrypted email services are not intelligence agency fronts?

Comments

  • @Offshore_Solutions said: @Francisco & @Jar, is it possible that free "encrypted" email services like ProtonMail.com are CIA front operations?

    It's entirely possible, see for example: https://en.wikipedia.org/wiki/ANOM

  • Sigma rule #1 in privacy and security: Trust no one.

  • edited August 2021

    @stevewatson301 said:

    @Offshore_Solutions said: @Francisco & @Jar, is it possible that free "encrypted" email services like ProtonMail.com are CIA front operations?

    It's entirely possible, see for example: https://en.wikipedia.org/wiki/ANOM

    Exactly! Even worse, 100s of nations were trusting the CIA's secret "Swiss" front company, Crypto AG, to "encrypt" their email. For years this front company had fooled nations like Germany into signing up! Read more here:
    https://www.forbes.com/sites/daveywinder/2020/02/12/cia-secretly-bought-global-encryption-provider-built-backdoors-spied-on-100-foreign-governments/

  • Don't forget Guoanbu from your list.

  • jar Patron Provider, Top Host, Veteran

    If encrypted email that intelligence agencies can't get into was my thing, I'd avoid all service providers. Even if they're fine today, a quiet takeover or acquisition could be all it takes to flip it the other way. Remember the FBI has actively hosted child porn to catch people, what wouldn't they do? Seize servers, arrest the owners, leave it online and introduce vulnerabilities to catch when you decrypt your mail. Nothing is too low for them.

    Avoid email entirely to avoid intelligence agencies. It's not a friendly protocol for the purpose.

  • @Offshore_Solutions said:
    I've read that intelligence agencies like the CIA, the FSB of Russia, & China's Ministry of State Security (aka Guoanbu) like to create free "encrypted" email front companies to trick the public into handing over their data.

    How do we know which ones are not front companies?

    Is it possible that "encrypted" email services like ProtonMail.com are CIA front operations? How does ProtonMail make enough money to give away millions of free email accounts if it's not funded by some nation's secret service?

    @Francisco & @Jar, what are your best guesses as to which non-USA encrypted email services are not intelligence agency fronts?

    I think you should start your quest with a more important question:

    • what's so important about what you are doing to warrant any intelligence agency's time? ;)

    And if you do manage to persuade yourself that you're worth their time, you should ask:

    • what the heck are you doing communicating, sending anything of importance via email? ;)
    Thanked by 1 AlwaysSkint
  • Francisco Top Host, Host Rep, Veteran
    edited August 2021

    @jar said: If encrypted email that intelligence agencies can't get into was my thing, I'd avoid all service providers.

    Yep. Self host, fully encrypted drive, etc.

    FDE inside of cloud instances can still be a problem since your keys are in memory.

    If it's really a problem, do it on your own metal.

    Francisco

  • LordSpock Member, Host Rep

    @Francisco said:
    If it's really a problem, do it on your own metal.

    That's the most sensible answer. You can't have full control over anything unless you own it or have full control over it.

    Run something like MailPile on your own box if you're so concerned about intelligence agencies snooping on you but you would like encrypted webmail, it is licensed under the AGPLv3 and as such is fully free & open source so you can inspect the code for backdoors.

    Or better yet, use a desktop e-mail client (a FOSS one) with PGP support.

  • edited August 2021

    @Francisco said:

    @jar said: If encrypted email that intelligence agencies can't get into was my thing, I'd avoid all service providers.

    Yep. Self host, fully encrypted drive, etc.
    FDE inside of cloud instances can still be a problem since your keys are in memory.
    If it's really a problem, do it on your own metal.

    Francisco

    For those not wanting to create their own solution @Francisco, would your new Lux company (registered offshore) be willing to provide a paid encrypted email alternative to ProtonMail?

    I happily use @Jar for email but not for our organization because he's one FBI search warrant away from no privacy since he's located in the USA.

    @aglodek said:

    • what's so important about what you are doing to warrant any intelligence agency's time? ;)

    I don't think it's far fetched for any of us to have our emails be of interest in a future investigation. If we become a suspect in a crime or if a future government decides to look for a reason to detain us, the first thing they do is search our online history. Protect your future by encrypting your present-self.

    I'm part of an organization that believes that Tucker Carlson is right, that the Georgia Senate race was stolen by fraudulent ballots/counters and that the mainstream media looked the other way because "It was done for the higher purpose of getting rid of Trump at any cost." I believe media outlets like CNN use a "Ends Justifies the means" attitude.

    The Biden Administration has made it nearly criminal to espouse that the Georgia Senate race (that determined which party would be in charge of the Senate) was stolen.

    Even Tucker Carlson's emails were leaked by the NSA at the behest of a paranoid Biden Administration:

    The National Security Agency has quietly admitted that the identity of Fox News prime-time host Tucker Carlson was “unmasked” and leaked as he alleged earlier this month, according to a report.

    “For the NSA to unmask Tucker Carlson or any journalist attempting to secure a newsworthy interview is entirely unacceptable and raises serious questions about their activities as well as their original denial, which was wildly misleading,” a Fox News spokesperson told The Record, a cybersecurity news site.

    Source: https://nypost.com/2021/07/24/tucker-carlsons-unmasking-claim-confirmed-by-nsa-investigators-report/

  • So, basically you're a paranoid conspiracy theorist. You've got nothing to worry about.

    In the rare case you would have something to worry about, hosting your own mailserver is the only remedy. And with 'hosting your own' I mean buying a server, encrypting the hell out of it and colocating it in either:

    a) Your own datacentre with your own uplink.
    b) The independent datacentre of a bullet proof hoster.
    c) Russia.

  • Tejy Member
    edited August 2021

    @infomaniac, based in Switzerland, no doubt on these guys.
    edit: not encrypted, unfortunately

    Thanked by 1 Offshore_Solutions
  • Levi Member
    edited August 2021

    "Encrypted email" is a marketing fuss. There is no such thing. Said multiple times by tutanota, protonmail and others. True encryption only in p2p.

  • Email is just sending message from point 'A' to point 'B'. You may encrypt the message in transit, but when it's stored, it is not encrypted. If the message itself is stored encrypted, then the server has the key, to display it to you, so the encryption is useless at this point anyhow.

    The only way to encrypt email is to have beforehand a prior conversation with receiver, establish an encryption software for the message, send the message encrypted, and receiver decrypts it based on the encryption-decryption software (protocol) established earlier.

    However, if the message is encrypted beforehand, nothing guarantees that the encrypted data does not stay on the datacenter, in some backup, even if you delete the message from email account. In such scenario the intelligence agencies will decrypt it later, as computing power evolves, so they might still have proof actually.

    Thanked by 1 Offshore_Solutions
  • Always remember, email is NOT SECURE by design. If you need decent encryption, look for alternatives. If you have to use email anyway, use full GPG encryption. It's stupid to believe those "encrypted" email providers.

    Thanked by 1 Offshore_Solutions
  • raindog308 Administrator, Veteran

    @Offshore_Solutions said:
    How do we know which ones are not front companies?

    Since you're encrypting your email with PGP using the recipient's public key before you send them, and hence only the recipient can read the message, why do you care?

    Oh, you're not encrypting your email before you send it over an unknown network you have no control over? Well then you don't care about your privacy so your question is silly.

    Seriously, people who think provider X is secure while provider Y is not are only advertising their own cluelessness. Tools for encrypting your email have been available since the 1990s. The problem is people don't want to use them because they're not convenient.

    Sounds like you prioritize convenience over security, so that's what you'll get.
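
An added example, not part of any post in this thread: the posts above separate encryption in transit from encrypting the message itself before sending. This Python sketch classifies a stored message by what its provider can read, using constructed sample mail with made-up addresses and a placeholder armored block; the function name `provider_view` is hypothetical.

```python
from email import message_from_string

# Constructed sample mail (not real traffic; the armored block is a placeholder).
HEADERS = (
    "Received: from client.example by mx.example with ESMTPS; "
    "Mon, 2 Aug 2021 10:00:00 +0000\n"
    "From: alice@example.org\nTo: bob@example.net\nSubject: meeting notes\n"
)
ARMOR = ("-----BEGIN PGP MESSAGE-----\n\n(constructed placeholder)\n"
         "-----END PGP MESSAGE-----\n")
PLAIN = HEADERS + "Content-Type: text/plain\n\nSee you at ten.\n"
INLINE = HEADERS + "Content-Type: text/plain\n\n" + ARMOR
PGP_MIME = HEADERS + (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--b1\nContent-Type: application/octet-stream\n\n" + ARMOR + "\n--b1--\n"
)

def provider_view(raw):
    """Report what a provider storing this raw message can read."""
    msg = message_from_string(raw)
    # "with ESMTPS" in a Received header records a TLS-protected hop (RFC 3848).
    tls_hops = sum("ESMTPS" in h for h in msg.get_all("Received", []))
    # PGP/MIME (RFC 3156): multipart/encrypted with the pgp-encrypted protocol.
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    # Inline PGP: an ASCII-armored block inside a text part.
    inline = any("-----BEGIN PGP MESSAGE-----" in p.get_payload()
                 for p in msg.walk()
                 if p.get_content_maintype() == "text")
    body_encrypted = pgp_mime or inline
    return {
        "tls_hops": tls_hops,
        "body_readable": not body_encrypted,
        # Headers are outside the PGP envelope, so metadata stays visible.
        "headers_readable": {k: msg[k] for k in ("From", "To", "Subject")},
    }

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("inline", INLINE), ("pgp-mime", PGP_MIME)):
        print(name, provider_view(raw))
```

The check recognises the message format only; it cannot tell whether the private key sits on the recipient's machine or on the provider's server, which is the distinction the posts above turn on.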

  • Francisco Top Host, Host Rep, Veteran
    edited August 2021

    @Offshore_Solutions said:
    For those not wanting to create their own solution @Francisco, would your new Lux company (registered offshore) be willing to provide a paid encrypted email alternative to ProtonMail?

    No, I'm too smooth brained to deal with mail properly. I leave that to the professionals like @jar.

    I would never want to get into email on my own. There's many markets I stay out of (physical locations, services, etc) out of respect for providers I like. No point eating off their plates. At most I'd partner with @jar or something.

    Francisco

  • MannDude Host Rep, Veteran
    edited August 2021

    Just use your own PGP Encryption. It's something we actually offer by default on all shared hosting services, though I don't believe many people take advantage of it and it has its own downfalls (requires keys to be kept on the server). But the idea is that it'll get people to at least practice secure email use and they can always use an Enigma or similar desktop mail client plugin to keep keys offline.

    I attach my public key to all emails I send and rarely does anyone take advantage of it as well. I think only one of our upstreams does, and it's nice that they do ( https://www.urdn.com.ua/ ).

    With that said, you can always use something like I2PMail and a clearnet gateway if you want to send/receive email from the I2P network to the clearnet, though the only existing one that I'm aware of now is painstakingly slow so it may take 8 hours for whatever is sent to the clearnet domain to arrive to your I2P network inbox.

    For private communication between two people who are on the same page (privacy focused) I'm just using Signal and I2PChat or IRC over I2P or Yggdrasil.

    Thanked by 1 Offshore_Solutions
  • citizen0 Member
    edited August 2021

    Has anyone tried CTemplar?
    I've been using it for a while. It has outstanding features and is crowdfunded.

    Thanked by 1 fluffernutter
  • jsg Member, Resident Benchmarker

    @Offshore_Solutions asked:
    Which Free Encrypted Webmail Isn't An Intelligence Agency Front?

    You start with the wrong question and with the worst Eve and a wrong concept.

    Governments are by far the worst Eves, in part because they have the best and vastest resources in every sense (cryptologists, mathematicians, systems, money, etc.) - plus they have most routes available, from tainting crypto, over basically forcing parties to use those tainted algos (e.g. via FIPS), and up to using entirely different routes like e.g. using a rubber hose.

    You on the other hand have virtually nothing relevant on your side - "free" means "less choice" and is irrelevant anyway because any provider, free or not, can be turned against you if he isn't an asset already, possibly even without knowing it. Plus you, with very high likelihood do not even have the basics like really good and trustworthy crypto algos and the knowledge required.

    In reality your best protection is mass, as in 'getting and reading 1 person's cleartext messages' is very, very, very different from 'getting and reading the cleartext messages of billions of people'.

    Every other means, just forget about it. You have not even begun to understand your own question. Plus, chances are that you or the people having written the software used on both ends or even the people who wrote the library use(d) questionable constructs (like quite a few AES modes) and questionable practices (like not excluding the possibility to re-use a nonce), plus ...

    And Eve needs but one single weak point among hundreds, most of which you do not even see, to successfully f_ck you, highly likely without you even noticing it.

    But then, again, why would the NSA or the FSB or the Guoanbu even care about your little secrets more than you care about a single ant's secret in the forest? That is your best protection. And your second best protection is to not trust all the sakkurity blah propagandized by the modern apostles, 99.9% of whom are not even beginning to really understand the field themselves and are but virtue signalling.

    If you want to feel good and safe make the effort and use PGP or some such, preferably in a reasonable way.

  • @Offshore_Solutions said:
    I'm part of an organization that believes that Tucker Carlson is right

    Oh, Jesus Christ on bike. Tucker is a fucking moron.

    Thanked by 1 fluffernutter
  • jsg Member, Resident Benchmarker

    How about some verifiable arguments instead of "Tucker is [insert expletive]"?

    Thanked by 1 Offshore_Solutions