I believe privacy and gmail cannot coexist ... Giannis
!gmail
A box you own and control. Gmail is NOT secure OR private. I don't expect hotmail, yahoo, etc. to be so either. Also, a few times hotmail released new versions of their web interface, they only worked for IE for about a week or two. As long as you don't own and control the mail server, someone else has physical access to it; hence it's not really secure. Personally, I run my own mail server on a VPS I rent (from ARP Network, by the way). Not the BEST of choices, but I sure trust them more than GOOGLE. If you *really* need privacy for emails, start using something like GPG.
+1 Very happy and safe running my own mailserver. -- I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain. -- Bene Gesserit Litany Against Fear.
As many others suggested, using your own mail server that you control is the *best* way, but that doesn't answer your question. I know people that use Lavabit.com for free email and they swear by it. (I use my own mail server, thank-you.) The lavabit page boasts of privacy ("a system so secure <http://lavabit.com/secure.html> that even our administrators can't read your e-mail") but you can never really know unless you're an admin there. They offer encrypted connections/ports to send/receive on top of port 25. HTH, - Scott
Their encryption is only for paid users, not free accounts. I have an "enhanced" account with them that I use for my personal email. I have the asynchronous encryption option enabled, but yeah, there's no real way of knowing for sure. No complaints about the service though. Josh
How do they deal with legal jurisdiction? Technically the government can still subpoena and they'd have to turn over the documents in the person's account, including backups. I "pine" for "Sealand" but even then one would have to trust the owners of Sealand not to snoop. Again, the best solution is probably to run your own.
Unfortunately it appears that lavabit isn't accepting new users at the moment. Their service does look interesting tho. Thanks, Josh Smith KD8HRX email/jabber: juicewvu@gmail.com phone: 304.237.9369(c)
IANAL but can't they hold you in jail for contempt or "insert charge here" until you hand it over? I thought I remember something similar in the news recently.
On Thu, 09 Dec 2010 21:10:04 -0000, Adam M. Dutko <dutko.adam@gmail.com> Depends where you live and where you store the data. But in the UK you can be held in contempt and jailed for not releasing keys to the police. Hence the need for encryption with plausible denial. -- Robert Bronsdon
There are such laws in the UK, I read about a kid jailed for not wanting to give them the pass to his encrypted partitions, I think. But not in the US, for example, they recently caught a hacker (Moxie Marlinspike - maybe many people here know the story), he refused to give them the pass, but they could not do anything to him but temporarily confiscate his cellphone and laptop (IIRC) for investigations, or something. Btw of Marlinspike, people who don't know it already (again, I fear that I'm coming with old news :P) might find this interesting: http://www.youtube.com/watch?v=ScMl2_9Duao - he basically puts into words what people can just perceive about the subversive information control methods. On Thu, 9 Dec 2010 16:10:04 -0500 -- Mihai Militaru <mihai.militaru@xmpp.ro>
On Thu, 09 Dec 2010 15:38:59 -0500 gpg doesn't touch the headers, so Alice is still tied to Bob and might be fkd nevertheless.
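To illustrate the point about headers, here is an added example (not part of the original thread) that parses a PGP/MIME message the way a mail server or anyone with access to its disks would see it. The addresses, subject and message are constructed, and the ciphertext is a placeholder.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: a PGP/MIME (RFC 3156) message as stored on a mail server.
RAW = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net; Thu, 09 Dec 2010 15:38:59 -0500
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: meeting on friday
Date: Thu, 09 Dec 2010 15:38:59 -0500
Message-ID: <1234@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

def server_view(raw):
    """Return what is readable without the recipient's private key."""
    msg = message_from_string(raw, policy=default)
    visible = {h: str(msg[h]) for h in ("From", "To", "Subject", "Date")}
    visible["Received hops"] = len(msg.get_all("Received", []))
    # The sender/recipient pair is the link between Alice and Bob.
    link = (msg["From"].addresses[0].addr_spec, msg["To"].addresses[0].addr_spec)
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    return visible, link, encrypted

if __name__ == "__main__":
    visible, link, encrypted = server_view(RAW)
    print("body encrypted:", encrypted)
    print("still visible:", visible, "link:", link)
```

The body is opaque, but the sender, recipient, subject, timestamp and relay path are all stored and transmitted in the clear.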
So use Mixmaster or Tor+$FREE_WEBMAIL (in either case, with GPG). Joachim -- PotD: misc/xkcd-viewer - XKCD comic viewer http://www.joachimschipper.nl/
On Thu, 9 Dec 2010 15:03:42 -0500, Adam M. Dutko <dutko.adam@gmail.com> Yes, this is along the lines of what happened to Hushmail, if you remember them. They had a Java applet-based webmail system where encryption was performed locally on the user's computer, and they liked to advertise that the Hushmail servers never even handled plaintext copies of users' OpenPGP encrypted messages. But the problem was that the authorities could still compel Hushmail to serve a malicious Java applet to specific users: http://en.wikipedia.org/wiki/Hushmail#Controversy That's not Hushmail's fault of course -- as a service provider, you can only promise so much privacy to your users unless you're willing to secede and maintain your own army. This means that as a user, you can only get strong privacy if you're willing and able to roll your own. (Whether you actually *need* that kind of privacy is another matter...) -- Mark Shroyer http://markshroyer.com/contact/
From their services page: 5. Secure mail services (smtp-auth w/ TLS, IMAPs/POP3s) I don't actually make use of this, as the "killer app" for a shell account was a place where I could run (al)pine against local mail service (it is not all that nice as a pop3 client, in my experience).
No, I'm referring to the encryption of the actual email saved on their disks. See http://lavabit.com/secure.html.
a) you have to trust their process of key-gen and login (they are able to get in the way if they want) b) you have to trust them that their servers are secure in order for your mail to be private. If they're hacked then a fake login.php can be installed that sends your password to the attacker when you log in. Tampered imap server can also do that. Besides that, ECC with 521 bits for the messages is quite paranoid :) Also AES-256 for your private key (which resides there and not here) is very nice. Giannis
Lavabit seems to be having a few problems of their own: "Due to a recent increase in the number of accounts being created for abusive purposes we have decided to suspend new user registrations until further notice".
On Thu, 9 Dec 2010 15:01:03 +0000 If you aren't a cheapskate you could ask henning@ for a quote. (check bsws.de for the contact info) Hosting on OpenBSD by an OpenBSD dev, hard to beat. PS: Mention you're coming from misc@ for a 200% markup. *eg*
A drop-in replacement to it I consider to be gmx.com - I used it for quite some years now and have no doubt about their reliability. About security... dunno. My final option - for now, at least - was to find a cheap hosting in Switzerland and run my personal email service there - paid 82b, or so for 5 +1 years. On Thu, 9 Dec 2010 15:01:03 +0000 -- Mihai Militaru <mihai.militaru@xmpp.ro>
Colo box (I'll toss the various virtual machine and chroot jail hosting solutions into that). Some flavor of VPN account where you can keep a nice static IP address for your mail server with proper forward and reverse DNS. Business class account with your ISP. Some other 3rd party mail provider. Warning... even if you secure your email, the idiots on the other end won't. I deal with lawyers that still insist on POP3 in the clear for their crack berry to retrieve email. I deal with lawyers and accountants that think a boilerplate disclaimer will prevent someone from forwarding on a mis-directed email.
On Thu, 09 Dec 2010 22:19:00 -0500 OMG I've never even looked closely at the crackberry's (my brother laughed a long time at that) because the server was obviously designed by retards. Are you saying the easily attacked server decrypts the message and then insists on a plain text connection (they're stupid but I doubt they are that stupid)? Or that the crackberry can only use an encrypted connection with a blackberry server?
Certainly not; at my previous job, *all* of our Blackberry
email traffic to/from our non-Blackberry mail server was
encrypted.
Benny
--
"I'm no meteorologist, but I'm pretty sure it's rainin' bitches!"
-- Cleveland, "Family Guy"
