Slashdot Mirror

← Back to Stories (view on slashdot.org)

Secure Webmail Providers?

Posted by Cliff on from the a-little-paranoia-is-a-healthy-thing dept.

Rainier Wolfecastle asks: "I am looking for information on any webmail providers that support PGP/GnuPG encryption. Up until now I have been using Lok Technology's excellent service, but it appears that they have gone out of business, since their site has been unreachable for over two weeks now. I am aware of Hushmail, but that doesn't work well under Linux. I am considering using Name.Space's LokMail service (based on Lok Technology's..er...technology) but I was wondering if anyone out there has any other suggestions. Free email is coming to an end, and if I'm going to pay for it (which I don't mind at all) then I want a decent product."

9 of 56 comments (clear)

  1. Hushmail? by penguin_punk · · Score: 4, Informative

    Hushmail was the first and obvious choice when I read the headline, but you mentioned that it doesn't work well under linux??? What's up with that? I believe it uses java. (to lazy to check) Do you not know how to install the java plugin under mozilla/netscape/konqueror?

    --
    HURD - Hurd's Under Research & Development
  2. Re:What's the point... by crow · · Score: 5, Informative

    The server-to-server communication is not in plaintext if you use PGP or GPG. Of course, the headers are, so an observer can see who you're talking to, just not what they're saying.

  3. Hushmail in linux by rocketfairy · · Score: 5, Informative

    Hushmail works fine for me in linux; it runs on java, so you need a browser (Mozilla works swimmingly) and a working virtual machine. Grab the latest one from Sun, make sure there's a link to it in the mox plugins dir. If it keeps breaking, try making the account on a windoze machine, and then accessing it in linux -- that worked for me the 1st time when my jvm was crashy.

    Oh, and remember -- hush security is only as good as your passphrase. Diceware!

  4. Problems with Encrypted Webmail by pete-classic · · Score: 5, Interesting

    Encrypted webmail is a tricky issue. In the final analysis you basically have to use a passphrase that is so good that you don't mind having your (encrypted) private key publicly available.

    Consider that the webserver admin(s) will have access to the encrypted private key. Also consider that the webserver (process) has read access to the key. The upshot is that if anyone gets root access to the box, gets a shell under the webserver's UID, or convinces the webserver to serve up a file that it is supposed to have read access to, the only thing between your private key and an attacker is your passphrase.

    I find all this unsettling to the point of believing that it can't be safely done.

    If anyone knows any better, please fill me in.

    -Peter

    1. Re:Problems with Encrypted Webmail by pete-classic · · Score: 3, Interesting

      Are you serious?

      I can barely remember my phone number. It is only 10 digits, and the first three are a gimme. I'm supposed to remember "iDclyWnIxwaJcSOWNLcj" or some junk?

      And this has no real impact on the trust issue. What prevents the webserver admin from having the webmail software log all incoming passphrases?

      I harp on this becasue if I can trust my mail admin (and you trust yours) half the battle is already won.

      -Peter

    2. Re:Problems with Encrypted Webmail by photon317 · · Score: 4, Insightful


      It's worse than that. If they root the webmail server (or a little more difficult if they just get the webserver UID), they can read the SSL traffic, including your passphrase. In short the only way to have securely encrypted email is to store the private key on your own private local machine - a webmail service simply cannot gaurantee you jack.

      --
      11*43+456^2
  5. Re:What's the point... by Twirlip+of+the+Mists · · Score: 4, Insightful

    Hey... how can the parent comment be "overrated" if it hasn't been moderated by anybody else?

    Because while you can moderate up for being informative or insightful, you can't (at present) moderate down for being dumb or wrong. As long as the down-mod options are limited to troll, off-topic, flamebait, and overrated, expect to see comments that are just plain stupid moderated "overrated."

    Seems to me that if there's a "+1, Informative," there ought to be a "-1, Misinformative."

    --

    I write in my journal
  6. No, that would be stupid... by anthony_dipierro · · Score: 4, Informative

    Webmail is for roaming. If you're roaming, then you don't trust the client. PGP is useless if you don't trust the client.

    And don't say signed java applets 'cause (1) if you trust the provider's signature then just use https (I'll give you an account at inbox.org) and (2) if you don't trust the computer then you can't store your private key.

  7. Re:Web mail with i18n support - any? by pete-classic · · Score: 5, Informative

    SquirrelMail has handled this for years.

    It is totally paranoid about HTML email.

    Even comes with a bunch of translations.

    So, either set up your own mailserver (like a real man!) or find a provider that uses SquirrelMail. I use Fairplay Communications here in Colorado. They rock, and provide SquirrelMail. (And the only affiliation I have with them is that I am a paying customer.)

    SquirrelMail is where it's at. (But I am a little biased ;-)

    -Peter