RE: https://furry.engineer/@soatok/116180293728354163

Unsurprised, but :sigh:

So, if I wanted to explore an email provider, any suggestions? My current criteria, in roughly descending order:

1) Paid - I want to pay good money for a good product here. Email is too important.
2) Superb account access security - support for hardware 2FA, etc.
3) No scammy nonsense, crypto-currency snake oil, etc.
4) Reasonable privacy policy.
5) Excellent web and mobile interfaces.
6) Minimize retained data to the (tragically limited) extent possible given email.

Bonus: encrypted storage that the provider doesn't have keys for. Not sure this is realistic given the ... hilarity of email protocols. But would be happy to accept limitations in how I access email if needed to get this.

My threat model doesn't even come close to trying to prevent governments from seeing my email, but I'm happy to support a service that tries to provide some support for this or similar threat models. A cursory read of ProtonMail made it appealing as a consequence, but as in the quote post, it doesn't hold up and seems largely scammy rather than secure.

FWIW, also open to suggested changes to my criteria.

@chandlerc Posteo.de or mailbox.org?

@anteru @chandlerc

My first thought as well.

They do comply with German law and hand over all existing information they happen to have. But if there is nothing even remotely meaningful ...

@DanielaKEngert @anteru Yeah, these are two of the better options I've seen as well.

I wish that they took steps to have less unencrypted email stored permanently in their system, even though it would break POP/IMAP and such. But maybe that's too much to hope for.

I've heard mixed things about the web interface quality for both, curious if anyone has detailed thoughts there. Similarly for mobile apps.

@chandlerc @DanielaKEngert Do you really want a mobile interface, rather than using Thunderbird on your phone? Mailbox.org at least did a UI refresh recently, so worth trying. It's all based on https://www.open-xchange.com/products/ox-app-suite-cloud anyways.

@chandlerc @DanielaKEngert @anteru Posteo does have a thing where incoming email is cryptographically protected when being stored to disk, in a way that ties back to the user's password; https://posteo.de/en/site/encryption#cryptomailstorage documents this and Posteo's interpretation of what they can be compelled to do under German law.
Of course, something more comprehensive that also protects mail in transport would require protocol changes...
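As an added example (not code from this thread, and not Posteo's or Tuta's implementation), here is a minimal Go sketch of the property jann describes just above and chandlerc wishes for earlier in the thread: mail is encrypted on delivery to a per-mailbox public key, and the matching private key is kept only wrapped under a key derived from the user's password, so the records at rest are useless to the provider, or to anyone who compels the provider, without that password. Every algorithm choice here (PBKDF2-HMAC-SHA256 at 100,000 iterations, X25519, AES-256-GCM, SHA-256 for the per-message key) and every name is my assumption for the demo, not something either provider documents.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const kdfIters = 100_000 // demo work factor; an assumption, not a Posteo parameter

func must[T any](v T, err error) T { // for errors that cannot occur here (fixed-size keys, CSPRNG)
	if err != nil {
		panic(err)
	}
	return v
}

// pbkdf2Sha256 returns the first 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018).
func pbkdf2Sha256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

// seal is AES-256-GCM with a random 12-byte nonce prefixed to the ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or any tampering yields an error, never plaintext.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Account is what the provider keeps on disk: a PBKDF2 salt, the X25519 public key that
// the delivery path encrypts to, and the X25519 private key sealed under the password-derived key.
type Account struct{ Salt, PublicKey, WrappedPriv []byte }

// CreateAccount runs while the password is present (signup or password change).
func CreateAccount(password string) *Account {
	salt := make([]byte, 16)
	must(rand.Read(salt))
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	kek := pbkdf2Sha256([]byte(password), salt, kdfIters)
	return &Account{salt, priv.PublicKey().Bytes(), seal(kek, priv.Bytes(), []byte("key-wrap"))}
}

// messageKey hashes the ECDH secret together with both public keys into a per-message AES key.
func messageKey(shared, ephPub, recipientPub []byte) []byte {
	k := sha256.Sum256(append(append(shared, ephPub...), recipientPub...))
	return k[:]
}

// StoreIncoming is the delivery path: it needs only the public key, so neither the password nor
// the private key has to exist on the server when mail arrives. Layout: ephPub(32) || nonce || ct || tag.
func StoreIncoming(acct *Account, message []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(must(ecdh.X25519().NewPublicKey(acct.PublicKey))))
	ephPub := eph.PublicKey().Bytes()
	return append(ephPub, seal(messageKey(shared, ephPub, acct.PublicKey), message, ephPub)...)
}

// ReadMail is the login path: the password unwraps the private key, which recovers the per-message key.
func ReadMail(acct *Account, password string, stored []byte) ([]byte, error) {
	kek := pbkdf2Sha256([]byte(password), acct.Salt, kdfIters)
	privBytes, err := open(kek, acct.WrappedPriv, []byte("key-wrap"))
	if err != nil {
		return nil, errors.New("cannot unwrap private key: wrong password or damaged record")
	}
	if len(stored) < 32 {
		return nil, errors.New("stored message too short")
	}
	priv := must(ecdh.X25519().NewPrivateKey(privBytes))
	shared, err := priv.ECDH(must(ecdh.X25519().NewPublicKey(stored[:32])))
	if err != nil {
		return nil, err
	}
	return open(messageKey(shared, stored[:32], acct.PublicKey), stored[32:], stored[:32])
}
```

Drop this into a main package beside a `main()` that calls `CreateAccount`, then `StoreIncoming` for each arriving message, then `ReadMail` with the password at login. The two things worth watching are that a wrong password fails at the key-unwrap step before any mail ciphertext is touched, and that a tampered or truncated record is rejected by AES-GCM rather than decrypting to garbage. The limits are exactly the ones the thread names: the MTA still sees the plaintext when it arrives, so transport stays unprotected without protocol changes, and an IMAP/POP server cannot serve these records unless the password is supplied, which is the access-pattern compromise chandlerc said he would accept.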

@jann @DanielaKEngert @anteru Ooo, nice, I had missed this in prior perusals of Posteo's website.

Someone else pointed at tuta.com as also having this.

I would love to hear from the cryptographic community the current assessment of these two companies' approaches.