
Which Secure Email Provider Is the One For You?

As privacy consciousness has increased, phrases like “zero knowledge” and “end-to-end encryption” have become buzzwords of sorts. Many businesses, products, and online services have sprung up in the wake of Edward Snowden hoping to get a slice of the rapidly expanding market for privacy-enhancing technology. But which ones are all talk and which deliver? Let’s take a look at a few email providers who might fit the bill.


ProtonMail

Started in 2013, ProtonMail specifically cites Edward Snowden as an inspiration for their service. They make a big deal out of two things: the fact that they are based in Switzerland, and their two-password system. The gist is that ProtonMail is marketing itself as the "Swiss bank account" of email providers. Indeed, they say just that on the page detailing their security measures: their servers "are colocated in some of the same secured and guarded datacenters used by Switzerland's famed private banks". Elsewhere they boast of a "secure datacenter facility hidden inside a Swiss granite mountain" and that this is a "former military command center deep inside the Swiss Alps". Physical security of the datacenter says nothing about whether the provider can read your mail, so the more interesting question is what happens to the keys.

This all sounds very impressive, but what is the nitty gritty? The touted two-password system works as follows. The first password logs the user into their account; it is checked by ProtonMail's servers and is the only one of the two they ever see. Login leads to a page titled "Decrypt mailbox" that prompts for a second password. This password derives the AES-256 key that decrypts the user's 2048-bit RSA private key, which in turn unwraps the per-message session keys that decrypt the mailbox (the usual OpenPGP hybrid scheme: RSA protects a random symmetric key, the symmetric key protects the message). The decryption happens entirely in the client's browser in JavaScript, so the passphrase protecting the secret key is never sent to ProtonMail. The client is built on OpenPGP.js, a JavaScript implementation of OpenPGP. The caveat is that the JavaScript doing the decrypting is served by ProtonMail on every visit: the design stops a passive reader of the stored mail, but it still relies on the client code they deliver being honest, a trust assumption the comments below return to.

ProtonMail is still in beta, but the user experience is on the whole very smooth and mature. There may be a short wait if you request an account at the moment, as a sudden spike in popularity coinciding with their Indiegogo campaign maxed out their servers.

In the meantime many features are in the pipeline. While they strive to make encryption and decryption invisible in the name of usability, optional key management is on its way, allowing users to import the OpenPGP public keys of non-ProtonMail users so that encrypted mail can interoperate with other services. Aliases are also coming soon.

If you and a non-ProtonMail user can agree on a passphrase beforehand, you can also exchange end-to-end encrypted messages with people who have no knowledge of cryptography whatsoever: the message is encrypted symmetrically under that passphrase rather than under a public key, so the recipient needs no key of their own, only the secret you agreed on. ProtonMail's code is not yet open source, but they have announced plans to release it in the future.

Tutanota

If you're looking for a service that's a little more mature than ProtonMail, the German provider Tutanota may be for you. Founded in 2011, they officially left beta on 24 March 2015. Notably, Tutanota does not use the popular PGP method for encrypting messages. Instead, they explain, theirs is a custom scheme built on 2048-bit RSA keys and AES-128, chosen, they say, because PGP does not encrypt the subject line of emails (a genuine limitation: OpenPGP protects only the body and attachments, and headers travel in the clear). If you are wary of cryptography that is less tried and tested, some reassurance may be found in the fact that Tutanota, unlike ProtonMail, has already open sourced its code. Tutanota also has apps for iOS and Android, and a plugin for Outlook, so that users don't have to access their accounts through a web browser, all developments that are still on the cards for ProtonMail.

However, Tutanota logs users in and decrypts their mailboxes using the same passphrase, so there is no separate secret that is guaranteed never to reach the server; a little more trust is therefore required if you are to believe the claim that they can't and won't access users' messages. Nonetheless the user experience is just as smooth as ProtonMail's, and Tutanota also allows passphrase-encrypted exchanges for private correspondence with users of other services.

If you need an account immediately, Tutanota is probably the best choice, as there is no longer a waiting period. When creating your account you can also choose from a variety of domains: tutanota.de, tutanota.com, tutamail.com, keemail.me, and my personal favourite, tuta.io. Tutanota warns that the account creation process freezes if you use Tor Browser on Windows, so watch out if that is your intention; they are working on a fix.

Lavaboom

Also from Germany is Lavaboom, which started in 2013 and might be described as a cross between ProtonMail and Tutanota: it uses OpenPGP.js but a single-password system. The similarly named Lavabit famously shut down rather than hand over its TLS private key to the US government during its investigation of Edward Snowden's leak. Lavaboom, which appeared shortly afterwards, is clearly named in its honour.

Lavaboom has opted for 4096-bit RSA keys, twice the length of ProtonMail's and Tutanota's. The extra length buys a margin against future factoring advances, though 2048-bit RSA is still regarded as adequate today, so key size alone should not decide the matter; if a larger key is the most important thing to you, this may be the best choice. When creating your account you choose between "Lavaboom sync", meaning Lavaboom's servers store your private key in encrypted form, and saving your key only in your browser's cache. The downside of the latter is that if the cache is wiped you will no longer be able to read your email unless you have saved a backup of your key and re-upload it when you next log in, so be careful that you don't lock yourself out of your inbox by destroying your key.

I did find that Lavaboom's user experience isn't quite as mature as Tutanota's and ProtonMail's. When creating my account, and sometimes when logging in using Tor Browser on Linux, the loading page freezes at "Initializing OpenPGP.js", requiring me to refresh the page until it works properly. Nonetheless, Lavaboom is still in beta, so we can expect quirks like this to be ironed out. I hope that in the process the choice between caching your keys and using Lavaboom sync is made clearer, as it was initially a bit confusing for a provider whose aim is to make encryption easy. Still, it could be appealing if you want more fine-grained control than ProtonMail and Tutanota offer.

Honourable Mentions

You may notice that not only do the three providers reviewed here all use JavaScript-based encryption and decryption, but they are also all hosted on the clearweb. Though they are Tor-friendly, you may be looking for providers that host their own Tor-hidden services.

If so, Lelantos, a cheap paid service on Tor, may interest you. It is a little more advanced than the other three, but it offers some useful features, such as letting users upload their own public key so that any unencrypted email that arrives is encrypted under that key on entering the server. This protects mail at rest but is not end to end: the server handles the plaintext on arrival, and a compromised or compelled server could copy it in that moment, so it is much better if the sender encrypts before sending. Still, it is preferable to no encryption at all. Members can also register over 100 aliases and create temporary addresses. A lifetime account costs 0.136 BTC, or about $32.

Sigaint offers both a free and a paid version of its service. Their upgrade page explains the difference between the two plans: a $30 lifetime subscription grants you increased storage, SMTPS/IMAPS/POP3S support, full disk encryption, easier PGP integration, Bitmessage support, and priority customer service.

Ruggedinbox.com is a fully free email provider offering both clearweb access over TLS and a Tor onion site. If you'd like a privacy-friendly provider and don't mind managing your own PGP keys, this is an attractive choice. IMAP, POP3 and SMTP are all free of charge, and you can also create temporary accounts with a pre-set expiry date. When logging in to webmail you can choose between the JavaScript-free SquirrelMail and the more modern Roundcube, which requires JavaScript. While free, users are encouraged to donate to the BTC address on the homepage. RuggedInbox also sells VPSes to those who want to run their own private email servers.

While it may be a nuisance, the best security always comes from being in control of your own private key. Services that simplify key management sacrifice much of that control, but for the purpose of emailing people with no knowledge of cryptography, the gain in security and privacy over providers like Hotmail or Gmail is still significant. So if all you want is to go about your daily activities with greater privacy, providers like ProtonMail, Tutanota and Lavaboom offer you just that. For extraordinary protection, never trust your key management to a third party.

37 comments

  1. Nice start on the article. The website link I included can be used to add more depth.

    • Protonmail is from CERN.
      CERN has been active on the Higgs boson particle since 1954, with over 12000 people now.
      The annual report states the same every year.

      Boson/Higgs for over 60 years.
      Germany spend a few hundred billion euro’s as did France and Italy and England.
      They are only dancing at CERN.

      What do nuclear scientists know about the security of email?
      It does not make any sense.

      CERN has to be a dark secret agency, working against your security as they have always done.

      I’ll bet you, they made a backdoor in Protonmail and read all content of your mails.

      • sweety

        It does not make any sense.

      • What is this, Stein’s;Gate?

        Background radiation from the LHC could possibly be used as “randomness” for encryption algorithm keys.

        I'm not sure if they actually use it for that, but there's a good chance that they aren't reading all your emails through a backdoor. And if they are, what makes you certain that the other email providers listed here aren't doing something similar?

  2. #1 i2pbote. server-less end-to-end encrypted email. SMTP POP3 enabled.

    #2 i2pmail. postman has been operating this i2p anonymous email service since 2004 far longer than anyone else by a wide margin. This service can send and receive emails from the clearnet.

    But don't expect any coverage. Keep on pimping clearnet services and pretend that i2p doesn't exist. Just know that you are categorically wrong; this article clearly lacks research.

    • DeepDotWeb

      I’d actually love to have an article reviewing I2p based services – i think the author wasn’t really familiar with them. if you want to provide such article, contact me.

      • Maybe I'm being a little harsh. But I think my concerns are valid. I enjoy reading DeepDotWeb. I truly, greatly appreciate coverage and insight. However, I think this article is exceptionally poor quality.

        The article title is “Which Secure Email Provider Is the One For You?”

        I would assume from this that the writer has a privacy focus. However, the "recommended" email providers are closed-source JS clearnet services, in addition to not being familiar with many reputable existing services. If they totally ignored i2p that would be upsetting, but this article has many issues. Has he never heard of riseup or bitmessage gateways? Well then, why is he writing about something he knows little about? Publishing poorly informed opinions is harmful to the community and to the reputation of DeepDotWeb.

  3. “You may notice that not only do the three providers reviewed here all use JavaScript-based encryption and decryption, but they are also all hosted on the clearweb.”

    1) fuck javascript. haven't we learned our lesson the hard way already?
    2) fuck clearnet services. maybe you meant to submit to gawker or vice or something.
    3) what about riseup.net and bitmessage + email-bridges

    this article is total shit.

    dear editor, fire this crank.

  4. Use the Mixmaster network with QuickSilver Lite:

    https://www.quicksilvermail.net/

    Been around a lot longer than anyone else. Be sure to use with Tor.

  5. Here is much detailed table:
    prxbx.com/email/

  6. tutanota wants me to enable scripts? wtf?

  7. I recommend Sub Rosa Email from novo-ordo.com. They do not use javascript, they use only secure links, located in Panama, and have been around since long before anyone ever heard of Snowden.

  8. bunch of sites which require javascript or say they’re at user capacity and ask for your email to let you know when you can establish an account.

    safe-mail has cert fail (possible mitm).

  9. I found Invmail to be more secure when I compared it against ProtonMail etc. They also use 4096-bit RSA keys (invmail.io). They are in open beta, and they also offer private solutions as well as video/voice calls and messaging over encrypted channels.

  10. I have read that ProtonMail has joined FaceBook so it is no longer free from US intervention, i.e. it is no better than Gmail, Yahoo or any other server based in the US and so can be accessed by NSA etc. Is this correct?

  11. That is a decent list although it’s too bad it requires javascript to see it. :(

    Here is a nice list of Tor accessible hidden webmail services: https://www.reddit.com/r/emailprivacy/comments/3gf2ta/email_providers_with_onion_tor_hidden_service/

    And two other directories with a good list of privacy oriented email providers:
    https://www.privacytools.io/#email
    http://www.prxbx.com/email/

  12. Anoninbox.net / ncikv3i4qfzwy2qy.onion.top is commercial darknet mailserver with proxy to clearnet. No questions asked.

  13. The all is very attractive. How do you decide which to choose? I have in mind MailFence because it’s european and based on Belgium. But I hesitate..
    Someone can help me?

  14. Indeed an informative list, but it does not include some of the other remarkable players that do everything on the client side and truly provide end-to-end encryption (which by far is the only way that can ensure one's online data confidentiality and integrity during transit).
    Following are two of those outstanding services.
    > https://mailfence.com/ (a pure end-to-end encryption service – that does not only provide confidentiality and integrity but also authentication via the capability of digital signatures, based on OpenPGP – it provides user full control over their keys and does it all in a very user-friendly manner)
    > https://scryptmail.com/ (another nice end-to-end service – that provides great reliability and hot features like disposable email addresses etc, based on OpenPGP and has a nice descriptive interface)
    > https://riseup.net/ (one of the most famous group of people who are not only providing great privacy solutions, but also helping like-minded people to grasp their OpenPGP understanding in a better and effective manner)
    Now, the ultimate tool when it comes to OpenPGP and end-to-end encryption – is always have been GnuPG, though the reason it never really get lifted up is due to its complexity in terms of usability from a typical user standpoint (however, implementations like Gpg4Win, GPGSuite, Seahorse does come in handy).
    Lastly, the article is not bad at all, the only loose-end is not mentioning some of the key players. Nevertheless, it always drops down to one’s preferences and requirements (I personally use mailfence which is free, interoperable, without ads, completely locally hosted and provides an entire collaboration suite i.e. messages, contacts, calendar, documents, polls, tags ….)
    Again, its a matter of personal preference and the extent to which one understand end-to-end encryption technologies (OpenPGP, S/MIME etc, which most of the people don’t) – that contributes in the rightness and wrongness of their online privacy decisions.

  15. Why is there no mention of Ghostmail?

    • Dear GhostMail user/visitor,

      GhostMail in its current form will be closed down as of 1 September 2016.

      Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people – it’s simply not worth the risk.

      In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment.

      We hope you understand this decision and we refer to other free services available, as an alternative to our platform i.e. Protonmail.

      Best regards,

      The GhostMail Team.

      If you are interested in our enterprise solution, please click here.

      https://www.ghostmail.com/info

  16. How come the ones that seem more secure don’t have imap?
    Is it not possible to have both security / encryption and imap?
    Thanks.

  17. RIP @aol.com when before people became drones

  18. TOPIC: PROTON MAIL

    I have been using Proton Mail for over a year. What has made me greatly dislike it is when I changed my passwords because I thought I had been hacked. It encrypts ALL YOUR MAIL so you cannot see it ever again. They tell you that if you go back to your old passwords you can see your old mail again (odd?). Not true any more.

    So everything you thought you were putting in a secure place is destroyed on 1 simple password change. Nothing transfers over with your new passwords

    I have questioned them about this several times and this is how they say their system now works.

    Lastly – and minor – their font is small and light grey and hard to see when reading mail. Minor but a pain. You cannot change the color or the size.

  19. I have also been using ProtonMail…especially because of their superior 2-password entry requirement. I’d always recommend using “3-4 word dice passwords” to access ANY of the email services. The longer and “stranger” the password, the safer the user. Like the last person’s comment, I hate being forced by Proton to small font. Such a simple fix! Otherwise, I feel most safe with this Swiss email provider. I’m using their free version and plan to move to the paid version when they fix their font problem.

  20. ruggedinbox.com and lavaboom don't exist anymore... also, protonmail routes all traffic through the network of "Bynet Data Communications", an Israeli firm for traffic analysis, network exploitation of users, cryptographic monkeying etc., and should be avoided because of that.

    • Put some substance to your claim about Bynet Data Communications. Your statement can be said of many intermediaries, but are they all doing erroneous things? We won't really know unless there is tangible proof. Your statement can be true for any highly secure email service. It's data; it routes through lots of places. It all comes down to securing that data, and that is what any topic of this kind is all about.

  21. ProtonMail looks nice. Sigaint seems a little sketchy, but it might work for some people. I've used it just to talk to people. Legit vendors often request that you use something specific, and you have the choice to just go with it or find another vendor. Fortunately, they usually don't ask you to use hushmail or something stupid. If so I probably wouldn't be writing this post now.

    When conversing with people on the darknet, it’s my opinion that it’s best to move around and change usernames at the very least and also e-mail providers, but only use the good ones (although if one is hacked you might not know until it’s too late). I tried out protonmail, but never really found people to talk to on it. Not that people have to share the same mail client, but sometimes it’s good to use what the vendor does to give them more confidence.

    On sagiant, I’ve talked to a few vendors. I can honestly say I’ve never done a private sale off the markets (excluding IRL of course). A lot of people do most of their business through email and a few people used encrypted IM. It makes sense. Cut out the big server, although that server is like ebay giving the vendor a seller rating. A buyer rating can also help too for escrow purchases. I don’t know much about the multi-sig escrow option or if it requires a server, but I should look into that. Then again, if you find a good vendor, sending them the BTC up front is not a big deal. It’s just finding new people that can be costly and dangerous. The main advantage to the markets is seller ratings, I think and the fact that vendors can make more sales of course.. Otherwise private sales through email or secure IM might be the way to go.

    I haven’t heard of many people using IM, but with the OTR plugin (off the record) it gives you encryption on top of a plain text protocol such as gtalk, or even shit like aim, facebook and servers you’d steer clear of otherwise. It’s a little buggy, but it uses key based auth and seems to do the job.

    If certain markets get shut down, there will be an influx of people doing private sales. Lots of people will get ripped off, but a rating system like grams is a good solution. Then again, dealers will be targeted by law enforcement if they just give out their e-mail. Things will get a lot more private. Right now is probably the time to try to get an email or a connection method for the vendors you care about using. One day you just might not be able to get in touch with them! Maybe doing this before the election is over is a good idea.

    Maybe vendors should share their PGP public key on grams and then tell people which email providers they allow, obviously telling users they have to GPG encode all messages they send and if they can’t figure out how to do that, then they’ll have to get back on the internet and learn more.. Giving out their email alone might not get them busted, the darknet scene is big but I think the government agencies are still mostly after the big fish.

    While people are often changing their screen names, some people keep it the same just for their reputation.

    Using GPG is really not that hard. I don't claim to be a guru, but I could definitely conduct business without the need for a market. The only thing I'd need is a good place to buy BTC. I wish I also knew more about monero because it allows you to be your own node to avoid the blockchain. They need to add some monero tools to the tails iso. I know of IRC channels where you can get bitcoins using various methods. I've also read about some ways to do it on sites that let you buy lots of currencies. Grams has a good tutorial on that. It tells you how to buy credits for second life, then eventually convert them to bitcoins. Then I think you'd still need to mix them, but that is still perfectly legal.

    I’d like to know of other secure and legit websites for buying and moving around BTC. I hear there are kiosks in cities that let you feed money in the machine and it gives you a wallet ID that you can scan via QR code (or just type in the number that it probably prints). That would be sweet to use, but I’ve never seen one of those kiosks, I’ve just heard about them on the news.

    Anyway, we should take advantage of things while they are like this and prepare for a massive crackdown. They’ll never stop online dealing, and I think that tor + a vpn as well as cryptocurrency is the way to go.. It’s not like we should revert to using greendot money packs again. Those worked for a little while. I don’t know what their legit purpose was. I mean you could already get a CC gift card..

  22. I think that a lot of darknet transactions will go underground via secure email and also encrypted IM. I wrote this huge message, but I lost it, anyway, it just says that you should probably get in touch with the vendors you deal with now and see if they’re willing to talk about what to do if the market you use with them goes down. Especially with the US election coming up.

    Vendors could choose to give up an email address publicly (or just give them out privately to trusted people and make it like an invite system) then have their public PGP key posted on a site like grams and force GPG communications of course. The same could be done with IM clients, although if you use OTR, adding another layer such as GPG might even be overkill, but it can’t hurt. You email/IM the person, share keys, and the vendor sends you their menu and you take it from there. They can also let you know what they accept for cryptocurrency such as just BTC, Monero and the other ones that exist.

    It’s easy enough to use and manage GPG on your own in Windows, Linux, or OS/X. However, I’d like to learn more about Monero. From what I understand, it basically lets you run your own node so you don’t have to show up on the blockchain and I assume you’d run it through onion of course. They’ll have to build some tools into Tails Linux. I guess you can also just get a wallet, then I’m not sure who’s node you’re using.

    I remember doing this so many different ways, first just wiring money, then getting the greendot money packs, then finally using cryptocurrency plus tor. That seems to be the best combo, especially if you can throw a VPN in the mix and keep it as secure as possible.

    I’d like to know about some sites that let you buy BTC, don’t rip you off and don’t ask for a lot of personal info. I know you can use IRC to get BTC trading various ways, but that can be a hassle and more dangerous than just using websites as far as losing your money and getting busted. Grams (the best rating system for vendors) and grams helix (a good BTC mixer) has a tutorial on how to use some site and buy second life currency, then follow a bunch of steps and eventually turn everything you bought into BTC making it harder to trace. I think you’d still need to mix the coins, but I’ll have to find that tutorial again. It might be on reddit too. Most things are.

    Also, I heard there were kiosks that let you buy bitcoins and you could insert money. I guess it gave you a wallet ID printed on paper and it also included a QR code for security. I don’t know if it also just gave you the wallet ID too or what.

    They can shut down the markets, but trading on the darknet is not going to stop, it will just make it so only the more tech savvy people can do it. Eventually more tutorials will come out, and things will have to change again. I’ve watched things evolve for years, but BTC + TOR (+VPN) has stayed about the same since SR1.. I’d also like to learn more about multi-sig escrow.

    Cutting out a market would be sweet. Of course you’d have to trust the person you were buying from, but a market just gives you an ebay like environment where the vendor has a seller rating, grams already has that. I could see people still giving ratings, but not talking at all about how they did the transactions. That might be the future of the darknet.

    I need to learn a bit more about BTC, GPG is easy, but I want to know how you can still transfer BTC wallet IDs and how you own them temporarily, and then the ID is put back into the pool. I guess I just don’t know the sites to use to transfer BTC from wallets other than the few sites I do use.. To be honest, I don’t fully understand that whole process but I do understand maybe 67% of it and would definitely learn if all the markets were shut down. Online trading could definitely survive that. It’s like stopping napster or something stupid easy. You end up having to just do things the more in-depth way and new methods like torrents came into the picture.

  23. IMHO anything that needs a script to run is not trustworthy. The only way to go is an IMAP config with a secure socket layer (SSL). You can add further security using digital certificates or whatever else you choose to run locally on your OS. GMX.com (German mail exchange) will allow multiple IMAP configurations within your email client, of which I prefer the Thunderbird email client. There has been so much ransomware executed through web-based scripts which encrypt your HD and hold your machine hostage. Keep in mind this only happens in Windows. So therefore I do not trust anything www.
    I liked the internet when it was simple before the www using NNTP usenet. I am an old timer and still remember the dot com boom like it was yesterday Win NT 4.0 Win 3.1
    Novell Network OS. Man what have we become. A bunch of zombie phone drones….. borrring !! lol

  24. mailfence is a disaster. I couldn’t even login to my trial account. 20 emails back and forth to support yield nothing. POS.
