[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: e-mail and anonymity
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 17/08/08 12:46, Charles.F wrote:
> So what good free e-mail webmail account would you recommend for most
> practical use and best anonymity ?o
I recommend (and use) lavabit's services (see: https://lavabit.com).
They have a webmail interface that doesn't require javascript (although
cookies are required for technical reasons). And of course they use
https, so all communication with their servers are encrypted and
authenticated.
For free you'll get 128 MB storage and no advertisements (neither in the
interface nor injected in mails). If you don't care about ad injection
(beware that it breaks detached PGP signatures) you could go for a free
account with 1024 MB of storage. They also have pay subscriptions with
additional storage and features, but that's a no-no for anonymous usage.
In addition they also have a pretty nice privacy policy, but I'm not
sure how much that's worth since they are operating in the US (a
non-western country is to be preferred IMHO). So, as always, use
end-to-end encryption (Firefox+FireGPG works in an acceptable manner
with their webmail interface). Lastly, I'm pretty sure I confirmed that
they use MTA TLS (encrypted server-to-server transport) but that's of
course completely worthless compared to end-to-end encryption.
Personally I prefer using a real email client (lavabit supports POP3,
IMAP and SMTP, all with optional SSL) as that gives superior PGP
integration among other things. From my investigations, Thunderbird
using the old Torbutton 1.0 series works pretty nicely. Note that
without Torbutton you will leak your host and/or real IP address to
their server's in the HELO/EHLO messages. Useragent and other things can
be set manually in the config editor to whatever is thought less
identifying than the truth. Note that lying about email client might
only attract additional suspicion as it's probably possible to identify
Thunderbird just by looking at how it creates the email headers.
One problem with this approach is that there are only a handful of exit
nodes that accepts smtp(s), so sending mail might need a few retries
and/or building new circuits sometimes, but mostly it just works.
I wouldn't trust using email clients in combination with Tor if my
personal life depends on that I remain anonymous though. More research
is definitely needed in order to rule out or identify (and mitigate)
additional possibilities for leaks. YMMV.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAkioO7wACgkQp8EswdDmSVj8NACfdgbT/akPr2Mj0ejpI75IT+5h
2+0AnjswGZ0YkyDxEVeaU9gjYuULdPIA
=Fg+n
-----END PGP SIGNATURE-----