Grizzled long-time Tor user here. I seek basic, reliable POP/IMAP/SMTP service with an option to use my own domain (to avoid lock-in with a provider), from a well-established provider who will not likely disappear *and* will never block my account for Tor logins, demand selfies with gov-id, etc. I am willing to pay a reasonable amount, because TANSTAAFL. I will NOT use credit cards, Paypal, or any such horrible monstrosity. Here is what I found so far. The following list is not in any way intended to be comprehensive. I've spent many hours searching the web, winnowing things down. I invite discussion. Observed TLSA (DANE) implementation status is listed, due to this being (unfortunately) the only standardized means to prevent STARTTLS downgrade attacks. When multiple currency-of-account options are offered, I list prices in the currency most favorable to the user at current exchange rates. Much as I can, I try to list the effective *actual* cost to the user, per month, if paid on an annual basis. This may differ from the advertised price. I am not affiliated with any of the below-listed companies; I receive no compensation if you sign up for any of them. Without further ado, here is my current shortlist: # https://mailbox.org/en/ - Effective price: €1.01/month (€1 + 1% Bitpay fee; prepay annually) - By: Heinlein Support GmbH - Jurisdiction: Germany (EU; Fourteen Eyes) - .onion site (POP3/IMAP/SMTP/XMPP; no web): kqiafglit242fygz.onion - Working DNSSEC/TLSA: https://dane.sys4.de/smtp/mailbox.org I found this through the Tor trac,[0] which is probably the very best advertising for them. Everything looks pretty good from a technical perspective. Price is reasonable. I like how the signup form asks for a name, but explicitly says it does not need to be your "real name". Though I have not yet tested this, it looks like you can attach one domain to the account for each alias; and the €1/month account provides three aliases. This could make a cost-effective home/work identity solution for an individual with a limited budget. A 30-day trial account limits features, but allows POP/IMAP/SMTP access. I will give this a spin, and pay them money if it works out. I do wish that they were not in a Fourteen Eyes country. [0] https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor # https://mailfence.com/ - Effective price: About $3.25/month (prepay annually) - By: ContactOffice Group sa - Jurisdiction: Belgium (EU; Fourteen Eyes) - .onion site: Promised, but not actually existing.[1] - No DNSSEC, thus no TLSA: https://dane.sys4.de/smtp/mailfence.com Before I found mailbox.org, I signed up for this and almost paid for an account. For the most inexpensive account, I was offered payment options of €2.50/month or $2.77/month, both paid annually. That exchange rate is moderately favorable to USD; so I selected $2.77/month. *Then*, I saw the amount of Bitcoin they demanded: 0.005142968 BTC, allegedly for $33.30. That works out to a Bitcoin exchange rate of $6474.86/BTC. At that exact moment, my desktop ticker was showing an average exchange rate of $7591.24/BTC. Thus, they offered me a HORRIBLE exchange rate, almost 15% under market! This makes the effective account price $39.04/year, or $3.25/month. How many people use a desktop calculator to check the exchange rate? Well, you need to wake up pretty early to fool me. Mailfence's free accounts do not offer POP/IMAP/SMTP access; so I am unable to fully test their services without paying. I prefer Mailbox's arrangement with a time-limited trial account. I am totally uninterested in webmail; how am I supposed to test a service without POP/IMAP/SMTP access? [1] https://blog.mailfence.com/send-email-anonymously-mailfence-tor/ Text: "Note: we also plan to release an onion domain for Mailfence in the future." Comments: "Yes, we do plan to provide a Tor hidden service. However, this currently is not in our priority list." (2017-02-27) # https://protonmail.com/ - Effective price: $4.00/month (prepaid annually) - By: Proton Technologies, SA - Jurisdiction: Switzerland - Standard PGP, standard algorithms: No homebrew crypto! - Can communicate with GPG users. - POP/IMAP/SMTP access requires "Bridge" proxy software. - .onion site (mail login only): https://protonirockerxow.onion/login - DNSSEC, but no DANE/TLSA: https://dane.sys4.de/smtp/protonmail.ch Ok, everybody knows Protonmail. As a longtime PGP/GPG user, I love Protonmail 3.14 because I can direct n00bs to it as a user-friendly PGP mail solution[2] which Just Works. However, it does not meet *my* needs. I need my local GPG. I need a dropbox which can be accessed through POP/IMAP and polled from my crontab, with sending via SMTP. No web browsers, no "Bridge". Also: The price is reasonable for the full-featured service they offer; however, it is way too high for the services I myself need. If Protonmail offered a no-frills POP box on their Swiss servers for $2/month, or even $3/month for a Swiss price premium, I would jump for that in a heartbeat. **PSA: Non-technical people, PLEASE sign up for Protonmail and STOP SENDING UNENCRYPTED PERSONAL COMMUNICATIONS.** Seriously. Die-hard Gmail fans I unsuccessfully badgered about this for years have fallen in love with Protonmail. It is that easy. [2] "Introducing Address Verification and Full PGP Support" (2018-07-25) https://protonmail.com/blog/address-verification-pgp-support/ # Hushmail (beneath linking) If you compromise your allegedly encrypted mail service even once, *ever*, even for the account of an alleged heinous criminal, then I will not even look at you. That just shows all your fancy software is so much security theater -- a waste of CPU cycles. AVOID. Mentioned only because a disturbing number of sites are still linking to this as "private e-mail". No, thanks. I would rather use Gmail and have my privacy raped openly, without illusions. [3] Many sites/articles, example: "Encrypted E-Mail Company Hushmail Spills to Feds" (2007-11-07) https://www.wired.com/2007/11/encrypted-e-mai/ # https://runbox.com/ - Effective price: About $3/month (prepaid annually), including a stamp - By: Runbox Solutions AS - Jurisdiction: Norway (EU; Nine Eyes) - No Bitcoin payments (they do accept cash in the mail) - No .onion site - No DNSSEC, thus no TLSA: https://dane.sys4.de/smtp/runbox.com Mentioned because I have experience with them. Some good, some bad. According to their support@, "Using Tor is no problem at all" (2017-03-01). User report: I never had any problems with Torified logins. They do have very good support. # https://unseen.is/ - Price: High - Jurisdiction: Iceland - Apparently custom crypto protocol (?) - Apparently no POP/IMAP/SMTP - No DNSSEC, thus no TLSA: https://dane.sys4.de/smtp/unseen.is Mentioned because Iceland. Does anybody know a reliable, well-established Icelandic company offering no-frills POP boxes for €1/month? I have searched... # (lots of results for search query "swiss e-mail") - Price: High - Jurisdiction: Switzerland (allegedly) - Other characteristics: ??? I stopped looking when I saw the price. I am willing to pay for e-mail; but my needs are very basic, and I do not want to be ripped off for a simple POP box. I listed this just to demonstrate a point: I searched for Swiss e-mail (to get outside E.U./Fourteen Eyes territories), and found a bunch of sites offering basic e-mail for $10-20/month. WTF? I know Switzerland is expensive; but it is not 10x as expensive as Germany! ---- Any good ones I missed? Please tell me, before I commit to something! Sent with ProtonMail Secure Email.
Attachment:
signature.asc
Description: OpenPGP digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk