the_simple_computer

A Resource for Infosocial Awareness

Free Webmail for Better Privacy

Updated June 21, 2016.

In the wake of 2013's Summer of Surveillance, demand for privacy-respecting email services has skyrocketed. Email is a dinosaur technology though, designed long before the word privacy was part of the internet's lexicon. Email as we know it today was never intended to obscure metadata or require end-to-end encryption. Message encryption was a rough afterthought and peer-to-peer connections aren't even possible with conventional email protocols.

Nevertheless, a handful of new services have given rise to what we could call Email 2.0. Or if you prefer, you could call it what email should have been 20 years ago. Open source PGP encryption and key management is being baked into conventional webmail, easily usable by the non-dedicated. Service providers are forcing browsers into HTTPS connections with forward secrecy and requiring encryption between other mail servers. IP addresses in mail headers are being left behind as well.

Today, reasonable privacy and security are possible with email and easier than ever, but we're pushing the limits of what the old protocols can be stretched to. A new breed of services is blending email, instant messaging and social networks with decentralized protocols and default-on encryption so as to be usable by anyone.

These advancements are sitting out toward the horizon though; accessible for the dedicated, but still maturing. Adoption and community support will be the biggest hurdles faced by projects like Bitmessage, Pond and Tent, and personal platforms like Enigmabox. Of course there are more than just these.

In the meantime, here is a list of email providers whose free services are a practical starting point (some more than others). There are reputable paid options as well, and any of these providers would welcome your donation. Regardless of your choice, know that no service or technology can address the root problem of mass surveillance. They are only forms of sidestepping it.


Autistici/Inventati

https://www.autistici.org

Advertising: No
Aliases: 5
Allows signup through Tor: Yes
Attachment size: 10 MB
Authentication: SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs test results – autistici.org, mail.autistici.org.
HTTP Strict Transport Security (HSTS): No
Import/export address book: CSV, vCard
Inactive account termination: 180 days
Inbox size: Unlimited (within reason)
Location: Organization in Milan, Italy. Servers with Copyleft Solutions in Oslo, Norway, XS4ALL in Amsterdam, Netherlands and OVH in Paris, France.
Mobile access: Main site
POP3, IMAP: Yes
Requires JavaScript: Yes
Spam/Virus filtering: Clam AV, SpamAssassin
Terms of use & privacy policy: Link
Your IP address in mail headers: No, webmail and SMTP.

A/I is a small organization in Italy which was started and is managed by volunteers. In addition to email, an A/I account includes XMPP and VPN access and you can also ask for web hosting. You get a choice of about 25 different domains, Roundcube is used for the webmail interface, two-factor authentication is offered and you can temporarily suspend your account if you think you won’t use it for more than 6 months.

A/I does not store server logs and their SMTP headers also filter out mail client user agents. A/I uses its own self-signed TLS certificate; while this is not necessary for email, the certificate must be installed on your computer to use their XMPP or VPN services.

You must request an A/I account and because you'll receive a response with a temporary password, you need to provide an email address that won't quickly expire. A/I account passwords are limited to 60 characters and may not contain special characters. A password can be recovered from a link on the login page and to close an A/I account, you must contact them.


GhostMail

https://www.ghostmail.com/

Advertising: No
Aliases: No
Allows signup through Tor: Yes
Attachment size limit: 20 MB
Authentication: DKIM, DMARC, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: No
Inactive account termination: 12 months
Inbox size: 1 GB
Location: Headquartered in Zug, Switzerland, branch office in Copenhagen, Denmark. Servers with Bahnhof AB in Stockholm, Sweden.
Mobile access: Main site. Android and iOS apps in development.
POP3, IMAP: No
Requires JavaScript: Yes
Spam/Virus filtering: No
Terms of use & privacy policy: Link
Your IP address in mail headers: No


GhostMail provides an end-to-end encrypted email, chat and file storage service which boasts zero-knowledge architecture and overall priority of user privacy. GhostCom, the company which formed behind GhostMail, is funded by its ("wealthy" says the FAQ) owners and paid services will be offered shortly.

GhostMail uses a proprietary backend and open source frontend to encrypt messages and uploaded files with AES-256 and RSA 2048 for key exchanges. Message body, attachments and metadata are encrypted between GhostMail accounts and an overview of their crypto processes can be found here. While GhostMail cannot yet receive emails from non-GM accounts (this will change shortly), unencrypted mail can be sent to them. MailChimp's Mandrill is used for this, as well as account email notifications, but GhostMail is working on their own system to take Mandrill's place in their mail stack.

The mail service gives you HTML composing, carbon copy and blind carbon copy sending. Messages to other GhostMail addresses can be set for self-destruction with a range of 1 hour to 7 days. You can view sent messages, save drafts and mark messages with Starred or Business tags, but there is no option to view or compose messages in plain text (non-HTML). No trash either, so messages are deleted immediately. GhostBox, the file storage end of GhostMail, shares storage space with GhostMail messages.

In an account's Settings you can change time zone and your password, disable auto-add for contacts, set up two-factor authentication for Android and iOS using Google Authenticator, and add an additional email account to be notified when you receive messages to your GhostMail account. You can also add an HTML signature to messages. GhostCom provides a warrant canary and transparency report. To close an account, follow the instructions on their help page.

Unique to GhostMail is their High Frequency Erasing process (see Data Deleting in the link). When you delete a message or contact, or log out of your account, that hard drive and memory space which was previously used is overwritten "multiple times" on their servers to ensure no remnants survive the session. GhostMail underwent a security audit in February 2015 by a Danish IT security company and the result was a positive review.

Messages contain a GhostMail tag line at the bottom with a link to their website. In mail headers to non-GhostMail addresses will be an X-Mandrill-User ID. Since Mandrill is a separate mail service, GhostCom has an account with MailChimp to provide that service. The Mandrill ID is that of GhostCom's Mandrill account. It will be the same across all GhostMail addresses but only present when sending to outside mail domains. GhostMail is still in Beta and additional features are on the roadmap.


Lavabit

https://lavabit.com - Lavabit is gone for the foreseeable future after legal battles with the United States government. The founder chose to pull the plug rather than "become complicit in crimes against the American people." All respect to Ladar and good luck.


Mail.Ru

https://www.mail.ru

Advertising: Yes, not mail content-aware.
Aliases: No
Allows signup through Tor: No
Attachment size limit: 25 MB in mail messages, up to 1 GB on cloud.mail.ru.
Authentication: DKIM, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results - mail.ru, e.mail.ru.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: CSV, vCard
Inactive account termination: 6 months
Inbox size: Unlimited
Location: Headquartered in Moscow with offices throughout Russia. Servers at LLC Mail.Ru in Moscow.
Mobile access: https://e.mail.ru/, Android and iOS apps.
POP3, IMAP: Yes
Requires JavaScript: Yes
Spam/Virus filtering: Kaspersky
Terms of use & privacy policy: Link
Your IP address in mail headers: Yes, webmail and SMTP.

Mail.Ru is a popular online services provider in Russia and Eastern Europe. They’re Russia’s biggest email service and do online gaming, search, news, ecommerce...there’s a long list. Mail.Ru owns both Vkontakte and Odnoklassniki and it's available in the languages of ex-Soviet areas, English, Romanian and Spanish.

You get a calendar, file storage and there's the option of using a security question or phone number for password recovery. An additional email isn't required to sign up. There are options to only allow one session, only allow signin from a single IP address and others for displaying info about the most recent session. The Mail.RU Agent, a messaging service, has its own security and privacy settings. To close an account, Mail.ru has a link but if you then try to log back in within 3 months, the account will be reactivated.

Of interest could be that Mail.Ru was one of the foreign email providers specifically shown in the United States NSA’s XKeyscore training slides. It's also mentioned again in a presentation from a 2012 conference which mentions the "moderate" risk Mail.ru poses to SIGDEV operations (page 20).


Mailoo

https://www.mailoo.org

Advertising: No
Aliases: Yes
Allows signup through Tor: Yes
Attachment size: 5 MB
Authentication: SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results – mailoo.org, mail.mailoo.org.
HTTP Strict Transport Security (HSTS): Yes (webmail access only).
Import/export address book: CSV, vCard
Inactive account termination: Yes (time not mentioned)
Inbox size: 1 GB
Location: Servers with Online SAS in Paris and Lost Oasis in Marseille, France.
Mobile access: Main site
POP3, IMAP: Yes
Requires JavaScript: Yes
Spam/Virus filtering: No
Terms of use & privacy policy: This and a general terms of use on the registration page.
Your IP address in mail headers: Webmail, no. SMTP, yes.

Mailoo exists to be a privacy friendly email service running entirely on free and open source software. Roundcube is the web interface which includes the OpenPGP plugin and Mailoo removes user IP addresses from mail headers, but only for webmail. Their SMTP server does remove the mail client’s user agent. You need to wait up to 24 hours for your account to be approved because they want to check that the address meets "certain ethical standards." To close an account, you must contact Mailoo.
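Several entries above turn on whether a provider strips the originating IP address and the mail client's user agent from headers. Here is an added Python example (not from this page or from any of the providers) that inspects the submission hop of a raw message; the two messages are constructed samples, with documentation-range addresses standing in for routable ones.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample 1: submitted through SMTP by a desktop client, with the
# provider leaving the client's address and User-Agent in place.
SAMPLE_SMTP = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTPS; Tue, 21 Jun 2016 10:00:00 +0000
Received: from [192.168.1.20] (cpe-203-0-113-45.example.net [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTPSA id ABC123; Tue, 21 Jun 2016 09:59:58 +0000
From: alice@example.net
To: bob@example.org
Subject: test
User-Agent: Mozilla/5.0 Thunderbird/45.1.1
Message-ID: <abc@example.net>

hello
"""

# Constructed sample 2: sent from webmail by a provider that records only its
# own loopback address for the submission hop and adds no client headers.
SAMPLE_WEBMAIL = """\
Received: from webmail.example.org (localhost [127.0.0.1])
\tby mail.example.org (Postfix) with ESMTPSA id DEF456; Tue, 21 Jun 2016 09:59:58 +0000
From: alice@example.org
To: bob@example.net
Subject: test
Message-ID: <def@example.org>

hello
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Headers that identify the sending software or machine when present.
CLIENT_HEADERS = ("User-Agent", "X-Mailer", "X-Originating-IP")
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK = ip_network("127.0.0.0/8")


def classify_ip(text: str) -> str:
    """Bucket an IPv4 literal as loopback, private (LAN), routable or invalid.

    Classification is done here by explicit ranges so that the 203.0.113.0/24
    documentation range used in the samples counts as routable.
    """
    try:
        ip = ip_address(text)
    except ValueError:
        return "invalid"
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in INTERNAL_NETS):
        return "private"
    return "routable"


def inspect_origin(raw_message: str) -> dict:
    """Report what the headers reveal about the submitting client.

    Each hop prepends its own Received: header, so the last one is the
    submission hop written by the sender's provider; that is where the
    client's IP address shows up unless the provider masks it.
    """
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    origin = " ".join(hops[-1].split()) if hops else ""
    ips = IPV4_RE.findall(origin)
    return {
        "origin_hop": origin,
        "routable_ips": sorted(ip for ip in ips if classify_ip(ip) == "routable"),
        "private_ips": sorted(ip for ip in ips if classify_ip(ip) == "private"),
        "client_headers": {h: msg[h] for h in CLIENT_HEADERS if msg[h] is not None},
    }


def leaks_sender_identity(raw_message: str) -> bool:
    """True if the origin hop or extra headers identify the sender's machine."""
    report = inspect_origin(raw_message)
    return bool(report["routable_ips"] or report["private_ips"] or report["client_headers"])


if __name__ == "__main__":
    for name, sample in (("SMTP client", SAMPLE_SMTP), ("webmail", SAMPLE_WEBMAIL)):
        print(name, inspect_origin(sample))
```

To check your own provider, send yourself a message from webmail and from an SMTP client, save each with full headers and pass the raw text to inspect_origin.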

mailoo.org redirects to HTTPS but does not use HSTS; only the webmail server (mail.mailoo.org) does. The downside is that you must register from mailoo.org, so it is during the account's creation that you can be exposed to a man-in-the-middle attack. To remedy this, change your password immediately when you first log in at mail.mailoo.org. mailoo.org also appears to have an unconfigured cipher suite list on its web server, while mail.mailoo.org prefers AEAD suites. This isn't too big of a deal for modern web browsers, which always start by telling the server to pick the most secure cipher suite the browser supports. However, it could force older browsers into weak connections.


OpenMailBox

https://www.openmailbox.org

Advertising: No
Aliases: 1
Allows signup through Tor: Yes
Attachment size limit: 500 MB
Authentication: DKIM, DMARC, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: CSV, vCard
Inactive account termination: 6 months
Inbox size: 1 GB
Location: Servers with Online SAS in Paris, France.
Mobile access: Main site
POP3, IMAP: Yes
Requires JavaScript: Yes
Spam/Virus filtering: Clam AV, SpamAssassin
Terms of use & privacy policy: Link
Your IP address in mail headers: No, webmail and SMTP.

OpenMailBox is one of the new mail providers born since the Snowden leaks. The service is privately owned and makes strong claims about user privacy. OpenMailBox uses full disk encryption on its servers. IP addresses accessing the servers are logged and mail sent from a mail client will show its user agent, but some mail clients can disable it.

There are four components to an OpenMailBox account. First is Roundcube for webmail, including Roundcube's OpenPGP plugin with key generation/import/export up to 4096 bits in size. Keys are kept in the browser's DOM storage. Second is the User Interface, where you can expand your storage size as a paid service, create an @openaliasbox.org address as an alias, change your password or delete the entire account. Third is OwnCloud served by OpenMailBox which integrates with Android, iOS and desktop apps and allows you to import your own SSL certificate. Fourth is an XMPP handle.


Privat DE Mail

https://privatdemail.net (redirects to pvtdm.net) | https://ybfg5ma65ug63ipj.onion

Update August 2014: Servers are unreachable through http/s. It seems Privat has closed off to new accounts.


ProtonMail

https://protonmail.ch/

Advertising: No
Aliases: No
Allows signup through Tor: Yes
Attachment size limit: 10
Authentication: DKIM, DMARC, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: Import CSV and vCard.
Inactive account termination: None
Inbox size: 3 GB
Location: Company Proton Technologies AG and primary servers in Geneva. Redundancy servers also in Switzerland.
Mobile access: Main site, Android and iOS apps.
POP3, IMAP: No
Requires JavaScript: Yes
Spam/Virus filtering: Yes (spam).
Terms of use & privacy policy: Terms, privacy
Your IP address in mail headers: No

ProtonMail is the brainchild of a handful of CERN scientists and development continues as a joint effort between CERN (one source which gave us Scientific Linux) and MIT. In addition to open source libraries for AES and RSA, ProtonMail uses a JavaScript implementation of OpenPGP to encrypt mail (including attachments) and manage keys entirely in the browser. For messages to non-ProtonMail accounts, you encrypt with a pre-shared password. The recipient gets an automated message with a link which decrypts your message in their browser after entering the shared password. From ProtonMail 2.0, their front-end is open source.

A ProtonMail account has two passwords: Login (for the obvious) and MailBox to decrypt everything in your account. Encrypted messages can have a lifespan assigned in increments of hours. Inter-ProtonMail messages won't expire by default but encrypted messages to outside mail services expire after 4 weeks and mail sent as plaintext can't use this feature. Account settings let you set a display name, signature, mail labels, display layout and notification address. There are options for auto-loading images, auto-saving contacts, authentication logging levels and an area for password changes. Sent messages are capped at 1000 per month.

To get a ProtonMail account, you must submit an invite request. During signup (separate from the invite request), a second email address is required but this address can be changed or removed after the account is created. ProtonMail has a transparency report, HTML composition, a contacts list, mail drafts and archiving. To delete a ProtonMail account, you must write to them and ask for it to be deleted.


Riseup

https://www.riseup.net | .onion addresses

Advertising: No
Aliases: Unlimited but within reason
Allows signup through Tor: Yes
Attachment size limit: 2 MB
Authentication: DKIM, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results – riseup.net, mail.riseup.net.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: CSV, vCard
Inactive account termination: 6 months
Inbox size: 25 MB – 92 MB
Location: Organization Riseup Networks and servers in Seattle, United States.
Mobile access: Main site or SyncML
POP3, IMAP: Yes
Requires JavaScript: No (SquirrelMail option).
Spam/Virus filtering: Clam AV, SpamAssassin
Terms of use & privacy policy: Link
Your IP address in mail headers: No, webmail and SMTP.

Riseup gives you the choice of Roundcube or SquirrelMail, an on-screen keyboard for login, XMPP and even full VPN access. IP addresses are removed from mail headers, as are mail client user agents.

While the mail server's subdomain uses an HSTS header, the riseup.net domain itself does not. Instead, it's preloaded into Chromium browsers, Firefox and Safari. This means that help.riseup.net will be forced over HTTPS too. To open a Riseup account, you must either request one and be approved or know two people already with Riseup accounts who can send you invitation codes.
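The Mailoo and Riseup entries both hinge on the difference between a plain HTTPS redirect, an HSTS header, and a preload-list entry. Here is an added Python example (not from this page or from either provider) that parses Strict-Transport-Security headers and works out how a browser would enforce HTTPS for a host; the header values and the preload table are constructed stand-ins, not the providers' real configuration.

```python
from typing import Dict, Optional

# Constructed Strict-Transport-Security headers for the cases discussed in the
# text (values are made up; inspect a real host with: curl -sI https://HOST).
RESPONSE_HEADERS: Dict[str, Dict[str, str]] = {
    "mailoo.org": {},                                     # redirects only, no HSTS
    "mail.mailoo.org": {"Strict-Transport-Security": "max-age=31536000"},
    "riseup.net": {},                                     # no header, relies on preload
    "mail.riseup.net": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "example.org": {"Strict-Transport-Security": "max-age=600; includeSubDomains"},
}

# Stand-in for a browser's built-in preload list; the value is the
# includeSubDomains flag. Real lists ship inside the browser.
PRELOADED: Dict[str, bool] = {"riseup.net": True}


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value using RFC 6797 directive syntax.

    Directive names are case-insensitive. A policy without max-age is
    unusable, which a browser treats as no HSTS at all, so None is returned.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age" and raw.isdigit():
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def _scope(host: str) -> list:
    """host itself followed by each parent domain, excluding the bare TLD."""
    labels = host.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def _policy_for(name: str, responses: Dict[str, Dict[str, str]]) -> Optional[dict]:
    header = responses.get(name, {}).get("Strict-Transport-Security")
    policy = parse_hsts(header) if header else None
    return policy if policy and policy["max_age"] > 0 else None


def hsts_coverage(host: str, responses: Dict[str, Dict[str, str]],
                  preloaded: Dict[str, bool]) -> str:
    """How a browser that has seen these responses would force HTTPS for host.

    Returns "header" (host's own header), "preload" (shipped with the browser),
    "parent-header" (a visited parent sent includeSubDomains) or "none".
    """
    if _policy_for(host, responses):
        return "header"
    for name in _scope(host):
        if name in preloaded and (name == host or preloaded[name]):
            return "preload"
    for parent in _scope(host)[1:]:
        policy = _policy_for(parent, responses)
        if policy and policy["include_subdomains"]:
            return "parent-header"
    return "none"


def first_visit_exposed(host: str, responses: Dict[str, Dict[str, str]],
                        preloaded: Dict[str, bool]) -> bool:
    """Header-delivered HSTS only applies after one successful HTTPS visit, so
    the very first connection (account signup, for instance) can still be
    downgraded unless the host is covered by the preload list."""
    return hsts_coverage(host, responses, preloaded) != "preload"


if __name__ == "__main__":
    for host in ("mailoo.org", "mail.mailoo.org", "riseup.net", "help.riseup.net"):
        print(host, hsts_coverage(host, RESPONSE_HEADERS, PRELOADED),
              "first visit exposed:", first_visit_exposed(host, RESPONSE_HEADERS, PRELOADED))
```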

Yes, Riseup has strong political overtones to its literature and I’ve read responses from people being denied an account after describing their political beliefs in the request info. Whether that was direct cause for denial, I don’t know. What you choose to write is up to you, however I’ll say that when requesting this account, I made no political references or affiliations whatsoever. Don’t feel that you must do so. Your mileage may vary. A Riseup account can be closed through the user control panel.


RuggedInbox

https://ruggedinbox.com/ | .onion addresses (multiple options)

Update: Since March 2016, RuggedInBox is no more.


Scramble

https://scramble.io

Advertising: No
Aliases: No
Allows signup through Tor: Yes
Attachment size limit: n/a
Authentication: SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: No
Inactive account termination: ???
Inbox size: ???
Location: Servers and all 3 current key notaries with Linode in Galloway, NJ, United States.
Mobile access: Main site
POP3, IMAP: No
Requires JavaScript: Yes
Spam/Virus filtering: No
Terms of use & privacy policy: None given.
Your IP address in mail headers: No

Scramble runs OpenPGP.js and scrypt entirely client-side in your web browser for zero-knowledge message encryption. Message body, attachment and subject line are encrypted, leaving To, From and timestamps as the only plaintext metadata. Scramble's backend is open source, hosted on GitHub and there you'll find a summation of the service: "GPG for the masses."

Scramble is still in very early stages so at this time, it's a basic encrypted message service. The webmail interface gives you a contact list and HTML mail can be viewed but not composed. You can also view your OpenPGP key pair, manage contacts, archive messages and Scramble has a list of keyboard shortcuts to streamline working in an account.

Unique to Scramble is its notary service which is intended to make public key exchanges more secure. Instead of asking one keyserver, a group of notaries are queried for a Scramble user's public key and if they all agree on the key's integrity, it's assumed safe to use by the client-side application.

Importing keys isn't possible yet and there are only 3 notaries now, all in the U.S. but a system like this needs many notaries all over the world to reach its full potential. Scramble's info page mentions that a mail client is in the works, seemingly in the form of a browser extension.


SCRYPTmail

https://scryptmail.com/ | https://ninja.scryptmail.com/ (self-signed cert)

Advertising: No
Aliases: 3
Allows signup through Tor: Yes
Attachment size limit: 10 MB
Authentication: DKIM, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results - scryptmail.com, react.scryptmail.com (RapidSSL cert).
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: No
Inactive account termination: 3 months for free accounts.
Inbox size: 200 MB
Location: Servers with SoftLayer Technologies Inc. in Dallas, TX, United States.
Mobile access: Main site
POP3, IMAP: No
Requires JavaScript: Yes
Spam/Virus filtering: Yes (spam)
Terms of use & privacy policy: Terms, privacy
Your IP address in mail headers: No

SCRYPTmail is a zero-knowledge client-side encrypted mail service with client code on GitHub. Email body and attachments are encrypted using AES-256 and RSA-2048. RSA-4096 will be available as part of a paid service or you can instead import your own keys. Your private RSA key is encrypted with AES-256 and then Twofish-256 before being stored server-side but future plans are to store private keys entirely on the local client.

When you create your account, you'll be prompted to download its secret token. This is SCRYPTmail's solution to resetting your password or PGP passphrase without actually storing them. An account token is a hexadecimal conversion of a hashed random string created when the account is opened. A reset requires this token, the account's email address and either the account password or PGP passphrase (whichever of the two you do have).

When receiving mail from other SCRYPTmail users, their public key signature (a hash) is checked for authenticity and will let you know if there's a mismatch. When communicating with outside mail accounts, you select the message for encryption and give it a PIN number. The recipient gets a link to open in a browser and they enter that same PIN to decrypt the message. Messages encrypted with a PIN expire after 4 weeks or the recipient can delete them instantly, and if a PIN is entered incorrectly 3 times in a row, the message is deleted. PINs are unique for each email or they can be saved with other recipient info in your contacts list.

Account settings let you change passwords or add a second, edit/add a new RSA keypair, change or disable session timeout, enable 2-factor authentication, create an alias or disposable mail address, create/sort folders and labels, edit a contact list and create mail filters. Displaying mail can be toggled between HTML and plaintext and there is HTML composing.

SCRYPTmail gives you the choice of a self-signed TLS certificate or one issued by RapidSSL. Their KeePass SafeBox works with KeePass's online password database feature to store your db within your SCRYPTmail account, and account passwords have a maximum length of 80 characters, including special characters. All metadata is encrypted between SCRYPTmail accounts, including To and From headers, and SCRYPTmail has a warrant canary.


Senditonthenet

https://www.senditonthenet.com

Advertising: No
Aliases: No
Allows signup through Tor: Yes
Attachment size limit: 80 MB
Authentication: n/a
Connection security: TLS 1.2, supports but does not prioritize Perfect Forward Secrecy and AEAD cipher suites. SSL Labs results.
HTTP Strict Transport Security (HSTS): No, redirects.
Import/export address book: n/a
Inactive account termination: No
Inbox size: 80 MB
Location: Company in Manchester and servers with iCloudHosting, United Kingdom.
Mobile access: Main site
POP3, IMAP: No
Requires JavaScript: Yes
Spam/Virus filtering: No
Terms of use & privacy policy: Link
Your IP address in mail headers: n/a

Senditonthenet transports RSA encrypted files between users. It works entirely through a web browser and you get an 80 MB attachment limit. You can enter messages to accompany your packages; the text is not RSA encrypted, though the whole message is still sent over HTTPS. You can only send files to users in your contact list because without a Senditonthenet account, your recipients won't have your public key. After activating your account, you receive an email at the confirmation address with your public key as an attachment.

Senditonthenet has their security information documented in a single, easy-to-digest page of their website. The service has what it calls a drop box (no connection to Dropbox). You can give your drop box link to people without a Senditonthenet account and they can upload encrypted files and an unencrypted message to you. Senditonthenet's server doesn't set any cipher suite priorities so it's up to the browser to decide. Modern browsers will specify strong cipher suites, old ones generally will not.


Tutanota

https://tutanota.com/

Advertising: No
Aliases: No
Allows signup through Tor: Yes
Attachment size limit: 25 MB
Authentication: DANE, DNSSEC, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results - tutanota.de, app.tutanota.de.
HTTP Strict Transport Security (HSTS): Yes (for webmail access).
Import/export address book: No
Inactive account termination: No
Inbox size: 1 GB
Location: Company in Hannover, servers with Hetzner Online AG and Hostway in Germany.
Mobile access: Main site, Android and iOS apps.
POP3, IMAP: No
Requires JavaScript: Yes
Spam/Virus filtering: Yes (spam)
Terms of use & privacy policy: Link
Your IP address in mail headers: No

Tutanota wrote their own GPL licensed client for a mail service which provides zero-knowledge end-to-end encryption using AES-128 and RSA-2048 with a salted bcrypt for password hashing.

The Tutanota client is a web application, not a mail client like Thunderbird and the only integration with traditional mail clients is their Outlook plugin, a paid feature. The Tutanota client is loaded into the browser cache, lives in local storage only and doesn't use browser plugins like Flash or Java. Unique to Tutanota is the use of DANE and DNSSEC which reduces the risk of MITM attacks and the possibility of falsifying the service's TLS certificate.

Key generation and message encryption take place on your computer and your private key is locally encrypted with your password before being stored on their servers. Mail to non-Tutanota accounts is encrypted with a pre-shared password or you can choose plaintext. The recipient gets an automated message with a link which they open in a browser, enter the shared decryption password and read your message.

Account settings let you set a display name, signature, basic filtering rules and change the account passwords. You can view the last login time and any failed login attempts, change auto-saving of contacts and whether messages are sent encrypted by default or as plaintext. You can delete your account, upgrade to Premium and there's an address book. There is no inactive account termination policy and though HTML mail can be viewed, there's no HTML composition yet. There are Archives and Drafts folders, push notifications to the web browser and any mail message can be exported as a .eml file to local storage.

A free account can send up to 100 emails per day and a paid Premium account and/or storage expansion plans are available. Tutanota's home pages (.com and .de) redirect to HTTPS instead of using HSTS. The only information being submitted on this page is for the contact form though. The login and account access domain (app.tutanota.com) does use HSTS. You have the choice of 5 different domains at registration, Tutanota has a transparency report and warrant canary as well.


Unseen

https://www.unseen.is

Advertising: No
Aliases: No
Allows signup through Tor: Yes
Attachment size limit: 50 MB
Authentication: SPF
Connection security: TLS 1.2, uses Forward Secrecy but only a 1024 bit Diffie-Hellman key, prioritizes AEAD cipher suites. SSL Labs results – unseen.is, mail.unseen.is.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: CSV, vCard
Inactive account termination: No
Inbox size: 100 MB, free. 2 GB paid.
Location: Company in Reykjavik, Iceland; servers with Advania.
Mobile access: Main site, Android or iOS app.
POP3, IMAP: Yes
Requires JavaScript: Yes
Spam/Virus filtering: Amavis, Clam AV
Terms of use & privacy policy: Terms, privacy
Your IP address in mail headers: No, webmail and SMTP.

Unseen is a different animal from the others listed here. An Unseen account gives you access to both their webmail and VoIP services. For webmail, they offer Roundcube with OpenPGP encryption while you'd access their VoIP service either through a web browser or their multi-platform client program. Using one service isn't reliant on the other so you can use Unseen only for email if you choose.

Unseen strongly asserts that conventional, publicly available cryptography has been broken by multiple governments around the world. Unseen developed its own modified versions of AES which they call xAES and NTRU based on open source libraries. NTRU is used to send account passwords both from the browser and Unseen client and xAES is currently only for chat message encryption (XMPP), not email messages.

To help pay for the free services, Unseen generates revenue by offering Premium and Business accounts. They more recently got into web hosting and are currently developing their own network perimeter device for sale. Unseen as an email/VoIP service is currently still in a Beta phase. They do not plan to support Internet Explorer for VoIP chat and video.


VFEmail

https://www.vfemail.net | https://344c6kbnjnljjzlz.onion

Advertising: Yes, footer message in free account. Not message content-aware.
Aliases: No
Allows signup through Tor: Yes
Attachment size limit: ~50 MB (measured by bandwidth quota which depends on your account level)
Authentication: DKIM, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results.
HTTP Strict Transport Security (HSTS): Yes (but mixed content).
Import/export address book: CSV, vCard, LDIF, Pine, Mulberry.
Inactive account termination: 180 days – disabled, 280 days – deleted.
Inbox size: 50 MB free. 1-15 GB paid.
Location: Company in Milwaukee, WI, United States. Primary servers with TSR Solutions Inc., also in WI. One server in Amsterdam for load balancing.
Mobile access: Main site or SyncML
POP3, IMAP: Yes
Requires JavaScript: Yes
Spam/Virus filtering: Yes
Terms of use & privacy policy: Link
Your IP address in mail headers: Webmail, yes and no (see below). SMTP, yes.

VFEmail is a privately owned service started in 2001 with the priority of email security. You get the choice of Roundcube or Horde's IMP (versions 3 or 5) for a webmail interface. There are multiple account levels available and the free Copper account puts a small VFEmail text ad in the footer of each message with a link to vfemail.net.

VFEmail has server space available in the Netherlands but it's intended to be load balancing for European customers, not a privacy shield. VFEmail's privacy features like PGP encryption, IP address masking, aliases and its Metadata Mitigator are for paid accounts but there are two exceptions if you're on a free account. The first is that if you send webmail using Roundcube, the originating IP address won't be visible in your mail headers. With either version of IMP, it will.

Second is that PGP encryption can be done (keys generated and messages encrypted) through IMP version 3, but not version 5 or Roundcube. Both are basically loopholes which go against VFEmail's business model. The owner is aware of them, so don't rely on those loopholes always being available. Closing an account can be done through the user control panel.


Vmail.me

https://www.vmail.me

Advertising: No
Aliases: No
Allows signup through Tor: Yes
Attachment size limit: 25 MB
Authentication: SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: CSV, vCard
Inactive account termination: 9 months
Inbox size: 500 MB
Location: Servers with Iliad Datacenter in Paris, France.
Mobile access: Main site
POP3, IMAP: Yes
Requires JavaScript: Yes
Spam/Virus filtering: Yes
Terms of use & privacy policy: Terms, privacy
Your IP address in mail headers: No, webmail and SMTP.

Vmail is a few years old and privately owned in France. It has a rocky history with periods of downtime and domain blacklisting for spam abuse but despite this, the owner has been determined to correct the problems, strengthen Vmail's reputation and improve the service. Roundcube is the interface used and you can optionally add a password recovery email but this is not required at signup.

Vmail's code base is available on GitHub, the service uses full disk encryption on its servers and removes mail client user agents. Vmail uses Piwik, an open source alternative to Google Analytics, but Piwik anonymizes the last 2 digits of user IP addresses and respects Do Not Track settings. Closing an account can be done from within Roundcube.
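The two leaks discussed above for VFEmail and Vmail, your own IP address in Received or X-Originating-IP headers and the mail client's User-Agent, can be checked on a message you sent yourself. This is an added example, not code from the article or from any provider; the hostnames, addresses and sample headers are constructed, and you pass in your own public IP to look for.

```python
import ipaddress
import re
from email import message_from_string, policy

# Headers that commonly carry the submitting client's address or software.
IP_HEADERS = ("Received", "X-Originating-IP", "X-Sender-IP")
AGENT_HEADERS = ("User-Agent", "X-Mailer")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 ranges: a LAN address in a header betrays the client behind NAT.
LAN_NETS = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def header_leaks(raw_message: str, my_public_ip: str) -> dict:
    """Report which headers of a sent message expose the sender's public IP, a LAN IP, or the mail client."""
    msg = message_from_string(raw_message, policy=policy.default)
    mine = ipaddress.ip_address(my_public_ip)
    found_in, lan_ips = [], []
    for name in IP_HEADERS:
        for value in msg.get_all(name, []):
            for token in IP_RE.findall(value):
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:  # e.g. "300.1.1.1" matched by the regex
                    continue
                if addr == mine and name not in found_in:
                    found_in.append(name)
                if any(addr in net for net in LAN_NETS):
                    lan_ips.append(token)
    agents = [name for name in AGENT_HEADERS if msg.get(name)]
    return {"my_ip_in": found_in, "lan_ips": lan_ips, "agent_headers": agents}


# Constructed sample: sent through webmail, so only provider hops are recorded.
WEBMAIL_MSG = """\
Received: from mail.provider.invalid (mail.provider.invalid [198.51.100.10])
 by mx.recipient.invalid with ESMTPS; Mon, 20 Jun 2016 10:00:00 +0000
Received: from webmail.provider.invalid ([198.51.100.11])
 by mail.provider.invalid with HTTP; Mon, 20 Jun 2016 09:59:58 +0000
"""

# Constructed sample: submitted from a desktop client over SMTP.
SMTP_MSG = """\
Received: from mail.provider.invalid (mail.provider.invalid [198.51.100.10])
 by mx.recipient.invalid with ESMTPS; Mon, 20 Jun 2016 10:00:00 +0000
Received: from [192.168.1.23] (cpe-203-0-113-5.isp.invalid [203.0.113.5])
 by mail.provider.invalid with ESMTPSA; Mon, 20 Jun 2016 09:59:58 +0000
X-Originating-IP: [203.0.113.5]
User-Agent: Mozilla/5.0 Thunderbird/45.1.1
"""
```

Calling header_leaks(SMTP_MSG, "203.0.113.5") names both headers carrying the public address, the LAN address behind NAT and the User-Agent header, while the webmail sample reports nothing; to check a real provider, send yourself a message, view its source and pass that text in.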


Yandex Mail

https://www.yandex.com/mail

Advertising: Yes, but ads can be turned off in the webmail interface and are not message content-aware.
Aliases: No
Allows signup through Tor: Yes
Attachment size limit: 30 MB in mail, up to 10 GB to yandex.disk with a download link.
Authentication: DKIM, DMARC, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results - mail.yandex.com, passport.yandex.com.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: vCard
Inactive account termination: 180 days, then deleted.
Inbox size: 10 GB to start, increased automatically when you get close to the current limit. No hard limit.
Location: Headquartered in Moscow, Russia with satellite office in Amsterdam, Netherlands. Servers at Yandex LLC in Moscow.
Mobile access: https://mail.yandex.com, Android and iOS apps.
POP3, IMAP: Yes
Requires JavaScript: No, there's a lite version that works without.
Spam/Virus filtering: Dr. Web
Terms of use & privacy policy: Terms, privacy
Your IP address in mail headers: No, webmail and SMTP.

Yandex is one of Russia’s major search engines with email, news, translations and social portals. A mail account includes 10 GB of storage on Yandex Disk and the interface is available in the languages of ex-Soviet areas, English, Romanian and Turkish. There's an account access log so you can see the locations and changes made from previous sessions.

An additional email or phone number is not required and while both the Yandex mail and signup domains include HSTS headers, passport.yandex.com is also preloaded into Chromium browsers, Firefox and Safari. Starting from December 2014, IP addresses are no longer present in mail headers. An account can be deleted from within the webmail interface settings.


Zoho Mail

https://www.zoho.com/mail

Advertising: No
Aliases: No
Allows signup through Tor: No
Attachment size limit: 20 MB
Authentication: DKIM, SPF
Connection security: TLS 1.2, Perfect Forward Secrecy, prioritizes AEAD cipher suites. SSL Labs results – zoho.com, mail.zoho.com.
HTTP Strict Transport Security (HSTS): Yes
Import/export address book: CSV, LDIF, vCard.
Inactive account termination: 120 days
Inbox size: 5 GB
Location: Headquartered in India, offices in China, India, Japan and United States. Mail servers with Internap Network Services Corporation in the United States.
Mobile access: https://m.zoho.com, Android and iOS apps.
POP3, IMAP: Yes
Requires JavaScript: Yes
Spam/Virus filtering: Yes
Terms of use & privacy policy: Terms, Link
Your IP address in mail headers: Yes, webmail and SMTP.

The Zoho Lite account is not the same as the Zoho personal use mail account. If you only want an @zoho email address, then the free personal account is what you are looking for (it's in the small sized font).

Even for the free account you get Zoho’s office apps for creating documents, spreadsheets and presentations, which can integrate with Google Docs. There's two-factor authentication, chat and personal organizers, and you can restrict the IP addresses allowed to access your account. Zoho requires a second email address for activation, which is stored with the account. The service used not to include IP addresses in mail headers when sending through webmail, but now it does.

Zoho was mentioned in the same 2012 SIGDEV conference presentation as Mail.ru, only Zoho was rated a "major" risk for impeding insight into target communications (page 20).


The Denied List

Now come several services which I often see recommended as alternatives to Gmail, Yahoo, etc. For various reasons, these should be avoided.

GMX & Mail.com

https://www.gmx.com | https://www.mail.com

GMX and Mail (as well as gmx.de, gmx.at and gmx.ch) are owned by United Internet AG, one of Germany’s larger internet service providers and they do give you advertisements. User IP addresses are included in mail headers for both webmail and SMTP and it’s not possible to open an account over Tor. Though both GMX and Mail have very good connection security available, they don't support HSTS and default to an unencrypted HTTP connection.

Both services have a contact auto-add which automatically adds recipients of recent emails to a Recent Contacts window. This isn’t the same as your address book, which is easily edited. There is no way to delete these recent contacts, nor is there an option to disable the auto-add ‘feature’. Then there's this shit they pulled with telling people their computer's security was compromised due to browser extensions the company didn't like.

HideMyAss

https://hidemyass.com/anonymous-email

HMA mail is a one-way mail service; it can only receive emails. If you use the HideMyAss VPN, you can get them to open the SMTP ports so HMA Mail becomes a full email service when paired with a mail client. The minuses for privacy are that registration and account info, including password, is stored for "no more than 2 years" after you delete the account. They do, however, give you a strong HTTPS connection but it's via a server redirect instead of HSTS.

SAFe-mail

https://www.safe-mail.net

Public key encryption is the main perk of SAFe-mail but no information is given about their cryptography; SAFe-mail only states it is "patent pending". The company is based in Israel and it is worth noting that Israeli companies which use encryption are required to register with the Ministry of Defense. IP addresses are in mail headers and SAFe-mail has abysmal connection security (safe-mail.net, mx1.safemail.net, mx2.safemail.net, mx3.safemail.net). However, there are no advertisements, JavaScript isn't required to read mail (but is to send) and SAFe-mail allows signup over Tor.


Seznam.cz

https://www.seznam.cz

Seznam means "list" in Czech and seznam.cz is a Czech web portal, similar to GMX or Yahoo. Seznam leaves IP addresses in the headers and gives you advertising which is not message content-aware. Creating an account with Tor depends on your exit node’s location. Seznam's homepage seznam.cz actually uses good connection security. Though the encrypted connection to any of these pages is over TLS 1.2, it's a redirect, not HSTS at work. It's also nice to see that Seznam is a bronze partner of the Debian LTS effort.

I put Seznam on the list of undesirables because their webmail server only supports two TLS cipher suites. Neither uses forward secrecy and both are far behind what is currently supported by servers and browsers. This is a step in the right direction though. Originally I had Seznam on the Denied list because their registration server was badly configured and forced browsers into RC4 connections. This has been fixed but the mail server is still a problem.

Web.de

https://www.web.de

Web.de is owned by 1&1 Media, a subsidiary of United Internet AG and the same company which owns GMX and Mail.com. Only permitted IP addresses in Austria, Germany and Switzerland are allowed to register, there's no signup allowed from Tor, IP addresses are in mail headers and Web.de was part of the browser extension scandal along with GMX. No HSTS either for the encrypted connection.

Now what if you want a short-term, throwaway email address? What if you want end-to-end encryption with your new mailbox? What if you want to use a mail client and send all your traffic through the Tor network?

Part II: Disposable Addresses & Mail Clients
