Free Webmail for Better Privacy

Page 2

This site is no longer being maintained so anything below could still be accurate, or very outdated.

Disposable Email/Message Services

This topic wouldn’t be complete without mentioning some of these. More are in a link at the bottom of the page but be careful, your IP address is incldued in mail headers from some of these sites.

10 Minute Mail Deadaddress Guerilla Mail Mailcatch Mailinator Tempinbox

Mail Clients & Secure Connections

Modern mail clients are usually easy to deal with but even in 2015, their connection security is a mess of bad choices and inaccurate terminologies. Specifically, 'SSL' vs. StartTLS. Mail clients give you the choice of sending and receiving messages either through an encrypted connection to the mail server or entirely in the clear, which means that even your login credentials are sent unenctypred.

You always want to set your mail client to use what's generally referred to as SSL, or more accurately, Implict SSL or Implicit TLS. The term SSL has evolved into a misnomer these days because an "SSL" encrypted connection to a mail server will use whatever encryption is prioritized by the server that also the client is capable of. This can be anything from SSL versin 2 (bad) to TLS v1.2 (good). On top of that, with SSL3 now blacklisted due to POODLE and TLS 1.0 having scared people away because of BEAST, TLS 1.1 is now the comfortable starting place for safe connections.

The other option for encrypting mail server connections is STARTTLS (sometimes called Explicit SSL or Explicit TLS). You do not want this because it begins as an unencrypted connection and upgrades to an encrypted one during authentication. The result is your email address and some extra client/server conversation bits being sent in plaintext, and more data transferred between client and server in general.

STARTTLS has an unnecsssary amount of complexity, uncertainty and compatibility issues which can result in your client trying to log in before the connection is upgraded, thus sending your credentials in cleartext. Additional is the ease with which downgrade attacks can be performed to force plaintext logins, and your mail client won't even notify you about it.

What you want is to establish a fully encrypted connection before the mail protocol is handled by either client or server. Only use Implict SSL/TLS in mail clients.

Roll Your Own

Encrypting your mail before sending is the highest level of security for conventional email. If you use Thunderbird, Icedove or SeaMonkey, then Enigmail is the GPG encryption plugin you want. GPG4Win integrates with Microsoft Outlook and Claws Mail in Windows, and Claws has other GPG plugins too. There are plenty of guides on how to set up Enigmail and GPG4Win (here are two: [1] [2]) and there are also GPG apps for mobile devices.

However, be aware that GPG or PGP will encrypt the message body and attachments but not the message’s ‘envelope’, so to speak. The message's metadata (subject line, mail timestamps, sender & recipient) are still unencrypted, though the newer encrypted mail services like ProtonMail and SCRYPTmail encrypt some of the metadata too. GPG encryption is not commonly used either, but for webmail providers who offer PGP/GPG encryption through their interface, all of this can be combined seamlessly.

Alternatives to GPG/PGP encryption are the many programs available to encrypt files on your computer, tablet or phone. GPG4Win, Encfs, OpenSSL and eCryptfs are some open source options to encrypt indivudual files while Truecrypt (or whichever fork you prefer) and Tomb will create a container you can stash multiple files in, then upload the container as an attachment to plaintext emails. You can also use these encryption programs on anything you upload for cloud storage.

The downsides to all this are: 1) Slightly more time consuming, must manage decryption keys/passwords. 2) Again, plaintext metadata. 3) To decrypt your message, often your recipient needs to have the same program you used to encrypt it.

Since security does not automatically mean anonymity, if you don’t want your location appearing in your mail provider’s server logs, then access your account through Tor, I2P or any other anonymity network, a VPN or a trusted elite proxy. Thunderbird and its forks can be configured to use TorBirdy, which routes all your mail through the Tor network before being delivered. This will randomize the IP address in your mail headers but remember, always be sure to use Implicit SSL with mail clients. Also for Thunderbird and friends, you can easily remove its user agent string from headers.


The only email address for this website is Don’t try to contact tSc by any of the addresses from the pictures in these pages. You will only be writing to a deactivated account.

One last thing: don’t make the mistake of assuming that just because you use an “offshore provider” or “private” service, you’re shielded from government surveillance. You’re not. Also useful to know is that encrypted communications increases the likelihood of governments storing it. That's not to say you should avoid encryption, no not at all, but just sayin...

Share this article.