Starting a new thread, since this is going into new territory.
On Monday 30 April 2018 00:21:23 deloptes wrote:
William Morder wrote:
On Saturday 28 April 2018 23:33:39 deloptes wrote:
William Morder wrote:
So far it's the best option for private, secure email. You'll have to
do some reading about it (and compare with other email services) to
know why. Either you want end-to-end encryption, and other
privacy/security features, or you don't (yet) care that much.
My only other option seems to be to roll my own (that is, host my own
email server on my own machine). I know of several people who do that
(such as Richard Stallman, if I recall), but it's a pain in the
behind, and a lot of work just to host your own email accounts with
your own domain, etc.
I will try to make some enquiries about what is involved, if anybody
else really wants to know. So far, I've just been doing a lot of
reading, and it seems a little too much trouble. In lieu of that kind
of hassle, then, there is ProtonMail.
You are welcome to use the hosting service of a friend or so. If you
don't have such, we have one here, just let me know. I pay for 5 domains
140/y.
Thanks, but no money to spend at present.
What I do not understand in the whole picture is how you get "encryption
end to end" - it means the other end must also be encrypted. So what is
the difference between this ProtonMail and using normal GnuPG?
I think the problem here (and in another email you answer to somebody
else, dep, I think) is the conflation of two ideas: 1. end-to-end
encryption (which you're right, Kmail offers, but you have to do some
work yourself, whereas Proton is encrypted by default); and 2. a secure
email service where all emails are encrypted, and content or contact
information cannot be read even by the admins. And it is much better to
download emails to my own computer, rather than to leave them on the
server where they could be read by who knows?
How is it encrypting by default, when it does not have access to your
private key? You always provide password to use the private key. If it is
not the case, it is not secure - so I guess you somehow misunderstand what
ProtonMail is (not that I understand properly what it is). In theory it is
not possible to have encryption by default without providing the passphrase
for the private key - all of this is supported in kmail - I can tell kmail
to always encrypt for specific recipient(s).
Gmail, for example, can be used with Kmail, and properly encrypted; but
if any emails are left on the server, all data is gathered and reused by
Google, as I have discovered myself due to some targeted ads - which were
obviously related to recent emails that I had received.
Our querent here, dep, as a journalist, would like to keep his sources
and contacts confidential. And while I am not a journalist as such, I am
engaged in research and writing (mostly history, anthropology, etc.),
which, in the wrong hands, might be twisted and misused to make my work
appear to be something it is not.
Did you try OTR? AFAIK it is the one that journalists use and I think OTR
is also supported in Kopete, but there are also other tools. You basically
don't communicate things via mail except when to meet someone and where -
that's it.
Lavabit used to offer a similar service, and got shut down. ProtonMail,
because they are located in Switzerland, promise (or hope) not to succumb
to pressure to snoop on users, or to create backdoors, etc.
Yes I think a friend was looking into it because it is in Switzerland. But
this has nothing to do with the way how encryption works. So I think you
have to distinguish between location of mail server and actual encryption.
I have no clue if they are as good as they promise, but my mode of
operation is first to do a little research, then usually to try them out,
and find out by experience. Until I get a 32-bit bridge package and a
free account, ProtonMail is out for me, but I'll be watching what others
have to say.
Someday, we can only hope, secure, private emails will be the norm,
rather than the exceptions.
I follow GnuPGP since I uplifted kpgp to gnupg2 last year and there are
discussions in making keys distribution more accessible. In fact they did
change a few things regarding sks lately and it is much easier to find the
public keys of someone to import and encrypt.
Finally you have to have your servers under your control - anything else is
not likely to be secure enough - even in Switzerland, although it is much
better than somewhere else, it does not guarantee much.
To sum up - you have a few additional steps when using TDEs kmail+kpgp, but
it is for free.
I think that's what I said. There are two (or maybe three) different issues
here, which it seems are getting conflated by how we keep talking about it.
Number 1 is encrypting our own emails sent by TDE's version of Kmail, using
our own private keys. Number 2 is using an encrypted email service, which not
only encrypts emails in transit, but also encrypts everything on the server,
as well as Number 3, (which was pointed out by others) encrypting headers,
addresses, etc.
My own problem is that I have correspondents who talk about wanting to use
encryption, but don't seem to know how to do it. I can send encrypted emails,
but they don't seem to be able to read them. They can send encrypted emails,
but then I can't read them. And those who claim to know what they are doing
are generally too busy to spend time on getting it right.
So perhaps a few of us (here on the TDE list) could work this out among
themselves, if they can find somebody that they trust?
Otherwise, you have right there the need for using ProtonMail or a similar
email service.
Bill