I have been using Countermail for over a year on a weekly basis and this review is based on my experience with them during this time. The service is free to try for a few days; after that you will be asked for payment, which can be made by credit card, Paypal, wire transfer or Bitcoin.
Credit card corporations force businesses to keep payment details stored for two weeks. Countermail claims to automatically destroy the records after that length of time, but the credit card company and Paypal will likely preserve payment details for years, although they will not be able to link them to any specific Countermail account or nick. If you pay with Bitcoin you will make tracing the origin of the payment much more difficult, but there is a surcharge.
Signing up is simple and requires no personal information other than choosing a username and password. You only need Java installed on your computer; after account creation you can get rid of Java and use IMAP and SMTP with Thunderbird and Enigmail. There is a tutorial in the Countermail help pages explaining how to set it up. It took me a few hours, demanding lots of reading and testing; it wasn’t very easy to do.
Be very careful to remember your password because if you lose it, it cannot be recovered and your data will be lost forever.
Countermail’s web servers run from a live CD and have no hard drive. Powering one off to install monitoring software would eliminate all data held in RAM, including encryption keys, and without any hard drive present computer forensics would be a waste of time. For further assurance, encryption is executed on the user’s computer and Countermail does not store any password. By default it will keep your private encryption key (although only the encrypted version!) but not the password, and you need both of them to decrypt messages. If you are not comfortable with having your private keys on the server, you can delete them and store the keys on your computer, or send Countermail your public encryption key. A second mail server with a hard drive stores messages and files, but it is only accessible through the diskless web server and no IPs are leaked.
The email service is based on a custom Squirrel email interface. You have the ability to automatically sign and encrypt email messages in your browser within webmail, including attachments, with the standard OpenPGP.
In Countermail settings you can import and export encryption keys. When you email someone, Countermail will automatically encrypt the message with the key found in your keyring, and if none is found you will be notified. Communicating with other Countermail or Hushmail users does not require you to have the receiver’s key; it will be automatically fetched for you.
You can create aliases under the countermail.com or cmail.nu domain name and distribute these disposable email addresses without ever revealing your main inbox. It is best to do this from day one, and if you receive spam you can delete the address. I advise you to choose a cryptic alias, because after you erase it someone can register it straight away and any emails meant for you will go to that other person. It happened to me that I registered a very common alias @countermail.com address and I received messages meant for someone else; I never abused the content but I could have done.
The company claims to keep no logs of when you log in and out, and email backups are kept encrypted on Countermail servers for 7 days and rotated. The company headquarters and mail servers are all based in Sweden, so your usage of their service is subject to Swedish law.
When you send a webmail message your computer’s IP will be stripped from the headers and replaced with 127.0.0.1; if you use SMTP, an anonymous German or Swiss tunnel IP will show in the headers. Other Countermail security practices include disabling HTML messages by default: you have to click on view HTML if someone sends embedded images.
If you click on a URL inside an email message it will be automatically dereferred, to stop the website’s server from seeing how you got there. Pressing the escape key on your keyboard will log you out of Countermail and take you to the page of your choice; this is meant to be an emergency log out key.
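To check the header behaviour described above for yourself, send a test message to an account you control elsewhere and run its raw source through a script like this one. This is an added example, not Countermail’s code; the two sample messages, hostnames and addresses (documentation ranges) are constructed, and only IPv4 literals are handled.

```python
import ipaddress
import re
from email import message_from_string

# "Received" is the standard trace header; "X-Originating-IP" is a
# non-standard header that some webmail systems add.
TRACE_HEADERS = ("Received", "X-Originating-IP")
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def header_ips(raw_message):
    """Return (header, address) pairs for each IPv4 literal in the trace headers."""
    msg = message_from_string(raw_message)
    found = []
    for name in TRACE_HEADERS:
        for value in msg.get_all(name, []):
            for literal in IPV4.findall(value):
                try:
                    found.append((name, ipaddress.ip_address(literal)))
                except ValueError:
                    continue  # digits and dots, but not a valid address
    return found

def exposed_ips(raw_message):
    """Addresses a recipient can read, ignoring loopback placeholders."""
    return sorted({str(ip) for _, ip in header_ips(raw_message) if not ip.is_loopback})

def leaks_client_ip(raw_message, client_ip):
    """True if the address you connected from appears in a trace header."""
    return str(ipaddress.ip_address(client_ip)) in exposed_ips(raw_message)

# Constructed samples: one with the client address replaced by loopback,
# one where a webmail header still carries it.
RELAY = "Received: from mail.example.net (mail.example.net [198.51.100.7]) by mx.example.org\n"
STRIPPED = (RELAY
            + "Received: from [127.0.0.1] by mail.example.net with HTTP\n"
            + "Subject: test\n\nbody\n")
LEAKY = (RELAY
         + "X-Originating-IP: [203.0.113.45]\n"
         + "Subject: test\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("stripped", STRIPPED), ("leaky", LEAKY)):
        print(label, exposed_ips(raw), leaks_client_ip(raw, "203.0.113.45"))
```

The provider’s own relay address will always be visible to the recipient; what matters is whether the address you connected from is among the results.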
I wanted to play the paranoid card and I did not want Countermail to hold my encryption keys. It is necessary to note here that my Countermail private keys are created on my own computer and only sent to their servers after they have been encrypted, but it did not feel right to trust someone else with something as important.
I communicated with other people deploying my own keys and it reduced webmail functionality. If the private encryption key is not uploaded to the Countermail server you will get a Java error and you will not be able to view the message; you will have to download it as an attachment to your hard drive and save it as text before decrypting it locally.
I contacted Countermail staff a couple of times about a problem I had importing a PGP public key and they replied to my support email in under 24 hours with helpful advice about how to get copy and paste right.
There are non-email features included with the package: a bookmark and notes storage inside what they call “Safebox”. I found it very basic but there is no harm in it being there. You also get a calendar and an XMPP chat server compatible with Jabber clients like Jitsi, and you can use Countermail portably by downloading the prebuilt Firefox Portable browser with Java from Countermail servers, or set up the email service with your own domain name for a one-time fee.
Another option is to buy a USB key from Countermail that will be used as a keyfile to log in to your account; if your password is stolen nobody will be able to log in unless they physically have the USB key in their possession. I only used the email service during all this time, so I can’t comment too much about the rest; I only glanced at it.
Overall, I think that this is one of the very few email services that not only protects your privacy with encryption but also makes your IP untraceable by not keeping logs. There are a dozen other encryption email services out there in the market and Countermail is one of the very few being very clear about not keeping any logs.
If you don’t need high level anonymity and are only concerned about email encryption (privacy), you might find cheaper and simpler to use email services. But if you care about how long your email provider keeps logs, about being able to pay in Bitcoins, and about your email service taking proactive measures to stop state surveillance, as well as your email provider being located outside the USA, I don’t think there are too many competitors to choose from. It is either Countermail or Anonymous Speech, and I think that Countermail has better security with their diskless servers and by only keeping your private encryption keys after they have first been encrypted on your computer before they are uploaded to the server.
Assuming Countermail does everything as they say, it seems to be good value for money for those after a high degree of email privacy and anonymity.
And if you want a free anonymous email alternative, download Tor, OpenPGP Studio and combine it with any email provider, it will also get the job done.
Tomasz
Thanks for the review again. I’m using countermail for almost a year now and I’m also pretty happy with the service. The amount of features is outstanding for the price ok.
Notconvinced
Countermail like Hushmail is maybe “easier” at taking care of encryption/decryption for you but it is NOT anonymous except to a regular person receiving email. A regular person may not be able to track you and that is all the anonymity it provides. Encrypting your mail provides some degree of security that no one but you or the intended recipient can read it, however, for real anonymity I would stay far away from. If your anonymity quotient equals google/yahoo + a tiny then it is great.
What’s wrong?
1. Countermail has your IP address.
2. Software and system is not open or distributed.
3. Identity can be compromised by Countermail’s USB when used.
4. State operator can watch inbound/outbound traffic TO/From Countermail to obtain IP address.
5. If you have ever used Countermail from an IP in any way related to you your anonymity was compromised long ago.
Corporate solutions will NEVER be able to provide true anonymity and make money at the same time.
Countermail seemingly is at least okay with making sure its own internal logs are deleted, but that is minimal security. If you acquire the service through VPN/Tor and always access it through that channel without installing software or hardware to your box (or having it mailed to you), then maybe Countermail might buy you some security, maybe. Sweden is NOT a bastion of freedom and our government gives open pipe to USA.
A Swedish guy who sold on SilkRoad 1.0 used Countermail. In my opinion, that is why they knew to look and watch him in the first place, then set up full time surveillance of him going to post boxes, his stash house, and other places that led to his arrest.
There is no anonymity painless pill you can set and forget. You must understand the software, hardware, and risks you specifically are up against. This takes time and requires study. There is really no way around it or you will mistakenly reveal yourself through one method or another, even speech and writing patterns and styles. I am bad at English but still it has a signature so I use software to change my pattern even here in comments.
Steve
I’ve been using Countermail for quite some time and it’s a fantastic alternative to Gmail/Yahoo/et al.
As the person pointed out above, there is no “magic pill” for anonymity and security; whenever one connects to the Internet, that activity is recorded somehow by somebody; whether it can be traced to you or not is another matter.
As far as email is concerned, the best one can do is encrypt their email: locally, in transit, and on the server. So far, Countermail is the ONLY service that does all three. Further, it does NOT use a Javascript container, which is completely worthless for secure email communication, but rather a full-blown Java environment; while that is not perfect, it is one of the best out there; the emails are encrypted on their diskless system and email passwords are sent encrypted. Runbox does NOT send their email passwords in an encrypted form.
Using a local email client presents another problem. Is your local disk encrypted? If so, how? Is it full-disk encryption? Countermail does force the user to use GPG/PGP, which is fantastic. It also separates the web-based email password with an IMAP key.
Practically, email should be completely avoided if one were to want a secure, private online presence; however, if one needs an email address, Countermail seems to be a good compromise between security and usability.
Anonymous
Hello!
I would just like to recommend this magic pill.
Use Startpage, DuckDuckGo and IxQuick. In your browser you can check for never remember history etc. You can use TorBrowser and VPN. VPN and Tor is awesome. But if you still doubt in your safety, then get 2 VPNs or even more. But remember, don’t connect to your E-mail without a VPN. Your IP will be logged and you will leave IP and traces from your ISP.
I highly recommend using a VPN since it is the best way to prevent any trace back to you. You can read some more about anonymous surfing or how a VPN works on the Internet.
Web Guy
Sorry, but any email service HAS to use hard drives to store client information. If they didn’t, and they had to power off their servers, or had a hardware or power failure, they would lose everything–including all messages, account access keys/passwords, knowing who had paid accounts, even usernames, etc. That would obviously be completely unacceptable to users (especially paying users).
Hacker10
Hello Web Guy,
One part of the post was not worded properly, I have now modified it to reflect that Countermail mail service has two servers, one without a hard drive running on a live CD and a separate mail server storing messages and files where data is kept encrypted on a hard drive, it can only be accessed using the diskless server and no IPs are leaked.
Countermail has an illustrated diagram reflecting their email system set up here: https://countermail.com/?p=server
I modified your initial comment because it no longer makes sense quoting parts of the article that have been erased. Thank you for the feedback.
hacker10
Tim
I appreciate this review and its previous commenters. Just curious, “NotConvinced”, is there any email service you do recommend (of course in addition to other supplementary measures such as Tor)?
Rod L.
some of the email review sites don’t care for countermail’s interface, it is actually one of the things i really like about them, it’s old school, not tailored to smartphones per se. another thing to remember about any encrypted email provider is simply this: don’t trust any 3rd party with data that may or may not cause legal jeopardy. always take care of your encryption with such data yourself, meaning encrypt anything that important on a ‘cold storage’ style computer, offline. this helps the email provider in many respects and helps protect the integrity of the data. the other reason is obvious, any sensitive data, that gets large, look at the news online, becomes a target, or mistakes happen. i personally have a rule of thumb as they say, and don’t always follow it myself, but i try, whether gmail or countermail i try not to say or send anything that first can be taken out of context, second i wouldn’t want recited back to me in a court of law. again, one look at news and folks who are celebrities, politicians, famous sports players etc folks who have access to highly skilled attorneys fail to practice that, because the compromise may not come from the email provider themselves but from the folks getting the email or the devices they used. i’m very happy with countermail, been with them for a while and for 30 bucks every 6 months it’s just nice to know i got someone real that emails me back when i fubar something and nice to know i got someone who actually cares about my privacy. nobody stays in their business for any length of time unless they are pro and actually care about their customer’s privacy, even when the customer might not.