Hacker 10 – Security Hacker

Tag: anonymous email provider

  • Review privacy email provider Posteo

    Review privacy email provider Posteo

    Posteo is a paid privacy email provider based in Germany. I signed up with them after a recent Fastmail price increase and my concern about Fastmail being an Australian company with servers in the USA.

    I briefly considered Yandex, a free Russian email service with interface in English, but it does no good to me to trade NSA illegal spying for Russian Federal Security Service (FSB) illegal spying.

    I came to the conclusion that all countries spy and the only way I was going to protect myself from that is by using an email service that is transparent about logs, has encrypted storage with the email provider locked out of them, with no access to the keys, and end to end encryption. What is known in the privacy industry as zero knowledge, and if the company is based out of the Five Eyes wiretapping alliance (UK,US,CA,AUS and NZ) even better.

    Posteo fulfilled all the requirements I had in mind and I also liked that they do not have a Facebook page, it shows they really care about customers privacy.

    How to open a Posteo account

    Opening an account with Posteo took me around one minute, the company does not want to know your name, address, back up email or phone number.

    You only need three things to sign up for a Posteo account:

    1. Pick a username
    2. Pick a password
    3. Pay with cash, Paypal, wiring, credit card or voucher (payment methods are anonymised)

    Posteo payment

    I used Paypal to buy the account, I know Paypal stores all transactions for years and the NSA probably has a direct feed to them but the transaction does not show your Posteo email address, the only available record in Paypal is the date and amount of money you sent to Posteo, your inbox or username is never printed anywhere in the receipt.

    Posteo Paypal payment
    Posteo Paypal payment (5 years prepaid)

    Futhermore, Posteo payment system automatically assigns a code to the inbox so that usernames can never be linked by the company with a payment. Tax laws compel Posteo to keep payment information for 10 years, this includes your name if you used bank transfer o Paypal to buy the account, but it never includes what your email address is and if the company was asked for this they are unable to provide the information, there is no law forcing Posteo to keep that data.

    Specific details on how your payment is anonymized is very well explained with screenshots within Posteo’s FAQ.

    One of my favourite things from this company is that their help pages disclose in plain English (German&French) the security measures they take to protect customers from illegal spying by government agencies, what logs Posteo keep, how long for and what happens if they receive a subpoena, as well as some background  information about Germany privacy laws.

    There are no trial Posteo accounts, payment is taken from day one, but if you are not happy with the service you have the right to revoke it within 14 days and credit will be refunded.

    If I had to criticise anything from the payment system is that they do not accept Bitcoins.

    Posteo email basics

    You can access your email via web, IMAP or POP3, attachments are a generous 50MB and the initial inbox is 2GB with a couple of aliases, all of this can be increased according to needs.

    Posteo has a single basic email package that is prepaid, if you feel like you need more storage space or more email aliases you can go to account settings and move a slider bar to add extras, as you do this the screen shows you how much more this will cost you, for example, an alias currently costs €0.10 a month, if you need four email aliases that is €0.40 more a month, if you no longer need them next month, you delete it and monthly price comes down again.

    The way Posteo pricing is set up you don’t have to pay for things you don’t need, you customize it to your needs, it works out cheaper than paying for an oversized email package that subsidizes heavy or business email users.

    The account includes a decent online calendar, that can be optionally be shared with a public URL, address book and notes, all of which can be encrypted, in which case sharing is no longer be possible.

    Posteo email calendar
    Posteo email calendar

    Consider carefully if you need your inbox encrypted, after you enable it some functions like email searching will no longer work and if you lose your password Posteo support can reset your account but you will not be able to read your old email messages without your old password as Posteo has no way to decrypt them.

    For example, because I only plan on using Posteo in the browser I activated the additional email account protection that eliminates IMAP access, and this stopped notes from autosaving so I had to reactivate it. Next to each encryption setting you will see a box that tells you what features stop working if you choose security over functionality.

    Posteo email security

    There are a ton of security measures, and nearly all of them can be configured, Posteo is ideal for advanced privacy email users that like to have control and spend time tinkering with their security settings. It took me a good couple of hours of reading understanding all that Posteo had to offer.

    This company is one of the first email providers to implementing DANE, a DNS based authentication method that checks the digital certificate fingerprints of other email providers, this detects bogus certificates replaced by sophisticated hackers, state sponsored operatives have been known to do this trick in the past.

    For DANE to work other email providers must support it too, when sending an email to somebody a small green check box in Posteo let’s you know if the server you are communicating with is DANE compliant. Tutanota supports it and Protonmail has plans to have DANE this year, but the big NSA back doored email providers, like Gmail, Yahoo and Outlook, have no DANE support.

    Encrypted email provider Posteo
    Encrypted email provider Posteo

    Another setting activates a TLS-sending guarantee, with the checkbox ticked your messages will not be delivered to any TLS insecure email server, if Posteo comes across one you get a warning and have the option of sending the message without proper encryption in transit or not sending it.

    To use PGP you need to install MailVelope addon browser, after that a new button that says “Compose&Encrypt” magically appears in the webmail interface.

    You can add your public encryption key to Posteo keyserver and activate “encrypt all incoming email“, this means that all messages you receive will be automatically encrypted with your own PGP key at the door, on top of the encrypted inbox.

    You might want to do this if you don’t trust Posteo’s own encryption, you add an extra layer with your own keys, however if you lose your private keys you will not be able to read the messages again and every time you click on an email in your inbox you are required to to enter the decryption password in MailVelope.

    I found incoming encryption too burdensome, I would only propose it to the most paranoid kind not concerned with quick email access.

    Posteo PGP encryption Mailvelope
    Posteo PGP encryption Mailvelope

    Hat tip to Posteo for automatically bouncing my public encryption key back to my inbox with a warning that it did not conform to security.

    During key generation I made the mistake of adding my first name to the public encryption key and Posteo very rightly rejected it in their keyserver as the name can be used to track down your identity, I was only able to add the key to the server after changing the name field with a non descriptive text, like my email address.

    Two factor authentication is possible too, Posteo works with any open standard TOTP app, like Google Authenticator, but the company recommends FreeOTP because it is open source (developed by Fedora), or if you own a Yubikey you can use it for two factor authentication, the help pages come with clear instructions and screenshots about how to set it up.

    Posteo downsides

    It put me off Posteo that they don’t own the .com of their email address, I had people in the past sending me messages to a .com version of my address, it is a common mistake many people do. I find it very short sighted that a company like Posteo, offering a choice of 30 different domain names for your email aliases, does not have a single neutral .com that you can pick for an email address. You can have a @posteo.af address, country code from Afghanistan, and a @posteo.jp country code from Japan, but .com is not an option.

    I would have appreciated a non descriptive .com domain which URL does not resolve to Posteo homepage that can be used as an alias.

    Another downside for me is that Posteo does not have a Spam folder and you can not have one. Posteo drops all spam silently and you must trust they do it correctly.

    My experience with email providers so far has been that no spam filter is 100% perfect and I have no way of finding out if a message is not getting to my inbox because it was flagged as spam by mistake or because it was never sent.

    You can whitelist addresses in the filter but there is no way of whitelisting something you don’t know about.

    Posteo advantages

    Posteo comes with Mailvelope preconfigured, after installing the addon in my browser a new encryption button appears in the webmail interface and this gives me the ability to communicate with other PGP users holding my own encryption keys instead of Posteo doing that.

    The encrypted email inbox and being able to encrypt all incoming messages with my own private encryption keys is a huge perk too.

    Posteo message filtering
    Posteo message filtering

    It takes time time to encrypt messages yourself, entering passwords, selecting the right keys, etc, if you are tight on time and security is not that important for you it might be best that your email provider does all of that, but if you want to err on the cautious side and trust nobody with your encryption keys, owning your own keys is they right way to do it.

    I also liked the email filtering, being able to file messages into folders as they arrive, according to subject, sender, etc.

    Posteo support

    Support is not suited for businesses, but I think that an individual will be ok waiting one or two days for a reply. You can contact Posteo by email during German working hours.

    I sent Posteo support an email to ask a question about my settings and it took 24 hours to get a reply that solved my question.There is no ticketing system, this might unnerve some people, because you keep wondering if the email was ever received, but not having a ticketing system is advantageous for those who value privacy and a very good idea

    The company barely keeping records of anything means that the information can not be lost or stolen and you can always check the “sent receipt” box if you email support, this way you will know they have received your inquiry.

    Posteo vs Protonmail

    I like Protonmail design and them forcing two different passwords to access the encrypted inbox. The main reason why I did not buy a Protonmail premium account is that their paid accounts cost five times more than Posteo. Protonmail has a bigger inbox but I wasn’t going to use it.

    It also put me off a bit knowing that in 2015 Protonmail had paid ransom to some cybercriminals DDoS their servers, it shakes my trust on how much of a fight the company is willing to put up for what it is right when I see Protonmail selecting the easy way and pay up to avoid problems.

    Posteo vs Tutanota

    I was really close to buying a Tutanota premium account, they offer more aliases than Posteo, both companies are based in Germany, and cost the same, plus I like a couple of features Tutanota not found in Posteo, like being able to send links to password protected messages.

    I finally went for Posteo because of their Mailvelope pre-configuration and because I wanted a company that will not go bust. Posteo has been around for more years than Tutanota and they do not offer loss making free accounts which makes it more likely that they will survive.

    Posteo review conclusion

    If you are comfortable managing your own PGP encryption keys, want an email service with an encrypted inbox that does not keep logs or records your identity and it comes with lots of features at a cheap price, I think that Posteo is unbeatable, far cheaper than other paid providers (€12/year).

    You should also pick Posteo for an email provider with calendar, notes and aliases that will respect your privacy and if you need a mailing list provider, this is still in beta but it should be rolled out soon.

    But if you rather have your email provider do to all PGP encryption for you at the back end don’t pick Posteo and if you wish to pay with Bitcoins Posteo should be out of limits for you too.

    Visit Posteo email

  • One year review of anonymous email service Countermail

    One year review of anonymous email service Countermail

    I have been using Countermail for over a year on a weekly basis and this review is based on my experience with them during this time. The service is free to try for a few days, after that you will be asked for payment which can be done with credit card, Paypal, wire transfer or Bitcoin.

    Credit card corporations force businesses to keep payment details stored for two weeks, Countermail claims to automatically destroy the records after that length of time but the credit card company and Paypal will likely preserve payment details for years although they will not be able to link them to any specific Countermail account or nick. If you pay with Bitcoin you will make tracing payment origin much more difficult but there is a surcharge.

    Signing up is simple, not requiring any personal information other than choosing a username and password, you only need Java installed in your computer, after account creation you can get rid of Java and use IMAP and SMTP with Thunderbird and Enigmail. There is a tutorial in Countermail help pages explaining how to set it up. It took me a few hours, demanding lots of reading and testing, it wasn’t very easy to do.

    Be very careful to remember your password because if you lose it, it can not be recovered and your data will be lost for ever.

    Anonymous email provider Countermail
    Anonymous email provider Countermail

    Countermail webservers are live CD powered web servers, there is no hard drive, powering it off to install monitoring software will eliminate all data held in RAM, including encryption keys, and without any hard drive present computer forensics would be a waste of time. For further surety, encryption is executed in the user’s computer, Countermail does not store any password. By default it will keep your private encryption key (although the encrypted version only!) but not the password and you need bot of them to decrypt messages. If you are not comfortable with having your private keys in the server, you can delete them and store the keys in your computer or send Countermail your public encryption key. A second mail server with a hard drive stores messages and files but this is only accessible using the diskless webserver and no IPs are leaked.

    The email service is based on a custom Squirrel email interface. You have the ability to automatically sign and encrypt email messages in your browser within webmail, including attachments, with the standard OpenPGP.

    In Countermail settings you can import and export encryption keys, when you email someone Countermail will automatically encrypt the message with the key found in your keyring and if none is found you will be notified. Communicating with other Countermail or Hushmail users does not require you to have the receiver’s key, it will be automatically fetched for you.

    You can create aliases under the countermail.com or cmail.nu domain name and distribute these disposable email addresses without never revealing your main inbox, it is best to do this from day one and if you receive spam you can delete the address. I advice you to choose a cryptic alias because after you erase it someone can register it straight away and any emails meant for you will go to that other person, it happened to me that I registered a very common alias @countermail.com address and I received messages meant to be for someone else, I never abused the content but I could have done.

    The company claims to keep no logs of when you log in and out, email back ups are kept encrypted in Countermail servers for 7 days and rotated, the company headquarters and mail servers are all based in Sweden, your usage of their service is subjected to Swedish law.

    Countermail webmail encryption keys
    Countermail webmail encryption keys

    When you send a webmail message your computer IP will be stripped from the headers and swapped by 127.0.0.1, if you use SMTP an anonymous German or Swiss tunnel IP will show in the headers. Other Countermail security practises include disabling HTML messages by default, you have to click on view HTML if someone sends embedded images.

    If you click on a URL inside an email message  it will be automatically deferred to stop the website server from seeing how you got there and clicking on the escape key on your keyboard will log you out of Countermail and take you to the page of your choice, this is meant to be an emergency log out key.

    I wanted to play the paranoid card and I did not want Countermail to hold my encryption keys and it is necessary to note here that my Countermail private keys are created in my own computer and only send to their servers after they have been encrypted, but it did not feel right to trust someone else with something as important.

    I communicated with other people deploying my own keys and it reduced webmail functionality, if the private encryption key is not uploaded to Countermail server you will get a Java error and you will not be able to view the message, you will have to download as attachment to your hard drive and save as text before decrypting it locally.

    I contacted Countermail staff a couple of times about a problem I had importing a PGP public key and they replied to my support email in under 24 hours with helpful advice about how to get copy and paste right.

    There are non email features included with the package, a bookmark and notes storage inside what they call “Safebox“, I found it very basic but no harm being there. You also get a calendar and an XMPP chat server compatible with Jabber clients like Jitsi and you can use Countermail portable downloading the prebuild Firefox Portable browser with Java from Countermail servers or set the email service with your own domain name for a one time fee.

    Countermail.com Java login screen
    Countermail.com Java login screen

    Another option is to buy a USB key from Countermail that will be used as keyfile to login into your account, if your password is stolen nobody will be able to login unless they physically have the USB key in their power. I only used the email service during all this time, I can’t comment too much about the rest, I only glanced at it.

    Overall, I think that this is one of the very few email services that not only protects your privacy with encryption but also makes your IP untraceable by not keeping logs. There are a dozen other encryption email services out there in the market and Countermail is one of the very few being very clear about not keeping any logs.

    If you don’t need high level anonymity and are only concerned about email encryption (privacy), you might find cheaper and simple to use email services, but if you care about how long for your email provider keeps logs, about being able to pay in Bitcoins, and about your email service taking proactive measures to stop state surveillance as well as your email provider being located outside the USA, I don’t think there are too many competitors to choose from, it is either Countermail or Anonymous Speech, and I think that Countermail has better security with their diskless servers and by only keeping your private encryption keys after they have been first encrypted in your computer before they are uploaded to the server.

    Assuming Countermail does everything as they say, it seems to be good value for money for those after a high degree of email privacy and anonymity.

    And if you want a free anonymous email alternative, download Tor, OpenPGP Studio and combine it with any email provider, it will also get the job done.

    Visit Countermail homepage

  • List of the best Tor email hidden services updated 2025

    List of the best Tor email hidden services updated 2025

    The following is a list of email services hosted in hidden services to send and receive anonymous email through Tor. A few of them can only be accessed using the Tor browser and have a Clearnet address only for information purposes.

    If you are serious about security you must install the official Tor browser but if you are not paranoid about anonymity, you can download the Brave browser, this privacy browser is able to access .onion sites and Tor offering less security than the official browser, it has JavaScript enabled.

    Cock.li (http://rurcblzhmdk22kttfkel2zduhyu3r6to7knyc7wiorzrx5gw4c3lftad.onion/): A free email and XMPP anonymous service funded with donations that allows registration with Tor , VPN and proxies. There are over a dozen domains to choose from when you sign up for a cock.li email address, other known domains used by this provider are Airmail.cc and firemail.cc

    Morke (http://6n5nbusxgyw46juqo3nt5v4zuivdbc7mzm74wlhg7arggetaui4yp4id.onion/): Using the domain names Morke.ru and Morke.org with a SquirrelMail interface, registration is free but it can only be done using the Tor browser.

    ProtonMail (https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion): Fully encrypted Switzerland based privacy email provider that allows registration using Tor, the free version of ProtonMail provides for a decent service and includes extra features like an encrypted calendar, and cloud storage.

    OnionMail.org (http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/): Anonymous email provider that encrypts email with your own key, they have a multi language free service where you can test it and upgrade to a paid plan with more storage space, cryptocurrency is accepted and there is support live chat in their website.

    OnionMail.info: Clearner directory listing OnionMail email providers, you have to be careful who you pick, nobody knows who is running the service and a few of them that I checked had the mail server misconfigured.

    DanWin1210 (http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/): Personal website providing free anonymous Jabber and email account that can be accessed in the clearnet or Tor.

    CS email (http://csmail3thcskmzvjicww3qdkvrhb6pb5s7zjqtb3gdst6guby2stsiqd.onion/): Disposable email address with v3 Tor hidden access, ideal to receive registration email details or brief communications, you can reply using the interface but emails are only kept for one hour. Sponsored by VPN provider CryptoStorm.

    Email providers that can be accessed with Tor

    The following email providers do not have a .onion email address but are privacy and Tor friendly, you should be able to sign up for their webmail service using the Tor browser which will provide with nearly as much a privacy as accessing them using a hidden service.

    MailFence: Based in Belgium, with support for PGP encryption and free plan. It is impossible for the email provider to read your emails if you use your own PGP encryption key.

    Tuta: German email provider specialised in privacy, it has implemented quantum resistant encryption to future proof your privacy and metadata scrubbing.