Hacker 10 – Security Hacker

Tag: Hushmail alternative

  • List of the best free webmail privacy services

    List of the best free webmail privacy services

    One of the most private email communication systems consists in using Tor or a VPN to connect to a free webmail service and encrypt the messages yourself with PGP, this method gives you privacy and anonymity. Thunderbird+Enigmail, or GPG4Win can do that and it won’t cost you a cent, the problem is the time and learning curbe it takes to do this.

    Encryption built-into the webmail service might not as secure as doing it yourself but if the company claims are true, encryption secure and their privacy policy trustworthy, it is a really easy way to secure your email messages.

    Atomic Mail: Free encrypted email service with aliases, zero access encryption and no advertising. Atomic Mail is a new privacy email service based in Estonia compliant with European GDRP privacy laws. You can use it to send password protected emails to people using an insecure email providers, when you send a password protected email only the link to the message hosted in a secure server is sent and not the content.

    Proton Mail: Company keeps minimum logs and can not read your data as the inbox is encrypted. Servers are based in Switzerland. Communicating with other Protonmail users is end to end encrypted, and emailing other email providers is done in plain text, to make the best of this service your friends should ideally be using too. the company itself can’t read your data.

    Tuta Email: Email privacy service based in Germany, messages are encrypted in your browser and nobody can access the encryption keys, Tuta staff has no decryption keys, they keep no login IPs and have no way to identify customers or decrypt data. They also publish transparency reports showing how many court orders they had and what it was done about it, like, handing over encrypted data.

    Tutanota free privacy email
    Tuta free privacy email service

    VFEmail: With support for PGP encrypted webmail using the interface and anonymous sign up using Tor, this service has a Tor hidden node from where you can access your account. Metadata is scrubbed from emails and your computer IP removed from the headers.

    Mailfence: Email service hosted in Belgium that supports sending OpenPGP encrypted messages and two factor authentication.  Seamless keystore integration.  All encryption happens in the browser.  Service includes a calendar and cloud document storage with paid for accounts giving you access to Android and iPhone apps to access your email using a portable device.

    NOTICE: List only includes services with free option. If you are willing to pay for a privacy email service other companies you should look at are Posteo (Germany), Countermail (Sweden), StartMail (Netherlands), CodaMail (USA) and KolabNow (Switzerland).

    Webmail services hiding your IP

    The following email services do not encrypt your messages but hide your computer IP in the headers. I tested all of them and the sender’s IP is replaced with a neutral IANA (Internet Assigned Numbers Authority) private IP address, a range of IP addresses not linked to any country or person reserved for use in private networks, the only way to find out who sent the email is to contact the company and ask them.

    Yandex: Russian email provider offering Email accounts in multiple languages, with huge storage space (10GB), beautiful interface of interchangeable themes, spam and virus filter and free storage for files and documents. Yandex strips your email from the headers but this is not a privacy service they keep internal logs of the real IP in case of abuse.

    GMX Mail: Free German email provider with PGP encryption, large attachments, filter rules and mail collector as well as 10 free aliases to be able to compartmentalize different online identities. GMX finances the free email service with advertising being displayed on their page.

    NOTE: Some email services will only strip your computer IP from the headers for webmail and include the computer IP in messages sent using SMTP.

  • Free encrypted webmail service Tutanota

    Free encrypted webmail service Tutanota

    Tutanota, meaning secure message in Latin, is a German based free webmail service with end to end encryption. Your email messages, attachments and subject are all encrypted in your browser using Javascript with a cipher combination of RSA 2048-bit and AES-128-bit before uploading data to Tutanota mail servers in Germany. The encryption keys remain in your power at all times, the company can’t see anything in plain text, they can’t restore your password or reset your account, anybody forgetting their password loses access to the messages.

    If German authorities ever serve Tutanota with a court order to hand over a customer’s email inbox content, the company will of course comply with the warrant but all they will be able to deliver will be ciphered files with no decryption key. According to the email exchange I had with Matthias Pfau, one of Tutanota founders, they do not log IP addresses and only keep timestamps, the details are stored anonymously without any reference to your user account. Each mail in your inbox also contains the mail addresses of the recipients in clear text, kept until you delete the email, Tutanota has some ideas about how to hide the recipients address but it has not been implemented yet.

    Encryped webmail Tutanota
    Encryped webmail Tutanota

    You can open a Tutanota email account with minimal details, choose a username and password and that is it. During the very short registration you will find a link to a Wikipedia page with instructions on how to choose a strong password, a coloured meter on the page lets you know if your password is secure enough to withstand brute force attacks.

    I appreciated the clean smooth webmail interface giving one click access to the different tabs and folders, with a security tab where you can see a list of of the successful and failed account logins with timestamps, no computer IPs are associated with customer accounts since no IP logs are kept.

    Sending an encrypted email in Tutanota is effortless, it does not require customers to manage encryption keys or know much about security. The system is compatible with insecure email services like Gmail or Yahoo. When you send a secure email to somebody who is not on Tutanota, instead of receiving the full text, they receive a message with a link inviting that person to visit Tutanota servers to read the encrypted email, only readable with the correct password and decrypted locally in the browser.

    By not sending the email message body, any organisation monitoring Internet traffic will not be able to intercept a copy of the encrypted data. A terrific way to stop mass surveillance on the Internet is to never let the data out on the wild web. The same security system that CIA director General Petraeus was using to communicate for an extramarital affair, he used a dead drop email account and never allowed messages to travel the Internet.

    One can assume that the CIA director has classified knowledge to know how to best avoid surveillance, and presumably General Petraeus applied that privileged information to protect his own life, it is possible to learn a lot from observing the experts and copycat them.

    Tutanota encrypted email exchange
    Tutanota encrypted email exchange

    Tutanota free email service is a major improvement over the dead letter box communication system, the company adds an encryption layer, and the people you communicate with do not have to change anything, they can securely reply to you using the same window where they are reading the received message.

    Another important security fact about Tutanota is that they hired a German penetration testing company called SySS to try to find security vulnerabilities in their mail service, like cross site scripting. Tutanota was given an all clear certificate attesting that during the network scan and manual hacking that was attempted by security experts it was not possible for SySS to access any confidential data. If that is not reassuring enough, Tutanota source code is available for download released under the GPL license, you can use it to build your own email client or check it for bugs.

    The zero knowledge approach of this email service, their no logs no decryption keys available policy, located outside of the UK and USA, very easy registration and utilization make Tutanota one of the best alternatives to Hushmail.  If I have to complain about anything, is that, not being German myself, I do not like getting a .de email address (@tutanota.de), I prefer a .com domain to stop people from assuming I am German.

    This security model is the future, spy agencies are not going to stop monitoring data travelling across the Internet, so, you just don’t send it, leave it on the server for others to  fetch, superb.

    Visit Tutanota homepage

  • Review encrypted email service ProtonMail

    Review encrypted email service ProtonMail

    ProtonMail is a Switzerland based privacy email provider, the company stores your data encrypted in their servers and they claim that computer IPs used to connect to the account are not logged. I looked at the email headers sending myself a test message and I could see that ProtonMail does not include sender’s IP inside email metadata.

    When you first open up and account (took me a few days to get an invite), you will be asked for two different passwords, one is the email login password and the second one, not known to ProtonMail, is the password used to encrypt email messages in your browser before uploading them to the server. There is no password length check or anything forcing people to use a complicated passphrase to stop new users from being negligent and making up a short guessable pass.

    I also noticed that there is no automatic logout, you can easily forget about logging out of your account in a public computer and the person behind you could get access to your account two hours later.

    Encrypted Swiss email service ProtonMail
    Encrypted Swiss email service ProtonMail

    If you correspond with other ProtonMail users, encryption is end to end, messages never leave the ProtonMail server network, they will not travel the Internet where encrypted messages could be intercepted by the NSA international fibre optic cable wire-tapping operation to attempt postliminary cracking with their supercomputers.

    To interact with an external email account, like Gmail, you have the option to send the message in clear text, with no protection at all, or send a password protected link where the receiver will have to click on to read the message directly from ProtonMail encrypted servers. The link can be set to expire after just a few hours or two weeks, the message will no longer exist once the expiration date is reached.

    There are a few weaknesses to sending emails in this fashion, one is that you will need to transmit the password to the other part, this will slow you down and is open to interception.  Another security weakness is that there isn’t any kind of brute force protection, after somebody has read the message it will not be automatically self-destroyed as it should be. I could not see any counter on the page letting you know if the message has been previously displayed before you read it.

    The good part of sending email messages with password protected links is that the receiver only needs javascript enabled in their browser to be able to read them and that the messages can’t be scanned en route.

    ProtonMail settings and compose screen are simple but enough to get the job done. I appreciated a button to permanently delete all account and messages, regrettably this did not work for me when I tried it, it would do nothing when I clicked.

    ProtonMail security model is based around owning their own hardware, storing it offshore outside USA and European Union laws, and fully encrypting their disks with the decryption keys split in between various individuals, with server integrity checks to detect illicit changes in the software, like somebody installing a key logger, but those checks can not stop a hardware keylogger in the data center, although since data is encrypted by the user browser, the most an unauthorised third party could do is to monitor computer IP connection logs.

    This is an easy to use email service, perhaps the only free email service that claims to keep no user logs. The company implements well known open source cryptolibraries and they allege to be audited by computer security staff at CERN (European Center for Nuclear Research). The only problem I have with ProtonMail is that there isn’t a built-in system to send messages with your own PGP keys, this is the main reason why I can’t use them as my primary email provider.

    PGP is the default standard for email encryption and I can’t ask anybody to stop using PGP encryption keys and switch to a ProtonMail account for javascript OpenPGP encryption, ideally, my perfect encrypted email provider must be able to import a PGP key from one of my friends and use it to secure data.

    Visit ProtonMail homepage

  • ETHICmail, the legal resistant email service

    ETHICmail, the legal resistant email service

    ETHICmail is a secure email service that aims at stopping massive and illegal surveillance orders. ETHICmail secures your connection to their servers with SSL Perfect Forward Secrecy, 4096-bit digital certificates and their proprietary SecureStorage AES 192-bit encryption engine for data storage.

    One unique ETHICmail feature not found elsewhere is emergency remote full data wipe of your email messages by sending a mobile phone SMS code to your account. ETHICmail also has a specialist legal team that reviews and challenges unfounded surveillance orders, Gmail claims to have that too so I would not call the last feature unique but ETHICmail notifies the individual when they receive a warrant against him whenever it is possible.

    ETHICmail legal resistant email
    ETHICmail legal resistant email

    ETHICmail email login interface has a banner on top listing a help phone number in Switzerland and displaying how many surveillance warrants have been served to them up to date, divided by interception and data seizure warrants.

    Their email interface is clearly a customized cPanel UI, offering you Horde, RoundCube, SquirrelMail and ETHICmail logins, each one with a different layout, if you have used cPanel before you feel comfortable using it. If you wish, you can use your own domain name, it is easy to add, ETHICmail customer panel is based on WHM, a standard administrative web host manager deployed by most hosting companies.

    Your emails are kept encrypted with ETHICmail SecureStorage but you have to encrypt messages before sending them out, this is not done by ETHICmail for you like Hushmail or Countermail do, you need to be familiar with PGP encryption and manage the whole process.

    ETHICmail headquarters are in the Seychelles, a very privacy friendly jurisdiction, but I found out that part of their staff is is based in Gibaltrar, a territory ruled by British law. Being Britain NSA best buddy and a country where mass surveillance is routinely carried out with full government support, I wasn’t exactly thrilled. I am not sure how it affects legal subpoenas having the distribution centre offices in the United Kingdom.

    A disturbing problem with ETHICmail is that the company claims that they only accept 10 type of surveillance orders, ranging from terrorism to copyright infringement. The accepted interception orders cover every single kind of crime, from the most severe to the most minor.

    ETHICmail SecureStorage IP restriction
    ETHICmail SecureStorage IP restriction

    I don’t believe that any email service should help break the law, but when you start accepting surveillance orders for crimes that do not even carry a prison sentence, what is the point of paying extra for a self-proclaimed “legally resistant email service“. Not surprisingly law enforcement has been know to lie, there is no way ETHICmail can know if the copyright infringement really occurred or if it is something made up by a spy agency to get hold of the data.

    Positive ETHICmail points are that emails are stored encrypted with your own private key to which the company has no access and they claim to be unable to recover encrypted data, you can wipe your account remotely with an SMS message and there is computer IP control restriction to whitelist account access.

    Negative ETHICmail points are having part of their business in British soil, not providing automatic OpenPGP encryption when you send email like some of their competitors do and very expensive prices. ETHICmail legal assistance addon worth thousands of dollars is only affordable to big corporations.

    If you are an individual, you can find better price and features in Countermail, Hushmail or AnonymousSpeech. If you are corporation with a huge budget maybe you want to consider ETHICmail but not managing OpenPGP keys would bother me because the average employee does not have a clue about PGP and without it you are open to illegal in transit email wiretapping, another big blunder is that I could not see the interface being mobile device friendly

    Visit ETHICmail homepage

  • One year review of anonymous email service Countermail

    One year review of anonymous email service Countermail

    I have been using Countermail for over a year on a weekly basis and this review is based on my experience with them during this time. The service is free to try for a few days, after that you will be asked for payment which can be done with credit card, Paypal, wire transfer or Bitcoin.

    Credit card corporations force businesses to keep payment details stored for two weeks, Countermail claims to automatically destroy the records after that length of time but the credit card company and Paypal will likely preserve payment details for years although they will not be able to link them to any specific Countermail account or nick. If you pay with Bitcoin you will make tracing payment origin much more difficult but there is a surcharge.

    Signing up is simple, not requiring any personal information other than choosing a username and password, you only need Java installed in your computer, after account creation you can get rid of Java and use IMAP and SMTP with Thunderbird and Enigmail. There is a tutorial in Countermail help pages explaining how to set it up. It took me a few hours, demanding lots of reading and testing, it wasn’t very easy to do.

    Be very careful to remember your password because if you lose it, it can not be recovered and your data will be lost for ever.

    Anonymous email provider Countermail
    Anonymous email provider Countermail

    Countermail webservers are live CD powered web servers, there is no hard drive, powering it off to install monitoring software will eliminate all data held in RAM, including encryption keys, and without any hard drive present computer forensics would be a waste of time. For further surety, encryption is executed in the user’s computer, Countermail does not store any password. By default it will keep your private encryption key (although the encrypted version only!) but not the password and you need bot of them to decrypt messages. If you are not comfortable with having your private keys in the server, you can delete them and store the keys in your computer or send Countermail your public encryption key. A second mail server with a hard drive stores messages and files but this is only accessible using the diskless webserver and no IPs are leaked.

    The email service is based on a custom Squirrel email interface. You have the ability to automatically sign and encrypt email messages in your browser within webmail, including attachments, with the standard OpenPGP.

    In Countermail settings you can import and export encryption keys, when you email someone Countermail will automatically encrypt the message with the key found in your keyring and if none is found you will be notified. Communicating with other Countermail or Hushmail users does not require you to have the receiver’s key, it will be automatically fetched for you.

    You can create aliases under the countermail.com or cmail.nu domain name and distribute these disposable email addresses without never revealing your main inbox, it is best to do this from day one and if you receive spam you can delete the address. I advice you to choose a cryptic alias because after you erase it someone can register it straight away and any emails meant for you will go to that other person, it happened to me that I registered a very common alias @countermail.com address and I received messages meant to be for someone else, I never abused the content but I could have done.

    The company claims to keep no logs of when you log in and out, email back ups are kept encrypted in Countermail servers for 7 days and rotated, the company headquarters and mail servers are all based in Sweden, your usage of their service is subjected to Swedish law.

    Countermail webmail encryption keys
    Countermail webmail encryption keys

    When you send a webmail message your computer IP will be stripped from the headers and swapped by 127.0.0.1, if you use SMTP an anonymous German or Swiss tunnel IP will show in the headers. Other Countermail security practises include disabling HTML messages by default, you have to click on view HTML if someone sends embedded images.

    If you click on a URL inside an email message  it will be automatically deferred to stop the website server from seeing how you got there and clicking on the escape key on your keyboard will log you out of Countermail and take you to the page of your choice, this is meant to be an emergency log out key.

    I wanted to play the paranoid card and I did not want Countermail to hold my encryption keys and it is necessary to note here that my Countermail private keys are created in my own computer and only send to their servers after they have been encrypted, but it did not feel right to trust someone else with something as important.

    I communicated with other people deploying my own keys and it reduced webmail functionality, if the private encryption key is not uploaded to Countermail server you will get a Java error and you will not be able to view the message, you will have to download as attachment to your hard drive and save as text before decrypting it locally.

    I contacted Countermail staff a couple of times about a problem I had importing a PGP public key and they replied to my support email in under 24 hours with helpful advice about how to get copy and paste right.

    There are non email features included with the package, a bookmark and notes storage inside what they call “Safebox“, I found it very basic but no harm being there. You also get a calendar and an XMPP chat server compatible with Jabber clients like Jitsi and you can use Countermail portable downloading the prebuild Firefox Portable browser with Java from Countermail servers or set the email service with your own domain name for a one time fee.

    Countermail.com Java login screen
    Countermail.com Java login screen

    Another option is to buy a USB key from Countermail that will be used as keyfile to login into your account, if your password is stolen nobody will be able to login unless they physically have the USB key in their power. I only used the email service during all this time, I can’t comment too much about the rest, I only glanced at it.

    Overall, I think that this is one of the very few email services that not only protects your privacy with encryption but also makes your IP untraceable by not keeping logs. There are a dozen other encryption email services out there in the market and Countermail is one of the very few being very clear about not keeping any logs.

    If you don’t need high level anonymity and are only concerned about email encryption (privacy), you might find cheaper and simple to use email services, but if you care about how long for your email provider keeps logs, about being able to pay in Bitcoins, and about your email service taking proactive measures to stop state surveillance as well as your email provider being located outside the USA, I don’t think there are too many competitors to choose from, it is either Countermail or Anonymous Speech, and I think that Countermail has better security with their diskless servers and by only keeping your private encryption keys after they have been first encrypted in your computer before they are uploaded to the server.

    Assuming Countermail does everything as they say, it seems to be good value for money for those after a high degree of email privacy and anonymity.

    And if you want a free anonymous email alternative, download Tor, OpenPGP Studio and combine it with any email provider, it will also get the job done.

    Visit Countermail homepage

  • List of the best Tor email hidden services updated 2025

    List of the best Tor email hidden services updated 2025

    The following is a list of email services hosted in hidden services to send and receive anonymous email through Tor. A few of them can only be accessed using the Tor browser and have a Clearnet address only for information purposes.

    If you are serious about security you must install the official Tor browser but if you are not paranoid about anonymity, you can download the Brave browser, this privacy browser is able to access .onion sites and Tor offering less security than the official browser, it has JavaScript enabled.

    Cock.li (http://rurcblzhmdk22kttfkel2zduhyu3r6to7knyc7wiorzrx5gw4c3lftad.onion/): A free email and XMPP anonymous service funded with donations that allows registration with Tor , VPN and proxies. There are over a dozen domains to choose from when you sign up for a cock.li email address, other known domains used by this provider are Airmail.cc and firemail.cc

    Morke (http://6n5nbusxgyw46juqo3nt5v4zuivdbc7mzm74wlhg7arggetaui4yp4id.onion/): Using the domain names Morke.ru and Morke.org with a SquirrelMail interface, registration is free but it can only be done using the Tor browser.

    ProtonMail (https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion): Fully encrypted Switzerland based privacy email provider that allows registration using Tor, the free version of ProtonMail provides for a decent service and includes extra features like an encrypted calendar, and cloud storage.

    OnionMail.org (http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/): Anonymous email provider that encrypts email with your own key, they have a multi language free service where you can test it and upgrade to a paid plan with more storage space, cryptocurrency is accepted and there is support live chat in their website.

    OnionMail.info: Clearner directory listing OnionMail email providers, you have to be careful who you pick, nobody knows who is running the service and a few of them that I checked had the mail server misconfigured.

    DanWin1210 (http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/): Personal website providing free anonymous Jabber and email account that can be accessed in the clearnet or Tor.

    CS email (http://csmail3thcskmzvjicww3qdkvrhb6pb5s7zjqtb3gdst6guby2stsiqd.onion/): Disposable email address with v3 Tor hidden access, ideal to receive registration email details or brief communications, you can reply using the interface but emails are only kept for one hour. Sponsored by VPN provider CryptoStorm.

    Email providers that can be accessed with Tor

    The following email providers do not have a .onion email address but are privacy and Tor friendly, you should be able to sign up for their webmail service using the Tor browser which will provide with nearly as much a privacy as accessing them using a hidden service.

    MailFence: Based in Belgium, with support for PGP encryption and free plan. It is impossible for the email provider to read your emails if you use your own PGP encryption key.

    Tuta: German email provider specialised in privacy, it has implemented quantum resistant encryption to future proof your privacy and metadata scrubbing.

  • Autonomy Central email encryption and secure notes

    Autonomy Central email encryption and secure notes

    Autonomy Central is a cross platform and portable Java based email service to encrypt email messages, files and notes using 2048-bit RSA key and AES 256-bit, that level of security should stop well funded attackers. Creating an account is a fast five step process for beginners, or you can choose a “Control Mode” for power users giving you more options.

    You will be given a @valeso.com email address that can be used to securely communicate with other users, encryption and decryption will be automatic. If someone is using a Outlook or Yahoo address and does not have an Autonomy Central account, you can send them a Special Delivery message with a link to an online SSL viewer where the recipient can decrypt the information entering the right password that could be transmitted via SMS or phone call.

    Autonomy Central Valeso encrypted email
    Autonomy Central Valeso encrypted email

    Other features of this security suite include a secure notes section where you can keep personal reminders encrypted, and a file storage service that will encrypt any file you drag and drop inside the Window. Data will be stored locally in your computer or in Valeso cloud servers depending on settings.

    Autonomy Central is a highly configurable email service, advantageous for those who like to decide every single detail of their email habits but it could complicated for beginners given how many options it has.The default settings are safe for everyone in case you don’t want to spend time reading the manual or playing around with the software.

    This service could be an alternative to Hushmail, with some  important differences that one should consider, like not being able to use your own encryption keys, which means you have to trust the company behind Autonomy Central, and not being able to use webmail.

    Visit Autonomy Central homepage

    Update 2014: Program no longer supported, link erased.