Free email providers

61 replies [Last post]
talbers
Offline
Joined: 01/29/2017

Currently I'm using google's email service but I would like to move onto a provider that respected my freedom, but I do not know any alternatives, could you suggest some? The only requirement is that it has to be free (in cost) as I have no way of paying for it.

ivanB1975
Offline
Joined: 08/29/2017

Long time ago, I bought a raspberry pi for 35 dollars, and I installed on it citadel. At the same time for 50 dollars I bought my own domain name for 10 years and in a week I had my personal email set up on the pi. The best way to respect your freedom and pocket is to learn how to do things yourself :)

talbers
Offline
Joined: 01/29/2017

Yes, I had the same idea as I also wanted to have my own web page, the problem is, my internet really sucks (disconnects all the time) and I don't have an static IP either (I guess there are some alternatives to this point). Maybe it's time to talk with my internet provider ...

jxself
Offline
Joined: 09/13/2010

"The best way to respect your freedom and pocket is to learn how to do things yourself :)"

For sure. It's too bad that I can only upvote this once.

heyjoe
Offline
Joined: 01/09/2018

Ir RPi needs nonfree software to boot (afaik). Such a device cannot possibly respect your freedom.

GrevenGull
Offline
Joined: 12/18/2017

One thing I don't understand about "buying" domain names is... who owns them in the first place?

Also.. what is raspberry pi? And citadel?

mason

I am a member!

Offline
Joined: 07/07/2017

On 02/12, name at domain wrote:
> Long time ago, I bought a raspberry pi for 35 dollars, and I
> installed on it citadel. At the same time for 50 dollars I bought
> my own domain name for 10 years and in a week I had my personal
> email set up on the pi. The best way to respect your freedom and
> pocket is to learn how to do things yourself :)

I've considered doing this. I already have a domain name and a C.H.I.P. Have you managed to avoid getting blacklisted? I read here

https://mailinabox.email/guide.html

that this is a risk of using a server in your home.

s1lv3r
Offline
Joined: 10/29/2017

https://www.fsf.org/resources/webmail-systems you can find something here, sigaint is closed but the others are viable.
I think these two are the best you can find https://posteo.de (you have to pay a small fee for this one) or https://riseup.net/.
You can ask for an account on this site https://www.autistici.org/, autistici inventati is a famous site you probably already heard of it.
More info for your privacy here: https://prism-break.org/en/.
More email providers: https://prism-break.org/en/subcategories/gnu-linux-email-accounts/
Hope this is helpful!

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

I can only recommend two: riseup and cock.li (the latter has several domains if a mail with cocks does not fit your standards)

talbers
Offline
Joined: 01/29/2017

I checked riseup's site but I don't know how to get an invitation ticket :/

MSuzuqi
Offline
Joined: 01/22/2018

If I remember correctly, I sent them a email, then they gave me an invitation code. But I couldn't make login since unknown error. Then I sent some emails to them, they told me that that cause is perhaps the browsers, I have no device except this iPhone. So I gave up. If I get a PC, I am going to try it again.

heyjoe
Offline
Joined: 01/09/2018

> provider that respected my freedom

The question is: which online service provider runs on RYF hardware with FOSS firmware and software?

And the answer is: none (to the best of my knowledge).

Option 1: The closest you could get to it is by purchasing your own server without Intel ME and with libreboot, install proper free software on it and make sure it is online 24/7/365 at a high speed internet connection. But that costs a lot and is still far from perfect. It is even worse when you think that you will actually be buying yet another CPU with hardware bugs and proprietary microcode.

* Caveat: Of course you will also have to provide such computers to everyone who you want to communicate with. It hardly makes sense to send from a clean system to a PRISM owned one. And because in most cases this is impossible you are doomed.

Option 2: stay with whatever you use, communicate using end-to-end encryption (if your recipients know how). Then it doesn't matter much who the carrier is. The caveat still remains.

Option 3: Do like J. Assange who says "I don't use email, it is too dangerous". Of course this leads to other kinds of caveats.

GrevenGull
Offline
Joined: 12/18/2017

I encourage the person who downvoted this comment to explain why said person downvoted.
I upvoted to somewhat spread the balance, but I would very much like to upvote again.

edit: typo

mason

I am a member!

Offline
Joined: 07/07/2017

I've learned that the voting system is silly and up/down votes shouldn't be read into too much. The appropriate use of downvotes is to flag posts that are inappropriate. If you see a post that has been downvoted even though it does not violate community guidelines, you can do exactly as you did here and cancel it out.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>I don't use email, it is too dangerous

Why is email dangerous?

heyjoe
Offline
Joined: 01/09/2018

> Why is email dangerous?

Because when you expose governments you don't want to use a system with many potential attack vectors.

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

[heyjoe]
> Option 2: stay with whatever you use, communicate using end-to-end encryption (if your recipients know how). Then it doesn't matter much who the carrier is. The caveat still remains.

I think the same. Regardless of which SAAS service is used, backbone routers and fiber-optics are still owned. So it does't matter at all whether you use a PRISMed server or a home brewed server, unless you *encrypt* your communications.

As for the caveat, if a correspondent doesn't use encryption, then there's nothing that can be done. Again it doesn't matter if you've secured yourself or not. So my suggestion would be using any mail service pragmatically convenient, and then using encryption whenever possible.

[SuperTramp83]
> Why is email dangerous?

I believe J Assange doesn't trust in encryption as well. He may have a reason for that.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Edit: I misread.

heyjoe
Offline
Joined: 01/09/2018

> As for the caveat, if a correspondent doesn't use encryption, then there's nothing that can be done.

Even if he does the encryption may be flawed through access to the private key (through something running at ring -2 or -3). Speaking of which: I would rather trust Google because they have surely done more about removing iME (https://www.youtube.com/watch?v=iffTJ1vPCSo) than Kolabnow. Here is an excerpt from my email question and answer to Kolabnow:

-----------------
> 4. How do you address the issue with Intel ME, proprietary BIOS and
> similar?
> (because obviously running free OS and software is not enough any more)

It is not something that will happen soon, but we are learning to ride
the bike.
-----------------

But I don't read anything about that bike here:

https://kolabnow.com/feature/confidence

So it is again - a gimmick which would attract only people who are technically ignorant and willing to buy the trendy "free" and "privacy respecting" things.

Personally I was quite interested in migrating from G.Apps to Kolabnow but I am reluctant now (+ their service is much more expensive).

quantumgravity
Offline
Joined: 04/22/2013

> The question is: which online service provider runs on RYF hardware with FOSS firmware and software?

No, that's not at all the question.
It's always the same thing: once you send data to other peoples computers, you gave away control over this data anyway and it doesn't matter at all what
software this other computer claims to run.
It's not *your* computer but theirs, and so asking for an email provider that runs only free software on their servers is actually being concerned about *their* freedom.
You already gave away control over your data anyway and can never be sure what software the mail provider really runs.
Even if he does run only free software, he could still mistreat you by copying your mails, reading them, selling your data etc (just examples here).

Now, don't get me wrong: we have to give away control over our data to some extent in order to do certain jobs.
For instance, I can't search the web with my own computer alone. I have to connect to a search engine and transmit my query.
There are other examples were I *could* do the job on my own computer, and if I still send the data to some server in order to get processed, it's called
"Service as a software substitute":
https://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html

Note that in the case of "service as a software substitute", it's not important what kind of software actually runs on the server, since you don't own it.

An email provider that "respects your freedom" is most likely one that allows you to use his service without the need of proprietary software.
I think this holds for all providers I know of.
An email provider that "respects my privacy" is a separate question, since freedom and privacy are two distinct yet connected topics.
It's always a matter of trust... unless you use encryption.
After all, this whole "we will not log anything and won't read your mails" is nothing but a promise.
As others have pointed out, running your own email server is the best but inconvenient way.

heyjoe
Offline
Joined: 01/09/2018

> It's not *your* computer but theirs, and so asking for an email provider that runs only free software on their servers is actually being concerned about *their* freedom.

The email provider does NOT run only free software. NO computer in this world does that as of today. I wonder why it is so difficult for most people here to understand this. Firmware (Intel ME, microcode, BIOS) IS a program and it is NOT free. And there is NO online service provider running on CPUs without Spectre and Meltdown. NONE. It has been demonstrated by top security experts that all these systems are extremely vulnerable and to this moment there are only mitigations because fixes require actual new hardware. You won't fix that with recommendations, endorsements, theories, philosophies or links from gnu.org.

The problem is much bigger than your petty little computer. I wonder why you don't see it. There is no real freedom or respect for it in is such environment because there are no devices which do this, i.e. it is physically impossible. If you don't have the freedom to communicate privately - who cares about anything else? The biggest issue today is surveillance.

Accept it or create something new and give it to humankind.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

The email provider does NOT run only free software. NO computer in this world does that as of today. I wonder why it is so difficult for most people here to understand this.

I wonder why it is so difficult for you to understand that it is *not* quantumgravity's point. He even started his reply to your question ("which online service provider runs on RYF hardware with FOSS firmware and software?") with "No, that's not at all the question". The central point of his reply is:

Even if he does run only free software, he could still mistreat you by copying your mails, reading them, selling your data etc (just examples here).

quantumgravity
Offline
Joined: 04/22/2013

Did you even read my post?
It almost feels as if you're replying to somebody else... you completely missed my point.

dsj19
Offline
Joined: 12/05/2013

> The question is: which online service provider runs on RYF hardware with FOSS firmware and software?

Vikings [1] will soon lunch their librehosting service and I asked them at FOSDEM when they will be ready to deliver. They said that they would start in April 2018 with email hosting first and afterwards continue with the librehosting service.
They run on free hardware [2] (Talos 1 and Talos 2) + FOSS software

[1] https://vikings.net/
[2] https://www.raptorcs.com/TALOSII/

heyjoe
Offline
Joined: 01/09/2018

Interesting. Thanks for sharing.

I hope it won't be a 1.April joke :)

GrevenGull
Offline
Joined: 12/18/2017

protonmail?

heyjoe
Offline
Joined: 01/09/2018

Here is also an excerpt from the answer by protonmail about the same questions put to Kolabnow. The answer came 6 days later with an excuse they have too many emails (which I read as a hint about what support you can expect):

------------
Unfortunately, we have hundreds of emails per day to answer.

For how and why we are superior to Lavabit I encourage you to find an unbiased source (not us or them) and see for yourself.

As for CPU's being vulnerable, that is possible but we offer the best possible security. We dont intend to manufacture our own chips. Not sure what answer you're looking for.

As for quantum, we are adding EC support to OpenPGPJS and to ProtonMail as well in the coming months.

Sorry for the sparse answers.

Best regards,
The ProtonMail Security Team
------------

After further questioning:
------------
Our threat model is here:
https://protonmail.com/blog/protonmail-threat-model/

Obviously if you don't trust your device you can't trust anything that runs on it. So we don't propose to be immune to device level compromise.

We offer encrypt-for-outside for non-protonmail users.
------------

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

If it comes down to using other email providers,

Disroot.org is the best free one.

If you are doing it yourself, that's good too...

But yeah... if you know how to do it yourself, that is the best option.

But if you don't, then go for disroot.org.

That one is copyleft. Though I wish I knew which license it was. :0

Aristophanes
Offline
Joined: 10/05/2017

What do you think of Autistici/Inventati? I've done some research, and they seem to be solid in terms of the security and privacy they offer.

heyjoe
Offline
Joined: 01/09/2018

> Disroot.org is the best free one.

Which others have you compared, on what criteria and how do they handle the ring -2 and -3 issues?

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

ring -2 and ring -3?

hmm... I don't know much about ring,

I just know for desktops its pretty freakin decent.

I should also add 4gb cloud storage and also, it costs nothing unless you donate.

Its copyleft and also,

Oh, not that this helps you persay, but,

https://www.ssllabs.com/ssltest/analyze.html?d=disroot.org

A+

I use Hyperbola and use their email through icedove 52.6.0 works good for me.

I still haven't figured out how to add a gpg key to it yet, but someday it will be easier I am sure.

That's my thoughts anyways.

but they do have good ciphers in general.

heyjoe
Offline
Joined: 01/09/2018
CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Interesting, its worth looking up I am sure. I don't quite know the answer at this time.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

I still haven't figured out how to add a gpg key to it yet

Have you tried following the steps on https://emailselfdefense.fsf.org/en/index.html ?

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Ah you misunderstand, I meant within the website itself. Kind of like posteo.de's method of doing so.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

You want your GPG private key to stay on *your* machine, not on that of the service provider.

CalmStorm

I am a member!

Offline
Joined: 12/31/2014

Hmm, I never thought of it from that perspective. That is a good point.

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

[TIC]
I believe email security is generally exaggerated to no extent. It shouldn't be quite so difficult to achieve reasonable security in terms of email messaging (ignoring other uses of internet for the sake of discussion).

If you simply merely...

* Use only pure libre and audited hardware
* Use only pure libre and audited software
* Encrypt your emails with GPG
* Ensure that there is no back doors to the encryption algorithm you use
* Ensure that your keys are safe
* Ensure that all of the above also true for your correspondents

...then you can expect to have reasonably good email security and privacy.
It's quite as very simple as that!
It is beyond me why people make a fuss about it.
[/TIC]

heyjoe
Offline
Joined: 01/09/2018

What you list is only valid if all the nodes in the network have the qualities you listed.

Suppose you have:
- node A (perfect clean ultimate libre)
- node B (containing spyware)

A sends encrypted message to B. The spyware on B decrypts everything because it steals B's private key. So what good is A's perfectly secret private key? - Nobody cares about it or its secrecy because the info you transmit has been hacked through the other node.

That's the big fuss (to my mind).

(of course you know all that)

MSuzuqi
Offline
Joined: 01/22/2018

Good, notjoe. I am used to that. Don't mind. You have good friends. Let's die for next people and for our boring.
I can tell you just
1. Somebody pays Abusolutely.
2. You can reincanate the top exist again, more beauty. ( in a other star?)
3. You can live the best life, even if.
4. I have several ESP. I win. My last name is Masaru, that means victory.

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

> What you list is only valid if all the nodes in the network have the qualities you listed.

I had addressed it with;

>> * Ensure that all of the above also true for your correspondents

Node B is one of your correspondents.

> That's the big fuss (to my mind).

[TIC]
Oh no, ensuring encryption-suitability of your correspondents is not so difficult that you seem to think. All you have to do is prepare a simple checklist, send it to your correspondents in plain text while you're exchanging public keys. And decline exchanging encrypted mails if one of the requirements in the checklist is not met by your correspondent.

In order to make things easier for non-tech people, this checklist should *not* ask questions like "[ ] Is your hardware comprised of only pure libre and audited parts?" That's a tough question for the casual user. Some people may not know what "pure and libre parts" means. Each question regarding encryption suitability (that I have given in my previous message) should be translated into much easier sub-lists, such as;

For hardware:
[ ] Is your CPU Shakti? (if not, please give its name and model)
* What is the name and serial number of your BIOS? [__________]
* What is the name and model of your GPU? [__________]
* What is the name and model of your NIC? [__________]
* What is the name and model of your WiFi? [__________]
* What is the name and model of your modem? [__________]
* What is the name and model of bluetooth adapter? [__________]
[ ] Are your USB connectors stuffed with glue? (silicon gum or the like would also do)

A plain and easy sub-list similar to the above should be prepared for each of hardware, software, GPG usage, algorithm security, and key security. Shouldn't take more than a couple of minutes of your correspondent. Given the stakes involved, what's a minute?

A small utility might be written, even, to streamline the process. For me, I would have found it most helpful if Debian main repository included such a package. Then all I would have to do would be, quite simply, asking my correspondent "Please run freedom-police and pass me the output".
[/TIC]

heyjoe
Offline
Joined: 01/09/2018

> I had addressed it with;

Sorry. I may have missed that. Anyway my clarification is probably still relevant and necessary :)

What is TIC?

The bullet lists you show are still only for experts. I can't imagine doing it with clients who use iMac/iPhone and are utterly proud of it and closing one's source of income because of that would be insanity.

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

> What is TIC?

Tongue in cheek. :)

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

> The bullet lists you show are still only for experts. I can't imagine doing it with clients who use iMac/iPhone and are utterly proud of it and closing one's source of income because of that would be insanity.

Exactly.

With [TIC] paragraphs I was indirectly saying that true email security is practically out of reach for the time being. Non-existent (yet) libre CPU, non-existent libre GPU, non-existent libre networking hardware, pure libre audited software, ensuring that all the parties are the same...

MSuzuqi
Offline
Joined: 01/22/2018

>Non-existent (yet) libre CPU, non-existent libre GPU, non-existent libre networking hardware, pure libre audited software, ensuring that all the parties are the same...

So there is not a perfect method.
How difficult is it?

Abdullah Ramazanoglu
Offline
Joined: 12/15/2016

> So there is not a perfect method.
> How difficult is it?

I am afraid there is no *perfect* method, but there are *good* methods. I sctratched the surface of it in the other thread you started. (Is there a perfect method to guard our communication?)

heyjoe
Offline
Joined: 01/09/2018

We are still working on it :P

MSuzuqi
Offline
Joined: 01/22/2018

What is the best way for reduce your friend's risk.

MSuzuqi
Offline
Joined: 01/22/2018

What is the best way for reduce your friend's risk.

MSuzuqi
Offline
Joined: 01/22/2018

What is the best way for reduce your friend's risk.

MSuzuqi
Offline
Joined: 01/22/2018

What is the best way for reduce your friend's risk.