Cock.li safe?

Is the email provider cock.li safe? They provide a .onion address and do not require any registration data.

No. If you look at the domain names they are offering you will find that the service appears to be catering to racists, fascists, misogynists and the like.

Aside from the question of whether you want to use a service like that, it will undoubtedly attract extra attention from the authorities.

4 Likes

In addition to the questionable targeted userbase, the home page makes alarming statements about encryption and email privacy, and it’s very clear that there is 0 attention paid to transparency and data security.

I would advise you don’t use them under any circumstance.

3 Likes

Not according to the people who run it. From their website:

How can I trust you?
You can’t.

I’d advise you take their advice. There is no technical reason to trust them, nothing built into the software that solves the trust problem. So it’s up to you whether you have a reason to trust them or not.

The name alone is enough for me not to trust the seriousness of the project or consider using it. But that’s my personal opinion based on a name alone.

My perspective (and also an earnest question for you): When there are technically superior, more reputable and trustworthy options available, why even consider a provider like cock.li?

6 Likes

It is a safe, private and anonymous service with a long history. Their transparency is better than most mail providers’, and trusting them is the same as trusting any other mail provider.

There is no technical reason to trust them, nothing built into the software that solves the trust problem.

No rebuttal to what @xe3 said? Because that’s a big part of email – sure they can flaunt their 4chan credz around and have their funny domain names, but when it comes down to it, they’re basically just saying “trust me bro”, unlike, say, Proton, which actually has a technical solution and demonstrably cannot access your email (see: the French activist case, where all they could provide was a login IP).

1 Like

In addition, regardless of the host’s wishes (he’s been a nice chap to talk to btw, and I donated for their service quite a long time ago), they did get their server forcefully seized. Two times.
2015:

Cock.li was reportedly used last week to send a bogus bomb threat e-mail from “madbomber@cock.li” to several school districts nationwide, which led to the closure of all schools in the Los Angeles Unified School District.

2016: (The service is now operating in Romania; I haven’t found any details on the reason for that year’s seizure.)

Also, random funny article about it

Cock.li is great. I have a bunch of emails from them, from throwaway purposes to serious use.

They are completely anonymous, require no phone number or payment info to sign up. You can access them through Tor (.onion site). They also support IMAP which is a must-have for me. 100% donation-funded with no ads.

The downside is that - like 99% of email providers - they don’t have built-in zero knowledge encryption (like e.g. Protonmail) but they’re compatible with PGP if you set it up yourself in your email client. So you need to be aware that the contents of the emails (unless you encrypt them yourself) can be read by Cock.li and therefore can also be demanded by the authorities.

I use them for stuff where I want to be anonymous or pseudonymous vis-a-vis the people I email with, or for making online accounts. But of course that doesn’t mean you should share sensitive or incriminating information - but to be honest, while Protonmail or Skiff might be better in that regard due to their zero knowledge encryption, email is just not the right medium for this, as 99% of your correspondents will not use PGP and therefore most of your emails will end up stored in plain text on some Gmail/Outlook/GMX/Yahoo server anyway, and the metadata (from… to…) is never encrypted in the first place.

1 Like

Says who? I bet you there is logging to prevent abuse/spam and the domains being blacklisted (which they probably are in a lot of places anyway).

The owner is not anonymous, and there’s quite well the possibility that Vincent Canfield could very well decide to work with authorities if he felt like it for some reason or another, so I wouldn’t take any promise of anonymity too seriously, not any more than signing up to any other provider through Tor etc.

5 Likes

I don’t even think there is any promise of not logging you or keeping you safe when the police come knocking.

What I mean is that you can sign up to an account via Tor and not give them any personally identifiable information (phone number, alternative email address, name, payment details). So it is possible to sign up to Cock.li without ever revealing who you are. Even if you want to donate, they accept Monero.

This is not possible with any mainstream email provider, and as far as I know not even with the PG recommended providers (e.g. Protonmail afaik asks for your phone number if you sign up through Tor, and you can’t pay with Monero).

1 Like

Even just a quick look at cock.li reveals that they don’t take security seriously, they don’t even have DMARC configured. Their email setup seems very amateur for a service that claims to have been running for 10 years.

Other things I found concerning: the cock.li session cookie isn’t using the “Secure” cookie attribute, which means it could be intercepted by an attacker. This doesn’t apply to their webmail, because they are using Roundcube, which does enforce this cookie attribute.

Their mail server also appears to be using out-of-date ciphers, which can affect the security of mail transfers; they are also using a non-standard Diffie-Hellman key exchange parameter.

They don’t use modern standards for email security such as MTA-STS, TLS-RPT, DANE and DNSSEC to ensure that transport layer security is applied during SMTP connections.

Their lack of a DMARC policy means that it is trivial for an attacker to impersonate their domain. They appear to have an SPF record set; however, this is useless without a DMARC policy.

There are also other minor problems that I noticed such as their referrer policy and their cache controls not being as secure as they should be.

Proton Mail and Tutanota both excel in these areas. I don’t really see any reason to use this email provider when better alternatives exist; it seems to be overhyped, if I am being honest.

5 Likes
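As an added illustration of the DNS-side checks this post describes (not the forum’s or cock.li’s own tooling), the script below evaluates a domain’s SPF, DMARC, MTA-STS and TLS-RPT posture. It runs over constructed sample TXT records for two hypothetical domains (weak.example and strong.example); swapping the dict lookup for real DNS queries would audit a live domain. DNSSEC and DANE are not covered here.

```python
import re

# Constructed sample DNS TXT records (no real lookups): weak.example has only SPF,
# like the setup described in the post; strong.example publishes all four records.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 mx -all"],
    "strong.example": ["v=spf1 mx -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    "_mta-sts.strong.example": ["v=STSv1; id=20240101"],
    "_smtp._tls.strong.example": ["v=TLSRPTv1; rua=mailto:tlsrpt@strong.example"],
}


def lookup_txt(name, records):
    """Stand-in for a DNS TXT query; returns the record strings for a name."""
    return records.get(name, [])


def parse_tags(record):
    """Parse 'k=v; k2=v2' style records (DMARC, MTA-STS, TLS-RPT) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(domain, records=SAMPLE_TXT):
    """Return a list of findings about a domain's mail-authentication posture."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif re.search(r"[+?]all$", spf[0].strip()):
        findings.append("SPF ends with a permissive 'all' mechanism")
    dmarc = [r for r in lookup_txt(f"_dmarc.{domain}", records) if r.startswith("v=DMARC1")]
    if not dmarc:
        # SPF alone never protects the visible From: header; DMARC ties the two together.
        findings.append("no DMARC record: SPF alone does not stop spoofing of the From: header")
    elif parse_tags(dmarc[0]).get("p", "none") == "none":
        findings.append("DMARC policy is p=none (monitor only, nothing is rejected)")
    if not any(r.startswith("v=STSv1") for r in lookup_txt(f"_mta-sts.{domain}", records)):
        findings.append("no MTA-STS: inbound SMTP TLS can be stripped by an active attacker")
    if not any(r.startswith("v=TLSRPTv1") for r in lookup_txt(f"_smtp._tls.{domain}", records)):
        findings.append("no TLS-RPT: TLS failures on inbound mail are never reported")
    return findings
```

For a live domain, replace lookup_txt with a resolver call (for example dnspython’s dns.resolver.resolve(name, "TXT")) and join each record’s character strings before matching.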

As far as I know, no e-mail provider claims to be, intends to provide or is “Completely Anonymous”. And I don’t see what would make cockli any more “anonymous” than any other e-mail service that supports Tor.

In which case the service doesn’t (can’t) provide “Complete Anonymity.”

As you noted, any anonymity is only attained if a user knows to seek out and use an external service (Tor) which is unrelated to cockli.

The only other thing left is not requiring SMS verification for anti-spam/abuse purposes (since cockli is likely not interested in spam prevention). It is a distinction that will matter to some people in some contexts, but falls well short of “complete anonymity”, and comes with its own downsides (services with no anti-abuse/anti-spam strategy are most likely to get blacklisted, flagged, or go straight to the spam folder, and are a magnet for bad actors).

(Also, getting a phone number for a one-time verification is not nearly as hard as people make it out to be; there are various approaches that would work for most threat models, short of some very specific and rather extreme threat models.)

Basically, in my eyes this service has no pros that matter anywhere near enough to outweigh the many cons of the service compared to other options. But admittedly I’ve not looked deeply at this service, and don’t intend to.

1 Like

I get your point, but I just don’t know any alternatives for this use case. Are there any other providers that allow you to sign up with: no phone number needed, no secondary email needed, completely free*, accessible through Tor or VPN, and supports IMAP?

*and supports Monero payments for premium features or donations

Hmm, off the top of my head, I am not aware of any provider that fits that specific list of requirements, but that doesn’t mean there are not options. Your requirements are significantly different than mine, so it’s not something I have specifically looked into.

I think one difficulty with the specific set of characteristics you are looking for is that it is also the same set of characteristics that spammers, scammers, and other bad actors are looking for, so it’ll be pretty difficult to find a reputable provider that allows all of these things, because it takes away some of the main points of friction or verification providers use to prevent abuse/spam and protect the reputation of their service (which is important for staying off blacklists and out of the spam folder).

I don’t know your threat model, but I’d suggest taking a step back and thinking about your broader goals as opposed to that specific set of requirements as I think some of the things you listed could be “soft requirements” (specifically SMS or email verification, and whether you need to use Tor for initial signup). But that depends on the depth of anonymity required and I don’t know your requirements. But my thinking is that there are plenty of ways to source a phone number for SMS verification, not directly connected to your true identity (at least in my country). If that is the only barrier that keeps you from considering more secure and reputable services, you may want to investigate those options.

Or consider whether signing up via Tor is necessary. If you can sign up with a non-Tor/non-VPN IP address, you can likely find many services that won’t require SMS verification, and there are plenty of ways to do so without using your true IP (cafes, libraries, stores, etc.). For some extreme threat models this would still be a risk (signing up at a cafe would potentially give an indication of your rough geographic area). And after signup I believe you could use Tor without issue on many different services.

1 Like

There are very few places where it makes sense to be opening new mailboxes, where an aliasing service like SL or addy.io would be sufficient to prevent account correlation by ad industry.

Monitoring many mailboxes is a complete pain unless you’re using something like imapfilter to automatically log into all those accounts and shift the emails somewhere.

The only real use case that makes sense is if you’re expecting your activities to run afoul of the law in countries with an otherwise reasonable legal jurisdiction (burden of proof required for prosecution etc.). If that were the case, then there are simply better things to use than email to communicate anyway that don’t have all the metadata.

Also you should probably re-evaluate your choices. You only have to mess up once, and then you’re not anonymous anymore.

1 Like

Providers like Cock.li, cyberfear.com, and onionmail.org aren’t meant to be used as your primary personal email account. The primary use case for them is when you are signing up to a service, for example via Tor, and they require an email address, but you have no interest in linking it to your real identity. For a while there was also the possibility of using a cyberfear.com address to sign up at proton.me via Tor, since they require some additional verification when signing up via Tor. Unfortunately, they apparently caught onto it.

The difference between those above and some disposable email service is that disposable email services have no password protection, so anyone can just hijack your account unless you have 2FA enabled.

A good example for a use case here is if you want to rent a VPS anonymously via Tor. You can quickly make an account at any of the above, give the email to the VPS provider, pay for the VPS with Monero, and there you go. You now have attained a VPS entirely via Tor and as anonymously as it gets.

I should point out that they aren’t like Proton Mail or Tutanota. I wouldn’t recommend the above three to my grandma. The ones I mentioned have a much greater darknet application. There’s a reason a lot of malicious actors, especially referring to ransomware, use the above email providers. Think of them as fire and forget vs proton or tutanota which provide you a long term solution to email.

Proton definitely will be better, but it doesn’t allow for example IMAP for free.

Tuta is not really trustworthy (IMHO) because of proprietary encryption (not PGP) and its Germany location (14 eyes). But if you are not paranoid, it won’t be a problem.

Answering OP: Cock.li is NOT private (no E2EE) nor secure (no 2FA), but it is anonymous (Tor service). For switching addresses it is good enough.

But Proton is better.

1 Like

Being based in an “eyes” country really doesn’t mean much these days. Those countries still generally have fairly decent judicial systems, so unless you’re doing something which is going to result in a court issuing a warrant, there is nothing to worry about.

There is a reason why the site doesn’t mention “eyes” anymore, and that is because it implies that other countries not a part of that agreement are better, and there are dozens of examples where that simply isn’t the case. It is a very 2013 way of thinking that isn’t all that relevant anymore.

Also regarding Tutanota, the client is still open source and is E2EE on the device.

1 Like

The thing is, it’s not the only agreement, and many countries have these agreements (which simply are classified and don’t have names), or they just do whatever they want regardless. The position we take on Privacy Guides is that E2EE is really the only way to ensure privacy, and jurisdiction shopping is a pointless case of badness enumeration. It would also imply that countries that are not a part of that agreement are actively better places to use services. I can think of two major examples (China, Russia etc.) where that simply is not true.

As an alternative, we suggest people should look for countries which do have good privacy legislation, for example things like GDPR, courts where burden of proof is necessary to convict, and where companies can be transparent about the number of requests they receive and from where.

Nowadays the “eyes” thing is mostly marketing used by shady VPN companies. They still pretend that nearly every website isn’t https.

Also, the eyes sharing agreements are not just “about internet surveillance”; while there may be some part of that, the data sources they use are a wide range of things, including human intelligence, informants etc. and very specifically targeted approaches, which you cannot do anything about anyway except try to stick to services which have audited E2EE and have limited metadata.

Edit: for transparency, above user has been banned for producing LLM replies and arguing about it in DM with me. Guys, please don’t do this you’re not clever.

5 Likes