Yes, I meant to say it doesn’t encrypt emails that go to sent folder. I just tested with a new account, and it doesn’t I think. Sent an email to an alias address and that email in a sent folder can be accessed without a password (password wasn’t saved), also no padlock icon.
And I can’t find anything on their website mentioning zero knowledge, doesn’t that mean an employee can technically access an email? I don’t think they would but just like their contact and calendar.
Mailbox does have the option of dumping a public key, so logging in will reveal mail that cannot be decrypted, unless you also supplied the private key to Guard, you can use different keypairs there and they are encrypted (require a passphrase) anyway.
Setting>Mail>Inbox encryption, enabling this option generates a filter rule (Setting>Mail>Filter Rules) that encrypts new incoming mail to inbox. So, I don’t think it’s mailbox.org that does that, but it might be your setup. I’m not sure.
Yes, unless they implement some kind of client-side encryption script on their mail website like Proton Mail does, they still have access to the private key and could decrypt your mails in theory.
They themselves disclose this on their website -
Since mailbox.org Guard offers a browser-based solution, we do not need any keys to be stored on the device itself, yet can still provide secure access to your e-mails at any time.
However, as the processes of encrypting and decrypting happen exclusively on the server, mailbox.org Guard can not offer true end-to-end encryption. This means the level of security offered here will not be sufficient for users with extremely high security requirements (like whistleblowers, for example). The primary aim of mailbox.org Guard is to combine security and convenience to facilitate so-called “sufficient security”.
It would be neat if they could provide Proton-level zero-knowledge encryption.
I am not very sure if Skiff mail does support client-side encryption in reality. Though PG recommendation page does mention that Skiff mail does zero access encryption.
There are lists of sites which should give any info about their users if FSB requests it. Obviously mailru and yandexru are in this list, same with mailbox and startmail, but proton and skiff are both in another list, they are blocked and could be accessed only with VPN, so they refused to deal with FSB requests? I don’t know how it works exactly, maybe someone could explain it better?
I would just assume any business in a country friendly to the current Russian government is likely to be in that boat. Surprisingly these countries, China, India, Iran, South Africa likely are not good places to host anything anyway.
Of course it entirely depends on the nature of the request, how important it is, and how much they’re likely to try to bribe people with access in those countries etc.
Another indicator might be if it’s a foreign company and Roskomnadzor has banned its services for not handing over encryption keys, that would likely be a good indicator that they won’t just do whatever the government there asks.
If I lived in Russia I’d have a “low security” email that I use with Russian businesses/stuff tied to “known identity” that I keep squeaky clean, and a separate email outside of the reach of Russia I use for everything else that I can.
So like, if you’re emailing your bank, or someone who personally knows you in real life you’d use the known identity, otherwise you’d use the higher security one (particularly if you think they are using something that isn’t accessible to government of Russia anyway).
The reason for this is, you can have the best provider, but if you send it to say a friend with a mail.ru account, (for example) and they have a copy in their inbox, then the FSB could just go there for it.