Mailbox.org no encryption for sent email?

These are some cons of mailbox.org. Please correct me if I’m wrong.

  • It provides inbox encryption with a PGP key, but it doesn’t encrypt sent emails.
  • No zero-access encryption (?)
  • Limited PGP support. It’s designed to use only one key pair. As do Thunderbird and K-9 (one key pair per account).

It does when the emails are put in the sent folder.

Just remember none of these “zero knowledge” things are a substitute for encrypting an email before it leaves your PC.

When an email leaves mailbox.org it won’t be encrypted unless the other person also supports PGP.

Yes, I meant to say it doesn’t encrypt emails that go to the sent folder. I just tested with a new account, and I think it doesn’t. Sent an email to an alias address, and that email in the sent folder can be accessed without a password (password wasn’t saved); also no padlock icon.

And I can’t find anything on their website mentioning zero knowledge. Doesn’t that mean an employee can technically access an email? I don’t think they would, but just like their contacts and calendar.
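The manual test above (send to an alias, open the copy in the sent folder, look for a padlock) can be turned into a repeatable check. The script below is an added example and not mailbox.org’s code: it classifies a stored message as PGP/MIME (RFC 3156 `multipart/encrypted`), inline PGP (an ASCII-armored block in the text body) or plaintext, and reports which messages in a folder are readable as-is. The three sample messages are constructed here for illustration; the IMAP host, the credentials and the folder name `Sent` are assumptions you would replace with your own.

```python
import imaplib
from email import policy
from email.parser import BytesParser

PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"


def classify_message(raw: bytes) -> str:
    """Return 'pgp-mime', 'pgp-inline' or 'plaintext' for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # RFC 3156: the whole message is a multipart/encrypted container
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    # Older inline style: the armored ciphertext sits directly in a text part
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and PGP_ARMOR in part.get_content():
            return "pgp-inline"
    # Anything else is stored in the clear and can be read by whoever reads the mailbox
    return "plaintext"


def audit_folder(messages: list[bytes]) -> dict:
    """Count message kinds and list the subjects of messages stored unencrypted."""
    report = {"pgp-mime": 0, "pgp-inline": 0, "plaintext": 0, "unencrypted_subjects": []}
    for raw in messages:
        kind = classify_message(raw)
        report[kind] += 1
        if kind == "plaintext":
            subject = BytesParser(policy=policy.default).parsebytes(raw)["subject"]
            report["unencrypted_subjects"].append(subject or "(no subject)")
    return report


def audit_imap_folder(host: str, user: str, password: str, folder: str = "Sent") -> dict:
    """Fetch every message in an IMAP folder read-only and run audit_folder over it.
    Host, credentials and the folder name are assumptions; nothing here is provider-specific."""
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select(folder, readonly=True)
        _, data = conn.search(None, "ALL")
        raws = []
        for num in data[0].split():
            _, fetched = conn.fetch(num, "(RFC822)")
            raws.append(fetched[0][1])
    return audit_folder(raws)


# Constructed sample messages (not captured from any real mailbox)
SAMPLE_PLAIN = (
    b"From: me@example.org\r\nTo: alias@example.org\r\nSubject: test 1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\nhello, stored in the clear\r\n"
)
SAMPLE_PGP_MIME = (
    b"From: me@example.org\r\nTo: alias@example.org\r\nSubject: test 2\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n\r\nhQEMAxxxxplaceholderxxxx\r\n-----END PGP MESSAGE-----\r\n"
    b"--b1--\r\n"
)
SAMPLE_INLINE = (
    b"From: me@example.org\r\nTo: alias@example.org\r\nSubject: test 3\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n\r\nhQEMAxxxxplaceholderxxxx\r\n-----END PGP MESSAGE-----\r\n"
)

if __name__ == "__main__":
    print(audit_folder([SAMPLE_PLAIN, SAMPLE_PGP_MIME, SAMPLE_INLINE]))
```

Run `audit_imap_folder("imap.example.org", "you@example.org", "app-password")` against your own account to see whether the sent folder (or any folder) holds ciphertext or readable mail; a folder that reports only `plaintext` is one the provider, or anyone logged into the account, can read.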

I find when I move mails to the sent folder, they get encrypted/original gets replaced.

If you (or someone else) logs in and sees all your encrypted emails that encryption means nothing, like 0. PGP is the only way.

1 Like

Mailbox does have the option of dumping a public key, so logging in will reveal mail that cannot be decrypted unless you also supplied the private key to Guard. You can use different key pairs there, and they are encrypted (require a passphrase) anyway.

1 Like

Settings > Mail > Inbox encryption: enabling this option generates a filter rule (Settings > Mail > Filter Rules) that encrypts new incoming mail to the inbox. So I don’t think it’s mailbox.org that does that, but it might be your setup. I’m not sure.

Correct me if I’m wrong, but this means that mailbox.org does not encrypt mails by default?

That’s correct, it’s an optional feature.

1 Like

Mailbox.org works with the Russian FSB, same as Yandex or other Russian services: The registry of blocked websites

Seems not very good…

1 Like

Doesn’t look good, but what exactly does it mean?

Yes, unless they implement some kind of client-side encryption script on their mail website like Proton Mail does, they still have access to the private key and could decrypt your mails in theory.
They themselves disclose this on their website:

Since mailbox.org Guard offers a browser-based solution, we do not need any keys to be stored on the device itself, yet can still provide secure access to your e-mails at any time.
However, as the processes of encrypting and decrypting happen exclusively on the server, mailbox.org Guard can not offer true end-to-end encryption. This means the level of security offered here will not be sufficient for users with extremely high security requirements (like whistleblowers, for example). The primary aim of mailbox.org Guard is to combine security and convenience to facilitate so-called “sufficient security”.

It would be neat if they could provide proton level zero knowledge encryption

I am not very sure if Skiff Mail does support client-side encryption in reality. Though the PG recommendation page does mention that Skiff Mail does zero-access encryption.

The private key is encrypted, so that would require additional code to unwrap the key on the client and send it back to them.

What I mean is when it passes through external SMTP to, say, a Gmail account, that email won’t be encrypted unless you organized it with said Gmail user (and they use Thunderbird or something with PGP).

The same applies to Proton and Skiff in the above scenario.

1 Like

There are lists of sites which should give any info about their users if the FSB requests it. Obviously mail.ru and yandex.ru are in this list, same with mailbox and StartMail, but Proton and Skiff are both in another list: they are blocked and can be accessed only with a VPN, so they refused to deal with FSB requests? I don’t know how it works exactly, maybe someone could explain it better?

I would just assume any business in a country friendly to the current Russian government is likely to be in that boat. Surprisingly these countries, China, India, Iran, South Africa likely are not good places to host anything anyway.

Of course it entirely depends on the nature of the request, how important it is, and how much they’re likely to try to bribe people with access in those countries etc.

Another indicator might be if it’s a foreign company and Roskomnadzor has banned its services for not handing over encryption keys; that would likely be a good indicator that they won’t just do whatever the government there asks.

Also, mailbox.org can be used regardless of what Russia does, as you can connect directly to it with their .onion. (You may need to use a Tor bridge.)

If I lived in Russia I’d have a “low security” email that I use with Russian businesses/stuff tied to “known identity” that I keep squeaky clean, and a separate email outside of the reach of Russia I use for everything else that I can.

So like, if you’re emailing your bank, or someone who personally knows you in real life you’d use the known identity, otherwise you’d use the higher security one (particularly if you think they are using something that isn’t accessible to government of Russia anyway).

The reason for this is, you can have the best provider, but if you send it to say a friend with a mail.ru account, (for example) and they have a copy in their inbox, then the FSB could just go there for it.

1 Like

There is a blog post from mailbox.org which clarifies this whole issue. In short, they state: "we would never comply if such a request was made in the future. For us, it is not acceptable to hand over user data to the authorities in this manner."

They are clear that they answer government requests (see also their transparency reports).

"[…] we will consider requests for information that are valid on the basis of German and European law, or legally correct international letters of request. "

Why they are on that list is that they would otherwise be blocked in Russia, and they took legal action against a block.

1 Like