Riseup Email

What do you think about Riseup and their email service?

I have personally used Riseup mail and know it is regularly used by many people under severe threat models, like activists and journalists. However, I rarely see it brought up in online infosec circles. Here’s some information about their service:

Technology

About encryption, Riseup writes:

Our physical servers are protected in ways that do not allow anyone other than Riseup to access them. […] As an additional measure, all of our servers use full disk encryption that can only be unlocked by Riseup. Additionally, all communications between our servers is also always encrypted.

They provide onion services, and when sending an email to another activist email provider, it will be delivered over Tor Onion Services.

To my knowledge, there is no support for custom domain names.

Privacy

When you send email with Riseup, your internet address (IP address) is not embedded in the email.

Their service is free, so there’s no need for anonymous payment. They operate through very limited invite codes. There also isn’t any PII besides username and password.

Security

There are no MFA options available.

Again, on encryption:

Your e-mails are encrypted individually on our servers, and can only be unlocked and read using your password. This means that Riseup does not have the ability to read your stored emails. Encryption of incoming email is automatic, and only when you login does the mail become decrypted so it can be read. This takes place on the server, which then becomes temporarily trusted while you are authenticated.

Unless you use the Mailvelope browser plugin, or your own OpenPGP solution, our e-mail system is not end-to-end encrypted or client-encrypted.

When sending an email to another secure email provider or another Riseup user, everything remains encrypted.

Trust

Unless Riseup is run by actual birds, the Riseup Collective is anonymous. It can be argued that their history and orientation still provides some trust.

They have a canary.

Marketing

What they write about themselves on their website seems quite honest, and I doubt their marketing extends much further than that. They are not making money, so there is little interest in making anyone use their service if it doesn’t fit their requirements.

I’d almost be amused if they used Google Analytics.

Their documentation, like their service in general, isn’t the most extensive in the world, but I find that it covers everything that is needed and would be expected for someone using Riseup.

Thoughts

I see some clear weaknesses of Riseup email, for example the lack of MFA options. However, because Riseup has a much more specific user with a clear threat model in mind than your usual email service has, I don’t see this as a bad thing in every case. Some of the requirements (like custom domains or public facing leadership) imo just do not fit riseup because they probably were made with a different type of service in mind.

So, do I think Riseup Email should be added? Probably not, but I’m not completely sure. I put this under Tool Suggestions because I can see an argument for adding them in some way. But even if adding them is out of the question, I would still like to hear your opinion on the service they provide and how you think it stacks up to the alternatives, especially for activists and journalists.

Besides email, Riseup also provides the following services, which you might want to take a look at:

  1. They don’t offer “zero knowledge encryption” like Protonmail / Tutanota / Skiff / Mailbox.org do. Data is encrypted at rest but they have the key.
  2. While their terms of service seem okay, they definitely give me some Antifa vibes. Wouldn’t trust them to keep hosting my email if I had the “wrong” political opinions.
4 Likes

It seems to me that your statement above and the below statement from riseup are in conflict. Can you reconcile these two statements?

Personally encrypted email storage
Your e-mails are encrypted individually on our servers, and can only be unlocked and read using your password. This means that Riseup does not have the ability to read your stored emails. Encryption of incoming email is automatic, and only when you login does the mail become decrypted so it can be read. This takes place on the server, which then becomes temporarily trusted while you are authenticated. Because of this feature, your password is critical to your data. If you lose your password, and recovery code, you will not be able to access your account, nor will anyone be able to decrypt your emails. For technical details, see the TREES project.

2 Likes

From their privacy policy:

All of your data is stored in an encrypted format, and only Riseup has the keys to decrypt the data. Additionally, as of March 2017, the storage for all new accounts is personally encrypted. Riseup is unable to read any of the stored content for these accounts.

Isn’t that zero-knowledge encryption? Or what is missing to qualify as such?

I mean, they are Antifa. Still, I highly doubt that they are outright trying to vet their users or “attack” you for having the wrong political opinion. I mean they hardly have the ability to link your identity to your account in the first place, especially if you use their onion services. Riseup Mail is almost tailored to be used through Thunderbird on Tails, which they encourage and which has an automatic setup. After the account creation, which requires nothing besides an invite code, you probably won’t hear or see much from riseup, and it should be the same the other way around.

There was an incident in 2017 where they complied with two FBI gag orders. Lots of articles about this are linked on their press page. Here are some quotes from one of them:

After exhausting our legal options, Riseup recently chose to comply with two sealed warrants from the FBI, rather than facing contempt of court (which would have resulted in jail time for Riseup birds and/or termination of the Riseup organization). The first concerned the public contact address for an international DDoS extortion ring. The second concerned an account using ransomware to extort money from people.

Extortion activities clearly violate both the letter and the spirit of the social contract we have with our users: We have your back so long as you are not pursuing exploitative, misogynist, racist, or bigoted agendas.

We have taken action to ensure that Riseup never again has access to a user’s stored email in plaintext. Starting today, all new Riseup email accounts will feature personally encrypted storage on our servers, only accessible by you. In the near future, we will begin to migrate all existing accounts to use this new system (for technical details, see 3).

To be absolutely clear, this type of encryption is not end-to-end message encryption. With Riseup’s new system, you still put faith in the server while you are logged in. For full end-to-end email encryption, as before, you must use a client that supports OpenPGP (and is not web-based).

I personally don’t trust them less because of this, I think they chose a good path, were very transparent about it (once they were legally allowed to be) and they took measures to make the same scenario impossible in the future. This certainly doesn’t outweigh any other weaknesses, but I think of riseup as one of the very very few services which might actually endure negative consequences to protect users. Which is not something to rely on, but still a positive.

3 Likes

Additionally, we don’t add anonymous-run providers for email.

1 Like

They suck

1 Like

They suck

Can you be more specific? I’m not informed enough about the test you linked to or running an e-mail service generally to feel confident interpreting all the subcategories of the test, but looking just at the overall ratings from that test, Riseup doesn’t seem to be drastically different than other privacy-centric mail providers or Gmail.

Addy – 100%
Simplelogin – 87%
Tuta – 85%
Posteo – 81%
Proton – 75%
Riseup – 73%
Gmail – 73%
Mailbox – 71%

2 Likes

Not having a DMARC policy means anyone can spoof the email. You can read each description by clicking on it; internet.nl’s explanation is very detailed.
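To make the DMARC point concrete, here is an added example (not code from the thread or from internet.nl): a small Python checker that parses a domain’s DMARC TXT record and reports what a p=none policy versus an enforced policy actually buys the domain against spoofing. The sample records are constructed for illustration and are not the live records of any provider named in this thread.

```python
from typing import Optional

# Constructed sample TXT records, i.e. what a lookup of _dmarc.<domain>
# might return. They are illustrative, not any real provider's records.
SAMPLE_RECORDS = {
    "lax.example": "v=DMARC1; p=none; rua=mailto:dmarc@lax.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "norecord.example": None,
}

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and p= is mandatory.
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags

def spoofing_exposure(txt: Optional[str]) -> str:
    """Describe what a receiver will do with mail that fails SPF/DKIM alignment."""
    if txt is None:
        return "no policy"            # no record: receivers apply no DMARC policy
    tags = parse_dmarc(txt)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()    # subdomain policy defaults to p=
    pct = int(tags.get("pct", "100"))
    if p == "none":
        return "monitor only"         # reports are sent, spoofed mail is still delivered
    if p not in ("quarantine", "reject"):
        raise ValueError(f"unknown policy {p!r}")
    if pct < 100:
        return f"enforced on {pct}% of failing mail"
    if sp == "none":
        return "enforced, but subdomains unprotected"
    return "enforced"

def assess(records: dict) -> dict:
    """Map each domain to its spoofing exposure verdict."""
    return {domain: spoofing_exposure(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, verdict in assess(SAMPLE_RECORDS).items():
        print(f"{domain:24} {verdict}")
```

Running it against your own domain’s real record (fetch the `_dmarc.<domain>` TXT record with `dig` or `nslookup`) tells you whether a failing-alignment message is merely reported or actually quarantined or rejected.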

Riseup doesn’t seem to be drastically different than other privacy-centric mail providers or Gmail

Internet.nl really degrades the rating by a lot for some reason if they don’t offer IPv6 support, which doesn’t provide any privacy improvements etc., for example proton.me.

I noticed that, it does seem weird how heavily weighted IPv6 is. And as you say, that isn’t really a privacy issue. That said, DMARC seems pretty unrelated to privacy as well. It’s good practice to have a strict policy for anti-spam/anti-abuse and domain reputation, but I can’t see any practical impact on privacy.

Also for reference, Gmail appears to have an equally lax DMARC policy (p=none) according to the test.

An actual criticism of riseup is that they are still invite-only (they were originally open to registrations but moved to invite-only after having abuse issues); that alone should be enough not to recommend them.

They clearly fill a very needed niche, but I don’t think that they should be used as a normal email provider; for activism activities, and provided you align with their values, it could be a great non-commercial option though.

They are anarcho-communists, their logo is literally a star with the anarcho-communist flag colours.

4 Likes

Interesting results.
Disroot.org gets 87%.
And Murena.io and Soverin.net get 100%!