www.startmail.com I was curious why I have seen this email service located on associated sites but not on this site. What is the problem with this email? Sorry, I'm a newbie.
jonah
(Jonah Aragon)
February 18, 2024, 5:18am
2
privacyguides:main
← privacyguides:pr-remove_startmail
opened 03:34PM - 21 May 23 UTC
Changes proposed in this PR:
As per the requirements of "Zero Knowledge" we shouldn't really be listing Start Mail.
- https://discuss.privacyguides.net/t/minimum-tls-requirements-for-email-providers/11830/18
Closes: https://github.com/privacyguides/privacyguides.org/issues/1433
Summary:
- Uses 3072 ElGamal/DSA keys which are not default anywhere. No option for RSA, ed25519 etc. ElGamal hasn't been the default in [GnuPG since 2009](https://lists.gnupg.org/pipermail/gnupg-devel/2009-May/025079.html)
- You cannot import your own PGP Keypair
- Mail which is received while you're logged out, is encrypted with a separate keypair, and then when you log in, copied to a LUKS volume. That means all of your email is available to the server when you log in. It is only zero knowledge if you stay logged out.
- [x] I have disclosed any relevant conflicts of interest in my post.
- [x] I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project.
- [x] I am the sole author of this work.
- [x] I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).
opened 03:03PM - 09 Jun 22 UTC
closed 11:40PM - 24 May 23 UTC
c:providers
status:research required
Hello there,
I am a happy StartMail user - however, their "user vault" has some drawbacks, which should be mentioned on PG with a warning, to make users more conscious about the product.
**Link affected:** https://www.privacyguides.org/email/#startmail
**The issue:** Privacyguides' description of StartMail does not mention the fact that if you are logged in, the LUKS container with your data is mounted and readable by StartMail.
In short, when you are logged out, your data is encrypted and cannot be accessed. This changes the moment you log into StartMail - the LUKS container is decrypted - which stores user emails, PGP keys (including the private key, which is NOT additionally password-protected, like in Protonmail), recovery codes etc., which can be accessed by a StartMail employee, or an unsolicited person if the StartMail servers have been compromised.
**Outcome of the issue:** False expectations.
**Solution:** Describe User Vault somewhere in the StartMail section.
Received a reply from Mailbox.org
Thank you very much for your message. We had already blocked the two protocols for transport encryption, but in practice we had to realize that this is unfortunately not yet practical, because we also want to accept mails for our customers. We therefore prefer to accept messages that are poorly encrypted than not encrypted because no transport encryption standard could be negotiated. Please note that in the case of mail communication, the sender and the recipi…
https://www.reddit.com/r/PrivacyGuides/comments/r9vqtp/startmail_user_vault_how_much_security_does_it_buy/
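The first point in the PR summary (provider-issued ElGamal/DSA keys) can be checked on any exported public key. The following is an added example, not code from this thread or from Privacy Guides: it reads a binary (dearmored) OpenPGP public key and reports each key's algorithm and size. The function names and the `SAMPLE` bytes are assumptions constructed for illustration; `SAMPLE` is not a real key.

```python
import struct

# Public-key algorithm IDs: RFC 4880 section 9.1, RFC 6637 (18, 19), RFC 9580 (22).
ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
KEY_TAGS = {6: "primary", 14: "subkey"}

def packets(data):
    """Yield (tag, body) for each OpenPGP packet in a binary key export."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag, o1 = hdr & 0x3F, data[i]; i += 1
            if o1 < 192:
                n = o1
            elif o1 < 224:
                n = ((o1 - 192) << 8) + data[i] + 192; i += 1
            elif o1 == 255:
                n = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                 # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = 1 << ltype                 # 1, 2 or 4 length octets
            n = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + n]
        i += n

def key_algorithms(data):
    """Return [(role, algorithm, bits)] for version 4 public keys and subkeys."""
    out = []
    for tag, body in packets(data):
        if tag in KEY_TAGS and body[0] == 4:
            algo = body[5]                    # after version (1) + creation time (4)
            # For RSA, ElGamal and DSA the first MPI is the modulus/prime; its
            # two-octet bit count is the key size. ECC keys start with an OID.
            bits = int.from_bytes(body[6:8], "big") if algo in (1, 16, 17) else None
            out.append((KEY_TAGS[tag], ALGOS.get(algo, f"unknown({algo})"), bits))
    return out

def _v4_key(tag_byte, algo, bits):
    # Constructed sample packet: version 4, zero timestamp, first MPI only.
    body = bytes([4, 0, 0, 0, 0, algo]) + bits.to_bytes(2, "big") + b"\xff" * (bits // 8)
    return bytes([tag_byte]) + len(body).to_bytes(2, "big") + body

SAMPLE = _v4_key(0x99, 17, 3072) + _v4_key(0xB9, 16, 3072)  # DSA primary + ElGamal subkey
```

For an ASCII-armored export, dearmor it first (for example with `gpg --dearmor`) and pass the resulting bytes to `key_algorithms`.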