Thoughts on StartMail as a email service

jonah · February 18, 2024, 5:18am

github.com/privacyguides/privacyguides.org

Remove Startmail, as it's not zero-knowledge

privacyguides:main ← privacyguides:pr-remove_startmail

opened 03:34PM - 21 May 23 UTC

Changes proposed in this PR: As per the requirements of "Zero Knowledge" we s…houldn't really be listing Start Mail. - https://discuss.privacyguides.net/t/minimum-tls-requirements-for-email-providers/11830/18 Closes: https://github.com/privacyguides/privacyguides.org/issues/1433 Summary: - Uses 3072 ElGamal/DSA keys which are not default anywhere. No option for RSA, ed25519 etc. ElGamal hasn't been the default in [GnuPG since 2009](https://lists.gnupg.org/pipermail/gnupg-devel/2009-May/025079.html) - You cannot import your own PGP Keypair - Mail which is received while you're logged out, is encrypted with a separate keypair, and then when you log in, copied to a LUKS volume. That means all of your email is available to the server when you log in. It is only zero knowledge if you stay logged out.  - [x] I have disclosed any relevant conflicts of interest in my post. - [x] I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project. - [x] I am the sole author of this work. - [x] I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).

github.com/privacyguides/privacyguides.org

StartMail: Add a warning explaining drawbacks of the User Vault

opened 03:03PM - 09 Jun 22 UTC

closed 11:40PM - 24 May 23 UTC

TrashPandaCodingGarbage

c:providers status:research required

Hello there, I am a happy StartMail user - however, their "user vault" has s…ome drawbacks, which should be mentioned on PG with a warning, to make users more conscious about the product. **Link affected:** https://www.privacyguides.org/email/#startmail **The issue:** Privacyguides decription of StartMail does not mention the fact that if you are logged in, LUKS container with your data is mounted and readable by StartMail. In short, when you are logged-out, your data is encrypted and not cannot be accessed. This changes with the moment you log into StartMail - LUKS container is decrypted - which store user emails, PGP keys (including private key, which is NOT additionally password-protected, like in Protonmail), recovery codes etc., which can be accessed by StartMail employee, or an unsolicited person if the StartMail servers have been compromised. **Outcome of the issue:** False expectations. **Solution:** Describe User Vault somewhere in the StartMail section.

https://www.reddit.com/r/PrivacyGuides/comments/r9vqtp/startmail_user_vault_how_much_security_does_it_buy/

Topic		Replies	Views
Thoughts on EtherMail? Questions website	1	246	March 5, 2024
What do you think about Migadu? Off Topic	2	680	September 2, 2023
Email provider msgsafe.io Privacy	2	515	August 23, 2023
Cock.li safe? Questions	32	1883	February 19, 2024
Custom Domain + PurelyMail Questions	6	362	January 8, 2024

Thoughts on StartMail as a email service

Related Topics