

Ask HN: What do you use for email? - chishaku

What do you use for email?

In light of current events (Snowden/NSA/Lavabit/SilentCircle/etc.), a few "secure" email solutions are getting increased exposure:

  * https://countermail.com/
  * https://www.neomailbox.com/
  * http://flowingmail.com/
  * https://protonmail.ch/
  * https://mailbox.org/en/
  * https://www.virtru.com/how-it-works
  * https://www.lavaboom.com/en/
  * https://www.parley.co (DEAD?)
  * https://www.darkmail.info/

From my perspective, it seems widely assumed that email is inherently insecure and there will never be an ideal solution.

*So, what do you use for email then?* What are the security/usability tradeoffs? Do any other options look potentially promising now or in the future?
======
conorgil145
Virtru engineer here. Very excited to see Virtru included in the list!

As you say, there is always a balance between security and convenience. Virtru
tries to make it as easy as possible to send encrypted email. We do this by
integrating with your existing email client (e.g., Gmail) so that you can send
encrypted email from your existing email address with the tools that you are
already familiar with. All you have to do is click a switch to turn the
security on and then compose your email as you normally would.

One reason that some consider email inherently insecure is that the metadata
(to/cc/bcc, subject line, etc.) is not protected even when the message content
(email body, attachments) is protected. It is critically important to define
the term “secure”. One must understand both what they are trying to protect
and why, and what the tools they are using actually do protect.

There are many use-cases in which the goal is to secure only the message
content. For example, someone emailing their lawyer about a case, doctor about
an appointment, or accountant about their tax filing. Also, consider a
business sending sensitive intellectual property to its partners or even its
own employees. In these examples, the sender may not care about protecting the
fact that they communicated with the other party, but they certainly want the
message content (personal, financial, sensitive, etc.) secured so that it is
shielded from prying eyes.

Obviously, there are many other use-cases where protecting the metadata may
matter a great deal. In that case, one must consider their goals and make sure
that the tool being used meets their criteria. If completely anonymous
communication is the goal (protecting both who is talking to whom and what is
being said), then email may not satisfy the requirements (certainly not in its
current implementation).

I think that many would agree that email is here to stay for the foreseeable
future. It is pervasive and the de facto communication platform, especially in
business settings. I think there is great value in individuals using tools
which implement end-to-end encryption to increase the security of the emails
they send so that the message content can only be read by the intended
recipients. This protects the email both in transit (e.g., routing from SMTP
server to SMTP server) and at rest (e.g., sitting in a user’s inbox on Yahoo’s
server).

Do you think the general tech community appreciates the distinction between
the degrees of “security”? Often, I hear the “all or nothing” mantra, which I
think can impede the adoption of reasonable email security tools depending on
the goals trying to be met. Thoughts?

------
blueflow
I have access to some private servers; together with friends we try new stuff
or just get services working for fun (we are students). That results in some
mail accounts for me. Access is over IMAP. I use geary and claws-mail.

Mail should be considered insecure because the cert infrastructure is kind of
broken. I don't know why, but for some reason mail servers' server-to-server
certs are quite short. You barely get over 256/512 bit key length.

------
Spoom
Fastmail. If I needed a secure path for email, I'd encrypt it myself with GPG
and exchange keys out of band.

------
gregmorton
[https://runbox.com](https://runbox.com) + gpg in (thunderbird (icedove) +
enigmail add-on) + VPN

------
raelmiu
Gmail and Fastmail, both in Mail.app on my Mac and iPhone

------
drakmail
own hetzner dedicated server + thunderbird

