
End to end encrypted email, based in Sweden - jstalin
https://countermail.com/
======
grey-area
Two problems with this:

Based in Sweden, which has been cooperating with the NSA and sends them at
least all Russian traffic and probably other traffic too:

[http://www.stockholmnews.com/more.aspx?NID=6402](http://www.stockholmnews.com/more.aspx?NID=6402)

 _Easy installation with a certified Java applet_

This could too easily be back-doored or exploited without your knowledge; if
they're going to use a binary it has to be open source at least.

~~~
alipang
Given that the email is encrypted, the FRA laws don't really matter though,
right?

The question is rather if the Swedish authorities can coerce them into handing
over their data (including gagging them on even letting people know it
happened) like in the US.

~~~
grey-area
_The question is rather if the Swedish authorities can coerce them into
handing over their data_

I don't think there's any question that a sovereign government can coerce its
citizens and corporations into handing over data. The answer to that is that
yes they can, and if they cite national security it's hard to argue against
them in court, or you might never be allowed to see a court, or even know
about it. Depending on where the encryption happens, obviously if the company
is compromised your data might be too. In this case they get you to install a
Java applet which you can't know the workings of, so I think it'd be pretty
easy to subvert the encryption.

So I see the cooperation of Sweden on collecting and handing over data as an
indicator that they would go farther if required by the NSA (as the UK would
for example), and that other jurisdictions less subservient to the US would be
a better place to store data.

------
mpyne
Sweden, the country that is said to be such a US lapdog that they have
invented charges against Assange out of thin air. You can try it though...

~~~
anologwintermut
Supposedly even more of a lap dog than the British. Who, despite the fact that
we literally paid them 100 million dollars for intelligence, could not be
persuaded to do anything to Assange including extraditing him to the US to
face the secret espionage charges that our lap dogs in Sweden wanted to
extradite him to. Next time we should give Sweden the doggy treats.

~~~
read
Can HN suggest a good country to trust for hosting servers (if there is such a
thing)?

EDIT: I just noticed RyanZAG put together a map for crowdsourcing unsafe
hosting countries.

[https://news.ycombinator.com/item?id=6182001](https://news.ycombinator.com/item?id=6182001)

~~~
gasull
Switzerland has strong privacy laws.

~~~
workhere-io
As has Norway.

~~~
vidarh
Norway also has an extensive history of PST (police security service) carrying
out illegal politically motivated surveillance.

Including against one of the members of parliament (Berge Furre) tasked to
investigate their abuses _while he was investigating them_ (as part of the
Lund commission).

While it's been a while since the last revelations and perhaps they've gotten
better, keep in mind that for about 4 decades the official story was that the
members of the various predominantly left wing groups that alleged illegal
surveillance were all just paranoid and delusional. Then it was revealed that
not only were they right - the surveillance was in many ways substantially
worse than they thought.

And what they thought was pretty bad. I personally know someone who was
followed to and from work every day (he was a member of the communist party,
and his route to work took him past the then Soviet embassy), as well as
someone who was more than once taunted by high ranking members of PST who gave
him details about his private conversations at home with his wife to make it
clear they listened to everything he did.

In other words, while Norway might seem "safe" now, I'd be cautious given our
relatively recent past history combined with the very cozy relationship
between Norway and the US.

------
benmmurphy
kind of worrying you need to run java to use the service. also, it is a signed
applet that requests full permissions, has obfuscated code and contains a
native module (or native executable). i realise it probably needs full
permissions on java for usb key support. but i wouldn't use this service. the
only 'online' email service i would trust would be one that shipped its
product as a browser extension that was open source.

~~~
SimHacker
Would you trust it more if it required JavaScript instead of Java?

Why or why not?

Would it matter if the JavaScript code was un-obfuscated and open source?

Java is now owned by Oracle, which has always been and will always be evil.

But there are multiple JavaScript implementations available, so it would be
harder for the code to be compromised by a back door in the VM.

And the people developing JavaScript interpreters are generally not as shady
and untrustworthy as Oracle. (Although one of them is known to be inexplicably
homophobic...)

~~~
dragonwriter
> Java is now owned by Oracle, which has always been and will always be evil.

> But there are multiple JavaScript implementations available

These are posed as if they are a contrast, but they are not. There are
multiple Java implementations available, as well.

~~~
SimHacker
But how many people actually use non-Oracle Java VMs as the default Java VM in
a web browser? Or even as a non-default Java VM?

~~~
stormbrew
To the former, everyone who uses an Android device (Dalvik).

~~~
lvh
Dalvik isn't a JVM. It's a virtual machine for which someone has written a
compiler from JVM bytecode to its native bytecode.

~~~
stormbrew
I think this is more of a legal convenience than anything else. It probably
would be an extended JVM if Google weren't concerned about Sun/Oracle's
litigious nature when it comes to extending the JVM.

Really it's a VM that runs JVM code, even though it needs an extra translation
step. It's not like there's anything else that targets it afaik.

------
subsystem
"President Barack Obama has canceled a planned meeting in Moscow with Russia's
President Vladimir Putin - a diplomatic snub that follows tensions over NSA
leaker Edward Snowden. [...] In place of the canceled Putin meeting, Obama
will visit Sweden, according to a White House statement that called Sweden 'a
close friend and partner to the United States.'"

[http://worldnews.nbcnews.com/_news/2013/08/07/19912184-obama...](http://worldnews.nbcnews.com/_news/2013/08/07/19912184-obama-cancels-meeting-with-putin-amid-russia-tensions?lite)

------
gfosco
Wouldn't all of your recipients also need to be using countermail? Email is
just not the answer, if you want any privacy at all... We need a whole new
communication protocol, or a new platform where people go for ephemeral and
encrypted communication.

~~~
gasull
[https://bitmessage.org](https://bitmessage.org)

~~~
galapago
+1

~~~
Ackley
-1

~~~
junto
It would be quite useful if both of you explained your +1 and -1. Is
Bitmessage bad, or did you just dislike the +1?

~~~
Ackley
You should be aware by now that comments are organized in a tree-like
structure. But thanks.

------
nilved
Good idea, but I'm not going to go install Java to try your service. Remove
that giant, monolithic and irritating dependency if you want anybody to use
this: I shouldn't need to install 200 MB of software to connect to your
servers through IMAP.

------
timc3
I wouldn't trust this at all. If the Swedish police are really interested they
will confiscate the servers and worry about whether it's lawful at a later date
à la Bahnhof raid

[http://associatedepress.org/swedish-police-confiscated-three...](http://associatedepress.org/swedish-police-confiscated-three-servers-during-raid-on-former-pirate-bay-host/)

Or they will get a warrant that they believe is related and take them:
[http://en.wikipedia.org/wiki/The_Pirate_Bay_raid](http://en.wikipedia.org/wiki/The_Pirate_Bay_raid)

Plus the problems others have pointed out.

Norway would be a better end destination if you want your servers in North
Europe.

~~~
zik
The servers are diskless. If they confiscate the servers they get nothing.
Mind you if they keep the servers in place and take control of them it'd be
hard to stop them from doing whatever they like.

------
sprucely
Rather than use Java, why not use a JavaScript implementation such as
[http://openpgpjs.org](http://openpgpjs.org) ?

------
dfc
Given how prominently they feature the diskless servers I was a little
surprised that I did not see any mention of the power infrastructure. Did I
miss the page with the details? What happens during a power failure?

A related question: what percentage of the nodes can lockup/hang/freeze
without losing user data?

------
tehwalrus
This is orders of magnitude more expensive than Lavabit was, and simply
disallows you sending non-PGP email (i.e. email to anyone other than 2 or 3
very geeky friends.)

I don't think I can pay $100/year to host my email if I can't actually host
_all_ my personal email there[1].

[1] (of course, I still have a gmail account for spam, "personal" here means
"from an actual person".)

------
DavideNL
Sweden is part of the European Union. If I'd host my own e-mail server
anywhere I'd definitely pick a non-European Union country.

For example, how on earth does 'giving the US access to ALL my bank transfers'
contribute to catching terrorists? (I live in the EU.)

Seriously, I'm more afraid of the US government than I am of terrorists. This
mass surveillance thing is going way too far.

~~~
raverbashing
"how on earth does 'giving the US access to ALL my bank transfers' contribute
to catching terrorists"

If I'm not mistaken what happens there is that bank transfers using the SWIFT
system pass through the US as the service is run from there.

From what I've heard about SWIFT it's a system designed in the 70's with the
corresponding security mindset. Think "Windows 3.1" security.

------
coldcode
This doesn't support iOS which makes it pointless. Requiring Java is a
non-starter anyway. I think the only way this will be at least somewhat
palatable is if it was an open source native application with the servers in a
country likely to not interfere with them. Is there such a place?

------
fenesiistvan
I think that Java is perfectly fine for these kinds of tasks. What else do you
have if you wish to run something a bit complex from the browser? Someday
JavaScript will be also capable of these kinds of tasks, but I don't see how
it will have less exploits than Java has now...

------
butler14
Sweden: the country that has a history of bending over for the yanks.

------
chmike
So well. And what if terrorists or people with evil goals or activities use
this system?

These types of services solve only a little piece of the equation.

I now also tend to think that people focusing only on privacy are
individualists. A good example of individualism is defending the right to
freely own and carry weapons. For rational, well balanced and honest people,
it sounds right and harmless as a means of defense. Like privacy. But it is
well known and demonstrated by the numbers that people are abusing this right
and using the guns for bad goals. The trust given to them, not only by the
authority, but from neighbours and all honest citizens as well has been
betrayed. In Europe where guns are banned and under very tight control, life
is much safer. This is very counter intuitive. See?

I now tend to assume, privacy is very similar. If we give up privacy we may
become much safer. Of course there must be exceptions, but with tight controls
as exist for weapons in Europe. Privacy should be available to lawyers and
doctors for instance.

Finally, a last missing piece of the solution is a feedback loop to control
the controllers so that no one can abuse the system, and this includes the
government.

~~~
00rion
I somewhat agree. However, it's incredibly dangerous for everyone to give up
privacy while the government continues doing things secretly. If we all must
be forced to be exposed, so should the government.

~~~
chmike
Yes, I understand but I honestly don't see how it can be possible to detect
misbehaviors or threats without surveillance. There is a dilemma there I
can't yet deal with.

Surveillance methods are easy to defeat once you know how they work and where
they are applied. This is why they are kept secret. Maybe the communication
capacity and the terrorist threat have developed too fast for taking the time
to think of the optimal approach in terms of efficiency and respect of privacy
and rights. The strategy used so far is not ok. I fully agree and we need
methods to ensure there is no abuse like for the civil forfeiture law.

This is the role of the feedback control loop. With such a loop, abuse or
inadequacy can be detected ASAP and corrected ASAP. Secrecy, and keeping the
control to some arbitrary authority, is preventing us from having such an
objective and independent feedback control loop. This is in my opinion the
true problem in what happens with the NSA and in Europe too.

