Free Webmail for Better Privacy (part 1)


Autistici/Inventati

https://www.autistici.org

Advertising: No

Aliases: 5

Allows signup through Tor: Yes

Attachment size: 10 MB

Authentication: SPF

Connection security: TLS 1.2, Perfect Forward Secrecy, HSTS, prioritizes AEAD cipher suites. SSL Labs test results: autistici.org, mail.autistici.org.

Import/export address book: CSV, vCard

Inactive account termination: 180 days

Inbox size: Unlimited (within reason)

Legal: Policy

Location: Organization in Milan, Italy. Servers with Copyleft Solutions in Oslo, Norway, XS4ALL in Amsterdam, Netherlands and OVH in Paris, France.

Mobile access: Main site

POP3, IMAP: Yes

Requires JavaScript: Yes

Spam/Virus filtering: Clam AV, SpamAssassin

Your IP address in mail headers: No, for both webmail and SMTP.

A/I is a small organization in Italy which was started and is managed by volunteers. In addition to email, an A/I account includes XMPP and VPN access and you can also ask for web hosting. You get a choice of about 25 different domains, Roundcube is used for the webmail interface, two-factor authentication is offered and you can temporarily suspend your account if you think you won’t use it for more than 6 months.

A/I does not store server logs, and their SMTP server also strips the mail client's User-Agent header. A/I uses their own self-signed TLS certificate. It is not needed for email, but it must be installed (trusted) on your computer before you can use their XMPP or VPN services.

You must request an A/I account and, because you'll receive a response with a temporary password, you need to provide an email address that won't quickly expire. A/I account passwords are limited to 60 characters and may not contain special characters. A password can be recovered from a link on the login page, and to close an A/I account you must contact them.


Mailfence

https://mailfence.com/

Advertising: No

Aliases: No

Allows signup through Tor: Yes

Attachment size limit: 10 MB

Authentication: DKIM, SPF, S/MIME

Connection security: TLS 1.2, Perfect Forward Secrecy, HSTS, prioritizes AEAD cipher suites. SSL Labs results.

Import/export address book: CSV, vCard

Inactive account termination: 210 days

Inbox size: 200 MB

Legal: Privacy, Terms of Use

Location: Headquartered in Brussels, Belgium. Servers with Level3 Communications in Brussels.

Mobile access: https://mailfence.com/pocket/

POP3, IMAP: Yes

Requires JavaScript: Yes

Spam/Virus filtering: Yes

Your IP address in mail headers: No


Mailfence is a service by the Belgian company ContactOffice Group SA, which created a suite of online office applications similar to Google Apps or Zoho. The right to internet privacy has long been a tenet of ContactOffice, and it is this belief, fuelled by the Snowden revelations, which sparked the Mailfence project to life in 2013.

The project developed with the goal of providing end-to-end encryption for their email service without the need for third-party apps or plugins. Mailfence defined a threat model and even went to the effort of obtaining a TLS certificate with no American issuer anywhere in its chain. Fifteen percent of the proceeds of their Pro subscription are also donated to the Electronic Frontier Foundation and the European Digital Rights Foundation.

Mailfence is different from the other providers here in that when you sign up, you don't choose an email address that doubles as your account name. With Mailfence you create an account, which gives you access to the calendar, file storage, polls and other office applications, and then you still need to choose an email address for it. The pre-set choices range from your account name to variations of the first and last name fields you filled out during registration.

In account settings you can change time zones, reset passwords, view quotas for messages (emails), storage, etc., access WebDAV, manage the calendar and contacts, import .eml files from Outlook Express, set mail filters and delete the account. An email address must be provided at signup to receive an immediate confirmation with an activation link. There is two-factor authentication with a QR code, server-side encryption using RSA-4096 and AES-256 so messages are not stored in plaintext, and Mailfence is currently working on concealing all mail header metadata between Mailfence accounts.

Messages can be composed in plaintext or HTML but are only received as HTML. They can include signatures and read receipts, and are sent unencrypted by default but can be OpenPGP encrypted. For OpenPGP, you can import a keypair or create keys in Mailfence. You can set the expiration date, export keys, upload to a public key server, change the key passphrase, revoke, and create a revocation certificate. Mailfence can be used with Gmail, Outlook, Hotmail and Yahoo mail, or other accounts by POP or IMAP.


Mailoo

https://www.mailoo.org

Advertising: No

Aliases: Yes

Allows signup through Tor: Yes

Attachment size: 5 MB

Authentication: SPF

Connection security: TLS 1.2, Perfect Forward Secrecy, HSTS, prioritizes AEAD cipher suites. SSL Labs results: mailoo.org, mail.mailoo.org.

Import/export address book: CSV, vCard

Inactive account termination: Yes (time not mentioned)

Inbox size: 1 GB

Legal: Legal notice

Location: Servers with Online SAS in Paris and Lost Oasis in Marseille, France.

Mobile access: Main site

POP3, IMAP: Yes

Requires JavaScript: Yes

Spam/Virus filtering: No

Your IP address in mail headers: Webmail, no. SMTP, yes.

Mailoo exists to be a privacy-friendly email service running entirely on free and open source software. Roundcube is the web interface, which includes the OpenPGP plugin. Mailoo removes user IP addresses from mail headers, but only for webmail: mail submitted through their SMTP server still carries your IP, although the SMTP server does strip the mail client's user agent. You need to wait up to 24 hours for your account to be approved because they want to check that the address meets "certain ethical standards." To close an account, you must contact Mailoo.

mailoo.org redirects to HTTPS but does not set an HSTS header; only the webmail server, mail.mailoo.org, does. The downside is that you must register from mailoo.org, so it is during account creation that your browser's first plain-HTTP request could, in theory, be intercepted and stripped by a man-in-the-middle. To limit the damage, change your password immediately when you first log in at mail.mailoo.org.


OpenMailBox

https://www.openmailbox.org

Advertising: No

Aliases: 1

Allows signup through Tor: Yes

Attachment size: 500 MB

Authentication: DKIM, DMARC, SPF

Connection security: TLS 1.2, Perfect Forward Secrecy, HSTS, prioritizes AEAD cipher suites. SSL Labs results.

Import/export address book: CSV, vCard

Inactive account termination: 6 months

Inbox size: 1 GB

Legal: ToS

Location: Servers with Online SAS in Paris, France.

Mobile access: Main site

POP3, IMAP: Yes

Requires JavaScript: Yes

Spam/Virus filtering: Clam AV, SpamAssassin

Your IP address in mail headers: No, for both webmail and SMTP.

OpenMailBox is one of the new mail providers born since the Snowden leaks. The service is privately owned and makes strong claims about user privacy. OpenMailBox uses full disk encryption on its servers. IP addresses accessing the servers are logged, and mail sent from a mail client will show its user agent, though some mail clients can disable that header.

There are four components to an OpenMailBox account. First is Roundcube for webmail, including Roundcube's OpenPGP plugin with key generation/import/export up to 4096 bits. Keys are kept in the browser's DOM storage, so they exist only in the browser profile you created them in and are gone if you clear site data; export a backup. Second is the user interface, where you can expand your storage as a paid service, create an @openaliasbox.org address as an alias, change your password or delete the entire account. Third is OwnCloud served by OpenMailBox, which integrates with Android, iOS and desktop apps and lets you import your own SSL certificate. Fourth is an XMPP handle.


ProtonMail

https://protonmail.ch/

Advertising: No

Aliases: No

Allows signup through Tor: Yes

Attachment size: 10

Authentication: DKIM, DMARC, SPF

Connection security: TLS 1.2, Perfect Forward Secrecy, HSTS, prioritizes AEAD cipher suites. SSL Labs results.

Import/export address book: Import CSV and vCard.

Inactive account termination: None

Inbox size: 3 GB

Legal: Terms and Conditions, Privacy Policy

Location: Company Proton Technologies AG and primary servers in Geneva. Redundancy servers also in Switzerland.

Mobile access: Main site, Android and iOS apps.

POP3, IMAP: No

Requires JavaScript: Yes

Spam/Virus filtering: Yes (spam).

Your IP address in mail headers: No


ProtonMail is the brainchild of a handful of CERN scientists, and development continues as a joint effort between CERN (also the source of Scientific Linux) and MIT. In addition to open source libraries for AES and RSA, ProtonMail uses a JavaScript implementation of OpenPGP to encrypt mail (including attachments) and manage keys entirely in the browser. For messages to non-ProtonMail accounts, you encrypt with a pre-shared password: the recipient gets an automated message with a link, and after entering the shared password their browser decrypts your message locally. From ProtonMail 2.0, the front-end is open source.

A ProtonMail account has two passwords: the login password (for the obvious) and the mailbox password, which decrypts everything in your account. Encrypted messages can be given a lifespan in increments of hours. Messages between ProtonMail accounts don't expire by default, encrypted messages to outside mail services expire after 4 weeks, and mail sent as plaintext can't use this feature. Account settings let you set a display name, signature, mail labels, display layout and notification address. There are options for auto-loading images, auto-saving contacts and authentication logging levels, and an area for password changes. Sent messages are capped at 1000 per month.

To get a ProtonMail account, you must submit an invite request. During signup (separate from the invite request), a second email address is required, but this address can be changed or removed after the account is created. ProtonMail has a transparency report, HTML composing, a contacts list, mail drafts and archiving. To delete a ProtonMail account, you must write to them and ask for it to be deleted.


Riseup

https://www.riseup.net | .onion addresses

Advertising: No

Aliases: Unlimited but within reason

Allows signup through Tor: Yes

Attachment size: 2 MB

Authentication: DKIM, SPF

Connection security: TLS 1.2, Perfect Forward Secrecy, HSTS, prioritizes AEAD cipher suites. SSL Labs results: riseup.net, mail.riseup.net.

Import/export address book: CSV, vCard

Inactive account termination: 6 months

Inbox size: 25 MB – 92 MB

Legal: Policy

Location: Organization Riseup Networks and servers in Seattle, United States.

Mobile access: Main site or SyncML

POP3, IMAP: Yes

Requires JavaScript: No (SquirrelMail option).

Spam/Virus filtering: Clam AV, SpamAssassin

Your IP address in mail headers: No, for both webmail and SMTP.

Riseup gives you the choice of Roundcube or SquirrelMail, an on-screen keyboard for login, XMPP and even full VPN access. IP addresses are removed from mail headers, as are mail client user agents.
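The "Your IP address in mail headers" line in every entry, and the user-agent notes for A/I, Mailoo, OpenMailBox and Riseup, all come down to what a recipient can read out of the Received and User-Agent headers of mail you send. The following is an added example, not code from any of these providers, that scans a raw message for the submitting host's address in the first-hop Received line and for client-identifying headers. The two sample messages are constructed, and smtp.provider.example, webmail.provider.example and mx.example.org are placeholder hostnames; send yourself a test mail and feed the real source to the same function.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address, ip_network

# Headers that identify the sending software or host; privacy-minded providers strip them.
CLIENT_HEADERS = ("User-Agent", "X-Mailer", "X-Originating-IP")

# The submitting host's address is written in square brackets in the first-hop Received
# line, e.g.  Received: from [192.0.2.77] (cpe.isp.example [192.0.2.77]) by smtp...
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Addresses that can only be the provider's own infrastructure (a webmail host talking
# to its local submission server), never the user's machine.
INTERNAL_NETS = [ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def _is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def leaked_client_info(raw_message):
    """Report what a recipient can learn about the sender's machine from the headers.

    Returns {"client_ip": str or None, "client_headers": {name: value}}.
    client_ip is the bracketed address of the earliest Received hop unless it is an
    internal address, which means the mail came from the provider's own webmail host.
    """
    msg = message_from_string(raw_message, policy=default)
    result = {"client_ip": None, "client_headers": {}}

    received = msg.get_all("Received") or []
    if received:
        # Each relay prepends its own Received line, so the first hop is the last one.
        match = BRACKETED_IP.search(received[-1])
        if match:
            try:
                ip = ip_address(match.group(1))
            except ValueError:
                ip = None
            if ip is not None and not _is_internal(ip):
                result["client_ip"] = str(ip)

    for name in CLIENT_HEADERS:
        value = msg.get(name)
        if value:
            result["client_headers"][name] = str(value)
    return result


# Constructed sample: submitted from a desktop client through the provider's SMTP server.
SMTP_SUBMISSION = """\
Received: from smtp.provider.example (smtp.provider.example [203.0.113.9])
    by mx.example.org (Postfix) with ESMTPS id A1; Mon, 20 Jul 2015 10:01:00 +0200
Received: from [192.0.2.77] (cpe-192-0-2-77.isp.example [192.0.2.77])
    by smtp.provider.example (Postfix) with ESMTPSA id B2; Mon, 20 Jul 2015 10:00:58 +0200
From: alice@provider.example
To: bob@example.org
Subject: test
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Thunderbird/38.0
Message-ID: <a1@provider.example>

hello
"""

# Constructed sample: the same mail sent from the provider's webmail, which submits
# over localhost and adds no User-Agent header.
WEBMAIL_SUBMISSION = """\
Received: from smtp.provider.example (smtp.provider.example [203.0.113.9])
    by mx.example.org (Postfix) with ESMTPS id C3; Mon, 20 Jul 2015 10:01:00 +0200
Received: from webmail.provider.example (localhost [127.0.0.1])
    by smtp.provider.example (Postfix) with ESMTPA id D4; Mon, 20 Jul 2015 10:00:58 +0200
From: alice@provider.example
To: bob@example.org
Subject: test
Message-ID: <a2@provider.example>

hello
"""

if __name__ == "__main__":
    for label, raw in (("SMTP client", SMTP_SUBMISSION), ("webmail", WEBMAIL_SUBMISSION)):
        print(label, leaked_client_info(raw))
```

The check deliberately looks only at the earliest hop: a provider that rewrites or drops that line is the one that protects you, and the later Received lines are added by servers you do not control anyway. It will not catch an address hidden in a Message-ID or in a signature, so read the full source once yourself.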

While the mail server's subdomain sends an HSTS header, Riseup's apex domain (riseup.net) does not. Instead, it is preloaded into Chromium-based browsers, Firefox and Safari, which means that help.riseup.net will be forced over HTTPS too. To open a Riseup account, you must either request one and be approved, or know two people who already have Riseup accounts and can send you invitation codes.
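The Mailoo and Riseup notes above both turn on the same question: which hostnames will a browser refuse to contact over plain HTTP, given the HSTS headers it has already seen and the preload list it ships with? The following is an added example, not code from either provider, that parses a Strict-Transport-Security header and answers that question for a hostname by walking up through its parent domains. The header values are constructed (the page only says that mail.mailoo.org sets HSTS, mailoo.org does not, and riseup.net is preloaded), and a preload entry is modelled as a hostname plus an include-subdomains flag.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797) into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age stays None, which hsts_protected treats as no policy
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_protected(host, observed, preloaded):
    """Would a browser refuse plain HTTP for `host`?

    observed:  {hostname: HSTS header value seen on an HTTPS response, or None}
    preloaded: {hostname: include_subdomains flag} for entries on the browser's preload list
    Returns (protected, reason).
    """
    labels = host.lower().split(".")
    # Walk from the host itself up through its parents; the bare TLD is skipped.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        exact = i == 0
        header = observed.get(candidate)
        policy = parse_hsts(header) if header else None
        # max-age=0 (or a missing/malformed max-age) removes the policy rather than setting one.
        if policy and policy["max_age"] and (exact or policy["include_subdomains"]):
            how = "" if exact else " with includeSubDomains"
            return True, f"{candidate} sent an HSTS header{how}"
        if candidate in preloaded and (exact or preloaded[candidate]):
            how = "" if exact else " with subdomains"
            return True, f"{candidate} is on the browser preload list{how}"
    return False, (f"no HSTS policy covers {host}; a first visit typed as http:// "
                   "can be intercepted before the redirect to HTTPS")


if __name__ == "__main__":
    # Constructed header values; the page only says which host sets HSTS, not its max-age.
    observed = {"mailoo.org": None, "mail.mailoo.org": "max-age=31536000"}
    print(hsts_protected("mailoo.org", observed, {}))
    print(hsts_protected("mail.mailoo.org", observed, {}))
    # riseup.net is described as preloaded with its subdomains, so help.riseup.net is covered.
    print(hsts_protected("help.riseup.net", {}, {"riseup.net": True}))
```

A redirect from http:// to https:// is not the same protection: the browser still sends that first request in the clear, and an attacker on the path can answer it instead of letting the redirect happen. Only an HSTS policy already cached or preloaded makes the browser skip the plaintext request altogether.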

Yes, Riseup has strong political overtones to its literature and I’ve read responses from people being denied an account after describing their political beliefs in the request info. Whether that was direct cause for denial, I don’t know. What you choose to write is up to you, however I’ll say that when requesting this account, I made no political references or affiliations whatsoever. Don’t feel that you must do so. Your mileage may vary. A Riseup account can be closed through the user control panel.


Scramble

https://scramble.io

Advertising: No

Aliases: No

Allows signup through Tor: Yes

Attachment size: n/a

Authentication: SPF

Connection security: TLS 1.2, Perfect Forward Secrecy, HSTS, prioritizes AEAD cipher suites. SSL Labs results.

Import/export address book: No

Inactive account termination: ???

Inbox size: ???

Legal: None given.

Location: Servers and all 3 current key notaries with Linode in Galloway, NJ, United States.

Mobile access: Main site

POP3, IMAP: No

Requires JavaScript: Yes

Spam/Virus filtering: No

Your IP address in mail headers: No


Scramble runs OpenPGP.js and scrypt entirely client-side in your web browser for zero-knowledge message encryption. Message body, attachment and subject line are encrypted, leaving To, From and timestamps as the only plaintext metadata. Scramble's backend is open source, hosted on GitHub and there you'll find a summation of the service: "GPG for the masses."

Scramble is still in very early stages so at this time, it's a basic encrypted message service. The webmail interface gives you a contact list and HTML mail can be viewed but not composed. You can also view your OpenPGP key pair, manage contacts, archive messages and Scramble has a list of keyboard shortcuts to streamline working in an account.

Unique to Scramble is its notary service, intended to make public key exchange more secure. Instead of asking one keyserver, a group of notaries is queried for a Scramble user's public key, and only if they all agree on the key does the client-side application treat it as safe to use.

Importing keys isn't possible yet, and there are only 3 notaries now, all in the U.S., but a system like this needs many notaries all over the world to reach its full potential. Scramble's info page mentions that a mail client is in the works, seemingly in the form of a browser extension.


SCRYPTmail

https://scryptmail.com/ | https://ninja.scryptmail.com/ (self-signed cert)

Advertising: No

Aliases: 3

Allows signup through Tor: Yes

Attachment size: 10 MB

Authentication: DKIM, SPF

Connection security: TLS 1.2, Perfect Forward Secrecy, HSTS, prioritizes AEAD cipher suites. SSL Labs results: scryptmail.com, react.scryptmail.com (RapidSSL cert).

Import/export address book: No

Inactive account termination: 3 months for free accounts.

Inbox size: 200 MB

Legal: Terms and Conditions, Privacy Statement

Location: Servers with SoftLayer Technologies Inc. in Dallas, TX, United States.

Mobile access: Main site

POP3, IMAP: No

Requires JavaScript: Yes

Spam/Virus filtering: Yes (spam)

Your IP address in mail headers: No


SCRYPTmail is a zero-knowledge client-side encrypted mail service with client code on GitHub. Email body and attachments are encrypted using AES-256 and RSA-2048. RSA-4096 will be available as part of a paid service or you can instead import your own keys. Your private RSA key is encrypted with AES-256 and then Twofish-256 before being stored server-side but future plans are to store private keys entirely on the local client.

When you create your account, you'll be prompted to download its secret token. This is SCRYPTmail's solution to resetting your password or PGP passphrase without actually storing them. The account token is the hexadecimal encoding of a hash of a random string generated when the account is opened. A reset requires this token, the account's email address and either the account password or the PGP passphrase (whichever of the two you still have).

When you receive mail from other SCRYPTmail users, the sender's public key fingerprint (a hash of the key) is checked and you are warned if it doesn't match. When communicating with outside mail accounts, you select the message for encryption and give it a PIN. The recipient gets a link to open in a browser and enters that same PIN to decrypt the message. Messages encrypted with a PIN expire after 4 weeks, or the recipient can delete them instantly, and if a PIN is entered incorrectly 3 times in a row the message is deleted. PINs are unique to each email, or they can be saved with other recipient info in your contacts list.
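ProtonMail's pre-shared password for outside recipients and SCRYPTmail's PIN-protected links are the same idea: the message is encrypted under a key derived from a short secret, the link only fetches the blob, and the service enforces an expiry and a strike count. The following is an added example, not code from either service, that models that life cycle with the Python standard library. It derives the key with scrypt and uses a fresh-salt one-time keystream plus HMAC-SHA256 as a stand-in for the OpenPGP/AES encryption the real services use; the 4-week lifetime and 3-strike rule are the ones described for SCRYPTmail above, and the message store, ids and PINs are constructed.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3                 # the third wrong PIN in a row destroys the message
LIFETIME = 4 * 7 * 24 * 60 * 60  # 4 weeks, in seconds


def _derive(pin, salt, length):
    """scrypt a PIN into a keystream of `length` bytes plus a separate 32-byte MAC key."""
    material = hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                              dklen=length + 32)
    return material[:length], material[length:]


def seal(plaintext, pin, now):
    """Sender side: encrypt under the PIN, then authenticate (encrypt-then-MAC).

    A fresh random salt per message means the keystream is never reused, so XOR with it
    is a one-time pad; the HMAC over salt+ciphertext is what lets a wrong PIN be detected
    instead of silently producing garbage.
    """
    salt = os.urandom(16)
    keystream, mac_key = _derive(pin, salt, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "ct": ciphertext, "tag": tag,
            "expires": now + LIFETIME, "failures": 0}


def open_message(store, msg_id, pin, now):
    """Recipient side: look the message up by its link id and decrypt with the PIN.

    Returns the plaintext, or None if the message is gone, has expired, or the PIN is
    wrong. An expired message, or a third consecutive wrong PIN, removes it from the store.
    """
    record = store.get(msg_id)
    if record is None:
        return None
    if now >= record["expires"]:
        del store[msg_id]
        return None
    keystream, mac_key = _derive(pin, record["salt"], len(record["ct"]))
    expected = hmac.new(mac_key, record["salt"] + record["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        record["failures"] += 1
        if record["failures"] >= MAX_ATTEMPTS:
            del store[msg_id]
        return None
    record["failures"] = 0  # "3 times in a row": a correct PIN resets the counter
    return bytes(c ^ k for c, k in zip(record["ct"], keystream))


if __name__ == "__main__":
    store = {}
    t0 = 1_437_379_200  # constructed timestamp
    store["m1"] = seal(b"meet at noon", "4821", t0)
    print(open_message(store, "m1", "0000", t0))       # wrong PIN
    print(open_message(store, "m1", "4821", t0 + 60))  # correct PIN
    print(open_message(store, "m1", "4821", t0 + LIFETIME), "m1" in store)  # expired
```

Two caveats the model glosses over. In the real services the decryption runs in the recipient's browser and the server never sees the PIN, so folding the MAC check and the strike counter into one function is a simplification: a server that must enforce three strikes without learning the PIN needs a separate PIN-derived authenticator it can verify before releasing the blob. And a short PIN put through scrypt is still brute-forceable offline by anyone who obtains the blob, which is why the lockout only helps while the server gates access to it.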

Account settings let you change passwords or add a second, edit/add a new RSA keypair, change or disable session timeout, enable 2-factor authentication, create an alias or disposable mail address, create/sort folders and labels, edit a contact list and create mail filters. Displaying mail can be toggled between HTML and plaintext and there is HTML composing.

SCRYPTmail gives you the choice of a self-signed TLS certificate or one issued by RapidSSL. Their KeePass SafeBox works with KeePass's online password database feature to store your db within your SCRYPTmail account, and account passwords have a maximum length of 80 characters, including special characters. All metadata is encrypted between SCRYPTmail accounts, including To and From headers, and SCRYPTmail has a warrant canary.


Senditonthenet

https://www.senditonthenet.com

Advertising: No

Aliases: No

Allows signup through Tor: Yes

Attachment size: 80 MB

Authentication: n/a

Connection security: TLS 1.2, supports but does not prioritize Perfect Forward Secrecy and AEAD cipher suites. SSL Labs results.

Import/export address book: n/a

Inactive account termination: No

Inbox size: 80 MB

Legal: Terms & Conditions and Privacy Policy

Location: Company in Manchester and servers with iCloudHosting, United Kingdom.

Mobile access: Main site

POP3, IMAP: No

Requires JavaScript: Yes

Spam/Virus filtering: No

Your IP address in mail headers: n/a


Senditonthenet transports RSA-encrypted files between users. It works entirely through a web browser and you get an 80 MB attachment limit. You can enter a message to accompany your package; the text is not RSA encrypted, though the whole submission is still sent over HTTPS. You can only send files to users in your contact list, because without a Senditonthenet account your recipients won't have your public key. After activating your account, you receive an email at the confirmation address with your public key as an attachment.

Senditonthenet documents its security information on a single, easy-to-digest page of its website. The service has what it calls a drop box (no connection to Dropbox): you can give your drop box link to people without a Senditonthenet account and they can upload encrypted files and an unencrypted message to you. Senditonthenet's server doesn't set any cipher suite priorities, so it's up to the browser to decide. Modern browsers will specify strong cipher suites; old ones generally will not.
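Every entry above carries a "Connection security" line, and the Senditonthenet note that the server sets no cipher suite priority is what "supports but does not prioritize" means in practice. Here is an added example, not code from any provider or from SSL Labs, that takes a server's cipher list in its preferred order (as SSL Labs reports it) and works out the same three facts: whether forward-secret (ECDHE/DHE) suites are offered, whether AEAD (GCM/ChaCha20-Poly1305/CCM) suites are offered, and whether the server's order actually puts the PFS+AEAD suites first. It accepts both OpenSSL and IANA suite names; the cipher lists in the example are constructed and are not any provider's real configuration.

```python
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify_suite(name):
    """Return (forward_secrecy, aead) for an OpenSSL- or IANA-style cipher suite name."""
    s = name.upper()
    # Ephemeral (EC)DH key exchange: ECDHE-..., DHE-..., TLS_ECDHE_..., TLS_DHE_...,
    # plus OpenSSL's older EDH- alias. Static RSA key exchange has none of these.
    forward_secrecy = "DHE" in s or "EDH" in s
    # Authenticated encryption with associated data; CBC/HMAC suites are not AEAD.
    aead = any(marker in s for marker in AEAD_MARKERS)
    return forward_secrecy, aead


def assess_cipher_order(server_order, server_enforces_order=True):
    """Summarise a server's cipher list the way the comparison entries above do.

    server_order: suites in the server's preferred order.
    server_enforces_order: False when the server lets the client's preference win,
    in which case nothing is "prioritized" no matter how the list is written.
    """
    rows = [(name, *classify_suite(name)) for name in server_order]
    strong = [i for i, (_, pfs, aead) in enumerate(rows) if pfs and aead]
    weak = [i for i, (_, pfs, aead) in enumerate(rows) if not (pfs and aead)]
    # "Prioritizes" means every PFS+AEAD suite is offered before any suite lacking
    # one of the two properties, and the server actually imposes that order.
    prioritizes = (server_enforces_order and bool(strong)
                   and (not weak or max(strong) < min(weak)))
    return {
        "supports_pfs": any(pfs for _, pfs, _ in rows),
        "supports_aead": any(aead for _, _, aead in rows),
        "prioritizes_pfs_aead": prioritizes,
        "first_choice": server_order[0] if server_order else None,
        "weak_suites": [name for name, pfs, aead in rows if not (pfs and aead)],
    }


if __name__ == "__main__":
    # Constructed lists in OpenSSL naming; not any provider's actual configuration.
    prioritised = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
                   "ECDHE-RSA-AES256-SHA", "AES128-SHA"]
    unordered = ["AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"]
    print(assess_cipher_order(prioritised))
    print(assess_cipher_order(unordered))
    # A server with no preference of its own leaves the choice to the client, as with
    # Senditonthenet, so the same list no longer counts as prioritized.
    print(assess_cipher_order(prioritised, server_enforces_order=False))
```

SSL Labs prints the suites in the server's preferred order and says separately whether the server enforces that order; both inputs are needed, because a list that merely contains ECDHE-GCM suites somewhere is what "supports" means, while "prioritizes" is about what an old client that offers everything will actually get.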

Free Webmail for Better Privacy (part 2)

