EmailDiscussions.com  

Go Back   EmailDiscussions.com > Discussions about Email Services > Email Comments, Questions and Miscellaneous
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

Email Comments, Questions and Miscellaneous Share your opinion of the email service you're using. Post general email questions and discussions that don't fit elsewhere.

Reply
 
Thread Tools
Old 4 Jun 2016, 01:14 AM   #1
Mailfence
Senior Member
 
Join Date: Jun 2016
Location: Belgium
Posts: 152

Representative of:
Mailfence.com
Mailfence - End-to-End Encrypted & Digital Signing Service

Mailfence (mailfence.com) has been created out of our belief that 'Internet privacy is an absolute and definitive right'. After the revelations of massive global surveillance (PRISM....etc) - we decided it was time to offer a service fully dedicated to email privacy. We double-checked each line of code, hardened our servers and worked hard to find a SSL certificate with no american company involved in the certification chain (which is not that easy to find). Withal, the only answer to absolute privacy was end-to-end encryption and we opted OpenPGP (a well known standard - that was further refined in RFC-4880) along with the support of MIME.
The goal was to implement a "TRUE" end-to-end encryption setup (where en(de)cryption occurs purely on the client-side) under an easy-to-use application environment, that is absolutely independent from any third-party (add-on, plugin...) - which by far is the biggest landmark we have set in the secure emailing industry.
Our application use public libraries (openpgp.js - fairly audited) and provides a PGP/MIME based end-to-end solution, including an integrated key-store for managing (importing, exporting, modifying, revoking/deleting...) all of the user PGP public and private keys. Moreover, mailfence gives users the ability of 'Digital Signatures' for (both generating and verifying) PGP/MIME based schemes - an another unique feature which no other service (with-in such eco-system) provides.
Therefore, mailfence is a complete email-suite which not only focuses on User privacy and anonymity - but also gives an entire set of collaborative tools (i.e. Contacts, Calendar, Documents, Groups, Polls...) - so to meet the expectations for all kind of users (personal/private, professional/enterprise).
To further align our strong belief of "Privacy is a right and not a feature" - we donate 15% of "Pro" subscription revenue to associations (Electronic Frontier Foundation and the European Digital Rights Foundation) that globally defend the rights of user privacy on every possible level. Being a small team (with limited resources) - we are cautious, reliable, stable & honest and are massively working on improving our service.
Your suggestions/recommendations are highly welcomed - which will duly help us to further enhance and shape our service under your needs.
- Mailfence Team
Mailfence is offline   Reply With Quote

Old 4 Jun 2016, 01:35 AM   #2
mister
Essential Contributor
 
Join Date: Jun 2002
Posts: 386
Welcome to Emaildisussions Mailfence you should PM Edwin http://www.emaildiscussions.com/announcement.php?f=6 and
mention to him that you're a company rep you'll get a flair.
mister is offline   Reply With Quote
Old 4 Jun 2016, 02:18 AM   #3
Mailfence
Senior Member
 
Join Date: Jun 2016
Location: Belgium
Posts: 152

Representative of:
Mailfence.com
Quote:
Originally Posted by mister View Post
Welcome to Emaildisussions Mailfence you should PM Edwin http://www.emaildiscussions.com/announcement.php?f=6 and
mention to him that you're a company rep you'll get a flair.
@mister - Thank you for notifying that, I've PM'ed the admin of this forum.
Mailfence is offline   Reply With Quote
Old 4 Jun 2016, 03:35 AM   #4
rmannam
Senior Member
 
Join Date: Jun 2004
Posts: 143
Is ContactOffice owned by you? If so, how it is different from MailFence?
rmannam is offline   Reply With Quote
Old 5 Jun 2016, 05:07 AM   #5
Mailfence
Senior Member
 
Join Date: Jun 2016
Location: Belgium
Posts: 152

Representative of:
Mailfence.com
Quote:
Originally Posted by rmannam View Post
Is ContactOffice owned by you?
Yes, 'mailfence' has been developed by 'contactoffice' team.
Quote:
If so, how it is different from MailFence?
Mailfence is solely dedicated to "email privacy and security" and was born as a result of Snowden Revelations with a belief of "Privacy is a right, not a feature". Following are other precise distinctions.
  • No American Company in the SSL/TLS chain (no that easy to find) | Qualys SSL labs - A+.
  • Provides "True" end-to-end encryption - E2EE (all the crypto-processes occurs on the client side) | OpenPGP based (RFC 4880 > openPGPjs): Fairly audited.
  • Digital Signatures (OpenPGP & S/MIME).
  • Integrated Key-Store for managing (import, export, modify, revoke, delete...) all the crypto-keys | Full PGP interoperability.
  • Requires no third-party (add-on/plugin...) and therefore gives you complete control of your privacy with-in a single platform - which is the biggest landmark that we've achieved.
  • Full efforts at transparency (maintains an up-to date warrant canary) | locally hosted in Brussels-Belgium.
Needless to say - mailfence holds a significant amount of "uniqueness", not only with its in-house services but from tons other main-stream solutions as well.
Moreover, as I mentioned earlier - we donate 15% of "Pro" subscription revenue to dedicated associations (Electronic Frontier Foundation and the European Digital Rights Foundation) that globally defend the rights of user privacy on every possible level - which further aligns our values and goals towards online privacy.
Mailfence is offline   Reply With Quote
Old 6 Jun 2016, 10:53 PM   #6
Bamb0
Master of the @
 
Join Date: Feb 2005
Location: USA
Posts: 1,861
Welcome.... Thank you for your site
Bamb0 is offline   Reply With Quote
Old 13 Jun 2016, 05:05 AM   #7
zimmermanfan
Essential Contributor
 
Join Date: Aug 2010
Posts: 200
Superficially, I'm impressed with what I've seen so far. Few questions:

1) Does fencemail.com use any public keyrings, such as pgp.mit.edu? So that if a non-fencemail user publishes their public key somewhere, fencemail will find it?

1.1) If not, suppose I'm not a fencemail user, but I want to send a message to two fencemail users. Do they each have to add my public key to the keyring, or is it a shared public keyring so that my key only needs to be added once? I don't see a fencemail equivalent of hushtools.com, where outsiders can supply their public keys so that encryption "just works" for fencemail users who correspond with outsiders.

2) If a fencemail user downloads their mail over IMAP, is the payload PGP-encrypted? IOW, do they need to export their private key from fencemail and then import it locally?

3) Why does fencemail.com use non-free javascript? Why is it blocked by the LibreJS tool?

4) Why is First name and Last name required? Streetwise users don't give their real names, so you immediately put them in a position of making a false statement. It would be more appropriate to make these fields *optional* during registration, and changeable thereafter.

Last edited by zimmermanfan : 13 Jun 2016 at 05:18 AM.
zimmermanfan is offline   Reply With Quote
Old 16 Jun 2016, 07:33 PM   #8
Mailfence
Senior Member
 
Join Date: Jun 2016
Location: Belgium
Posts: 152

Representative of:
Mailfence.com
Quote:
Originally Posted by zimmermanfan View Post
1) Does fencemail.com use any public keyrings, such as pgp.mit.edu? So that if a non-fencemail user publishes their public key somewhere, fencemail will find it?
> Yes, mailfence users can find and import other PGP public keys from public key servers (pgp.mit.edu...) via their integrated key store (into their key-ring) and can also publish their own public keys so that other users can find them as well. For more info. check out this "how-to" guide.
Quote:
Originally Posted by zimmermanfan View Post
1.1) If not, suppose I'm not a fencemail user, but I want to send a message to two fencemail users. Do they each have to add my public key to the keyring, or is it a shared public keyring so that my key only needs to be added once? I don't see a fencemail equivalent of hushtools.com, where outsiders can supply their public keys so that encryption "just works" for fencemail users who correspond with outsiders.
> If you're not a mailfence user - and sending an encrypted email to multiple recipients that uses mailfence. You will need their PGP public keys (via public key server - if they have published it there, or by any other out-of-band means) in order to encrypt your email for them. As recipients (mailfence users), they will need their private key to decrypt an email which you've sent to them - and does not require your public key for that purpose.
Now both of the recipients will have to add your public key in their integrated key stores (individually) to securely reply back to you - this will allow them to verify your public key in a much richer way (matching fingerprint....etc) instead of relying onto a centralized local key-server which not only is insecure but also contradicts with the concept of PGP on philosophical grounds (No centralization/or centralized authority).
Moreover, a fully featured integrated key store also enable our users to perform all the crypto-keys related operations (import/export/modify/revoke/delete...) by themselves and thus transfer the full control of their privacy into their own hands - and that is what our belief duly relies upon.

Quote:
Originally Posted by zimmermanfan View Post
2) If a fencemail user downloads their mail over IMAP, is the payload PGP-encrypted? IOW, do they need to export their private key from fencemail and then import it locally?
> Mailfence is a 'pure' end-to-end encrypted solution (en(de)cryption occurs on the client-side) - therefore all the encrypted content remains encrypted at all times.
When you import encrypted emails via IMAP - you will receive them in as-is manner and will have to export your private key (in your local machine/or any other device) to decrypt them.

Quote:
Originally Posted by zimmermanfan View Post
3) Why does fencemail.com use non-free javascript? Why is it blocked by the LibreJS tool?
> The JavaScript we use is very complex and compressed. LibreJS simply translates 'it's complex' by 'it's suspect' which we find unrealistic. Its analysis is too simple to handle most modern JavaScript frameworks.
FYI: we are planning to release the code of our front-end in a later phase which will further clarify this and other code-level concerns.

Quote:
Originally Posted by zimmermanfan View Post
4) Why is First name and Last name required? Streetwise users don't give their real names, so you immediately put them in a position of making a false statement. It would be more appropriate to make these fields *optional* during registration, and changeable thereafter.
> Those fields allow us to suggest you an email address and provide you a login name. You can always change them once you create your account (in your 'personal data').
Moreover, as per our privacy policy - we never share any sort of data with any third-party, and comply by the Belgian law.

Thank you for your feedback, and will remain at your disposal.
Mailfence is offline   Reply With Quote
Old 19 Jun 2016, 06:24 PM   #9
zimmermanfan
Essential Contributor
 
Join Date: Aug 2010
Posts: 200
Quote:
Originally Posted by Mailfence View Post
Quote:
Originally Posted by zimmermanfan View Post
1) Does mailfence.com use any public keyrings, such as pgp.mit.edu? So that if a non-mailfence user publishes their public key somewhere, mailfence will find it?
> Yes, mailfence users can find and import other PGP public keys from public key servers (pgp.mit.edu...) via their integrated key store (into their key-ring) and can also publish their own public keys so that other users can find them as well. For more info. check out this "how-to" guide.
I asked "if a non-mailfence user publishes their public key somewhere, mailfence will find it?" Based on what you said, the correct answer is "No", mailfence ("MF") will not find it. The user must find it, and add it manually.

This may be good for security, but makes mailfence less usable for novices.

With hushmail, an expert non-hushmail user can tell a total novice to get a hushmail account, and the expert user can do all the key management on their end so that it /just works/ for the novice.

Suppose a MF user emails someone for the first time. If the key is not on their keyring, why not check pgp.mit.edu automatically, and offer to import the key on the condition that the user verifies the fingerprint?
Quote:
Originally Posted by Mailfence View Post
Now both of the recipients will have to add your public key in their integrated key stores (individually) to securely reply back to you - this will allow them to verify your public key in a much richer way (matching fingerprint....etc) instead of relying onto a centralized local key-server which not only is insecure but also contradicts with the concept of PGP on philosophical grounds (No centralization/or centralized authority).
Moreover, a fully featured integrated key store also enable our users to perform all the crypto-keys related operations (import/export/modify/revoke/delete...) by themselves and thus transfer the full control of their privacy into their own hands - and that is what our belief duly relies upon.
I screwed up the phrasing of my question, but you answered it well.

It's unclear how separate public keyrings protects your users. When a MF user composes an outbound message, what's to stop MF from substituting a different public key? Even if the user has their own public keyring, the webtool won't necessarily use it.
Quote:
Originally Posted by Mailfence View Post
When you import encrypted emails via IMAP - you will receive them in as-is manner and will have to export your private key (in your local machine/or any other device) to decrypt them.
Good answer.. that's what I would expect.
Quote:
Originally Posted by Mailfence View Post
> The JavaScript we use is very complex and compressed. LibreJS simply translates 'it's complex' by 'it's suspect' which we find unrealistic. Its analysis is too simple to handle most modern JavaScript frameworks.
FYI: we are planning to release the code of our front-end in a later phase which will further clarify this and other code-level concerns.
Bug report filed: https://savannah.gnu.org/bugs/?48266
zimmermanfan is offline   Reply With Quote
Old 19 Jun 2016, 06:43 PM   #10
zimmermanfan
Essential Contributor
 
Join Date: Aug 2010
Posts: 200
Mailfence requires an e-mail address for registration. This is flawed for several reasons.

* Creates chicken-egg problem. It's wrong to presume the user has e-mail service already. If the user does not already have an e-mail account, Mailfence blocks them from creating one. If they had one already, they might not need a Maifence account in the first place.

* If the user already has an e-mail account, then linking the two accounts defeats the purpose of having two accounts. It's bad identity management. Either way it's broken.

* I'll be the judge of whether I need a password recovery mechanism. It's less secure to supply an e-mail address for password recovery because if the other e-mail account is compromised, the adversary can attack the mailfence account by simply requesting a password reset.

* Even if an adversary has not compromised the password recovery account, sending tokens in the clear via e-mail is also prone to attack.

It's essential that disclosing a password recovery e-mail address be optional (or non-existent). Since this is a mandate, I'm out. I will not be registering on mailfence or advocating it to others until this is fixed.
zimmermanfan is offline   Reply With Quote
Old 19 Jun 2016, 08:28 PM   #11
north
Senior Member
 
Join Date: May 2012
Location: north
Posts: 164
activation code does not work! tried it two times.
north is offline   Reply With Quote
Old 24 Jun 2016, 10:36 AM   #12
Mailfence
Senior Member
 
Join Date: Jun 2016
Location: Belgium
Posts: 152

Representative of:
Mailfence.com
Quote:
Originally Posted by zimmermanfan View Post
Based on what you said, the correct answer is "No", mailfence ("MF") will not find it. The user must find it, and add it manually.
As I said, "mailfence users can find and import other PGP public keys from public key servers via their integrated key store". Now you seem to ask, will they be able to use it directly- and that's where the answer is 'No', they'll have to import them first (and verify it) before moving any further.

Quote:
Originally Posted by zimmermanfan View Post
This may be good for security, but makes mailfence less usable for novices.
That's what we are trying to do: raising the bar of ease-of-use until that thin line of security (which is our utmost priority) - so to make mailfence a platform for both technical and non-technical users, without compromising the security over convenience.

Quote:
Originally Posted by zimmermanfan View Post
Suppose a MF user emails someone for the first time. If the key is not on their keyring, why not check pgp.mit.edu automatically, and offer to import the key on the condition that the user verifies the fingerprint?
We are currently thinking likewise, and I'm glad that you've also suggested a somewhat similar approach. Though, being a small team (with limited resources) - we are currently focusing on other priority issues, and will consider this one soon.

Quote:
Originally Posted by zimmermanfan View Post
It's unclear how separate public keyrings protects your users. When a MF user composes an outbound message, what's to stop MF from substituting a different public key? Even if the user has their own public keyring, the webtool won't necessarily use it.
The question is about (absolute) "control" of privacy and a dedicated key-store (having private and public keyrings) exactly provides that. Then the notion goes towards security, where that absolute control comes into play and allow users to make the right decisions (avoiding the use of wrong public keys by proper fingerprint verification...etc). We don't adhere to the false concept of "Security through obfuscation" where most of the other solutions does all the user's key management - leaving them with no room to control their keypairs (which indeed are super private to user's).
Furthermore, this also enable our users to enjoy full PGP interoperability in a restrictionless manner, use multiple key-pairs, use no third-party plugin/add-on, perform critical operations (generation of revocation certificate, modifying passphrase/expiration date,...), etc...
We are currently enhancing our "How To" guide and Blog - to also educate users with best-practices in simple and intuitive ways.


Quote:
Originally Posted by zimmermanfan View Post
Quote: Originally Posted by Mailfence
> The JavaScript we use is very complex and compressed. LibreJS simply translates 'it's complex' by 'it's suspect' which we find unrealistic. Its analysis is too simple to handle most modern JavaScript frameworks. FYI: we are planning to release the code of our front-end in a later phase which will further clarify this and other code-level concerns.
Bug report filed: https://savannah.gnu.org/bugs/?48266
Thank you for your efforts, and we'll look forward for their response.

Quote:
Originally Posted by zimmermanfan View Post
Mailfence requires an e-mail address for registration. This is flawed for several reasons.
....
It's essential that disclosing a password recovery e-mail address be optional (or non-existent). Since this is a mandate, I'm out. I will not be registering on mailfence or advocating it to others until this is fixed.
While agreeing to some of your points and not with others - we duly respect the user right of online anonymity and freedom of association on the whole (and have planned multiple measures to take in this regard as well). However, under the related technical boundaries, this may or may not include the condition of an alternate email address.

Thank you for your detailed feedback - and will remain at your disposal.
Mailfence is offline   Reply With Quote
Old 24 Jun 2016, 10:39 AM   #13
Mailfence
Senior Member
 
Join Date: Jun 2016
Location: Belgium
Posts: 152

Representative of:
Mailfence.com
Quote:
Originally Posted by north View Post
activation code does not work! tried it two times.
Kindly, drop us an email at support@mailfence.com - with your login name, and we'll sort this out for you.
Mailfence is offline   Reply With Quote
Old 4 Jul 2016, 08:15 PM   #14
Mailfence
Senior Member
 
Join Date: Jun 2016
Location: Belgium
Posts: 152

Representative of:
Mailfence.com
Update.

Bitcoin acceptance, more inbox storage, multiple authentication schemes, improved digital signing & much more !
Check our Blog with latest Release Notes.
- Mailfence Team
Mailfence is offline   Reply With Quote
Old 20 Jul 2016, 09:16 PM   #15
Tsunami
The "e" in e-mail
 
Join Date: Jun 2004
Location: in between the bright lights and the far unlit unknown
Posts: 2,329
I have to admit to be a rookie when it comes to encryption and terminology such as in the posts above.

Does the need for a decryption key mean that if a MailFence user emails someone using for example Hotmail/Yahoo/Gmail or vice versa, the email would be not received or not readable?




I also have some questions that to me are quite important when choosing a new mail host:
- do you keep a log of previous sign-in dates and locations?
- what is the inactivity/expiry limit of a MailFence account? I mean, this doesn't necessarily have to be the same as for a Mail.be or ContactOffice.com account even when they are run by the same parent company.


I won't ask for how long the service has been around and whether it'll survive the forseeable future despite the competition from the big players out there. Mail.be/ContactOffice/MailFence have been around quite a while, I know as I am Belgian myself
Tsunami is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 06:00 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy