EmailDiscussions.com  

Old 26 Dec 2014, 05:27 AM   #61
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
Quote:
Originally Posted by scryptmail View Post
@17pm

Ps. Dec 31, we will open registration again

Merry Christmas and Happy Holidays.
That is super. I will be sure to try out Scryptmail when registration reopens.

Though I tend to be supercritical of new email services, I have been impressed with reading scryptmail's responses, to the many questions he has fielded, which have been responded to in a very professional manner. A very merry Christmas and happy holidays to you too Scryptmail!

Cheers
David is offline   Reply With Quote
Old 26 Dec 2014, 10:04 AM   #62
rmannam
Senior Member
 
Join Date: Jun 2004
Posts: 103
Sergei seems to be highly [technically] qualified as he's working Scryptmail (beta) on his own. It is inappropriate to comment on his English communication rather encourage him.
rmannam is offline   Reply With Quote
Old 29 Dec 2014, 06:02 AM   #63
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 506
Quote:
Originally Posted by rmannam View Post
Sergei seems to be highly [technically] qualified as he's working Scryptmail (beta) on his own. It is inappropriate to comment on his English communication rather encourage him.
I don't think it's inappropriate. I thought he was American and his English seemed a little bit off on his blog posts. I'm not American myself so I do know that not everyone speaks English. However, not everyone is launching an e-mail service. I think it's important to understand the "politics" of launching a service. You'll be judged for what you say, like it or not.

If you read this thread you'll see that I encouraged him in my first posts. I continue to do so, and did recently on a thread he made on reddit /r/privacy (if I recall correctly).

My comments on his grammar should not be seen as personal attacks but as suggestions for improvement.


Quote:
Originally Posted by scryptmail View Post
@17pm
I never said I'm an American, I think you already raised those type of question at the beginning.
So yes, I'm Russian by nationality, who lives in USA for more than a decade. We probably can agree that quality of the product can not be determined by how well developers know writing English
I never mentioned your blog posts on this thread "scryptmail". If you go back, you'll see that I gave some suggestions and asked some questions. Don't take my post about your grammar/English as an offense. Take it as advice, a suggestion.

I'll be testing your service further since I'm in need of another service like yours. I already have enough accounts on tutanota.de :P


EDIT:

One suggestion:

I think you should create an "about" section, somewhere on the site.
17pm is offline   Reply With Quote
Old 29 Dec 2014, 07:12 AM   #64
scryptmail
Senior Member
 
Join Date: Nov 2014
Posts: 127

Representative of:
Scryptmail.com
Quote:
Originally Posted by 17pm View Post
I don't think it's inappropriate. I thought he was American and his English seemed a little bit off on his blog posts. I'm not American myself so I do know that not everyone speaks English. However, not everyone is launching an e-mail service. I think it's important to understand the "politics" of launching a service. You'll be judged for what you say, like it or not.
.....
One suggestion:

I think you should create an "about" section, somewhere on the site.
Hi 17pm.
No offence taken, I also think that constructive criticism is as useful as positive feedback, for those who can listen, especially when 90% of people will just close the tab without explanation.

As I mentioned, we got a writer on board, so soon our writing part will get much better.

Thank you and Happy Holidays
Next year we prepared some surprises for our users.

Last edited by scryptmail : 29 Dec 2014 at 09:11 AM.
scryptmail is offline   Reply With Quote
Old 31 Dec 2014, 04:41 PM   #65
scryptmail
Senior Member
 
Join Date: Nov 2014
Posts: 127

Representative of:
Scryptmail.com
Happy New Year!

Registration officially open

PS. Don't forget to do a hard refresh
scryptmail is offline   Reply With Quote
Old 10 Jan 2015, 01:43 PM   #66
scryptmail
Senior Member
 
Join Date: Nov 2014
Posts: 127

Representative of:
Scryptmail.com
Just a quick update.
As per our users' request, we added support for a custom PIN that you can provide when sending to third party servers. It will be stored in contacts and reused next time you choose to send an encrypted message.

Also, if someone hasn't noticed, we added disposable emails. You can use them to hide your real email or for registration on untrusted websites.

As always, we encourage you to leave comments on how to make the service better suit your needs.

Last edited by scryptmail : 10 Jan 2015 at 03:28 PM.
scryptmail is offline   Reply With Quote
Old 30 Jan 2015, 05:25 AM   #67
scryptmail
Senior Member
 
Join Date: Nov 2014
Posts: 127

Representative of:
Scryptmail.com
Friendly reminder
Now for those who hate 2-factor authentication, you can disable it in the settings page.
We would love to hear your feedback on our service.
Thanks
scryptmail is offline   Reply With Quote
Old 30 Jan 2015, 04:48 PM   #68
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 506
Quote:
Originally Posted by scryptmail View Post
Friendly reminder
Now for those who hate 2-factor authentication, you can disable it in the settings page.
We would love to hear your feedback on our service.
Thanks
You provide two-factor authentication? Damn, that was fast.

Google authenticator I suppose? Do you plan to add support to yubikey?
17pm is offline   Reply With Quote
Old 30 Jan 2015, 05:49 PM   #69
scryptmail
Senior Member
 
Join Date: Nov 2014
Posts: 127

Representative of:
Scryptmail.com
Quote:
Originally Posted by jslaterb View Post
It doesn't seem to be two-factor authentication. It's just a second password to decrypt the mailbox.

Have I missed something? I thought 2FA generates a different code every time you log in.
Oh NO, what you guys are talking about is called One Time Password (OTP). Honestly I've got a huge list of features to implement. And I need help to prioritize things. You think a yubikey feature would be a great addon?
scryptmail is offline   Reply With Quote
Old 30 Jan 2015, 08:15 PM   #70
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 506
Quote:
Originally Posted by scryptmail View Post
Oh NO, what you guys are talking about is called One Time Password (OTP). Honestly I've got a huge list of features to implement. And I need help to prioritize things. You think a yubikey feature would be a great addon?
Oh. You shouldn't call a second-password 2FA.

Normally 2FA is composed by something the user knows (a password) and something the user has (a token).

Two passwords don't improve much on one's security.
17pm is offline   Reply With Quote
Old 30 Jan 2015, 08:56 PM   #71
B4its2L8
Master of the @
 
Join Date: Dec 2007
Location: Hiding under my bed
Posts: 1,465
Quote:
Originally Posted by 17pm View Post

Two passwords don't improve much on one's security.
But it has always seemed to me that, while the idea of 2FA being "something you know" + "something you have" may be true for all practical purposes, in a sense isn't it still technically two passwords? It's just that the second factor – the 4 to 6 digit numeric (or alpha-numeric) code/password necessary for logging in and which isn't known ahead of time by the user – is sent to "something you have."

Though improbable in the extreme, it's not beyond the realm of possibility that someone could guess the code (which in Outlook's case is just a four-digit number) and gain access to someone's 2FA-protected account without actually "having" the user's cell phone.

(In Outlook/Hotmail’s case, their version of 2FA also includes the option to have the secondary login code sent to something else the user “has”: an alternate email address, which may or may not itself have 2FA.)

Even so, while two passwords don't improve security much, as you say, every little bit helps, no?
B4its2L8 is offline   Reply With Quote
Old 31 Jan 2015, 01:56 AM   #72
scryptmail
Senior Member
 
Join Date: Nov 2014
Posts: 127

Representative of:
Scryptmail.com
Ok. You are right. It seems like we don't have 2-Factor authentication in the way it is publicly known.

What I see is there is no term to represent that second password not used as proof to enter system but plays a critical role in encrypting your private keys and emails (i.e. The first password is just to retrieve a user object, and the second is to decrypt/encrypt it.) I think that at the time 2 factor authentication was brought up no one even thought to have end encrypted user data.

I can see the need for OTP in regular emails like for Gmail or in banking. However, in SCRYPTmail, knowing the first password doesn't give you anything except the ability to retrieve the encrypted object from the server, which is encrypted with a 512-bit key derived from a second password (secret phrase) (AES -> Twofish). This also means no single point of failure (if AES or Twofish is proven to be compromised or broken).

I still don't quite understand how an OTP PIN will be more secure than an 80 character long second key even just for the sake of entering an account.

What we rolled out a few days ago is that users can use a single password for retrieving an object and decrypting it like what was done in tutanota. We still put limitations on how many times you can try to enter it on the site until getting blocked for 10 minutes.

So yes, we don't have 2FA in the way we used to know it, but then I have to make another term. Correct me if I'm wrong, but doesn't it seem to be more secure in the way we make it at SCRYPTmail than to have some device or app from a third party where there may be known backdoors?

Last edited by scryptmail : 31 Jan 2015 at 02:07 AM.
scryptmail is offline   Reply With Quote
Old 31 Jan 2015, 02:51 AM   #73
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 506
Quote:
Originally Posted by scryptmail View Post
Ok. You are right. It seems like we don't have 2-Factor authentication in the way it is publicly known.

What I see is there is no term to represent that second password not used as proof to enter system but plays a critical role in encrypting your private keys and emails (i.e. The first password is just to retrieve a user object, and the second is to decrypt/encrypt it.) I think that at the time 2 factor authentication was brought up no one even thought to have end encrypted user data.

I can see the need for OTP in regular emails like for Gmail or in banking. However, in SCRYPTmail, knowing the first password doesn't give you anything except the ability to retrieve the encrypted object from the server, which is encrypted with a 512-bit key derived from a second password (secret phrase) (AES -> Twofish). This also means no single point of failure (if AES or Twofish is proven to be compromised or broken).

I still don't quite understand how an OTP PIN will be more secure than an 80 character long second key even just for the sake of entering an account.

What we rolled out a few days ago is that users can use a single password for retrieving an object and decrypting it like what was done in tutanota. We still put limitations on how many times you can try to enter it on the site until getting blocked for 10 minutes.

So yes, we don't have 2FA in the way we used to know it, but then I have to make another term. Correct me if I'm wrong, but doesn't it seem to be more secure in the way we make it at SCRYPTmail than to have some device or app from a third party where there may be known backdoors?
Hello.

I've emphasized (with bold) the points I want to address.

First, I say that a second-password doesn't give much security because if one has access to the first password, then one has, most likely, access to the second password. Think about keyloggers. There's no point in having N passwords, the keylogger is gonna get them all. If you had a token, it would be different. A TOTP code, as the name suggests, is time-based. Even if someone gets hold of the pin you used last time you logged in, it won't do them no good, as the code is a function of time, that is, it'll change by the time they try to get in your account.

There's no reason to suspect that they've known backdoors and you do not. As far as I am aware, the implementation of TOTP is open-source. The source-code for yubikey's software is also open-source.

As an end-user, I do not feel comfortable, at all, with 2 passwords. I do feel comfortable with 1 password + a token.
17pm is offline   Reply With Quote
Old 31 Jan 2015, 02:58 AM   #74
scryptmail
Senior Member
 
Join Date: Nov 2014
Posts: 127

Representative of:
Scryptmail.com
Quote:
Originally Posted by 17pm View Post
Hello.

As an end-user, I do not feel comfortable, at all, with 2 passwords. I do feel comfortable with 1 password + a token.
That is great input, so for now you can disable the second pass in settings. But we can't use OTP for data encryption, as it should be known before. When you say token, would providing a token in the manner of a truecrypt file be enough, or do you mean a token that is still changing every time? I assume if you select a file as the token, a keylogger would not work.

Thanks for input.
scryptmail is offline   Reply With Quote
Old 6 Mar 2015, 02:54 PM   #75
scryptmail
Senior Member
 
Join Date: Nov 2014
Posts: 127

Representative of:
Scryptmail.com
Just a quick update:
Now you can select a font to use for your inbox and add tags to emails to organize your communication.

Also, we are planning to run an Indiegogo campaign next week to raise funds to deploy more servers and to help with developing custom domains.

Thank you for continuing to use scryptmail and making it better with your input.

Last edited by scryptmail : 7 Mar 2015 at 12:13 AM.
scryptmail is offline   Reply With Quote