SCRYPTmail.com new email service

[David]

Quote:

Originally Posted by scryptmail

@17pm

Ps. Dec 31, we will open registration again

Merry Christmas and Happy Holidays.

That is super. I will be sure to try out Scryptmail when registration reopens.

Though I tend to be supercritical of new email services, I have been impressed with reading scryptmail's responses, to the many questions he has fielded, which have been responded to in a very professional manner. A very merry Christmas and happy holidays to you too Scryptmail!

Cheers

[rmannam]

Sergei seems to be highly [technically] qualified as he's working Scryptmail (beta) on his own. It is inappropriate to comment on his English communication rather encourage him.

[17pm]

Quote:

Originally Posted by rmannam

Sergei seems to be highly [technically] qualified as he's working Scryptmail (beta) on his own. It is inappropriate to comment on his English communication rather encourage him.

I don't think it's inappropriate. I thought he was American and his english seemed a little bit off on his blog posts. I'm not American myself so I do know that not everyone speaks english. However, not everyone is launching an e-mail service. I think it's important to understand the "politics" of launching a service. You'll be judged for what you say, like it or not.

If you read this thread you'll see that I encouraged him in my first posts. I continue to do so, and did recently on a thread he made on reddit /r/privacy (if I recall correctly).

My comments on his grammar should not be seen as personal attacks but as suggestions for improvement.

Quote:

Originally Posted by scryptmail

@17pm
I never said I'm an American, I think you already raised those type of question at the beginning.
So yes, I'm Russian by nationality, who lives in USA for more than a decade. We probably can agree that quality of the product can not be determined by how well developers know writing English

I never mentioned your blog posts on this thread "scryptmail".. If you go back, you'll see that I gave some suggestions and asked some questions. Don't take my post about your grammar/english as an offense. Take it as an advise, a suggestion.

I'll be testing your service further since I'm in need of another service like yours. I already have enough accounts on tutanota.de :P


EDIT:

One suggestion:

I think you should create an "about" section, somewhere on the site.

[scryptmail]

Quote:

Originally Posted by 17pm

I don't think it's inappropriate. I thought he was American and his english seemed a little bit off on his blog posts. I'm not American myself so I do know that not everyone speaks english. However, not everyone is launching an e-mail service. I think it's important to understand the "politics" of launching a service. You'll be judged for what you say, like it or not.
.....
One suggestion:

I think you should create an "about" section, somewhere on the site.

Hi 17pm.
No offence taken, I also think that constructive criticism as useful as positive feedback, for those who can listen, specially when 90% of people will just close tab without explanation.

As I mention, we got writer on board, so soon our writing part get much better.

Thank you and Happy Holidays
Next year we prepared some surprises for our users.

[scryptmail]

Happy New Year!

Registration officially open

PS.don't forget to do hard refresh

[scryptmail]

Just quick update.
As per our users request, we added support for custom pin that you can provide when sending to third party servers. It will be stored in contacts and reused next time you choose to send encrypted message.

Also if someone unnoticed, we added disposable emails. You can use them to hide your real email or for registration in untrusted websites.

As always, we encourage you to leave comments on how to make service to better suit your needs.

[scryptmail]

Friendly reminder
Now for those who hate 2-factor authentication, you can disable it in settings page.
We would love to hear your feedback on our service.
Thanks

[17pm]

Quote:

Originally Posted by scryptmail

Friendly reminder
Now for those who hate 2-factor authentication, you can disable it in settings page.
We would love to hear your feedback on our service.
Thanks

You provide two-factor authenticaton? Damn, that was fast.

Google authenticator I suppose? Do you plan to add support to yubikey?

[scryptmail]

Quote:

Originally Posted by jslaterb

It doesn't seem to be two-factor authentication. It's just a second password to decrypt the mailbox.

Have I missed something? I thought 2FA generates a different code every time you log in.

Oh NO, what you guys talking is called One Time Password (OTP). Honestly I got huge list of features to implement. And need help to prioritize things. You think yubikey feature would be great addon?

[17pm]

Quote:

Originally Posted by scryptmail

Oh NO, what you guys talking is called One Time Password (OTP). Honestly I got huge list of features to implement. And need help to prioritize things. You think yubikey feature would be great addon?

Oh. You shouldn't call a second-password 2FA.

Normally 2FA is composed by something the user knows (a password) and something the user has (a token).

Two passwords doesn't improve much on one's security.

[B4its2L8]

Quote:

Originally Posted by 17pm

Two passwords doesn't improve much on one's security.

But it has always seemed to me that, while the idea of 2FA being "something you know" + "something you have" may be true for all practical purposes, in a sense isn't it still technically two passwords? It's just that the second factor – the 4 to 6 digit numeric (or alpha-numeric) code/password necessary for logging in and which isn't known ahead of time by the user – is sent to "something you have."

Though improbable in the extreme, it's not beyond the realm of possibility that someone could guess the code (which in Outlook's case is just a four-digit number) and gain access to someone's 2FA-protected account without actually "having" the user's cell phone.

(In Outlook/Hotmail’s case, their version of 2FA also includes the option to have the secondary login code sent to something else the user “has”: an alternate email address, which may or may not itself have 2FA.)

Even so, while two passwords don't improve security much, as you say, every little bit helps, no?

[scryptmail]

Ok. You are right. It seems like we don't have 2-Factor authentication in the way it is publicly known.

What I see is there is no term to represent that second password not used as proof to enter system but plays a critical role in encrypting your private keys and emails (i.e. The first password is just to retrieve a user object, and the second is to decrypt/encrypt it.) I think that at the time 2 factor authentication was brought up no one even thought to have end encrypted user data.

I can see the need for OTP in regular emails like for Gmail or in banking. However, in SCRYPTmail, knowing the first password doesn't give you anything except the ability to retrieve the encrypted object from the server which is encrypted with 512 bite key derived from a second password (secret phrase) (AES -> Twofish) This also means no single point of failure (if AES or Twofish is proven to be compromised or broken).

I'm still don't quite understand how an OTP PIN will be more secure than an 80 character long second key even just for the sake of entering an account.

What we rolled out a few days ago is that users can use a single password for retrieving an object and decrypting it like what was done in tutanota. We still put limitations on how many times you can try to enter it on the site until getting blocked for 10 minutes.

So yes, we don't have 2FA in the way we used to know it, but then I have to make another term. Correct me if I'm wrong, but doesn't it seem to be more secure in the way we make it at SCRYPTmail than to have some device or app from a third party where there may be known backdoors?

[17pm]

Quote:

Originally Posted by scryptmail

Ok. You are right. It seems like we don't have 2-Factor authentication in the way it is publicly known.

What I see is there is no term to represent that second password not used as proof to enter system but plays a critical role in encrypting your private keys and emails (i.e. The first password is just to retrieve a user object, and the second is to decrypt/encrypt it.) I think that at the time 2 factor authentication was brought up no one even thought to have end encrypted user data.

I can see the need for OTP in regular emails like for Gmail or in banking. However, in SCRYPTmail, knowing the first password doesn't give you anything except the ability to retrieve the encrypted object from the server which is encrypted with 512 bite key derived from a second password (secret phrase) (AES -> Twofish) This also means no single point of failure (if AES or Twofish is proven to be compromised or broken).

I'm still don't quite understand how an OTP PIN will be more secure than an 80 character long second key even just for the sake of entering an account.

What we rolled out a few days ago is that users can use a single password for retrieving an object and decrypting it like what was done in tutanota. We still put limitations on how many times you can try to enter it on the site until getting blocked for 10 minutes.

So yes, we don't have 2FA in the way we used to know it, but then I have to make another term. Correct me if I'm wrong, but doesn't it seem to be more secure in the way we make it at SCRYPTmail than to have some device or app from a third party where there may be known backdoors?

Hello.

I've emphasided (with bold) the points I want to address.

First, I say that a second-password doesn't give much security because if one has access to the first password, than has, most likely, access to the second password. Think about keyloggers. There's no point in having N passwords, the keylogger is gonna get them all. If you had a token, it would be different. A TOTP code, as the name suggests, is time-based. Even if someone gets hold of the pin you used last time you logged in, it won't do them no good, as the code is a function of time, that is, it'll change by the time they try to get in your account.

There's no reason to suspect that they've known backdoors and you do not. As far as I am aware, the implementation of TOTP is open-source. The source-code for yubikey's software is also open-source.

As an end-user, I do not feel comfortable, at all, with 2 passwords. I do feel comfortable with 1 password + a token.

[scryptmail]

Quote:

Originally Posted by 17pm

Hello.

As an end-user, I do not feel comfortable, at all, with 2 passwords. I do feel comfortable with 1 password + a token.

That is great input, so for now you can disable second pass in settings. But we cant use OTP for data encryption, as it should be know before. When you say token, is providing as token in the manner of truecrypt file will be enough, or you mean token, but still changing every time? I assume if you select file as token, keylogger would not work

Thanks for input.

[scryptmail]

Just a quick update:
Now you can select font to use for your inbox and add tags to email to organize your communication.

Also we planing to run indiegogo campaign next week to rise funds to deploy more servers and to help with developing custom domain.

Thank you for keep using scryptmail and make it better with your input.