Gmail and Skype alternatives

After a long time using Google Mail services to send and receive mails and Skype to chat with family and friends, I need good alternatives to protect my privacy with my folks and family. Google has been my choice for mailing services, although I think there's a better way of securing my data and keeping privacy over my e-mails.

I have recently been using IRC chat rooms to talk about projects with people on the Internet, but I can't figure out a good alternative to replace Microsoft's Skype to chat in a safe and reliable way with my folks.

I searched for a while and the XMPP protocol combined with Pidgin (Jabber, who developed this protocol, won't accept registration at this time because they are moving their database to a new machine) seems a good secure alternative to Skype and for Gmail I can't find something that fulfills my needs.

What mail and chat service do you use? If so, why?
 
net-p2p/retroshare. It's hard to convince people to use it and it drags in Qt with it, but it allows for secure IM and message services as well as file sharing.

As for the email, you would have to find a paid service committed to protecting your privacy, obviously most webmail providers can't guarantee you that.
 
As an alternative to Skype you can give Linphone a try. It exists in the FreeBSD ports collection as net/linphone. On the subject of alternatives for Gmail, I totally agree with @zspider's comment. A good start is to check out the email encryption list to know some of the available providers (e.g. Lavabit was shut down).
 
If you want true email privacy, you are going to need to colocate a server of your own. In any other case, there is an admin that is not you who has access to the machine and thus the data on it.
 
Pushrod said:
If you want true email privacy, you are going to need to colocate a server of your own. In any other case, there is an admin that is not you that has access to the machine and thus the data on it.

Even that cannot guarantee that the mails that you receive cannot be read by outsiders. The SMTP protocol defaults to unencrypted transfer and you cannot really force the sending party to use TLS encryption because the vast majority of MTAs have no support for TLS transport when the MTA acts as a client.
 
Yes you can check which MTAs can use TLS but how are you going to force everyone who wants to send email to you to use an ISP or mail service that supports TLS?
 
kpa said:
Yes you can check which MTAs can use TLS but how are you going to force everyone who wants to send email to you to use an ISP or mail service that supports TLS?

Yep, that's another question not relative to trust or not on the latest improvements of the MTAs. If they don't convince you, it's quite simple to stop using their services. Implanting a unique large-scale awareness was never easy on the IT land, due to its pluripotentiality factor ;)
 
kpa said:
Yes you can check which MTAs can use TLS but how are you going to force everyone who wants to send email to you to use an ISP or mail service that supports TLS?

Install a Postfix MTA on your home base, and put among all the other pertinent TLS settings in /usr/local/etc/postfix/main.cf the following:

Code:
smtpd_tls_security_level = encrypt

This would refuse any non-TLS connection attempt.

Of course this would mean that you can't receive any non-TLS messages for your secured account. The sender would receive a "Message delivery failure notice" with a brief problem description, code 550.

My experience is that the servers of all my peers that I care about can use TLS. For new peers there is the risk that they use outdated mailing systems, and unfortunately it happens too often that people do not understand the 550 notice. Anyway, I run that risk, and for those people I maintain a less-secured/restricted account.

Another problem that cannot be controlled by any restrictions on your own server is non-TLS connections of intermediate hops.

There are also advanced techniques of TLS message interception by a MITM if he provides fake certificates to your or to any intermediate server. Here comes in handy another big advantage of your own e-mail server, in that it can hold secured 1-hop e-mail accounts for the whole family and/or private community.

By using such accounts, you could discuss with your mother the mixing recipe for producing in her stainless steel pressure cooker the ultimate subnuclear-antiparticle-higgs-singularity-bomb (in plain: Baked Bean Soup), and no SSS (Secret Service Spy) in the entire multiverse would have a chance to intercept this conversation.
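
Before switching `smtpd_tls_security_level` from `may` to `encrypt` as described in the post above, the mail log can show which sending servers would start bouncing. The following is an added example, not code from this thread: it assumes `smtpd_tls_loglevel = 1` is set so Postfix logs each TLS handshake, the function name `plaintext_clients` is hypothetical, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# One smtpd process serves one client at a time, so the PID identifies a session.
EVENT = re.compile(
    r"postfix/smtpd\[(\d+)\]: "
    r"(connect from|disconnect from|\w+ TLS connection established from) "
    r"([^\s\[]+)\[([^\]]+)\]"
)

# Constructed sample log lines (hosts and addresses are documentation values).
SAMPLE_LOG = """\
Oct  1 10:00:01 mx postfix/smtpd[2101]: connect from mail.example.org[192.0.2.10]
Oct  1 10:00:01 mx postfix/smtpd[2107]: connect from old.example.net[198.51.100.7]
Oct  1 10:00:02 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct  1 10:00:03 mx postfix/smtpd[2107]: disconnect from old.example.net[198.51.100.7]
Oct  1 10:00:04 mx postfix/smtpd[2101]: disconnect from mail.example.org[192.0.2.10]
Oct  1 10:07:30 mx postfix/smtpd[2107]: connect from old.example.net[198.51.100.7]
Oct  1 10:07:31 mx postfix/smtpd[2107]: disconnect from old.example.net[198.51.100.7]
Oct  1 10:09:12 mx postfix/smtpd[2110]: connect from unknown[203.0.113.5]
Oct  1 10:09:12 mx postfix/smtpd[2110]: Untrusted TLS connection established from unknown[203.0.113.5]: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Oct  1 10:09:13 mx postfix/smtpd[2110]: disconnect from unknown[203.0.113.5]
"""


def plaintext_clients(log_text):
    """Return {client: sessions} for sessions that ended without a TLS handshake."""
    tls_seen = {}              # pid -> did the open session negotiate TLS?
    counts = defaultdict(int)  # "host[ip]" -> number of plaintext sessions
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        pid, event, host, ip = m.groups()
        if event == "connect from":
            tls_seen[pid] = False
        elif event.endswith("established from"):
            tls_seen[pid] = True
        elif tls_seen.pop(pid, True) is False:
            # Disconnect of a session we saw open and that never used STARTTLS.
            # Sessions whose connect line is missing (rotated log) are skipped.
            counts[f"{host}[{ip}]"] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, n in sorted(plaintext_clients(SAMPLE_LOG).items()):
        print(f"{client}: {n} plaintext session(s)")
```

Clients listed by this check are the ones that would be rejected once `encrypt` is enforced; an empty result over a representative period means the change should not lose mail from current peers.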
 
Hi @rolfheinrich,

That makes sense. So it's better to live with that inconvenience and not filter the non-TLS messages, than to lose some trusted deliveries. IMHO, this should be applied in some specific cases as you said. As protocol I prefer to continue using GnuPG to encrypt messages, for me that is more than enough.
 
Sure, I read a bit about the Lavabit shutdown just because it was splashed for the Snowden Case. No wonder for this reason ;)

Anyway, I think this matter should be treated in another Off-Topic thread. In fact, there are already some other topics about this issue.
 
  1. Do some further researching.
  2. You always have the choice of setting up your own mail server.
  3. Skype has some very crappy code.
 
cpu82 said:
Sure, I read a bit about the Lavabit shutdown just because it was splashed for the Snowden Case. No wonder for this reason ;)

Anyway, I think this matter should be treated in another Off-Topic thread. In fact, there are already some other topics about this issue.

His post is relative to this subject. Some people are working on an alternative to email. The Lavabit founder is one of them. Google is an alternative to Skype.
 
cpu82 said:
That makes sense. So it's better to live with that inconvenience and not filter the non-TLS messages, than to lose some trusted deliveries. IMHO, this should be applied in some specific cases as you said. As protocol I prefer to continue using GnuPG to encrypt messages, for me that is more than enough.

Hi @cpu82,

I am still in the process of sorting out all the notices that I read and all the lessons that I learned in the past few months about multiple threads from all sorts of interested parties on citizens' privacy. However, I came already to a couple of conclusions, and I keep on installing, adapting, and fine-tuning the countermeasures. That said, eventually I may ease the requirements so clients can use TLS but may choose to not:

Code:
smtpd_tls_security_level = may

The number of non-TLS-aware clients is decreasing anyway.

In addition I have still my doubts about the integrity of the TLS-PKI, and TLS may be nothing more than snake oil for the crowd. So, perhaps it may be really better to encrypt/decrypt messages directly at the source/destination instead of or in addition to transport level encryption that may break at any hop.

I will evaluate GnuPG for my Mac OS X client. Thank you for the hint.
 
Yes. There's an article online about how Lavabit sent the FBI an invoice for $3K and they turned him down saying it was too much. Which is funny when you compare Halliburton gets to keep the $6M they overcharged.
 
There's a redacted invoice online where Ladar Levison estimated ~$3K for accessing Snowden's email account and the FBI said it wasn't justified.
 
Thanks for your clarification, @rolfheinrich. I note your useful tip, it is possible I may need to use it in the near future. Regarding GnuPG, I highly recommend it. A common question on which is the preferred algorithm for signing and encrypting with GnuPG could make you doubt at first. You can choose between RSA and DSA/DSA-2, of course it supports other algorithms, depending on the circumstances, a choice will need to be made. I hope you can take a thorough look at the matter.

Also I added as resource the link to one good website about GnuPG.

Kind regards.
 
sossego said:
His post is relative to this subject. Some people are working on an alternative to email. The Lavabit founder is one of them. Google is an alternative to Skype.

I hope that it's true what you claim about the Lavabit founder after that the USA Government has decided to abruptly close his business. Given that the model architecture that they used for their project as a secure email service provider was clever at these times.

If anyone knows more details about their new work initiative, I would like to read it :)
 
I like pointing back to the initial questions of alternatives for services which lost trust and confidence. net-p2p/retroshare has been named already. Searching the ports tree in the net-p2p category shows more alternatives. One of them might be net-p2p/i2p which is in active development. Looking on their web site is informative as there can be compared with other approaches. Have a look on SIMILAR SYSTEMS
http://www.i2p2.de/techintro.html#app.i2pmail

Regarding commercial email providers there is always a legal component involved, depending on the country where they are located. Knowing the local law is mandatory for choosing a provider. Some European countries demand already on 1000+ customers technical devices installed locally with the provider. As can be read Lavabit in USA had many more customers and no such device installed. Disturbing is that authorities were greedy and wanted all data which might be common practice. Note that your privacy might disappear already when the provider is searched for other persons or your email is found in someone else's address book.

Some conclusions can be drawn here. The big email providers cannot protect your privacy even if they want to and offer encrypted services. Providers only can give away data they have stored. Decentralized systems come in focus now for various reasons. They get more attention from those seeking privacy, and from those who are attacking exactly these systems now more than ever. For the big anonymizing services it has changed, that their traffic can be analyzed from a higher perspective which an ordinary attacker cannot reach. Always note that metadata are by far more valuable than content. Choose your friends carefully - and don't have too many of them. ;-)
 
rolfheinrich said:
By using such accounts, you could discuss with your mother the mixing recipe for producing in her stainless steel pressure cooker the ultimate subnuclear-antiparticle-higgs-singularity-bomb (in plain: Baked Bean Soup), and no SSS (Secret Service Spy) in the entire multiverse would have a chance to intercept this conversation.

I wonder if I'm the only one who got your point (and I agree).
 
cpu82 said:
...after that the USA Government has decided to abruptly close his business.

The government cannot close any US business. The Lavabit guy closed it on his own. Business in the US is private enterprise and only regulated by federal laws if they do business that crosses state lines. Even then, the owner can be thrown in jail and go bankrupt but the business can continue to run if it has someone to do it and has the funds.
 