Beyond this, you can create solutions that can prevent even yourself from certain types of snooping without a lot of additional work. This is a place where I think available source helps, if not open.
In the end, you pick your battles. Even if you self-host, there are risks.
Are we still doing this "Oh, they are nationality so they are spies!" thing?
Stereotyping is counterproductive. Still, based on recent changes in Australian law I can see why some organisations may pause before using services based there, or which rely on Australian contractors who may be compelled to compromise systems. So any companies boasting of their jurisdiction should not be immune to skepticism about how robust that distinction is in practice.
Looks like HN still does that. One of my comments earlier today was calling someone out who said it may or may not be a problem for you that the developers of some IDE are part-Russian, part-Czech[1]. I'm getting mixed up- and downvotes on a comment saying that I find this a harmful generalization (with no replies, by the way, so I don't know if maybe the downvoters didn't like a typo that I made, if they think xenophobia is fine, or anything in between).
The secure email services provide far less product-based value, though clearly the security and lack of ad tracking is there.
Ultimately the market will declare - but currently people overwhelmingly choose brand (Google) and feature-based value, whilst giving up their privacy. It's quite frustrating.
I have thought about this as well. What do you think could be added to secure email services to make the value more appealing?
In the dark distant past, ISPs of old would include email as a side effect of their data services including shell accounts, user file hosting, and maybe even CGI-BIN, if you paid.
The only thoughts I have had were to bundle some kind of VOIP/SMS package along with the secure email offer. Perhaps some startup MVNO could also include secure email and other advanced features along with their mobile data services.
All of this seems pretty far-fetched, as email looks to be as niche of a product category as Premium IRC.
Google and MSFT seem to be competing on a value proposition like the full suite of office needs, even if it's for your person. I may be wrong, but I don't think that the average Facebook-using, Instagram-reading person even cares about email.
It's another feature checkbox among other features... and few even really consider it a high priority feature. For Google/MS commercial options include an office suite, even if the cheaper options are web only, which is still a pretty good value add. Not to mention network effect on "free" versions.
It's very hard to compete with a perception of free is what it comes down to. In the end, most people aren't afraid of their government spying on them with an "I've got nothing to hide" attitude about it. Prior to Snowden's leaks, my own thoughts were there was too much data to do anything with; I was deeply wrong.
In the end, if you wanted to compete, you'd have to get a web office suite at least better than Google Docs and undercut both Google and MS on price. Or maybe go the Apple route and provide best of breed integration and apps... unfortunately there's money to be made and competing with MS and Google would be very difficult. I'm not sure there's enough support for open-source to aid a startup to have a self and commercially hosted option... of course then there's the AWS path where they're suddenly offering your software and undercutting you.
Overall I am happy with the switch.
I am happy with Mailfence. I miss YubiKey and real two-factor (two-factor is only needed in the browser; IMAP etc. just rely on the normal password).
I have catchall enabled and can use both my Mailfence and my own domain interchangeably.
I think I signed up with a 10 minute free mail. Paid with Bitcoin. Didn't provide any personal info (as principle, didn't use VPN etc).
Set up DMARC etc. Helpful support.
Really happy overall.
I use FairEmail for email and Simple Contacts + DAVx5. Works really well.
Also, their "we take software security" blurb is weak:
We use operating systems and open source software that take security seriously. However, software have bugs. In most cases, an update for a security problem will be available within minutes/hours of the original report. We perform the update as soon as it is available and validated.
Applying patches is table stakes. What portions of their stack, including their own code, have they actually had audited? Do they have software security engineers on staff? Is there a /security page somewhere on this site that explains where to report vulnerabilities?
My own take: you can't trust any web-based solution. But you can choose a provider which plays nice with open standards, supports EFF and OpenPGP etc.
I don't let Mailfence handle my keys, but I liked that they, on every level, let me do what I want.
And I like that they let other people trust them to handle their PGP keys. Thus helping that ecosystem.
I guess Electron might be a reasonable application to quickly move your crypto code from the website to a local client so that a compromised server can't simply backdoor it. But then you want it to auto-update for security issues and you're back to square one. And if someone inspects the source code of each update (they won't), they'll just be slower updating and either run the old (vulnerable) code for longer, have forced and unscheduled downtime (while looking at the diff), or run the new code before it has been vetted.
While I used it, it was good at least. Setting up a custom domain at the time required sending the company an email iirc?
My requirements were:
1. Support my own domain
2. Support IMAP, CardDAV, and CalDAV
3. Privacy friendly country
Some alternatives I looked at and rejected were:
* Posteo - Doesn't allow domains
* Fastmail - The Assistance and Access Bill of 2018 makes Australia a privacy unfriendly country (also part of the Five Eyes)
* Protonmail - Doesn't support standard protocols and IMAP bridge was flaky
It would be a great name for an email service catering to spammers and scammers.