> The only sane alternative that I can see is to run your own server, on your own hardware, preferably hosted inside your own home for maximum legal protection. Of course, unless you really know your stuff then your data could well be at greater risk from both legal and illegal intercept.

This is what I do. At home I have a Chromebox with FreeBSD and a fully encrypted disk. I have a VPS with an OpenVPN server and the required ports are forwarded to my own box. IMAP and SMTP submission require TLS so those are fully covered. Like you said though, the only thing you can't reasonably forcibly encrypt is SMTP itself. Most of the mail I receive comes with STARTTLS but not all.

With this setup the VPS provider can't see anything when SMTP happens with STARTTLS. Obviously if they really want to read my mail they can start MITM'ing the STARTTLS away because it isn't forced but this is the best setup that's reasonable.

My ISP for my home can only see encrypted OpenVPN traffic too. In fact the VPS is in another country but that's only a consequence of the silly VPS prices in my country.

Obviously with this setup I don't have to surrender my private key to anyone either, it sits on my own box (and I use a legitimate CA-issued certificate).

Great points.

One thing that bothers me about these "encrypted webmail"-services, is that they all depend on TLS for whatever thin sliver of security they provide. Then they go and use something that's not S/MIME and/or x509 for end-to-end (or whatever kind of) encryption/authentication.

At least leaning on pgp makes sense in because it is already somewhat deployed and in-use.

But since they all fall apart if TLS has a hole, it seems odd to add another layer. The complexity of any other solution for encryption/authentication must surely outweigh the benefits of OurCleverCryptoSystem(tm)?

I'm not aware of any advances that have changed the possibilities of asynchronous secure messaging: you can't have PFS, key distribution is hard.

At least with x509/gnupg you can partner with someone like youbikey, and at least pretend to lower the ux friction and increase the real-world security of the system.

/rant

You're right about you're being clear about working there, I'm sorry if I've sounded a bit harsh. Thank you for your analysis BTW. I think it's always useful to provide constructive review to fellow developers.

I agree with you that the only alternative is self hosting. That's why I'm anticipating a new wave of low power mini-computers with solid state memory, a fully configured embedded GNU/Linux or *BSD distro, and a webbased interface for management which would make it possible to host our own services at home using OSS only. The FreedomBox is an example of this.