Yup there are a few of them out there. We were not sure about their security and if they delete the conversations.So we created something which we feel is more secure.
I upvoted because I like the simplicity of the website.
But I have to say that I would have preferred if your code was open source. You state to use encryption and delete messages from your servers. Now I would like to have some sort of "proofs" and there is nothing more realiable than code.
Thanks! We just got started, and I totally get your point. Right now we are trying to figure if there is a commercial aspect to this. Our plan is to open source the code eventually.
Note: We use AES for encoding our keys into redis, where we use redis timeouts to clear out the data. Minimal postfix logging to ensure that we don't keep track of emails.
Without access to login to their server and look at the running code anytime you like, you still don't have any "proofs" of the encryption/deletion -- regardless of whether the code is open source or not.
How can T3mpmail tout its security/privacy and ask"Want to have a private conversation without being snooped on?", when their SSL configuration allows for non-Forward Secrecy key exchanges?
In other words, sniff their traffic, and if the server's private key is ever compromised, then all the traffic ever captured can be decrypted.
In a post-Snowden world, starting any email service focused on security and not using DHE or ECDHE is just silly and shows a lack of understanding about your attack vectors.
In a post snowden world, thinking email can be secure and talking about client-server encryption shows a lack of understanding in the snowden revelations.
Emails will be secure only whith a new protocol different than SMTP.
Edit: Sorry my post sounds agressive. It's not the goal. I'm sure you understand the snowden revelation. However I don't think their goal is to provide fully 'secure' email but only quick and anonymous email assuming it is used with a system like Tor of course.
There is one button that does anything on that website and that button replies to the one and only email in your temporary inbox. So ... How am I supposed to use this for anything?
12 comments
[ 3.2 ms ] story [ 24.7 ms ] threadBut I have to say that I would have preferred if your code was open source. You state to use encryption and delete messages from your servers. Now I would like to have some sort of "proofs" and there is nothing more realiable than code.
My 2c.
Note: We use AES for encoding our keys into redis, where we use redis timeouts to clear out the data. Minimal postfix logging to ensure that we don't keep track of emails.
In other words, sniff their traffic, and if the server's private key is ever compromised, then all the traffic ever captured can be decrypted.
In a post-Snowden world, starting any email service focused on security and not using DHE or ECDHE is just silly and shows a lack of understanding about your attack vectors.
(SSL Labs report, showing RSA key exchange support and no preference on cipher suites https://www.ssllabs.com/ssltest/analyze.html?d=t3mpmail.com)
Emails will be secure only whith a new protocol different than SMTP.
Edit: Sorry my post sounds agressive. It's not the goal. I'm sure you understand the snowden revelation. However I don't think their goal is to provide fully 'secure' email but only quick and anonymous email assuming it is used with a system like Tor of course.
This is a great tool.