trinity-users@lists.pearsoncomputing.net


Kmail-TDE-PM-pgp

From: William Morder <doctor_contendo@...>
Date: Mon, 30 Apr 2018 03:38:47 -0700
Starting a new thread, since this is going into new territory. 

On Monday 30 April 2018 00:21:23 deloptes wrote:
> William Morder wrote:
> > On Saturday 28 April 2018 23:33:39 deloptes wrote:
> >> William Morder wrote:
> >> > So far it's the best option for private, secure email. You'll have to
> >> > do some reading about it (and compare with other email services) to
> >> > know why. Either you want end-to-end encryption, and other
> >> > privacy/security features, or you don't (yet) care that much.
> >> >
> >> > My only other option seems to be to roll my own (that is, host my own
> >> > email server on my own machine). I know of several people who do that
> >> > (such as Richard Stallman, if I recall), but it's a pain in the
> >> > behind, and a lot of work just to host your own email accounts with
> >> > your own domain, etc.
> >> >
> >> > I will try to make some enquiries about what is involved, if anybody
> >> > else really wants to know. So far, I've just been doing a lot of
> >> > reading, and it seems a little too much trouble. In lieu of that kind
> >> > of hassle, then, there is ProtonMail.
> >>
> >> You are welcome to use the hosting service of a friend or so. If you
> >> don't have such, we have one here, just let me know. I pay for 5 domains
> >> 140/y.
> >
> > Thanks, but no money to spend at present.
> >
> >> What I do not understand in the whole picture is how you get "encryption
> >> end to end" - it means the other end must also be encrypted. So what is
> >> the difference between this ProtonMail and using normal GnuPG.
> >
> > I think the problem here (and in another email you answer to somebody
> > else, dep, I think) is the conflation of two ideas: 1. end-to-end
> > encryption (which you're right, Kmail offers, but you have to do some
> > work yourself, whereas Proton is encrypted by default); and 2. a secure
> > email service where all emails are encrypted, and content or contact
> > information cannot be read even by the admins. And it is much better to
> > download emails to my own computer, rather than to leave them on the
> > server where they could be read by who knows?
>
> How is it encrypting by default, when it does not have access to your
> private key? You always provide a password to use the private key. If it is
> not the case, it is not secure - so I guess you somehow misunderstand what
> ProtonMail is (not that I understand properly what it is). In theory it is
> not possible to have encryption by default without providing the passphrase
> for the private key - all of this is supported in kmail - I can tell kmail
> to always encrypt for specific recipient(s).
>
> > Gmail, for example, can be used with Kmail, and properly encrypted; but
> > if any emails are left on the server, all data is gathered and reused by
> > Google, as I have discovered myself due to some targeted ads - which were
> > obviously related to recent emails that I had received.
> >
> > Our querent here, dep, as a journalist, would like to keep his sources
> > and contacts confidential. And while I am not a journalist as such, I am
> > engaged in research and writing (mostly history, anthropology, etc.),
> > which, in the wrong hands, might be twisted and misused to make my work
> > appear to be something it is not.
>
> Did you try OTR? AFAIK it is the one that journalists use and I think OTR
> is also supported in Kopete, but there are also other tools. You basically
> don't communicate things via mail except when to meet someone and where -
> that's it.
>
> > Lavabit used to offer a similar service, and got shut down. ProtonMail,
> > because they are located in Switzerland, promise (or hope) not to succumb
> > to pressure to snoop on users, or to create backdoors, etc.
>
> Yes I think a friend was looking into it because it is in Switzerland. But
> this has nothing to do with the way encryption works. So I think you
> have to distinguish between location of mail server and actual encryption.
>
> > I have no clue if they are as good as they promise, but my mode of
> > operation is first to do a little research, then usually to try them out,
> > and find out by experience. Until I get a 32-bit bridge package and a
> > free account, ProtonMail is out for me, but I'll be watching what others
> > have to say.
> >
> > Someday, we can only hope, secure, private emails will be the norm,
> > rather than the exceptions.
>
> I follow GnuPG since I uplifted kpgp to gnupg2 last year and there are
> discussions in making keys distribution more accessible. In fact they did
> change a few things regarding sks lately and it is much easier to find the
> public keys of someone to import and encrypt.
> Finally you have to have your servers under your control - anything else is
> not likely to be secure enough - even in Switzerland, although it is much
> better than somewhere else, it does not guarantee much.
>
> To sum up - you have a few additional steps when using TDE's kmail+kpgp, but
> it is for free.
>
I think that's what I said. There are two (or maybe three) different issues 
here, which it seems are getting conflated by how we keep talking about it. 
Number 1 is encrypting our own emails sent by TDE's version of Kmail, using 
our own private keys. Number 2 is using an encrypted email service, which not 
only encrypts emails in transit, but also encrypts everything on the server, 
as well as Number 3, (which was pointed out by others) encrypting headers, 
addresses, etc. 

My own problem is that I have correspondents who talk about wanting to use 
encryption, but don't seem to know how to do it. I can send encrypted emails, 
but they don't seem to be able to read them. They can send encrypted emails, 
but then I can't read them. And those who claim to know what they are doing 
are generally too busy to spend time on getting it right. 

So perhaps a few of us (here on the TDE list) could work this out among 
themselves, if they can find somebody that they trust? 

Otherwise, you have right there the need for using ProtonMail or a similar 
email service. 

Bill
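
Added example (not part of the original message or the thread): a local GnuPG self-test of the exchange discussed above, showing that a message is readable only by someone holding the private key it was encrypted to, which is the usual cause when one correspondent can send encrypted mail that the other cannot open. It assumes GnuPG 2.1 or later; the identities, addresses and function names are constructed for illustration, and it works in throwaway keyrings only.

```shell
#!/bin/sh
# Constructed identities in throwaway keyrings; your real ~/.gnupg is never touched.
ALICE_UID='Alice Example <alice@example.invalid>'; ALICE=alice@example.invalid
BOB_UID='Bob Example <bob@example.invalid>';       BOB=bob@example.invalid

# gpg_in HOMEDIR ARGS...: run gpg non-interactively against one keyring.
gpg_in() { h=$1; shift; gpg --homedir "$h" --batch --quiet "$@" 2>/dev/null; }

# new_identity HOMEDIR USERID: create a keyring holding one unprotected key pair.
new_identity() {
    mkdir -p "$1" && chmod 700 "$1" &&
    gpg_in "$1" --pinentry-mode loopback --passphrase '' --quick-generate-key "$2"
}

# give_pubkey FROM_HOME WHOSE TO_HOME: the key exchange both sides must complete
# before either can encrypt to the other.
give_pubkey() { gpg_in "$1" --armor --export "$2" | gpg_in "$3" --import; }

# encrypt_to HOME RECIPIENT: encrypt stdin to RECIPIENT's public key only.
# --trust-model always skips the ownership prompt; acceptable for a local test,
# with real correspondents verify the key fingerprint instead.
encrypt_to() { gpg_in "$1" --armor --trust-model always --encrypt --recipient "$2"; }

# decrypt_with HOME: decrypt stdin; non-zero exit if HOME has no matching private key.
decrypt_with() { gpg_in "$1" --decrypt; }

selftest() {
    t=$(mktemp -d) || return 1
    new_identity "$t/alice" "$ALICE_UID" || return 1
    new_identity "$t/bob" "$BOB_UID" || return 1
    give_pubkey "$t/bob" "$BOB" "$t/alice" || return 1
    msg='meet at noon'
    # Case 1: Alice encrypts to Bob's public key; Bob's private key opens it.
    got=$(printf '%s' "$msg" | encrypt_to "$t/alice" "$BOB" | decrypt_with "$t/bob")
    if [ "$got" = "$msg" ]; then r1=ok; else r1=FAILED; fi
    # Case 2: Alice encrypts only to her own key; Bob cannot read the result.
    if printf '%s' "$msg" | encrypt_to "$t/alice" "$ALICE" | decrypt_with "$t/bob" >/dev/null
    then r2=readable; else r2=unreadable; fi
    # Stop the per-keyring agents before deleting the temporary directories.
    for d in "$t/alice" "$t/bob"; do
        gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$t"
    echo "to-bob=$r1 to-self-only=$r2"
}

selftest
```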