🆕 Software Suggestion | CTemplar #1642

Closed
opened 2020-01-09 08:45:51 +00:00 by MystesofEternity · 72 comments
MystesofEternity commented 2020-01-09 08:45:51 +00:00 (Migrated from github.com)

## Basic Information

Name: **CTemplar**
Category: **Email**
URL: **https://ctemplar.com**

## Description

A highly respectable email service that is hosted in Iceland and has a collection of features that respect the privacy, security, and anonymity of users.

## Resources

**CTemplar comparison table vs Protonmail and Tutanota**
https://blog.ctemplar.com/ctemplar-comparison-table/
**CTemplar open source code of their webclient**
https://github.com/CTemplar/webclient
smnthermes commented 2020-02-01 16:09:26 +00:00 (Migrated from github.com)

[I don't think it should be recommended:](https://ctemplar.com/ddos-cdns-sri/)

> For example, if CTemplar receives a DDOS attack that we are not able to handle, we will switch to using Cloudflare.
5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-04 19:18:08 +00:00 (Migrated from github.com)

> [I don't think it should be recommended:](https://ctemplar.com/ddos-cdns-sri/)
>
> > For example, if CTemplar receives a DDOS attack that we are not able to handle, we will switch to using Cloudflare.

I think they mean they would temporarily use Cloudflare services to stop the attack. I'll send them an e-mail asking about this and other things I want to ask them. Still, their service is excellent in almost every sense; I don't think this is reason enough to not recommend them.

Here's a comparison chart that they provide on their website (comparing themselves against Protonmail, Tutanota, Hushmail and Gmail) for more details. I think they totally deserve to be listed.
MystesofEternity commented 2020-02-07 05:44:54 +00:00 (Migrated from github.com)

> [I don't think it should be recommended:](https://ctemplar.com/ddos-cdns-sri/)
>
> > For example, if CTemplar receives a DDOS attack that we are not able to handle, we will switch to using Cloudflare.

I'm not sure if there should be big worries about this, given the fact that this scenario wouldn't be actively happening 24/7. Besides, if one really worries about interception when transmitting emails, then their password-encrypted email functionality can be used.
5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-07 13:58:02 +00:00 (Migrated from github.com)

> > [I don't think it should be recommended:](https://ctemplar.com/ddos-cdns-sri/)
> >
> > > For example, if CTemplar receives a DDOS attack that we are not able to handle, we will switch to using Cloudflare.
>
> I'm not sure if there should be big worries about this, given the fact that this scenario wouldn't be actively happening 24/7. Besides, if one really worries about interception when transmitting emails, then their password-encrypted email functionality can be used.

Also, I doubt you will be able to use their service during a DDOS attack, therefore it's not like Cloudflare can have some relevant information about you.
MystesofEternity commented 2020-02-08 12:19:16 +00:00 (Migrated from github.com)

@Mikaela Could you please give specifics about the "research required" label? Are there criteria being judged against in order to decide whether or not this particular email provider passes the standards established by privacytoolsIO?
5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-08 13:31:36 +00:00 (Migrated from github.com)

@MystesofEternity I think most of the important part which is under the PTio criteria is described in their comparative chart [here](https://ctemplar.com/ctemplar-comparison-table/). And I'm pretty sure they pass the criteria.
fm commented 2020-02-08 14:25:46 +00:00 (Migrated from github.com)

The new (draft) criteria can be found [here](https://deploy-preview-1672--privacytools-io.netlify.com/providers/email/#criteria).

They don't have DANE, and they're not registered on EFF's STARTTLS-Everywhere list. They also need to publish a plan to deprecate TLS 1.0 and 1.1 on mail.ctemplar.com; they still accept them, and the mail server doesn't enforce cipher suite preferences.

Also, no public-facing leadership or ownership on the website. You need to go to the GitHub repo to see they're a group of Pakistani nationals that own a web dev agency.

Lastly, trust. How much does the community trust them, not just one person, but as a consensus?
5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-08 23:38:55 +00:00 (Migrated from github.com)

> The new (draft) criteria can be found [here](https://deploy-preview-1672--privacytools-io.netlify.com/providers/email/#criteria).
>
> They don't have DANE, and they're not registered on EFF's STARTTLS-Everywhere list. They also need to publish a plan to deprecate TLS 1.0 and 1.1 on mail.ctemplar.com; they still accept them, and the mail server doesn't enforce cipher suite preferences.

Fair enough, I think this can be worked out. I'll try to communicate with them to see if it would be too difficult to do this.

> Also, no public-facing leadership or ownership on the website. You need to go to the GitHub repo to see they're a group of Pakistani nationals that own a web dev agency.

Ehh, what's the problem with them being Pakistani people? I haven't seen anything on their GH profiles that makes me think that they are nationalists.
fm commented 2020-02-08 23:41:16 +00:00 (Migrated from github.com)

Didn't say Nationalist, I said National.

**national** - _noun_: a citizen of a particular country, typically entitled to hold that country's passport.
"a German national"
Mikaela commented 2020-02-10 17:04:21 +00:00 (Migrated from github.com)

> Could you please give specifics about the "research required" label.

I don't know, I hope https://github.com/privacytoolsIO/privacytools.io/issues/977 will enlighten me on it and I guess I will be commenting there.
ghost commented 2020-02-11 21:25:04 +00:00 (Migrated from github.com)

The whole company just screams untrustworthy. Offshore company in Seychelles talking about Icelandic privacy because they rented a (virtual private?) server from Orange Website, while they are actually Pakistanis with an address in Islamabad. What's stopping Pakistani authorities from coercing the founders?

Source: https://aretesol.com/portfolio-2/
Godfry commented 2020-02-11 22:51:44 +00:00 (Migrated from github.com)

I am the owner of CTemplar and I am a white male who resides in the USA. Yes, I hired a developer from Pakistan. I have also hired developers from Africa, Ukraine, France and South America. I pick developers based on the quality of their code; I do not select developers based on the color of their skin or their nationality. I will continue to hire developers based on their skill, without thought of their skin color.

My company was formed in Seychelles with servers in Iceland, exactly like Orangewebsite.com and flokinet.is. These are strong locations.

I made the planning decision to switch to Cloudflare during DDOS attacks because I felt people need access to their email at all times. However, after all the booters were taken offline I have not noticed any serious DDOS attacks. Please do not view this statement as a challenge to DDOS my site; I am just sharing this for informational purposes. I would be happy to revise my company's policy to not switch to Cloudflare during heavy attacks.

-> If you review our technical specs at this link, you'll see DANE, TLS-RPT and MTA-STS are implemented; this should be reflected once the report is refreshed: https://www.hardenize.com/report/ctemplar.com/1581171498

-> If you review the two links below you'll see we are at 85% and Protonmail is at 72%. I am not sharing this to slander PM; they are an excellent firm in every regard. I am giving this as a reference point.
https://internet.nl/mail/ctemplar.com/320238/
https://internet.nl/mail/protonmail.com/320240/

-> We plan on publishing our F-Droid Android app on March 2nd.

Please contact me with questions or concerns.
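The DANE, MTA-STS, TLS-RPT and TLS-version points raised by fm above, and answered in the owner's reply with links to third-party scanner reports, are claims a reader can verify against a domain's own DNS answers and policy file rather than take on faith. The Python below is an added example written for this page; it is not CTemplar's code, not part of the issue thread, and not the privacytools.io criteria checker. Everything it consumes is constructed inline: the domain `example-mail.test`, its MX, TLSA and TXT answers, the MTA-STS policy body and the table of accepted TLS versions are placeholders, not CTemplar's real records, so the script runs with no network access.

```python
import re
from dataclasses import dataclass

# Constructed DNS answers for a hypothetical domain, keyed by (owner name, rrtype).
# A real check would fetch these through a DNSSEC-validating resolver.
SAMPLE_DNS = {
    ("example-mail.test", "MX"): ["mail.example-mail.test."],
    ("_25._tcp.mail.example-mail.test", "TLSA"): [
        "3 1 1 " + "00112233445566778899aabbccddeeff" * 2,  # placeholder SPKI SHA-256
    ],
    ("_mta-sts.example-mail.test", "TXT"): ["v=STSv1; id=20200211T000000;"],
    ("_smtp._tls.example-mail.test", "TXT"): [
        "v=TLSRPTv1; rua=mailto:tls-rpt@example-mail.test",
    ],
}

# Constructed body of https://mta-sts.example-mail.test/.well-known/mta-sts.txt
SAMPLE_MTA_STS_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example-mail.test\nmax_age: 604800\n"

# Constructed handshake probe result: which protocol versions the MX accepted.
SAMPLE_TLS_ACCEPTED = {"SSLv3": False, "TLSv1.0": True, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": False}


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def tlsa_record_usable(record: str) -> bool:
    """Syntax check of TLSA RDATA "usage selector mtype hexdata" (RFC 6698):
    SHA-256 data must be 64 hex chars, SHA-512 128, full data (mtype 0) even length."""
    m = re.fullmatch(r"([0-3]) ([01]) ([0-2]) ([0-9a-fA-F]+)", record.strip())
    if not m:
        return False
    mtype, data = int(m.group(3)), m.group(4)
    expected = {1: 64, 2: 128}.get(mtype)
    return len(data) == expected if expected else len(data) % 2 == 0


def parse_mta_sts_policy(body: str) -> dict:
    """Parse an RFC 8461 policy file; the repeatable 'mx' key collects into a list."""
    policy = {"mx": []}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    return policy


def mx_matches_policy(mx_host: str, policy_mx: list) -> bool:
    """RFC 8461 mx patterns: exact host, or '*.' matching exactly one leading label."""
    host = mx_host.rstrip(".").lower()
    for pattern in (p.lower() for p in policy_mx):
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example-mail.test"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def evaluate_domain(domain, dns, policy_body, tls_accepted, dnssec_validated=True):
    """Return one Finding per check. DANE only counts when the TLSA RRsets were
    DNSSEC-validated (RFC 7672); unsigned TLSA records give no downgrade protection."""
    findings = []
    mx_hosts = dns.get((domain, "MX"), [])
    if not mx_hosts:
        return [Finding("MX", False, "no MX records")]

    for mx in mx_hosts:
        tlsa = dns.get((f"_25._tcp.{mx.rstrip('.')}", "TLSA"), [])
        usable = [r for r in tlsa if tlsa_record_usable(r)]
        findings.append(Finding("DANE", bool(usable) and dnssec_validated,
                                f"{mx}: {len(usable)} usable TLSA, dnssec={dnssec_validated}"))

    txt = dns.get((f"_mta-sts.{domain}", "TXT"), [])
    txt_ok = any(re.fullmatch(r"v=STSv1;\s*id=[A-Za-z0-9]{1,32};?\s*", r) for r in txt)
    findings.append(Finding("MTA-STS TXT", txt_ok, txt[0] if txt else "missing"))

    policy = parse_mta_sts_policy(policy_body)
    policy_ok = (policy.get("version") == "STSv1" and policy.get("mode") == "enforce"
                 and policy.get("max_age", "").isdigit() and int(policy["max_age"]) > 0
                 and all(mx_matches_policy(mx, policy["mx"]) for mx in mx_hosts))
    findings.append(Finding("MTA-STS policy", policy_ok, f"mode={policy.get('mode')} mx={policy['mx']}"))

    rpt = dns.get((f"_smtp._tls.{domain}", "TXT"), [])
    rpt_ok = any(re.match(r"v=TLSRPTv1;\s*rua=(mailto:|https://)\S+", r) for r in rpt)
    findings.append(Finding("TLS-RPT", rpt_ok, rpt[0] if rpt else "missing"))

    # RFC 8996 deprecates TLS 1.0 and 1.1; SSLv3 has been prohibited since RFC 7568.
    legacy = sorted(v for v in ("SSLv3", "TLSv1.0", "TLSv1.1") if tls_accepted.get(v))
    findings.append(Finding("TLS versions", not legacy,
                            "accepts legacy " + ", ".join(legacy) if legacy else "TLS 1.2+ only"))
    return findings


def summarize(findings):
    """Collapse findings to {check: ok}; a check with several MX hosts passes only if all do."""
    out = {}
    for f in findings:
        out[f.check] = out.get(f.check, True) and f.ok
    return out


if __name__ == "__main__":
    for f in evaluate_domain("example-mail.test", SAMPLE_DNS, SAMPLE_MTA_STS_POLICY, SAMPLE_TLS_ACCEPTED):
        print(f"[{'PASS' if f.ok else 'FAIL'}] {f.check}: {f.detail}")
```

Run as a script it prints one PASS/FAIL line per check; with the constructed inputs the domain passes DANE, MTA-STS and TLS-RPT but fails the TLS-versions check because the probe shows TLS 1.0 and 1.1 still accepted, which is exactly the state fm describes. To use it for real, replace the constructed answers with those from a DNSSEC-validating resolver and fetch the policy over HTTPS from `mta-sts.<domain>`. The `dnssec_validated` flag is not decoration: TLSA records that did not arrive authenticated can be stripped by an on-path attacker, so the example refuses to count unsigned DANE as a pass.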
blacklight447 commented 2020-02-12 05:52:42 +00:00 (Migrated from github.com)

I recall that when CTemplar started, it turned out to be a bit of a rough start. That was because its marketing material consisted mostly of pieces which were trying to hit on Protonmail, and how CTemplar was better. Then those articles were quickly removed; care to expand a bit on that?
5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-12 18:36:52 +00:00 (Migrated from github.com)

> I am the owner of CTemplar and I am a white male who resides in the USA. Yes, I hired a developer from Pakistan. I have also hired developers from Africa, Ukraine, France and South America. I pick developers based on the quality of their code; I do not select developers based on the color of their skin or their nationality. I will continue to hire developers based on their skill, without thought of their skin color.
>
> My company was formed in Seychelles with servers in Iceland, exactly like Orangewebsite.com and flokinet.is. These are strong locations.
>
> I made the planning decision to switch to Cloudflare during DDOS attacks because I felt people need access to their email at all times. However, after all the booters were taken offline I have not noticed any serious DDOS attacks. Please do not view this statement as a challenge to DDOS my site; I am just sharing this for informational purposes. I would be happy to revise my company's policy to not switch to Cloudflare during heavy attacks.
>
> -> If you review our technical specs at this link, you'll see DANE, TLS-RPT and MTA-STS are implemented; this should be reflected once the report is refreshed: https://www.hardenize.com/report/ctemplar.com/1581171498
>
> -> If you review the two links below you'll see we are at 85% and Protonmail is at 72%. I am not sharing this to slander PM; they are an excellent firm in every regard. I am giving this as a reference point.
> https://internet.nl/mail/ctemplar.com/320238/
> https://internet.nl/mail/protonmail.com/320240/
>
> -> We plan on publishing our F-Droid Android app on March 2nd.
>
> Please contact me with questions or concerns.

I have sent you an e-mail with more questions and you (or someone from your staff) told me something along the lines of "we will answer you briefly". Would you care to answer those questions?
Godfry commented 2020-02-12 23:05:47 +00:00 (Migrated from github.com)

> I recall that when CTemplar started, it turned out to be a bit of a rough start. That was because its marketing material consisted mostly of pieces which were trying to hit on Protonmail, and how CTemplar was better. Then those articles were quickly removed; care to expand a bit on that?

A company is composed of people who perform different roles. It is my job to find the best person to perform each type of task. I have no experience with marketing so I hired someone to do it for me. I gave that person authority to execute their ideas. After implementing this person's ideas I realized it was a mistake, I picked the wrong person for the job, so I removed this person and removed their implemented marketing strategy. I had someone message PM an apology on Twitter; they accepted the apology via Twitter (direct message). Since then we have acknowledged Protonmail's contribution to the security and privacy ecosystem. You can read about it on our blog: https://ctemplar.com/ctemplar-recognizes-openpgpjs/. Personally, I feel they offer a wonderful service and they're run by very qualified and capable people. We are not enemies. We are all on the same team trying to fight against the assault on people's freedoms. The past marketing was a mistake, we apologized, and we posted truths about them. I cannot change the past, but I can change how things are in the present, and in the future.
Godfry commented 2020-02-12 23:43:57 +00:00 (Migrated from github.com)

> I have sent you an e-mail with more questions and you (or someone from your staff) told me something along the lines of "we will answer you briefly". Would you care to answer those questions?

Yes of course, thank you for your patience. Please review this and let me know if you have any other questions.

Question: Who owns the company/organization? What percentage does each owner hold? (December 31 of prior year and current date)
Response: I have owned 100% of this company since its creation.

Question: Have you changed how information is processed and shared in the last year?
Response: We have not changed how any information was processed or shared.

Question: Do you share data – even "fuzzed" or "anonymized" data – with any of the owners/shareholders or any other company or organization server?
Response: I am the only shareholder, only owner and control all the voting rights. I don't retain or share any information whatsoever. The idea of sharing others' information, even fuzzed or anonymized, is repulsive to me. That's why I created this company.

Question: Which components of your service are not open source? Where can we find the code for the open-source components?
Response: Our front end code resides here - https://github.com/CTemplar/webclient. The back end is not open source. This is what almost every other service does, I think. If both our front and back end were made available, then someone could create perfect clones of the service. Our back end code has no access to e2ee emails; it is 'blind and dumb' to what happens in the users' browsers.

Question: Have you had any independent audits in the last three years? Please share the dates of those audits and audit reports.
Response: We have had two independent audits done at launch. I'll have to look for those.

Question: If you require sign-up or account creation, do consumers have easy access to tools to delete their data? Can they delete everything on the servers or just the local cache?
Response: Yes. Users can delete everything instantly; no backups are kept of anything that's deleted. If a user deletes their account, it is deleted instantly.

Question: Is there a way for consumers to view any information you have collected about them?
Response: We collect nothing, and when a person signs out of their inbox, all records and data of their visit are purged from our system. They are shown a screen telling them all their usage data is deleted every time they exit their inbox.

Question: What is your business model? How do you fund operations and make money?
Response: CTemplar's business model is offering paid accounts. We will never accept any donations, grants or investment from any outside source. I can prove this by making my company's shareholder corporate data available. But I won't be posting that publicly and I will require a signed NDA.

Question: Do you offer a transparency report?
Response: Yes, it's here: https://ctemplar.com/transparency-report-ctemplar/

Question: How is data secured (in transit and at rest)?
Response: In transit we use the latest encryption methods with a reasonable balance between security and compatibility. For CT to CT we apply PGP encryption on top.

Question: Who has access to customer data?
Response: The CC payment processor has access to users' payment information. Necessary developers have access to customers' encrypted data so they can do their job.

Question: What 3rd parties have access to customer data?
Response: Our payment processor has access to people's payment information if they pay with a credit/debit card. No other 3rd parties have access to any customer data whatsoever.

Question: What processes do you have in place if there is unauthorized access to data?
Response: Users' data is encrypted when sent/recorded on the server. If there is unauthorized access they will only be able to obtain encrypted content. We will be supporting E2EE encrypted metadata within the next few months also.

Question: What customer data is collected, how often, and in what level of identification?
Response: When you visit our website, your browser sends us your user-agent and IP address. When you leave our site, no records are kept of your IP address with an association with your account. The IPs might be stored anonymously for up to seven days if it is required to defend against attacks. If you visit using our Onion site, then your real IP address is not seen.

Question: Will changes to your Terms & Conditions and privacy policies be communicated to end users at least 30 days in advance of any changes? How will these changes be communicated?
Response: We will announce changes to our PP and ToS by posting them on Reddit/Twitter/Facebook. I am happy to do it in other ways also.

Question: Do you plan on making your software available on F-Droid? If not, why?
Response: Yes, we will make it available on F-Droid on March 2nd. We will be officially launching both the iOS and Android apps at the same time. Both the Android and iOS apps will be open source on GitHub.

Question: Another user commented on the issue about this entry from your blog (https://ctemplar.com/ddos-cdns-sri/) where you state that you will end up using Cloudflare services if you can't handle a DDoS attack. Will you be using your regular service after the attack finishes? Are you planning on implementing something to not depend on Cloudflare?
Response: We decided to remove that policy today; we will handle all DDOS attacks ourselves. We will never use Cloudflare or any CDNs in any situation.
5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-13 04:49:49 +00:00 (Migrated from github.com)

> Yes of course, thank you for your patience. Please review this and let me know if you have any other questions

Don't worry, I understand you have a lot of other things to attend to. By the way, is it better if I file an issue on GH or send you an e-mail about troubleshooting? I have had a weird problem with your service lately.

> Question: Do you share data – even “fuzzed” or “anonymized” data – with any of the owners/shareholders or any other company or organization server?
> Response: I am the only shareholder, only owner and control all the voting rights. I don’t retain or share any information whatsoever. The idea of sharing others' information, even fuzzed or anonymized, is repulsive to me. That’s why I created this company.

You do use ajax.googleapis, fonts.googleapis and gstatic. Do they not collect any kind of information? Would you be willing to change their services for an open-source alternative (awesome fork or awesome fonts) or even better hosting all your icons and/or fonts on your own?

> Question: Which components of your service are not open source? Where can we find the code for the open-source components?
> Response: Our front end code resides here - https://github.com/CTemplar/webclient. The back end is not open source. This is what most every other service does I think.

Yeah, pretty much, and anyway it can't be proven that what's hosted is the same as what's on GitHub.

> Question: Have you had any independent audits in the last three years? Please share the dates of those audits and audit reports.
> Response: We have had two independent audits done at launch. I’ll have to look for those.

Please provide URLs to these when you have time, it would be great to see them!

> Question: What is your business model? How do you fund operations and make money?
> Response: CTemplar’s business model is offering paid accounts. We will never accept any donations, grants or investment from any outside source. I can prove this by making my company's shareholder corporate data available. But I won't be posting that publicly and I will require a signed NDA.

I don't think this is necessary, and if anything, the staff are the ones who may be interested in seeing it, but I don't know.

> Question: Who has access to customer data?
> Response: The CC payment processor has access to users' payment information. Necessary developers have access to customers' encrypted data so they can do their job.

So you do share some data with 3rd parties? Please don't take it badly, I'm just trying to provide some honest feedback, I really love your service!

> Question: What customer data is collected, how often, and in what level of identification?
> The IPs might be stored anonymously for up to seven days if it is required to defend against attacks.

What does it mean that the IPs are stored anonymously? How do you anonymize them? Will you log the IPs of all your customers under such circumstances or just the ones of suspected attackers?

> Question: Do you plan on making your software available on F-droid? If not, why?
> Response: Yes, we will make it available on F-droid on March 2nd. We will be officially launching both the iOS and Android apps at the same time. Both the Android and iOS apps will be open source on github.

Really good to hear this, cheers!

---

I think the only thing you still need to meet PTio criteria is to be registered under EFF's STARTTLS-Everywhere list, if you have already deprecated TLS 1.0 and 1.1. Then I guess it's just a bit of time until they can modify the website.

5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-13 05:07:45 +00:00 (Migrated from github.com)

Here you will find the criteria to list e-mail providers in case you want to check it with your team:

https://deploy-preview-1672--privacytools-io.netlify.com/providers/email/

dngray commented 2020-02-13 08:27:58 +00:00 (Migrated from github.com)

> If you review our technical specs by clicking this link, DANE, TLS-RPT and MTA-STS are implemented and should be reflected if this report is refreshed. https://www.hardenize.com/report/ctemplar.com/1581171498

I've refreshed it now as I have an account with Hardenize.

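The DANE, TLS-RPT and MTA-STS checks that a Hardenize report performs can be reproduced offline against the DNS records and the policy text. The following is an added example and not code from CTemplar or from Hardenize: it validates an `_mta-sts` TXT record, an MTA-STS policy file, a `_smtp._tls` TLSRPT record and an SMTP TLSA record against the formats in RFC 8461, RFC 8460 and RFC 7672. The sample records are constructed for a fictitious domain (`mail.example`); the real `ctemplar.com` values are not reproduced here.

```python
import re

STS_ID = re.compile(r"^[A-Za-z0-9]{1,32}$")   # RFC 8461: id = 1*32(ALPHA / DIGIT)
MAX_AGE_LIMIT = 31_557_600                     # RFC 8461 caps max_age at one year
HEX_LEN = {0: None, 1: 64, 2: 128}             # TLSA matching type -> hex digest length

def _tag_fields(txt: str) -> dict:
    """Split 'k=v; k=v' TXT content into a dict (MTA-STS and TLSRPT share the syntax)."""
    fields = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def parse_mta_sts_txt(txt: str) -> dict:
    """Validate the _mta-sts.<domain> TXT record: 'v=STSv1; id=<token>'."""
    fields = _tag_fields(txt)
    if fields.get("v") != "STSv1":
        raise ValueError("MTA-STS record must carry v=STSv1")
    if not STS_ID.match(fields.get("id", "")):
        raise ValueError("MTA-STS id must be 1-32 alphanumeric characters")
    return fields

def parse_mta_sts_policy(text: str) -> dict:
    """Validate the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)   # one line per permitted MX host pattern
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer no larger than 31557600")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an enforce/testing policy needs at least one mx line")
    return policy

def mx_matches(pattern: str, mx_host: str) -> bool:
    """mx patterns are an exact host, or '*.' plus a suffix that matches one leading label."""
    pattern, mx_host = pattern.lower().rstrip("."), mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = mx_host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == mx_host

def parse_tlsrpt_txt(txt: str) -> list:
    """Validate the _smtp._tls.<domain> TXT record and return its reporting URIs."""
    fields = _tag_fields(txt)
    if fields.get("v") != "TLSRPTv1":
        raise ValueError("TLSRPT record must carry v=TLSRPTv1")
    uris = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not uris or not all(u.startswith(("mailto:", "https://")) for u in uris):
        raise ValueError("rua must list one or more mailto: or https: URIs")
    return uris

def parse_tlsa(rdata: str) -> dict:
    """Validate a _25._tcp.<mx> TLSA record under the SMTP rules of RFC 7672."""
    usage, selector, mtype, data = rdata.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    data = data.replace(" ", "").lower()
    if usage not in (2, 3):   # PKIX-TA(0) and PKIX-EE(1) are unusable for SMTP
        raise ValueError("SMTP DANE needs usage 2 (DANE-TA) or 3 (DANE-EE)")
    if selector not in (0, 1) or mtype not in HEX_LEN:
        raise ValueError("unknown selector or matching type")
    if (HEX_LEN[mtype] and len(data) != HEX_LEN[mtype]) or not re.fullmatch(r"[0-9a-f]+", data):
        raise ValueError("association data is not a hex digest of the right length")
    return {"usage": usage, "selector": selector, "matching_type": mtype, "data": data}

def rejects(parser, value) -> bool:
    """True when `parser` refuses `value` with ValueError (for the negative checks)."""
    try:
        parser(value)
    except ValueError:
        return True
    return False

# Constructed sample records for a fictitious domain, not CTemplar's actual DNS.
SAMPLE_STS_TXT = "v=STSv1; id=20200208T103000"
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mx1.mail.example\n"
                 "mx: *.backup.mail.example\nmax_age: 604800\n")
SAMPLE_TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@mail.example"
SAMPLE_TLSA = "3 1 1 " + "ab" * 32
```

Two points a report like Hardenize's will flag and this code mirrors: an MTA-STS policy in `testing` mode does not protect anything yet, and a TLSA record with PKIX usage 0 or 1 is ignored by SMTP clients even though it looks like "DANE is configured".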
dngray commented 2020-02-15 09:51:38 +00:00 (Migrated from github.com)

@Godfry what's the likelihood of [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) on that google fonts usage?

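What Subresource Integrity would buy here, shown as an added example (not CTemplar's code): a build step computes the `integrity` value for the exact bytes of a stylesheet, and the verify function mirrors what the browser does on fetch. The CSS content is constructed. One caveat worth knowing before asking any provider for this: Google Fonts serves different CSS depending on the requesting User-Agent, so there is no single hash to pin; SRI only becomes possible once the font files and their stylesheet are self-hosted.

```python
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # the only digests the SRI spec allows

def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity metadata value such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI permits only {SRI_ALGORITHMS}, not {algorithm!r}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def stylesheet_tag(href: str, content: bytes) -> str:
    """<link> element pinned to the exact bytes in `content`.

    crossorigin="anonymous" matters for anything not same-origin: without it the
    browser fetches in no-cors mode and cannot check the hash at all.
    """
    return (f'<link rel="stylesheet" href="{href}" '
            f'integrity="{sri_hash(content)}" crossorigin="anonymous">')

def verify_sri(content: bytes, integrity: str) -> bool:
    """What the browser does on fetch: recompute with the named digest and compare.

    On a mismatch the stylesheet is not applied (or the script not run), so a CDN
    or font host that swaps the file cannot inject anything into the page.
    """
    algorithm, _, _ = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(content, algorithm).encode(), integrity.encode())

# Constructed sample: a small self-hosted font stylesheet, not CTemplar's real CSS.
FONT_CSS = b"@font-face{font-family:'Demo';src:url('/fonts/demo.woff2') format('woff2');}"
TAMPERED_CSS = FONT_CSS + b"body{background:url('https://tracker.example/pixel.gif')}"

if __name__ == "__main__":
    pinned = sri_hash(FONT_CSS)
    print(stylesheet_tag("/static/fonts.css", FONT_CSS))
    print("original verifies:", verify_sri(FONT_CSS, pinned))     # True
    print("tampered verifies:", verify_sri(TAMPERED_CSS, pinned))  # False
```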
Godfry commented 2020-02-20 23:44:41 +00:00 (Migrated from github.com)

@dngray We will be getting rid of the google fonts expeditiously.

@5a384507-18ce-417c-bb55-d4dfcc8883fe

> You do use ajax.googleapis, fonts.googleapis and gstatic. Do they not collect any kind of information? Would you be willing to change their services for an open-source alternative (awesome fork or awesome fonts) or even better hosting all your icons and/or fonts on your own?

Those will all be removed immediately. Thanks for bringing that to my attention.

> So you do share some data with 3rd parties?

We share anonymous order numbers with our payment processor when needed to process refunds. We share no other information with any 3rd parties. We allow BTC and XMR also.

> What does it mean that the IPs are stored anonymously? How do you anonymize them? Will you log the IPs of all your customers under such circumstances or just the ones of suspected attackers?

Never at any time do we link any account to any IP address. There isn't a possibility for correlation. The IPs are stored in our logs for the minimum period of time we need to provide a stable service. These logs help to find harmful attack patterns and temporarily block the service. There is automatic pruning, without manual intervention under normal circumstances.
If we are attacked by someone who also uses our service we would have no way to know. And to be honest I don't care. My only goal is to maintain steady service.

We are waiting to be registered under EFF's STARTTLS-Everywhere list, and we have deprecated TLS 1.0 and 1.1.

Thank you for your comments and questions. Kind regards to you all,

dngray commented 2020-02-21 16:26:19 +00:00 (Migrated from github.com)

Hi,

Thanks for your in depth reply @Godfry. I am glad to see a provider striving to meet as many good practices as possible.

There were a few things that irked me though (marketing related):

> We use 4096 bit encryption. This protects users from current cryptography cracking techniques and future hypothetical attacks.

This implies RSA, public/private keypairs. We know that quantum computing will at some point in the future make public/private key cryptography that is not built to be post-quantum proof crackable.

Current literature on that topic suggests cracking this kind of encryption could be as early as 5 years away, but more conservative guesses put this at 10-15 years away.

The "and future hypothetical attacks" is not something you can realistically offer with your service.

Do you plan to support AutoCrypt? I think this kind of out of band key sharing can be useful.

Ed25519 keys are becoming much more popular these days for OpenPGP due to their size. Some evidence of this being:

- [Required as part of the AutoCrypt spec](https://autocrypt.org/level1.html#openpgp-based-key-data).
- [ProtonMail offers elliptic curve](https://protonmail.com/blog/elliptic-curve-cryptography/).
- [Part of the upcoming RFC4880bis](https://wiki.gnupg.org/rfc4880bis), [draft-koch-openpgp-rfc4880bis](https://datatracker.ietf.org/doc/draft-koch-openpgp-rfc4880bis/).
- Support in [YubiKey Firmware 5.2.3 (August 2019)](https://www.yubico.com/blog/whats-new-in-yubikey-firmware-5-2-3/).
- Already implemented in GnuPG when using the `future-default` keyword, i.e.

  ```
  gpg --quick-gen-key address@domain.example future-default
  ```

> 100% Anonymous

This is another assurance you can't really offer either. 100% means certainty without failure. The customer may very well compromise their own anonymity. Yes I know that wouldn't be *your fault*, but I would steer clear of making statements of certainty like that.

> We never track your IP address, keep logs on your usage or record any identifying information at any time. We prove this by making our code readily available

I think what you mean to say is that you don't personally collect the data and therefore cannot reveal it/be made to reveal it. I think it would be better to say that you allow anonymous usage.

> Encrypted subject

I found it rather strange that "encrypted subject" would be a paid feature. I assume as you use PGP, this would be compatible with [Enigmail](https://www.enigmail.net/index.php/en/user-manual/handbook-faq#How_can_I_encrypt_the_Subject.3F) or [neomutt](https://neomutt.org/guide/reference#crypt-protected-headers-subject). What I have also noticed is that there's a new standard being developed, [Protected Headers for Cryptographic E-mail](https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers).

> 4.2. Confidential Subject
>
> When a message is encrypted, the Subject should be obscured by
> replacing the Exposed Subject with three periods: "..."
>
> This value ("...") was chosen because it is believed to be language
> agnostic and avoids communicating any potentially misleading
> information to the recipient (see Section 7.1 for a more detailed
> discussion).

Currently there's no standard for what should be in the subject; for example Thunderbird by default uses "Encrypted Message" while neomutt defaults to "Encrypted subject" (can be changed with `:set crypt_protected_headers_subject`). This may reveal information about the language used by the author, and what email software they use, hence why they chose `...`.

Are you using this method or some other method?

I do feel this should be a feature available to all. This would benefit your paid customers too.

Eg. Alice might join your service and become a paying customer. She might tell Bob about it and he joins too. However, Bob has decided not to become a paying customer.

If Bob sends an email to Alice without encrypted subject (because it's not a feature available on free accounts), that actually isn't good for Alice, who is a paying customer.

Another question I had was: do you support [WKD](https://wiki.gnupg.org/WKD)/WKS?

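What the protected-headers scheme discussed above looks like on the wire, as an added example (not CTemplar's, Enigmail's or neomutt's code): the sender builds an inner MIME part that carries the real `Subject`, `From`, `To` and `Date` and is tagged `protected-headers="v1"` on its Content-Type, while the outer header section shows only routing headers and the language-agnostic `...`; the recipient, after decrypting, takes the protected values and flags any cleartext header that disagrees with them. The OpenPGP layer itself is out of scope here: `build_cryptographic_payload` returns the bytes that would go into it and `recover_protected_headers` receives the bytes that come out. The sample headers are constructed.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# draft-autocrypt-lamps-protected-headers section 4.2: the exposed Subject becomes
# three periods, chosen because they reveal neither language nor mail client.
OBSCURED_SUBJECT = "..."
PROTECTED = ("From", "To", "Cc", "Date", "Subject")   # copied into the encrypted part
ROUTING = ("From", "To", "Cc", "Date")                # still needed in clear by the MTA

def build_cryptographic_payload(headers: dict, body: str) -> bytes:
    """The MIME part that goes *inside* the encryption layer.

    It carries its own copy of the user-facing headers and marks itself with
    protected-headers="v1" so the receiving client knows to prefer them.
    """
    inner = EmailMessage(policy=policy.SMTP)
    for name in PROTECTED:
        if name in headers:
            inner[name] = headers[name]
    inner.set_content(body)
    inner.set_param("protected-headers", "v1")   # lands on Content-Type
    return inner.as_bytes()

def build_envelope(headers: dict) -> EmailMessage:
    """The cleartext outer header section: routing headers only, Subject obscured."""
    outer = EmailMessage(policy=policy.SMTP)
    for name in ROUTING:
        if name in headers:
            outer[name] = headers[name]
    outer["Subject"] = OBSCURED_SUBJECT
    return outer

def recover_protected_headers(outer: EmailMessage, decrypted_payload: bytes):
    """Receiver side, after decryption: prefer protected values, report disagreements.

    Returns (headers, mismatches). A mismatch on From/To/Date means the cleartext
    header was changed in transit or the sender spoofed it; the client should warn.
    """
    inner = BytesParser(policy=policy.SMTP).parsebytes(decrypted_payload)
    if inner.get_param("protected-headers") != "v1":
        # Legacy message without protected headers: the envelope is all we have.
        return {n: str(outer[n]) for n in PROTECTED if outer[n] is not None}, []
    headers, mismatches = {}, []
    for name in PROTECTED:
        inner_value, outer_value = inner[name], outer[name]
        if inner_value is not None:
            headers[name] = str(inner_value)
            if outer_value is not None and str(outer_value) != str(inner_value):
                # The obscured Subject is expected to differ; anything else is suspicious.
                if not (name == "Subject" and str(outer_value) == OBSCURED_SUBJECT):
                    mismatches.append(name)
        elif outer_value is not None:
            headers[name] = str(outer_value)
    return headers, mismatches

# Constructed sample message, not real CTemplar traffic.
SAMPLE_HEADERS = {
    "From": "Alice <alice@mail.example>",
    "To": "Bob <bob@mail.example>",
    "Date": "Fri, 21 Feb 2020 16:26:19 +0000",
    "Subject": "Quarterly security review",
}
```

The `***` placeholder mentioned later in the thread would work mechanically with the same structure; the point of `...` is only that every compliant client sends the identical string, so the exposed subject carries no fingerprint.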
MystesofEternity commented 2020-02-24 09:51:04 +00:00 (Migrated from github.com)

@Godfry Greetings! First of all, thank you for offering such a wonderful email service and alternative to Protonmail.

Today, I just realized that CTemplar's 2FA security feature gives no backup codes and that worries me... a lot, thanks to having lost a couple of important accounts to a 2FA disaster before and not being vigilant enough to keep backup codes.

Because of that, I've strictly kept backup codes for every single 2FA activated account that I have to this day.

Are there any plans to improve this feature so that it provides backup codes just like how other services do?

5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-24 13:27:29 +00:00 (Migrated from github.com)

@MystesofEternity I think this is probably either a bug or maybe the devs implemented something wrong. It is more appropriate to file an issue on their GitHub repository rather than asking the owner, who is not in charge of programming.

dngray commented 2020-02-24 15:12:21 +00:00 (Migrated from github.com)

@MystesofEternity please contact them directly for support issues, we want to keep this one about tracking related to privacytools.io

MystesofEternity commented 2020-02-27 04:37:19 +00:00 (Migrated from github.com)

@dngray oh right, thanks for the heads' up about that.

Godfry commented 2020-03-02 18:12:34 +00:00 (Migrated from github.com)

@dngray

> There were a few things that irked me

I apologize if my website's marketing upset you. I can't change the past but I can change the wording going forward. I'm sure many people share your same thoughts so this is an opportunity to improve things for everyone.

> The "and future hypothetical attacks" is not something you can realistically offer with your service.

This was in reference to supercomputers' current ability to break RSA encryption. 4096 bit encryption gives greater future protection against supercomputer attacks in the future. If you still feel the wording should be changed I would be happy to change it.

> We never track your IP address, keep logs on your usage or record any identifying information at any time. We prove this by making our code readily available. I think what you mean to say is that you don't personally collect the data and therefore cannot reveal it/be made to reveal it. I think it would be better to say that you allow anonymous usage.

Point well taken, I’ll update our wording to reflect your comments. Thank you.

> I assume as you use PGP, this would be compatible with Enigmail or neomutt. What I have noticed in this there's a new standard being developed Protected Headers for Cryptographic E-mail.

Yes we use PGP. I’m not sure if we’re currently compatible with Enigmail or neomutt but I’ll start looking into it. Thank you for showing me the development in protected headers, I’ll follow that closely and implement it if it makes sense.

> Do you plan to support AutoCrypt? I think this kind of out of band key sharing can be useful.

Yes we do plan to support AutoCrypt but I don’t have any idea when we’ll get to it.

> 100% Anonymous. This is another assurance you can't really offer either. 100% means certainty without failure. The customer may very well compromise their own anonymity. Yes I know that wouldn't be your fault, but I would steer clear of making statements of certainty like that.

Thanks for this suggestion, I agree with your comment and we’ll update our wording.

> Currently there's no standard what should be in the subject, for example Thunderbird by default uses "Encrypted Message" while neomutt defaults to "Encrypted subject" (can be changed with `:set crypt_protected_headers_subject`). This may reveal information about the language used by the author, and what email software they use, hence why they chose `...`. Are you using this method or some other method?

We are currently showing `***` for obfuscation because this is what is used for obfuscation for passwords as well. We have no problem switching to using `...` if it seems the better decision.

> Another question I had was do you support WKD/WKS.

We don't currently support WKD/WKS but it's on our development schedule.

I appreciate your comments and you'll see these changes reflected on the website when we do our next website update.

Kind Regards,
Godfrey

Godfry commented 2020-03-02 19:01:31 +00:00 (Migrated from github.com)

@MystesofEternity
I've added your suggestion to our development schedule, it's a good suggestion.

Godfry commented 2020-03-03 05:17:17 +00:00 (Migrated from github.com)

@dngray
One more thing. If my website should be approved by privacytools.io then I request that it be at the bottom of the list of email services.

I think of the secure email services like soldiers in a military unit. Each is competitive against the others to better each other, but when the real enemy arrives they stand united, each holding their shield to protect themselves and the person next to them. For example some secure email services like PM or Tuta fight legal and cultural battles that other services like mine benefit from. To continue the analogy, if a soldier is taken down (like Lavabit), there are others who can maintain the defense.
This analogy helps convey why I believe this industry benefits from several capable services who compete but stand together. However I also want to show honor and respect for the other email services and being put at the bottom of the list helps to convey that. Of course this is all contingent on being approved.

Kind Regards,
Godfrey

dngray commented 2020-03-03 11:39:48 +00:00 (Migrated from github.com)

> > There were a few things that irked me
>
> I apologize if my website's marketing upset you. I can't change the past but I can change the wording going forward. I'm sure many people share your same thoughts so this is an opportunity to improve things for everyone.

No problem. Sometimes misfires happen that we can reflect on later.

> > The "and future hypothetical attacks" is not something you can realistically offer with your service.
>
> This was in reference to supercomputers' current ability to break RSA encryption. 4096 bit encryption gives greater future protection against supercomputer attacks in the future. If you still feel the wording should be changed I would be happy to change it.

I figured as much that was referring to a classical computing context. Personally I'd just omit the "and future hypothetical attacks". It's impossible to really know what the future will be and whether or not such current cryptography will be entirely useful if some major breakthrough occurs.

The statement in itself implies certainty that you know that it *will* be sufficient in *all* cases. I'd probably word it like this, sidestepping the whole thing about current vs future.

*"We use 4096 bit RSA encryption. This ensures the confidentiality of your messages."*

> > I assume as you use PGP, this would be compatible with Enigmail or neomutt. What I have noticed in this there's a new standard being developed [Protected Headers for Cryptographic E-mail](https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers).
>
> Yes we use PGP. I’m not sure if we’re currently compatible with Enigmail or neomutt but I’ll start looking into it. Thank you for showing me the development in protected headers, I’ll follow that closely and implement it if it makes sense.

The method that Enigmail/Neomutt uses seems to be the same. It seems it was not part of the AutoCrypt spec, however the RFC Protected Headers for Cryptographic E-mail does seem to be drafted by the AutoCrypt group.

> > Do you plan to support AutoCrypt? I think this kind of out of band key sharing can be useful.
>
> Yes we do plan to support AutoCrypt but I don’t have any idea when we’ll get to it.

I did notice this:

My guess is it would have something to do with the warning that Posteo gave on the bottom of their announcement: "Security recommendations for implementing Autocrypt".

> > Currently there's no standard what should be in the subject, for example Thunderbird by default uses "Encrypted Message" while neomutt defaults to "Encrypted subject" (can be changed with `:set crypt_protected_headers_subject`). This may reveal information about the language used by the author, and what email software they use, hence why they chose `...`. Are you using this method or some other method?
>
> We are currently showing `***` for obfuscation because this is what is used for obfuscation for passwords as well. We have no problem switching to using `...` if it seems the better decision.

Yes I'd use `...` as that's what is defined in the specification, though there is more to it than just that. It would also be good to see CTemplar listed on the implementation status page, if/when you get it complete.

> > Another question I had was do you support WKD/WKS.
>
> We don't currently support WKD/WKS but it's on our development schedule.

Excellent!

> I appreciate your comments and you'll see these changes reflected on the website when we do our next website update

Awesome.

> @dngray
> One more thing. If my website should be approved by privacytools.io then I request that it be at the bottom of the list of email services.

The initial ordering was based on coverage of the criteria. We had then decided to just add new ones as they come along. That being said, there had been some suggestion of using alphabetical ordering to be more fair.

> Of course this is all contingent on being approved.

After the few marketing related things you mentioned above I don't see anything standing in the way.

> > There were a few things that irked me > > I apologize if my website's marketing upset you. I can't change the past but I can change the wording going forward. I'm sure many people share your same thoughts so this is an opportunity to improve things for everyone. No problem. Sometimes missfires happen that we can reflect on later. > > The "and future hypothetical attacks" is not something you can realistically offer with your service. > > This was in reference to supercomputers' current ability to break RSA encryption. 4096 bit encryption gives greater future protection against supercomputer attacks in the future. If you still feel the wording should be changed I would be happy to change it. I figured as much that was referring to a classical computing context. Personally I'd just omit the "and future hypothetical attacks". It's impossible to really know what the future will be and whether or not such current cryptography will be entirely useful if some major breakthrough occurs. The statement in itself infers certainty that you know that it *will* be sufficient in *all* cases. I'd probably word it like this sidestepping the whole thing about current vs future. *"We use 4096 bit RSA encryption. This ensures the confidentiality of your messages."* > > I assume as you use PGP, this would be compatible with Engimail or neomutt. What I have noticed in this there's a new standard being developed [Protected Headers for Cryptographic E-mail](https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers). > > Yes we use PGP. I’m not sure if we’re currently compatible with Engimail or neomutt but I’ll start looking into it. Thank you for showing me the development in protected headers, I’ll follow that closely and implement it if it makes sense. > The method that Enigmail/Neomutt uses seems to be the same. 
It seems it was not part of the [AutoCrypt](https://autocrypt.org/level1.html) spec, however the RFC [Protected Headers for Cryptographic E-mail](https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers) does seem to be drafted by [AutoCrypt group](https://github.com/autocrypt/protected-headers). > > Do you plan to support AutoCrypt? I think this kind of out of band key sharing can be useful. > > Yes we do plan to support AutoCrypt but I don’t have any idea when we’ll get to it. I did notice this: - [Tutanota also has it on their roadmap (Tutanota)](https://github.com/tutao/tutanota/issues/198) - [from /u/ProtonMail on /r/ProtonMail](https://reddit.com/comments/8dqk5n/comment/dxpjpbb/) they do mention "has significant security weaknesses and therefore we don’t feel it’s ready for implementation", but don't elaborate. My guess is it would have something to do with the warning that Posteo gave on the bottom of their announcement: "Security recommendations for implementing Autocrypt". - [New: Easy email encryption with Autocrypt and OpenPGP header (Posteo)](https://posteo.de/en/blog/new-easy-email-encryption-with-autocrypt-and-openpgp-header) > > Currently there's no standard what should be in the subject, for example Thunderbird by default uses "Encrypted Message" while neomutt defaults to "Encrypted subject" (can be changed with :set crypt_protected_headers_subject). This may reveal information about the language used by the author, and what email software they use, hence why they chose .... Are you using this method or some other method? > > We are currently showing `***` for obfuscation because this is what is used for obfuscation for passwords as well. We have no problem switching to using `...` if it seems the better decision. Yes I'd use `...` as that's what is defined in the specification, though there is more to it than just that. 
It would also be good to see CTemplar listed on the [implementation status](https://autocrypt.org/dev-status.html) page, if/when you get it complete. > > Another question I had was do you support WKD/WKS. > > We don't currently support WKD/WKS but it's on our development schedule. Excellent! > I appreciate your comments and you'll see these changes reflected on the website when we do our next website update Awesome. > @dngray > One more thing. If my website should be approved by privacytools.io then I request that it be at the bottom of the list of email services. > The initial ordering was based on coverage of the criteria. We had then decided to just add new ones as they come along. That being said, there had been some suggestion of using alphabetical ordering to be more fair. > Of course this is all contingent on being approved. After the few marketing related things you mentioned above I don't see anything standing in the way.
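The exchange above about replacing the visible Subject with `...` and carrying the real one inside the encrypted part is easier to follow with a concrete message. The following is an added example written for this thread, not CTemplar, Enigmail or neomutt code: it builds a message in the shape that draft-autocrypt-lamps-protected-headers describes (outer `Subject: ...`, real headers on the MIME part tagged `protected-headers="v1"`) and shows what a relay sees versus what a protected-headers-aware client should display. The OpenPGP encryption step is omitted on the assumption that the inner part is exactly what an implementation would encrypt; the addresses and subject are constructed sample values.

```python
"""Protected headers for an OpenPGP-style message (added example, not page code).

The outer Subject is replaced by the "..." placeholder and the real headers
travel inside the MIME part that an implementation would encrypt. Encryption
itself is left out here; the inner part stands in for the Cryptographic Payload.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OBFUSCATED_SUBJECT = "..."                     # placeholder for the outer Subject
PROTECTED = ("Subject", "From", "To", "Date")  # headers copied into the payload


def build_protected(sender, recipient, subject, body):
    """Return the outer message; its only child is the protected payload."""
    inner = EmailMessage(policy=policy.SMTP)
    inner.set_content(body)
    # Tag the payload as carrying protected headers, version 1.
    inner.set_param("protected-headers", "v1", header="Content-Type")
    inner["From"] = sender
    inner["To"] = recipient
    inner["Subject"] = subject

    outer = EmailMessage(policy=policy.SMTP)
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = OBFUSCATED_SUBJECT  # the only Subject visible in transit
    outer.make_mixed()                      # stands in for the multipart/encrypted envelope
    outer.attach(inner)
    return outer


def _parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def transit_headers(raw):
    """Headers a mail relay sees: the outer copies only."""
    msg = _parse(raw)
    return {name: str(msg.get(name)) for name in PROTECTED if msg.get(name) is not None}


def effective_headers(raw):
    """Headers a protected-headers-aware client should display.

    Values from the first part tagged protected-headers="v1" override the outer
    copies, so the "..." placeholder is never what the user sees.
    """
    msg = _parse(raw)
    effective = transit_headers(raw)
    for part in msg.walk():
        if part is msg:
            continue
        if part.get_param("protected-headers", header="Content-Type") == "v1":
            for name in PROTECTED:
                if part.get(name) is not None:
                    effective[name] = str(part[name])
            break
    return effective


if __name__ == "__main__":
    # Constructed sample values.
    msg = build_protected("alice@example.org", "bob@example.org",
                          "Q3 audit findings", "Report attached.")
    raw = msg.as_bytes()
    print("in transit:", transit_headers(raw)["Subject"])
    print("displayed :", effective_headers(raw)["Subject"])
```

The point of the `...` placeholder is that it carries no information about the sender's client or language, unlike a per-client string such as "Encrypted Message"; a client that does not understand protected headers simply shows the placeholder, while one that does reads the inner copy.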
fabianski7 commented 2020-03-09 00:29:30 +00:00 (Migrated from github.com)

I was looking at CTemplar and it really seems to be an alternative but let me just get off the subject of this discussion to talk about the free plan.
Only three e-mails per hour? Really? Not even for a simple test before you migrate from another server is that enough.

5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-03-09 18:17:03 +00:00 (Migrated from github.com)

> I was looking at CTemplar and it really seems to be an alternative but let me just get off the subject of this discussion to talk about the free plan.
> Only three e-mails per hour? Really? Not even for a simple test before you migrate from another server is that enough.

This is not the place to discuss this kind of thing. The issue should be about whether or not we should list the provider based on other things, not on how much the free plan can do. Providers from Silicon Valley make you think you don't have to pay anything, but in fact they sell your personal data to keep the service running. Almost every e-mail provider out there that respects your privacy is paid; ProtonMail is an exception since they are the most known one and can afford to do it. CTemplar is a really new project, be considerate.
LizMcIntyre commented 2020-03-09 21:10:21 +00:00 (Migrated from github.com)

> I am the owner of CTemplar and I am a white male who resides in the USA.

> Question: Who owns the company/organization? What percentage does each owner hold? (December 31 of prior year and current date)
>
> > Response: I have owned 100% of this company since its creation.

? "...a white male who resides in the USA" only narrows the ownership down to @ 50% of US residents. "I" could be almost anyone. The question is seeking verifiable owner and company information.
dngray commented 2020-03-10 04:19:26 +00:00 (Migrated from github.com)

This is true actually and we do have a requirement for all providers:

- "Public-facing leadership or ownership."

We do not allow for random .onion e-mail services (often suggested) because nobody really knows who owns them, i.e. it could be your worst adversary.

It does say on their [transparency page](https://ctemplar.com/transparency-report-ctemplar/):

> We will provide our Seychelles company incorporation documents and ownership information to media outlets, to demonstrate that we are not owned by any government or corporation. This will be issued under a non-disclosure agreement. Please email legal@ctemplar.com for more information.

I would have liked to have been able to verify this from a public source.
Godfry commented 2020-03-10 08:34:55 +00:00 (Migrated from github.com)

@fabianski7 Yes our policy is 10 emails per hour to 3 different non-ctemplar recipients. Unlimited CTemplar to CTemplar. We might make this unlimited to any other encrypted email service in the future. The reason for this policy is because people have created hundreds of free accounts and would use them to email countless sextortion emails. Limiting outgoing emails is the best way to reduce that kind of abuse. I believe Protonmail arrived at that same conclusion and have a 10 email per hour limit also. If you have any suggestions about how to prevent abuse while offering a free anonymous service, please let me know.

@LizMcIntyre After it was falsely circulated that I am a Muslim, people flooded our support inbox with insults against Muhammad and statements about how only white people are capable of writing code. I hope that explanation explains why I responded like I did. Our transparency policy states that we will verify ownership and company information to organizations that sign NDAs.

Why don't I want my name/picture all over the website? My developers wrote the code. We used the PGP code Protonmail.com maintains. We were inspired by countless security professionals who never receive any recognition at all. I do not feel I deserve any special honor, glory or recognition. Someday, if I personally make exceptional contributions to the security and privacy industry, I might feel I earned putting my name & face all over my website. Then maybe everyone would see that I could have made a fortune as a male model? Maybe everyone would want to have cutting boards made with a picture of my six pack abs on it because my abs are so rock solid? I am just making a joke. I understand your concern and I will distribute my identity as it is needed.

@dngray I would be more than happy to send yourself or any Privacytools.io admin my incorporation documents along with my passport, drivers license, and any other documents that are desired. I only ask that an NDA is signed beforehand. You can contact myself or the legal team, they have fulfilled several of these requests so far.

I'll be done with the comments you outlined shortly. I am also going through the rest of my website and trying to change/revise anything else that could be viewed negatively. I feel you would be rightly insulted if I made the changes you stated, but did not change similar writing elsewhere. I am just being careful to make sure I treat your time respectfully. I'll be done shortly.

Kind Regards to you all,
fabianski7 commented 2020-03-10 12:32:19 +00:00 (Migrated from github.com)

@Godfry

You have an insecure connection on the registration page.

See: https://i.imgur.com/US88FCI.png
http://api.ctemplar.com/clock-image/6348e926b78d82958d6e2ee5ac3c10e712493c22/
https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

If `security.mixed_content.block_active_content` is active (which is the default) it won't be possible to see the clock image.
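The report above is a mixed-content case: a page served over HTTPS pulling a subresource over plain http://. As an added example (written for this thread, not CTemplar code), the following scanner finds such subresources in a page's HTML and classifies them as active or passive mixed content, the distinction the linked MDN page draws and the one behind Firefox's `security.mixed_content.block_active_content` preference (its companion `security.mixed_content.block_display_content` governs passive content such as images). The sample HTML and every hostname and path in it are constructed placeholders.

```python
"""Mixed-content check for a page served over HTTPS (added example, not page code).

Lists subresources requested over plain http:// and classifies them as
"active" (can run code or restyle the page) or "passive" (only displayed).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose fetched resource can run code or restyle the page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
# Elements whose resource is only displayed.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def _record(self, kind, tag, ref):
        url = urljoin(self.page_url, ref)  # relative refs inherit the page's https
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for t, a in ACTIVE:
            if tag == t and attrs.get(a):
                self._record("active", tag, attrs[a])
        for t, a in PASSIVE:
            if tag == t and attrs.get(a):
                self._record("passive", tag, attrs[a])
        # A stylesheet <link> is active too; icons and prefetch hints are not.
        if tag == "link" and attrs.get("href") and "stylesheet" in (attrs.get("rel") or "").lower():
            self._record("active", tag, attrs["href"])


def scan(page_url, html):
    """Return the mixed-content findings for an HTTPS page (none for a plain page)."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for a secure top-level page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def blocked_by_browser(findings, block_active=True, block_display=False):
    """URLs a browser refuses to load under the given pair of preferences.

    The defaults mirror Firefox's shipped values for
    security.mixed_content.block_active_content (on) and
    security.mixed_content.block_display_content (off).
    """
    return [url for kind, _tag, url in findings
            if (kind == "active" and block_active) or (kind == "passive" and block_display)]


# Constructed sample: an HTTPS signup page pulling two resources over http://.
SAMPLE_PAGE_URL = "https://signup.example.test/register"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="http://cdn.example.test/vendor.js"></script>
</head><body>
<img src="http://api.example.test/clock-image/PLACEHOLDER-ID/" alt="clock">
<img src="/static/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

The fix on the server side is the same in every case: reference the resource with an https:// (or scheme-relative) URL, which is what the CTemplar response further down achieves by removing the element altogether.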
fabianski7 commented 2020-03-10 12:47:06 +00:00 (Migrated from github.com)

It seems that using [user.js](https://github.com/ghacksuserjs/ghacks-user.js) from ghacks breaks most of the site.

Accessing https://mail.ctemplar.com/mail/settings/dashboard-and-plans doesn't seem to be an easy task. See the amount of errors in the console: https://i.imgur.com/5bl3kLk.png

They repeat themselves everywhere. Some pages don't even open.
atifsaddique211f commented 2020-03-11 05:43:24 +00:00 (Migrated from github.com)

@fabianski7 I have tested using `user.js` from ghacks and it worked perfectly, there is already a [fix](https://github.com/CTemplar/webclient/issues/508) which fixed most of the icons issue using that profile.
If you still face the issue, please feel free to report an issue here https://github.com/CTemplar/webclient/issues

Thank you.
atifsaddique211f commented 2020-03-11 05:45:23 +00:00 (Migrated from github.com)

@fabianski7 about the registration page insecure, we are going to remove captcha completely, the fix is already on its way and will be available soon.
If you still have any issue, please report here:
https://github.com/CTemplar/webclient/issues
Godfry commented 2020-03-11 06:59:10 +00:00 (Migrated from github.com)

@fabianski7 Your comments are noted and they will be corrected.

I want to discuss something with you fabianski7. You were asked by a moderator not to post these sorts of posts to this channel.

> This is not the place to discuss this kind of things, the issue should be about if we should or not list the provider

I feel that an unbiased reader of this chain of comments would state that your attitude is aggressive and your goal is to publicly belittle my service and cause distrust. This seems especially true after taking into account your disobedience of the moderator, and disrespect for the Privacytools.io website when you use it as a platform to report/solve bugs.

If your intent is to belittle and discredit my service, I will give you a public platform to do it. I will publish it on my website in the "Zero-Censorship" area. My service has made mistakes and has had bugs. I will not hide from them. Please email my support team if/when you're ready to post your content to my website.

The bugs will be tracked and completed with the other tasks we're working on.

Kind Regards to you all,
atifsaddique211f commented 2020-03-11 09:08:51 +00:00 (Migrated from github.com)

@fabianski7 registration page insecure issue has been fixed as we have removed captcha for free signup. https://github.com/CTemplar/webclient/releases/tag/v2.1.3

fabianski7 commented 2020-03-11 12:54:48 +00:00 (Migrated from github.com)

> If your intent is to belittle and discredit my service, I will give you a public platform to do it. I will publish it on my website in the "Zero-Censorship" area.

Well, that was not my intention. I enjoyed the space here because since you are the owner of the service, it would be easier to report bugs.

I'm sorry if I left that impression.

> [...] You were asked by a moderator not to post these sorts of posts to this channel.

I didn't see any admin complaining about what I posted (though this really isn't the place for it).

My intention was only to help with both sites.
Godfry commented 2020-03-12 06:22:19 +00:00 (Migrated from github.com)

@fabianski7 You responded kindly, and you kept the door open for continued friendly communication. That is a rare approach and I appreciate it. Sometimes in online communication it is difficult to gauge someone's mood and disposition because you can not see their expressions and hear the intonation of their voice. In this instance I feel I misunderstood you, I apologize. And you are correct I have often said that anyone is free to report bugs directly to me. Ultimately nothing matters except protecting people against privacy abuse. I think that's something you understand, thank you for your comments.

Your username reminds me of the football player named Fabianski, and that reminds me of a joke. Long ago I played football. During one game I wore a white uniform. Before the game I ate a chocolate bar to increase my energy. I ran onto the field and realized that I had mistakenly sat on the chocolate bar, I had a big brown stain on the back of my white shorts :) At the time it was embarrassing but I think it is funny now.

FYI - I'm almost done combing through my site removing rough edges.

Godfry commented 2020-03-19 05:21:36 +00:00 (Migrated from github.com)

@dngray I have completed all the wording changes to the website that I feel you indicated as well as other changes I feel needed to be made. If you notice other things, please give me the opportunity to correct them and I mean no disrespect to you or the Privacytools team. We have also started working on implementing autocrypt and we should be done with that within the next few weeks.

Respectfully, I submit my email service to be reviewed so that it can be listed on [the email review page](https://www.privacytools.io/providers/email/).
ghost commented 2020-03-19 21:10:52 +00:00 (Migrated from github.com)
@dngray You may want to look into this https://www.reddit.com/r/ctemplar/comments/flh2hg/website_hosted_on_same_server_as_mail_server/
Godfry commented 2020-03-19 21:52:16 +00:00 (Migrated from github.com)

@zack-95 If you read through the above comments you will see that using Privacytools.io as a platform to report bugs and concerns with our service is not acceptable. This policy has nothing to do with my service, it has to do with protecting the reputation of Privacytools.io and making sure it is never viewed as a support website for other services. If Privacytools.io is viewed as a support platform for services like mine, it reduces their ability to help people protect their privacy across all their needs.

We are preparing a response to your comment on Reddit and will post it shortly. If you have other concerns or questions please direct them to myself or my support team.

If you're looking for a platform to make negative comments about my service I would be happy to publish your unedited review to our zero censorship page. In this way, you will benefit from greater visibility.
ghost commented 2020-03-19 21:55:59 +00:00 (Migrated from github.com)

It is totally related, as it relates to a security risk, and I'm sure PTIO would not want to list a provider with such poor server infrastructure security practices that put their customers at risk.

PS: I'm not the reddit OP

VigilantSwanson commented 2020-03-20 00:07:18 +00:00 (Migrated from github.com)

@Godfry This isn't about reporting bugs. It's about the technical competence of the company in general. I am going to be candid here.

If you run `nmap ctemplar.com`, you get something like this:

![image](https://user-images.githubusercontent.com/62407325/77123797-64161580-69fe-11ea-9e7a-9d5609d3672e.png)

This is of high concern, especially considering that you are a secure email service provider.

Furthermore, if we look for DNS records on your domain, all the domains and subdomains lead to one IP, suggesting there is only one server: the one in the screenshot above.

![image](https://user-images.githubusercontent.com/62407325/77124078-236acc00-69ff-11ea-8d26-4e36f02ba05b.png)

Your WordPress site (the CTemplar site itself), Jenkins and mail are all hosted on this one server, and WordPress has not had the best history of vulnerabilities to say the least (Kevin Beaumont, Senior Threat Intelligence Analyst for Microsoft Threat Protection went so far as to call it a "really good Emotet distribution tool with an okay content management system bolted on"). If we go to port 3000, we see an exposed Nextcloud instance, SSH is open on port 22 in password auth mode. This is obviously unacceptable for any sort of service, but especially one that claims to offer "armoured email".

I don't know how much you yourself understand about this, but you ought to get some people onboard that have professional knowledge around cyber security. Running a secure email is not a joke and bad cybersecurity is not just a "light inconvenience". This can backfire in your and your users' face so hard, that you won't be able to put your name anywhere near IT anymore. These comments and posts are very well-placed as PTIO (or really anyone) should not be recommending or using insecure providers for the sake of themselves.
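Of the exposures listed above, "SSH is open on port 22 in password auth mode" is the one an operator can verify and close from the server's own configuration. The following is an added example written for this thread, not part of it and not any CTemplar tooling: it audits the global section of an OpenSSH `sshd_config` against a handful of authentication settings, using the OpenSSH defaults (assumed to be those of OpenSSH 7.0 or later, where `PermitRootLogin` defaults to `prohibit-password`) for any keyword that is absent. Both configuration texts are constructed for the demo, the first showing the weak state and the second the hardened one.

```python
"""Audit the global section of an OpenSSH sshd_config (added example, not page code)."""
import re

# keyword -> (OpenSSH default if absent, acceptable values, why it matters)
CHECKS = {
    "passwordauthentication": ("yes", {"no"},
        "password logins can be guessed online; allow keys only"),
    "kbdinteractiveauthentication": ("yes", {"no"},
        "keyboard-interactive normally falls back to a password prompt"),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"},
        "a direct root login leaves no individual account to trace"),
    "permitemptypasswords": ("no", {"no"},
        "empty passwords must never be accepted"),
    "pubkeyauthentication": ("yes", {"yes"},
        "key authentication must stay enabled once passwords are off"),
}
# Older spelling of the same keyword, still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global(text):
    """Return {keyword: value} for the part of sshd_config before any Match block.

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored; keywords are case-insensitive and may be written "Key value" or
    "Key=value". Match blocks are conditional and out of scope here (assumption).
    """
    settings = {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return (keyword, effective_value, reason) for every failed check."""
    settings = parse_global(text)
    findings = []
    for key, (default, allowed, why) in CHECKS.items():
        value = settings.get(key, default)
        if value not in allowed:
            findings.append((key, value, why))
    return findings


# Constructed sample: the exposed state described in the thread.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# old name for KbdInteractiveAuthentication
ChallengeResponseAuthentication yes
X11Forwarding yes
"""

# Constructed sample: keys only, no root login, one exception confined to a Match block.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

Note that the weak sample trips the keyboard-interactive check through the alias and the hardened sample passes even though it re-enables passwords for one user, because that line sits inside a `Match` block the audit deliberately does not evaluate; a fuller audit would report Match exceptions separately rather than silently ignore them.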
VigilantSwanson commented 2020-03-20 05:53:51 +00:00 (Migrated from github.com)

@LordNikon2x Your blatantly racist reply is completely unacceptable. You are profiling people based on what other members of their ethnic group are doing. These developers likely committed no crime and yet are being blamed, just because they were born this way. This is a place for civil discussion, not for ad hominems and racism. I may disagree and have objections with the security practices of ctemplar but to be so rude and discriminatory is completely uncalled for and unnecessary.

Please have some decency and debate with facts, not misleading blanket statistics. Furthermore, speak for yourself. You have no right as a racist to speak for any members of this community and clearly do not understand or have knowledge of the community.
Jeremy-Stanford commented 2020-03-20 05:53:56 +00:00 (Migrated from github.com)

I'm so impressed with what was said by @zack-95, @VigilantSwanson and @LordNikon2x.
I am a student at a highly esteemed university. I researched everything they said and agreed to it all because it is the truth.
The email page of PTio should stay the way it is and no new sites should be added. The community and PTio came together and did a great job! Together we can achieve dreams!
dngray commented 2020-03-20 06:40:13 +00:00 (Migrated from github.com)

> @dngray I have completed all the wording changes to the website that I feel you indicated as well as other changes I feel needed to be made.

I shall give it a read in the coming days.

> If you notice other things, please give me the opportunity to correct them and I mean no disrespect to you or the Privacytools team.

Sure.

> We have also started working on implementing autocrypt and we should be done with that within the next few weeks.

Cool.

> @dngray You may want to look into this https://www.reddit.com/r/ctemplar/comments/flh2hg/website_hosted_on_same_server_as_mail_server/

Thanks for posting the link.

> @zack-95 If you read through the above comments you will see that using Privacytools.io as a platform to report bugs and concerns with our service is not acceptable.

While I would agree with this sentiment it is concerning to see so many services open to the internet, particularly things like Jenkins [which have quite a history](https://www.cvedetails.com/product/34004/Jenkins-Jenkins.html?vendor_id=15865) in the past.

Another thing worth noting is that meeting the criteria does not mean a certainty of being listed. It is a minimum baseline and a guide to what we look for.

> We are preparing a response to your comment on Reddit and will post it shortly. If you have other concerns or questions please direct them to myself or my support team.

I shall be looking forward to reading that.

> It is totally related, as it relates to a security risk, and I'm sure PTIO would not want to list a provider with such poor server infrastructure security practices that put their customers at risk.

Spot on.

@LordNikon2x

Please don't bother posting anything like that again.

@Jeremy-Stanford

This isn't the place for that.
smnthermes commented 2020-03-23 01:29:21 +00:00 (Migrated from github.com)

Nice "Zero Censorship Policy"...
https://ctemplar.com/zero-censorship-policy/

dngray commented 2020-03-26 18:47:38 +00:00 (Migrated from github.com)

After some discussion we've decided not to add CTemplar at this time.

The reason being we do not like to provide information which cannot be verified by public sources. We don't allow anonymous companies to provide services because it involves people trusting an unknown entity with their data that cannot be verified. If the company fails or does something disastrous there is no recourse.

To add CTemplar we would have to relax/remove our trust requirements. If we did this, we'd have all sorts of services recommended (we actually put that requirement in place to ward against people recommending random unknown .onion service email providers).

We won't be signing any NDAs regarding this, as it would mean we cannot reveal what we learn, and thus puts it on the community to trust us instead of the company they're doing business with.

I do however want to thank @Godfry and his developers for making the improvements we suggested. I also want to thank those who contributed meaningful replies.

Godfry commented 2020-03-27 07:52:20 +00:00 (Migrated from github.com)

@dngray

> To add CTemplar we would have to relax/remove our trust requirements. We won't be signing any NDAs regarding this

I won't require an NDA. Tell me where to send all my company verification documents and I'll email them to you.
I don't feel it appropriate to put my name and picture on the website. I reviewed Soverin & Disroot and they seem to have the same belief. If sending you my company verification & personal ID documents does not satisfy your requirements, could I meet them in the same way that Soverin & Disroot has?

> Another thing worth noting that meeting the criteria does not mean a certainty in being listed. It is a minimum baseline and a guide to what we look for.

I understand that nothing requires you to list qualifying services. However, I would like to know if my service meets your criteria. If my service meets your criteria, but you decline to list my site, I understand and I won't press the issue.
Godfry commented 2020-03-27 07:56:52 +00:00 (Migrated from github.com)

@VigilantSwanson
1.- It's true we have a single public facing IP, all our services behind are properly virtualized and totally isolated from each other. This applies to all public and private services, including those you've discovered with nmap and WordPress.
Even if we didn't consider enabling remote access to different internal tools using a port other than 80/443 a security issue, we have closed them to minimize discoverability of the different tools we use.
2.- We know SSH is listening in its standard port and its settings. We consider our implementation protects our systems from brute-force attacks and any other unauthorized access we can imagine.

**The above comments are our responses to the points brought up. After a discussion with my team, we'll separate the servers. Thank you all for your comments.**

Kind Regards,
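The point at issue in the exchange above is whether sshd on port 22 will accept a password at all. That is decided by a handful of `sshd_config` keywords with two pitfalls: sshd keeps the first value it sees for a keyword (a later line does not override an earlier one), and a `Match` block can re-enable passwords for a subset of clients even when the global setting is `no`. The checker below is an added example, not code from the thread or from CTemplar; both configurations are constructed to show a weak and a hardened file, and the defaults table reflects OpenSSH 7.x and later.

```python
"""Added example: check an sshd_config for password-based logins.

Not code from the thread or from CTemplar; both configurations are constructed.
Applies sshd's own rule that the first value seen for a keyword wins, and
inspects Match blocks separately because they can re-enable passwords.
"""
import re

# Values sshd uses when a keyword is absent (OpenSSH 7.x and later).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# ChallengeResponseAuthentication is the older spelling of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed: passwords left enabled (by default), root login allowed, and a
# Match block that turns passwords on for one address range.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication yes
Match Address 198.51.100.0/24
    PasswordAuthentication yes
"""

# Constructed: key-only logins. The duplicate line at the end is ignored by sshd.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
PasswordAuthentication yes   # ignored: sshd keeps the first value it saw
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keywords are case-insensitive and may be written "Key value" or "Key=value".
    Within each section the first value seen for a keyword is kept.
    """
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        key = ALIASES.get(key, key)
        if key == "match":
            current = (value, {})
            match_blocks.append(current)
            continue
        target = current[1] if current is not None else global_settings
        target.setdefault(key, value)  # first value wins, as in sshd
    return global_settings, match_blocks


def audit_sshd(text):
    """Return findings describing each way a password could still reach sshd."""
    global_settings, match_blocks = parse_sshd_config(text)
    effective = {**DEFAULTS, **global_settings}
    findings = []
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is yes globally (the default when unset)")
    if effective["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication is yes: PAM password prompts remain reachable")
    if effective["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is a known username for brute force")
    for criteria, settings in match_blocks:
        if settings.get("passwordauthentication") == "yes":
            findings.append(f"Match {criteria}: password authentication re-enabled for this scope")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd(cfg) or ["no findings"])
```

The same question can be answered from outside without credentials: `ssh -o PreferredAuthentications=none -o PubkeyAuthentication=no user@host` makes the client offer no method, and the server's "Permission denied (publickey,password)" reply lists what it will accept.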
dngray commented 2020-03-27 09:05:36 +00:00 (Migrated from github.com)

> However, I would like to be able to say that I meet your criteria.

With this you'd be saying: "we meet the criteria but we don't meet the criteria".

This creates problems as other providers would seek the exemptions to say they meet the criteria when they in fact don't. This would in turn dilute our purpose and compromise our mission. Our endorsement and branding would become meaningless.

It is likely to confuse users as well. They're likely to open many issues with both you, and us about why they are not on the PrivacyTools site, when they apparently meet the criteria.

> I will provide all the company verification documents to the privacytools.io team without a signed NDA. If I provide those documents to your team, can I say that I meet your criteria?

The issue with that is we would have to distribute them on our site. We would have to provide some kind of public verification or reference that what we say is actually true. This is what gives PrivacyTools its authority over other sites who simply just say X is good without any kind of validation or peer review.

There are many sites which endorse many things without reason or reference. What gives PrivacyTools its reputation is the fact that discussions about what is added happen transparently, in public such as on GitHub. People can track the discussion and reasoning and use it in future debates as to why/why not a specific product should be used.

If we make recommendations with "secret sources", it encourages people to accuse us of being biased, bribed, compromised etc. We then would get this pollution on blogs, social networking websites and in comments on our own forums of discussion. It would confuse people and overall they would trust us less.

Members of the community would be able to clearly see that there is information they are "not allowed" to know. All sorts of conspiracy theories would be speculated. Members of our community have typically had their trust abused previously by large companies seeking to make a profit off their private data, as well as governments claiming to be invading their privacy for their own safety.

The other thing to note is, we're all people with regular jobs (mostly in IT). PrivacyTools is certainly a community project that depends on our spare time, and public donations. As a result there was a significant discussion [Preventing Privacytools conflicts of interest - ensuring Privacytools integrity](https://forum.privacytools.io/t/preventing-privacytools-conflicts-of-interest-ensuring-privacytools-integrity/2517), which resulted in us creating a [Conflict of Interest Policy](https://wiki.privacytools.io/view/PrivacyTools:Conflict_of_Interest_Policy), this is to provide some recourse should a team member work at a company which is also a recommended product or wants to be a recommended product.

From a legal standpoint I would certainly **not** be distributing any kind of documents covered under an NDA normally for other parties. From an ethical point I would refuse to possess such documents unless I had authority to distribute.

If you did give such permission, then you'd be better off distributing them yourself.
Godfry commented 2020-03-27 09:26:25 +00:00 (Migrated from github.com)

@dngray I understand. Thank you for explaining.

Could you please tell me the criteria? Once I know exactly what you're looking for I'll meet it.
Could you tell me how Soverin and Disroot met the criteria? I would like to use them as examples to be sure I provide a complete response.

Thank you

dngray commented 2020-03-27 11:00:16 +00:00 (Migrated from github.com)

> Could you please tell me the criteria? Once I know exactly what you're looking for I'll meet it.

Sure, the criteria is available on our site https://www.privacytools.io/providers/email/#criteria

> Could you tell me how Soverin and Disroot met the criteria? I would like to use them as examples to be sure I provide a complete response.

What part specifically? Both of these are public. Both providers are listed on KVK: [Disroot](https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=69988099) and [Soverin](https://www.kvk.nl/orderstraat/product-kiezen/?kvknummer=615522750000). More information [about KVK](https://www.kvk.nl/english/ordering-products-from-the-commercial-register/kvk-extracts/). You cannot register in the KVK without your legal name and contact details.

Both Soverin and Disroot also have a presence on social media, which means we get to know something about the people behind the service. Eg. @muppeth I've often seen around on Github (in various other communities).

Soverin have relevant information about them located: https://soverin.net/about

There is a higher trustworthiness associated with a company being run in the same location as where the employees reside.

They also do use their [real names](https://www.producthunt.com/posts/soverin-2), when promoting their product, and likewise on Twitter: [Ivo Fokke](https://nitter.net/bratelement), [Patrick](https://nitter.net/patrick79305), [Andre Meij](https://nitter.net/ahmeij).
ghost commented 2020-03-27 15:01:03 +00:00 (Migrated from github.com)

In addition, ctemplar does not support IMAP, SMTP or JMAP.

dngray commented 2020-03-27 16:50:49 +00:00 (Migrated from github.com)

> In addition, ctemplar does not support IMAP, SMTP or JMAP.

This is not a requirement. See Tutanota. It's a best-case option.
ghost commented 2020-03-27 17:19:36 +00:00 (Migrated from github.com)

You're right. btw, I saw on reddit that POP3/IMAP/SMTP support will be added next month.
https://www.reddit.com/r/ctemplar/comments/fjtiou/new_features_development_schedule/

Godfry commented 2020-03-27 17:51:03 +00:00 (Migrated from github.com)

@dngray
I am discussing this because I would like to meet your criteria, I understand that I can meet your criteria and not be listed. Based on what you've shared with me I feel my company meets the criteria of having "Public-facing leadership or ownership."

> Soverin and Disroot also have have a presence on social media

My service does also. [Facebook](https://www.facebook.com/CTemplarEncryption), [LinkedIn](https://www.linkedin.com/company/33253834/admin/), [Twitter](https://twitter.com/RealCTemplar).

> Both providers are listed on KVK Disroot and Soverin.

My service is in the Dun & Bradstreet Global Database, [here's information about DUNS numbers](https://www.dnb.com/duns-number.html). DUNS numbers are considered by some to be the [universal standard for business identification](http://www.dnb.com/content/dam/english/dnb-data-insight/duns_number_overview_2011.pdf). To illustrate this, Apple requires a DUNS number to create a corporate mobile app. Apple will not accept KVK numbers as a form of corporate validation. For this reason, I think my company's DUNS number (which is 56-137-7531) is at least equal to a KVK number.

You can confirm my DUNS number by using the DUNS number lookup form. It won't let me give out a static link.
https://fedgov.dnb.com/webform/searchAction.do
Country: Seychelles
Business Name: Templar software systems ltd

> You cannot register in the KVK without your legal name and contact details.

Likewise with a DUNS number.

> They also do use their real names

As do I, it's attached to the DUNS number. I have an alias, just as many coders do, and then I attach my real name to important documentation like the DUNS number.

> There is a higher trustworthiness associated with a company being run in the same location as where the employees reside.

I maintain an office in Iceland but many people work from the country they live in. I think this is exactly the same as the other services.

Like I mentioned before, I am not trying to compel you to list my site. I am pursuing this discussion because I feel my service meets the criteria and if it doesn't I would like to know why so I can make improvements.
ghost commented 2020-03-27 20:55:03 +00:00 (Migrated from github.com)

Pleased to meet you, [Paul](https://www.dnb.com/business-directory/company-profiles.templar_software_systems_ltd.22459c961c7f296487bf7d75d68ac4cf.html)

While aliases and privacy are respected, when dealing with an actual company that provides those privacy services, as @dngray said, I'd like to know who I'm dealing with. Hiding who is behind it actually makes me trust it less.
Godfry commented 2020-04-02 08:14:39 +00:00 (Migrated from github.com)

@zack-95
I see your view. I'm happy to provide any verification that you all want. I've added my name to github, and picture & name to http://keybase.io/, I've also verified myself with keybase's encryption.

From my view (a view gained from comments on this thread/reddit & direct email) I felt this community was trying to find a reason to disqualify my service because of hate toward Mexicans, Pakistanis and those of the LGBTQ community. Thank you for reopening the issue. Please give me a chance to respond to concerns before denying & closing the thread.

If the issue really is the nationality and gender of my employees then let's have out with it. As some of you who have emailed me will know, I will not give my opinion and will respond with academic studies that I think were conducted well. I would rather discuss this openly instead of having it be talked about in secret.

Kind Regards,

dngray commented 2020-04-02 10:29:03 +00:00 (Migrated from github.com)

> From my view (a view gained from comments on this thread/reddit & direct email) I felt this community was trying to find a reason to disqualify my service because of hate toward Mexicans, Pakistanis and those of the LGBTQ community.

This is certainly not the view by the PrivacyTools team. We would never disqualify a provider based on these things. We do in fact have a [Code of Conduct](https://chat.privacytools.io/) related to this.

> If the issue really is the nationality and gender of my employees then let's have out with it.

Certainly not, and as such I have not mentioned it, because it is not something we use in our deciding factors.

I would just suggest ignoring the anonymous trolls that hold these views.
Godfry commented 2020-04-07 10:00:04 +00:00 (Migrated from github.com)

@dngray Thanks for the response:) I'll take your advice and ignore the trolls.
Let me know anything else you need.

hejwoidhenw commented 2021-02-18 02:13:27 +00:00 (Migrated from github.com)

@dngray @Godfry Any update on this? It has been a while, and the issue is open.
CTemplar has made some progress, so I guess it would be worth looking to add them to https://privacytools.io/
clonesr1 commented 2021-02-21 19:41:44 +00:00 (Migrated from github.com)

> have **owned 100%** of this company since its creation.

> **I am the only shareholder,** only owner and control all the voting rights. I don't retain or share any information

> CTemplar's business model is offering paid accounts. We will never accept any donations, grants or investment from any outside source. I can prove this by **making my companies shareholder corporate data available**. But I won't be posting that publicly and I will require a signed NDA
lazyoldbear commented 2021-03-26 16:55:41 +00:00 (Migrated from github.com)

https://ctemplar.com/help/answer/do-you-offer-imap-2/
IMAP may be arguably not required for adding to the list, but the fact that it was unequivocally promised soon at least twice over the last year gives a hint that the company might not have sufficient resources or may have difficulties of unknown nature, rendering its future questionable.

ghost commented 2021-04-21 16:05:50 +00:00 (Migrated from github.com)

This discussion has been going on for a long time.
How about we end this discussion?

CTemplar does not implement CSP.
I am against adding it.
https://observatory.mozilla.org/analyze/mail.ctemplar.com

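The check behind the objection above is simple to automate: does the webmail origin send a Content-Security-Policy header at all, and if so, is it one that actually restricts script execution? The following is an added example (not code from the thread or from CTemplar) that evaluates constructed sample response headers offline; the thresholds it applies are the author's own approximation of what the Mozilla Observatory penalises, not its scoring rules.

```python
"""Evaluate whether an HTTP response carries a usable Content-Security-Policy.

Added example, not part of the thread. Sample headers are constructed so the
script runs offline; they are not real CTemplar responses.
"""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        parts = clause.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_findings(headers: Dict[str, str]) -> List[str]:
    """Return a list of weaknesses for the given response headers (empty = fine)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    csp = lowered.get("content-security-policy")
    if csp is None:
        return ["no Content-Security-Policy header"]
    policy = parse_csp(csp)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("missing default-src fallback")
    # script-src falls back to default-src when absent
    script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script or any(s.startswith("http:") for s in script):
        findings.append("script-src allows wildcard or http: sources")
    if "frame-ancestors" not in policy:
        findings.append("missing frame-ancestors (no framing protection)")
    return findings


# Constructed sample responses (labelled as such; not captured from any real site).
NO_CSP = {"Content-Type": "text/html"}
WEAK_CSP = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline' *"}
STRONG_CSP = {"Content-Security-Policy": "default-src 'none'; script-src 'self'; "
              "style-src 'self'; img-src 'self' data:; connect-src 'self'; "
              "frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("no csp", NO_CSP), ("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(name, csp_findings(hdrs) or ["ok"])
```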
paulverbeke commented 2021-07-12 12:55:01 +00:00 (Migrated from github.com)

Doesn't look good 😥🥺 https://cyber-privacy.net/ctemplar-catastrophic-incident-with-complete-data-loss-july-2021/
Someone forwarded me this, but I can't attest for its trustworthiness. Can someone confirm this?

ph00lt0 commented 2021-07-12 12:59:29 +00:00 (Migrated from github.com)

"We cannot restore data from backups because we do not keep backups for security reasons" now that one is new

> Doesn't look good 😥🥺 https://cyber-privacy.net/ctemplar-catastrophic-incident-with-complete-data-loss-july-2021/
> Someone forwarded me this, but I can't attest for its trustworthiness. Can someone confirm this?

Seems to be confirmed by themselves on Twitter: https://twitr.gq/RealCTemplar/status/1414486941064695818#m

Reference: privacyguides/privacytools.io#1642