Ghostmail Snakeoil? #18

Closed
opened 2015-11-05 00:31:05 +00:00 by krumelmonster · 3 comments
krumelmonster commented 2015-11-05 00:31:05 +00:00 (Migrated from github.com)

Ghostmail makes confusing claims like "the safest place on the Internet", "Once it’s deleted it’s gone forever." (although there is no forward security!), "Data is encrypted at all times."

~~There is no way to verify these claims as the service is based on proprietary, hardly documented encryption.~~ **EDIT:** I was wrong, Ghostmail is actually [open source](https://www.ghostmail.com/open-source) and there has been a [security audit](https://www.ghostmail.com/docs/CSIS_GhostMail_Security_Audit_February_2015.pdf). I am sorry.

[From their FAQ:](https://www.ghostmail.com/faq)

> Can I use IMAP/SMTP (external email client i.e. Thunderbird)?
>
> GhostMail is built to offer our users the best privacy and security. Hence we don't allow usage of IMAP/SMTP etc. as emails then will be vulnerable in case your computer or smartphone gets compromised.

By disallowing SMTP (isn't that a requirement to be listed anyway?), Ghostmail hinders its users from using the encryption software of their choice. Using a ~~shady~~ webapp instead of a real mail client provides **absolutely no** protection in case the device gets compromised. Quite the contrary, this model introduces new attack vectors because users have to rely on the integrity of the website anytime it loads in addition to that of their devices.

Ghostmail accounts can only connect to other Ghostmail accounts. Therefore, a Ghostmail account cannot replace a real email account.

**In short:** Ghostmail only lets you send messages to other Ghostmail users, it doesn't allow you to encrypt your messages with the software of your choice, and the information on the website is misleading. Ghostmail shouldn't be listed as a Privacy-Conscious Email Provider.
bookercodes commented 2015-11-05 08:44:05 +00:00 (Migrated from github.com)

Hello @krumelmonster,

First and foremost, thank you for your detail in writing this issue.

Unfortunately, GitHub is reserved for technical issues **only**. Issues like yours belong on the [forum](https://www.reddit.com/r/privacytoolsio) where the community can share their opinion on it.

From [`README.md`](https://github.com/privacytoolsIO/privacytools.io/blob/master/README.md#contributing):

> Please do not submit suggestions here on GitHub - this is only for developing the website. Please submit them to our [subreddit](https://www.reddit.com/r/privacytoolsIO/) instead. Thank you.

It would be very much appreciated if you could take a couple of minutes to re-post this same issue to [r/privacytoolsio](https://www.reddit.com/r/privacytoolsio). If you need any help, let me know! Thanks.
krumelmonster commented 2015-11-05 09:36:36 +00:00 (Migrated from github.com)

I would very much appreciate it if someone else could move the issue to reddit and delete it afterwards.
bookercodes commented 2015-11-05 09:47:08 +00:00 (Migrated from github.com)

Done: https://www.reddit.com/r/privacytoolsIO/comments/3rm0po/ghostmail_snakeoil/

It would still be good if you could make an account to engage with anyone who might want you to clarify.
Reference: privacyguides/privacytools.io#18