Software Removal | Mailbox.org - bad actors #985

Closed
opened 2019-06-11 01:11:53 +00:00 by PrivacyFanatic · 14 comments
PrivacyFanatic commented 2019-06-11 01:11:53 +00:00 (Migrated from github.com)

Description

Mailbox.Org is a bad actor in the space. Despite saying they promote "Data Protection", "Security", etc, they are requiring users to forfeit data to the largest spyware company in the world: Google.com.

You can see this on their signup page which requires sending data to Google: https://mailbox.org/en/

The Problem

  1. By sending this information to Google it means Google now knows that the particular person attempted to sign up for mailbox.org. This is a huge side channel attack

  2. In the process of signup the browser fingerprint, IP, and persistent cookies will be set on the users machine which Google will further use to track said user.

  3. Increasingly Google is making it very hard (impossible) to solve CAPTCHAs for anyone who refuses to let themselves be tracked by Google. People who utilize the very tools on PrivacyTools.io and do things like 1) resist browser fingerprinting 2) utilize a VPN / Tor 3) Utilize extensions such as canvas blocker / umatrix, etc. will be given impossible to solve CAPTCHAs (a discussion about this was just on hackernews today).

In fact, that is what happened to me. Google gave me a repeating impossible to solve CAPTCHA due to me being untrackable by them. The end result was that I was not even able to register for this service. This service is a PAID service. It does not need to send data to Google (or force users to) at all.

The Solution

I think PrivacyTools.io needs to take a stand. It cannot support services that promote Google and their evilness when Google is directly opposed to the goals of Privacy. Google is making it harder and harder for users to utilize the very advice given on PrivacyTools.io because it is using its CAPTCHA to frustrate said users by giving them more captcha images, making them solve longer captchas, making the captcha images fade in longer to take more time, and sometimes completely denying the service to the user (your network has made too many requests) or giving them the dreaded impossible to solve CAPTCHA loop.

If PrivacyTools, of all sites, does not start to take a stand by not promoting companies that make these unsavory, anti-privacy, unethical business relationships then no one will. Mailbox.ORG should NOT be promoted as a PRIVACY service when it has a partnership with Google and requires all users to forfeit data and LABOR to Google (that labor trains Google's AI engine).

For that reason, I think they should be removed. For example, competitors such as Tutanota and Protonmail do NOT require a Google captcha. Neither does disroot, etc. It is much, much better that users see fewer options that are TRUE instead of many options where some of them are fake and reduce privacy.

beerisgood commented 2019-06-11 02:21:48 +00:00 (Migrated from github.com)

I recommend Posteo
Same price, nearly same features (some better, some not) but fully without Google or other external shi*

privacytoolsIO commented 2019-06-11 04:57:17 +00:00 (Migrated from github.com)
The reddit discussion: https://www.reddit.com/r/privacytoolsIO/comments/bz6549/warning_mailboxorg_is_a_bad_actor_and_unethical/ TL;DR: It's about Google CAPTCHA service.
beerisgood commented 2019-06-11 07:22:46 +00:00 (Migrated from github.com)

@BurungHantu1605 Well, most Reddit users don't care about such things. Just read the comments

ghost commented 2019-06-11 16:05:20 +00:00 (Migrated from github.com)


I think it's a bit much to call them a "bad actor" because they used recaptcha in order to stop spammers signing up accounts. It was explained [Google Captchas during account registration](https://kb.mailbox.org/display/MBOKBEN/Google+Captchas+during+account+registration).

From what I have read in other places Google's Recaptcha is actually one of the most effective ways at stopping spam. Many of the other captchas can be easily beaten unfortunately. They do say that they are considering alternatives.

Looking across the board [they are one of the better providers](https://github.com/privacytoolsIO/privacytools.io/issues/603#issuecomment-456400331), so I think they should **stay**. In fact they would be one of the top picks at the moment.

I have spoken with Mailbox and I do feel they are quite competent (experienced) in their ability to run mail servers.

Disclosure: I do not have a mailbox account, but I am seriously considering them for my own personal needs. The reason for this was because they support MTA-STS, TLS-RPT and DANE and also would allow me to use my own domain which Posteo doesn't - although they would be my next choice if I did not want to use my own domain.

They have some unique features that a lot of the other providers do not have such as:

* https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely
* https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox
* https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org
* https://kb.mailbox.org/display/MBOKBEN/Using+e-mail+addresses+of+your+domain
* https://kb.mailbox.org/display/MBOKBEN/CalDAV+and+CardDAV+for+other+devices (currently protonmail doesn't offer calendars), though that is [supposed to be coming](https://old.reddit.com/r/ProtonMail/wiki/dev-status) [twitter post](https://twitter.com/protonmail/status/946029185411289088?lang=en), [reddit post](https://old.reddit.com/r/ProtonMail/comments/av56e4/i_know_this_is_a_topic_already_addressed_by_the/ehdylyb/). There is also [supposed to be an app for F-Droid](https://twitter.com/ProtonMail/status/1136631000572878853).

Some of the other providers there I think are a lot less experienced. (See my comparison table).

For example if I was considering any kind of business arrangement where I felt uptime and service was necessary, I would probably put Mailbox, Posteo, and Protonmail as my primary picks.
danarel commented 2019-06-11 16:33:23 +00:00 (Migrated from github.com)

I agree with @tya99, calling them "bad actors" is a bit much and rather dishonest about the services they offer.

I wouldn't support them being removed.

ghost commented 2019-06-11 16:42:09 +00:00 (Migrated from github.com)


And all apples are not equal. Tutanota, does not use PGP for example so it's not exactly interoperable with everyone else.

Additionally you *must* use their client. So no using tools you are used to, [imapfilter](https://github.com/lefcha/imapfilter), [offlineimap](https://github.com/OfflineIMAP), or mail clients like Thunderbird.

> This is a huge side channel attack

OP's concerns can be mitigated largely by using the Tor Browser. A Google Recaptcha isn't impossible, and you only ever have to do it once.

This also is **not** an example of a [side channel attack](https://en.wikipedia.org/wiki/Side-channel_attack) and is a completely inappropriate use of such terminology. At most it could be considered profiling.

We shouldn't be trimming any providers *yet*. I have been in contact with all of them and made them aware we intend to publish the results of https://github.com/privacytoolsIO/privacytools.io/issues/603#issuecomment-443403963 around March 2020 to coincide with industry deprecation.

Unlike what you might think, a mail server has a lot of moving parts and does require significant infrastructure design so implementing such features may have certain blockers. That is why I gave them a lot of warning (initially consulted them around November 2018).
PrivacyFanatic commented 2019-06-12 02:15:47 +00:00 (Migrated from github.com)


> OP's concerns can be mitigated largely by using the Tor Browser. A Google Recaptcha isn't impossible, and you only ever have to do it once.

I was using the Tor browser. As you may have heard, Tor and the Tor browser are increasingly becoming incompatible with reCAPTCHA. That is part of the issue. Tor is a cornerstone of privacy infrastructure. Companies like mailbox.org are enabling reCAPTCHA in its vision of a non-private internet. Google does this by frustrating users with reCAPTCHA and denying users service if they are using Tor via the reCAPTCHA mechanism.

**This is not about solving a CAPTCHA**. Increasingly, Google will not even let anyone solve a CAPTCHA. If you are not trackable, then you are denied service. Here are some reports of this:

- https://old.reddit.com/r/TOR/comments/bs7ef1/super_annoyed_at_the_fact_that_i_cant_register_a/
- https://old.reddit.com/r/TOR/comments/a9ldqn/tor_is_unusable_because_of_captchas/
- https://old.reddit.com/r/TOR/comments/aq1rpr/all_i_want_to_do_is_make_a_throwaway_with_no_ties/

reCAPTCHA is fundamentally incompatible with a privacy site like Mailbox.org. An organization that was pro-privacy would never have the culture that would lead to a decision of using reCAPTCHA. You can see this with Tutanota, Protonmail, Disroot, etc. Their corporate culture did not lead any of these companies to put up a non-optional reCAPTCHA. The use of reCAPTCHA indicates a deeper cultural problem at Mailbox.org.

> I think it's a bit much to call them a "bad actor" because they used recaptcha in order to stop spammers signing up accounts

I thought you might be right however I was proven wrong. When I e-mailed them about the issue they completely disregarded and lied about the reason. **reCAPTCHA is NOT used to stop BOTS because I am a PAYING customer. My PAYMENT is proof of being human.** Thus, since we can officially conclude that bots are not the reason it makes one wonder "Why are they requiring sending data to Google? In what other areas are they lax, incompetent or outright lying to users?"

The reply they gave me was the following which completely dismissed it:

> We are very sorry to hear that, but we completely understand. Unfortunately as of yet this is the most effective way of preventing bots to set up user accounts. We hope you will find an E-Mail-Provider tailored to your needs. Have a great week.

Note, it is a complete lie. I am a PAYING customer. If they can convince bots to PAY them, then they have hit a gold mine. It has nothing to do with stopping bots. It likely has nothing to do with wanting to feed data to google either and that is just a side effect. But, what it does have to do with is having a culture in the company that really does not respect privacy. That is how they came to the conclusion to partner with a spyware company and force the signup CAPTCHA even for paying customers.
PrivacyFanatic commented 2019-06-12 02:20:09 +00:00 (Migrated from github.com)


> We shouldn't be trimming any providers yet.

I agree that there are not many providers, so no providers should be trimmed. However, as an alternative, **maybe it would be better to rank providers based on various categories?**

So, if they continue to be listed, there can be a warning that they have partnerships with spyware companies / data mining companies or something similar. That One Privacy Guy does this with VPN providers. There are behaviors of many VPN providers that indicate their corporate culture is not actually pro-privacy. The pro-privacy is just marketing.

He points out these "unethical" behaviors in his rankings and reviews of companies. There are companies that profit from being pro-privacy. And there are companies that are pro-privacy to their soul. The company is bathed in privacy. It is not merely a marketing strategy to get customers, but it is part of the fabric and soul of the company.

I think that as much as possible these true privacy companies should be placed in front of the fake, marketing-only privacy companies like mailbox.org. So, even if mailbox.org remains on the page there can be a little warning "Business decisions of this company show that privacy is not a first-priority, highest value part of their corporate culture"
ghost commented 2019-06-12 04:12:26 +00:00 (Migrated from github.com)


To be honest I think you're reading way too much into it. I think this will be my last response on the issue as it appears you're conflating a whole bunch of things in a rather ranting way.

With the VPN providers there are many more of them. So we can afford to be more picky. A lot of the points on that site don't really translate over to email. It is not like there are certain providers that won't let you email other providers for example.

The privacy issue with the captcha you have can be mitigated by the Tor Browser. Realistically Google is gonna know you're using Mailbox as soon as you email a @gmail.com user anyway.

Using Google captcha a single time during the sign up process may not be ideal but it serves a purpose. Whenever you use Reddit you have to do the same thing during account signup.

The only data that is sent back to Google is a token saying you completed the captcha if you [look at the developer docs](https://developers.google.com/recaptcha/docs/v3#integration). Therefore they do know what your mailbox username is.

I have not signed up with Tutanota, but Protonmail and Disroot have similar things they do in the signup process. Protonmail for example won't let you use IMAP on free accounts (likely because it's trivial to use that to script a bot). While Disroot makes you 'tell them a little story of why you want to join'. The latter I'm not sure actually would work against a determined adversary, wanting to open bot accounts for spam.

Mailbox is a much larger provider so individually reading the responses might be too much load on physical staff (and then errors are made). That also introduces language issues for people that don't speak the same language as the person reading the challenge response.

> My PAYMENT is proof of being human.

They don't know that when you signup. At the point of signing up you've not paid anything.

There are other tickets that involve [expanding the information about email providers (In regard to security)](https://github.com/privacytoolsIO/privacytools.io/issues/603#issuecomment-443403963). I am in the process of chasing them up for further information on some of the areas of interest.

You have to also remember email is not the most private way to communicate. This is inherent in the design in regard to metadata on the top of the email.
ghbjklhv commented 2019-06-12 21:47:59 +00:00 (Migrated from github.com)

Mailbox.org isn't even close to a monopoly.
Posteo and Kolab Now are way better in the realm of privacy and internet civil liberties.

Plus, last I checked mailbox.org was heavily reliant on proprietary software.

ghbjklhv commented 2019-06-12 21:50:03 +00:00 (Migrated from github.com)


> TL;DR: It's about Google CAPTCHA service.

Google CAPTCHA has been known to target TOR and VPN users.
In my experience, most of the time I just get denied service.

Mailbox.org is not free, therefore there is little reason for them to add another layer for spam protection. :)
ghost commented 2019-06-13 06:36:46 +00:00 (Migrated from github.com)

> Mailbox.org isn't even close to a monopoly.

Not everyone should be on the same provider. Some decentralization is good. Having run a mail server myself I can tell you there's a lot of moving parts and sometimes it is a pain. This is part of the reason I am getting out of it.

Particularly as new standards are adopted. For me it's not a matter of me not being able to do it, it's just a matter of time.

> Posteo and Kolab Now are way better in the realm of privacy and internet civil liberties.

From what I have read Mailbox (the parent company, Heinlein Support GmbH) does do a fair bit of campaigning for privacy and free speech within Germany: https://mailbox.org/en/company#our-history. In this way they're very much more like ProtonMail and Disroot.

When I made some inquiries as a part of my research in the other ticket I was quite impressed that Peer Heinlein personally replied to me (not just drone support with non-specific answers). He was particularly transparent about their operation and I certainly got the feeling he had a fair bit of experience.

Something I had noticed was the providers in that table, particularly towards the bottom half (and the ones with not many ticks) were a lot less helpful. Tutanota was also very helpful and pointed me to tickets on their tracker. The only downside there is, their encryption isn't compatible with PGP or other providers. They have basically rolled their own, which I think was the wrong direction to take. I would have preferred them to get an RFC for their encryption method.

Their encryption only works if you're on Tutanota, or are okay with emailing a "link to the email on their server" rather than an actual copy of the email. They do not have IMAP/SMTP, and do not place importance on being compatible with PGP (which ProtonMail does). That is actually one of the reasons I like Protonmail. I think their bridge software was a good compromise.

Some of the providers didn't really respond with anything more than "we're thinking about this" or they had no plans for implementing these things, or could give me no time frame. I told them that I was looking at updating that email page around March 2020 (1.5 years from when I first contacted them) which is when the removal of TLS 1.0/1.1 in major browsers is due to occur.

You may be also interested in reading this: https://www.ctrl.blog/entry/protonmail-vs-mailbox

At this point Kolabnow does not do MTA-STS. I have inquired about it but gotten no response regarding that. MTA-STS is an important standard for increasing the reliability of opportunistic encryption between mailservers. (Currently the only way to keep the metadata encrypted during transit). PGP doesn't do that. Another thing that bothered me particularly was their weak key exchange of 1024 bits. Some of my contacts use Google Apps (which implements MTA-STS), and it is expected Microsoft will too as they were co-authors on that RFC. A lot of government email I receive is from Office 365, and quite often goes through Mimecast. Both DANE and MTA-STS are important.

Currently Posteo.de, mailbox.org, ProtonMail and Tutanota are the only providers that I can see that have end-to-end encryption at rest, so that the provider cannot read your emails. (Excluding metadata).

ProtonMail allows you to upload your current email through the bridge, and it will be encrypted at rest, it is end-to-end encrypted.

With mailbox.org and posteo.de it will only be 'new emails' that will be encrypted end-to-end with your PGP key (inbound encryption). So if I used either of them I would probably download my current email with OfflineIMAP and not migrate it to my new mailbox.

If you have a lot of sensitive email to migrate, ProtonMail is probably a better choice, the reason for this is because when you upload through the bridge that will be encrypted.

Posteo.de allows encryption of email and it underwent an external audit by Cure53, that however is not end-to-end encryption.

They also offer end-to-end encryption like mailbox.org. Also The Encrypted Mailbox (Mailbox.org). However you should note neither of these things will protect you from lawful interception, TKÜ. Although likely in those situations you'd better hope you do not live in a country that has key disclosure as they would likely apply that to you personally (not the provider). This is of course assuming they know who you already are.

For my personal use I have plans to do something like this: https://www.grepular.com/An_NFC_PGP_SmartCard_For_Android (see video). I don't consider Android to be a very secure environment, and this way I can avoid having my PGP private key on the actual phone.

However as I can't use my own domain name, that rules posteo.de out (for me). This is a must-have for businesses and people who don't want to be 'locked' to a particular provider.
The freedom to me of being able to update my MX record if a provider starts to do something silly like charge ridiculous fees, sell themselves to some other company which is a bad actor etc is something I'm not willing to give up for anyone.

A user may not necessarily care whether a provider is anonymous. I am skeptical about paying for posteo.de and expecting to be anonymous. I am not going to be anonymous if it's the email I give people in real life or submit resumes on anyway.

Unless you're paying extra to clean your bitcoin (ie through a [tumbler](https://en.wikipedia.org/wiki/Cryptocurrency_tumbler)), I would expect the payment could very well lead back to you anyway. It's very much a case of trusting them not to keep data such as which wallet the money came from. If this is in your threat model I'd probably use a free provider, PGP, and never access it without Tor. You'd also be very careful not to do anything with that account that traces back to your real identity.

ProtonMail, at this point, does not have an app on F-Droid, although [that is planned](https://twitter.com/ProtonMail/status/1136631000572878853). I don't have [GAPPS](https://wiki.lineageos.org/gapps.html) on my phone and I use LineageOS.

Protonmail [doesn't have calendars either (yet)](https://old.reddit.com/r/ProtonMail/wiki/dev-status), however this should be coming soon. They are also [planning authentication with U2F](https://old.reddit.com/r/ProtonMail/comments/av56e4/i_know_this_is_a_topic_already_addressed_by_the/ehdylyb/), hopefully [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) and [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) as well. Protonmail does have more flexibility here than Posteo or Mailbox because they use their own API and not IMAP/SMTP.

What would be nice is if Posteo.de and Mailbox.org had an authentication system like Google and became their own OAuth providers.

With Google and OAuth2, you can in Thunderbird give Google your username/password to authenticate with Gmail. A small contextual window pops up (in Thunderbird, for the 2FA code). The [authentication autoconfig format](https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat) allows for specifying the OAuth2 provider.

I'm not sure how many mail clients support authentication via OAuth2, but this certainly seems like the future for providing 2FA codes and also being somewhat compatible with mail clients like Thunderbird. (See the [webmail](https://autoconfig.thunderbird.net/v1.1/gmail.com) bit.) This way 2FA can be offered to IMAP users without application-specific passwords or going without 2FA.

One of the things I do like about ProtonMail is that [contacts in your address book are encrypted (not E2E)](https://protonmail.com/support/knowledge-base/encrypted-contacts/), but the sub-data like phone numbers/notes are [Zero-Access Data](https://protonmail.com/blog/zero-access-encryption/). Posteo's [contacts are also encrypted (not E2E)](https://posteo.de/en/site/encryption#addressbookencryption). With mailbox.org [they are not](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book), but at this point it probably doesn't matter, as with all 3 providers the metadata is available (display name and address field). [Even with Tutanota](https://tutanota.com/faq/#what-encrypted) from the email.

It should also be noted, though, that names and email addresses (typically found in the headers of emails) are not encrypted end-to-end; this applies to all providers. Other information like phone numbers and notes is. ProtonMail [says here](https://protonmail.com/support/knowledge-base/what-is-encrypted/) exactly what is encrypted on their server (and what is encrypted end-to-end); email metadata is not one of those things (To, From, Subject etc). Posteo.de [talks about their encryption](https://posteo.de/en/site/encryption).

> Mailbox.org is not free, therefore there is little reason for them to add another layer for spam protection. :)

Most email providers which don't sell your data aren't free, at some point. Someone has to pay the bills at the end of the day. I'll remind you that Posteo isn't free either. Some of the advanced features of protonmail require a subscription too.

> Google CAPTCHA has been known to target TOR and VPN users.

This is typically because those IP ranges are used by spammers for abuse. That is to be expected.

> In my experience, most of the time I just get denied service.

Sometimes that happens when a specific node is abused a lot. I have noticed that particularly when creating accounts on reddit.

You just reset to another node and do the captcha. You only have to do it once; that is not a huge ask. The exact data sent to Google is in [their developer documents](https://developers.google.com/recaptcha/docs/v3#integration): it's the page you're visiting and that site's site key.

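As an added illustration of the autoconfig point above (this is an example written for this page, not code from the comment author or from any provider): a Thunderbird autoconfig fragment for a hypothetical provider, listing OAuth2 ahead of password authentication. The domain, hostnames and display names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from any real provider: Thunderbird autoconfig for the
     hypothetical domain "example-mail.invalid". Hostnames are placeholders. -->
<clientConfig version="1.1">
  <emailProvider id="example-mail.invalid">
    <domain>example-mail.invalid</domain>
    <displayName>Example Mail</displayName>
    <displayShortName>Example</displayShortName>

    <incomingServer type="imap">
      <hostname>imap.example-mail.invalid</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
      <!-- Authentication methods are listed in order of preference. With OAuth2
           first, the client never stores the mailbox password and the provider
           can enforce 2FA in its own login page; password-cleartext (only ever
           sent inside TLS) remains as the fallback for older clients. -->
      <authentication>OAuth2</authentication>
      <authentication>password-cleartext</authentication>
    </incomingServer>

    <outgoingServer type="smtp">
      <hostname>smtp.example-mail.invalid</hostname>
      <port>465</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>OAuth2</authentication>
      <authentication>password-cleartext</authentication>
    </outgoingServer>
  </emailProvider>
</clientConfig>
```

Thunderbird only completes the OAuth2 flow for hosts whose issuer and token endpoints it already knows, so a provider publishing this file also needs those details registered in the client.
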
ghost commented 2019-06-13 07:28:31 +00:00 (Migrated from github.com)

> Plus, last I checked mailbox.org was heavily reliant on proprietary software.

Mailbox.org uses [Open-Xchange](https://en.wikipedia.org/wiki/Open-Xchange); the source is available for that. OX does have support contracts, which are paid for. Think of it a bit like RHEL. I could see that being an important factor for a large provider with many customers.

[Protonmail source](https://github.com/ProtonMail) is available for some parts of their system. It would not be enough to run your own 'clone of Protonmail'. That is developed internally so they provide support to themselves. That is probably why they are a bit more expensive than other providers.

[Some of posteo's source](https://github.com/posteo) is available. They tend to be using a lot more community source, Roundcube etc.

It is however important to note, although the source is available, there are probably parts that are not used internally.

As it's not your hardware, technically none of the source is available (you can't check that the source on github, for example, is actually the same as what is in use). So you are putting a certain degree of trust in a service someone else runs.

For businesses that need GDPR auditing, it would appear [ProtonMail](https://www.digitalmarketplace.service.gov.uk/g-cloud/services/308242251657253) and [Mailbox.org](https://mailbox.org/en/business-mail) would probably be a more suitable choice. Of course using their own domain would be a non-negotiable factor as well.

Perelandra0x309 commented 2019-06-18 03:12:51 +00:00 (Migrated from github.com)

> reCAPTCHA is NOT used to stop BOTS because I am a PAYING customer. My PAYMENT is proof of being human.

This statement is false. Captcha is used only when signing up for a new account. At that point you are not yet a paying customer. So mailbox is using captcha to prevent spam bots signing up for new accounts. Once you have an established account captcha is not used. I have had a mailbox account for several years and never get a captcha request when signing in using the website. Once you are a paying customer mailbox has made the decision not to use a captcha, which shows they do have respect for privacy for their paying customers.

Reference: privacyguides/privacytools.io#985