On Saturday, March 10, 2018 at 9:38:38 AM UTC-5, little help wrote:
> On Wednesday, March 7, 2018 at 8:11:25 PM UTC+1, Tim W wrote:
> > I am sorry what is reason so many people want to get and use a riseup.net 
> > account outside political or some other social reason
> > 
> > They had their canary down for over a year because of gag order from the 
> > feds.
> > 
> > They have totally rewritten there canary statement since which was prior 
> > very clear and concise.  Now it looks to be heavily lawyered careful play 
> > on words...thus its vague using words that can having wide varying meaning. 
> >  what is omitted is any speech with the words warrant, gag order, NSL.  If 
> > they get any of those it will NOT of itself require them activating the 
> > canary protocol.
> > 
> > Here is their old Canary statement followed by the new one:
> > 
> > OLD:
> > riseup has not received any National Security Letters or FISA court orders, 
> > and we have not been subject to any gag order by a FISA court, or any other 
> > similar court of any government. Riseup has never placed any backdoors in 
> > our hardware or software and has not received any requests to do so. Riseup 
> > has never disclosed any user communications to any third party.
> > 
> > 
> > NEW:
> > Riseup positively confirms that the integrity of our system is sound. all 
> > our infrastructure is in our control, we have not been compromised or 
> > suffered a data breach, we have not disclosed any private encryption keys, 
> > and we have not been forced to modify our system to allow access or 
> > information leakage to a third party.
> > 
> > 
> > Unfortunately we cannot use common sense to read these but they must be 
> > read thru the eye of a laywer  I think you really see the effects of the 
> > rewritten statement. 
> > 
> > From what I can tell the system is closed source.  They no longer offer any 
> > form of encryption.  I must all be done on your email client.  There is no 
> > two factor authentication.  The user name and password to get your into 
> > your mailbox from what I can see maybe moot as there is no info on any use 
> > of encryption outside users manually or thru a client using gpg.  If that 
> > is correct then any mail not gpg encrypted is sitting in the mailbox in 
> > cleartext.  Unless there is something like AES 256 protecting the mailbox 
> > via your password but then that means thru the recovery passcode system 
> > they very well can get back into your mailbox even with lost credentials 
> > and no reset alternate email address.
> > 
> > For a person that plans to gpg encrypt all their emails what does this 
> > offer anyone over the other free email accounts.  Sure your contacts are 
> > not mined to hell and back but in terms of email content I see no 
> > difference and actually lower login security.
> > 
> > I was looking at the thread and it looks like around 40 people requested 
> > referral codes on this thread while the canary was expired.  One person 
> > even mentioned it and it went uncommented on.
> > 
> > Compare this to say protonmail its not even remotely close.  As both can be 
> > had for free and without all the need for referrals as its targeted toward 
> > liberal/social/anticapital political change groups not sure the point?  
> > Elitism?
> > 
> > I honestly was surprised so many people on this list asking for it and 
> > where unphase by the fact the canary was expired and it was known they were 
> > under a gag order.  We make a big deal about a close source binary blob for 
> > a driver or firmware to a nic or gpu yet a closed source email provider 
> > system with a triggered canary and no one misses a beat?  I know the thread 
> > was off topic and has been running for years and why I never even read it 
> > till now for no other reason than I was wasting time but wow I am surprised.
> Yeah your concerns are legitimate.
> I guess they changed canary to make it more usable. Old one was a bit awkward 
> since due to warrant they were not able to update it or comment anything 
> about it.
> New one doesn't cover subpoenas and gag orders, but only covers 
> infrastructure they control and are always free to comment on.
> So new canary is not as reassuring as old one, but new one will not cause 
> this 6 months old radio silence when users didn't know what is going on.
> Btw old gag order and investigation was because of some cryto blackmailing. I 
> think I found this somewhere on riseup canary pages.
> You are right there is nothing else than username and password protecting 
> your account. But this is the same for every other non two factor 
> authentication account. And two factor isn't perfect either.
> And they are as far I know closed source so you just have to trust them. 
> Which is again same as majority of other email providers.
> You mentioned that "They no longer offer any form of encryption."
> This is not true. After that gag order debacle they introduced new encrypted 
> mailboxes.
> https://riseup.net/en/about-us/press/canary-statement
> Under this new system (if what they claim is true), feds will not be able to 
> read any emails if they don't have password of account. Under old system 
> riseup admins were able to provide content of emails to feds without your 
> password, under new system they cant. (New system also doesn't allow admins 
> to reset your password if you forget it)
> So to answer your question, I guess people are recently rushing to riseup 
> because it is "known as secure" and they trust the sources where they heard 
> that.
> I reality nobody can be rally sure if whole thing is not just honeypot.
> And most importantly. You said that if you encrypt your emails with PGP, 
> riseup doesnt offer much more than any other free email provider. This is 
> mostly true. But for people that are switching from using gmail, this is 
> still huge step forward, since riseup promises they wont mine emails content 
> to serve users ads or manipulate them in any other way.
> (emails are old technology and data travels between email servers unencrypted)

You are correct on the encrypted mailboxes.  The issue is they really suck as 
giving info on it and thats why I missed it.  

Here is the info I found in case anyone is interested:

TREES - A NaCL-based Dovecot encryption plugin

This plugin adds individually encrypted mail storage to the Dovecot IMAP

This plugin is inspired by Posteo's
which uses OpenSSL and RSA keypairs. TREES works in a
similar way, but uses the Sodium crypto library (based on NaCL).

How it works:

On IMAP log in, the user's cleartext password is passed to the plugin.

The plugin creates an argon2 digest from the password.

This password digest is used as a symmetric secret to decrypt a libsodium 

Inside the secretbox is stored a Curve25519 private key.

The Curve25519 private key is used to decrypt each individual message, using 
lidsodium sealed boxes.

New mail is encrypted as it arrives using the Curve25519 public key.

Sorry I am usually very good at finding things like this when I dig but I 
missed it this time.  So its confirmed according to their doc they do 
automatically encrypt and decryt email data using keys generated and accessed 
by the login password.

Still wording and issue that make me uncomfortable about their system.

As for protonmail the comment about using the bridge is correct but it is also 
available for Linux.  


"Download and install the ProtonMail IMAP/SMTP Bridge to use your encrypted 
email account with any email client. Available for Windows, Mac, and Linux."

Maybe they added Linux later? This is likely the case as they are still in a 
rapid advancement/implementation roll out and grow phase of their business 
model.  Actually read a bit farther and it was just recently they add linux as 
they stated expecting to add it spring of 2018.  Its cool a company that 
actually beats its estimated delivery times on upgrades and new apps.

Frankly, I personally would never keep sensitive emails on any server  and 
certainly not one I did not control for longer than needed to be access, 
replied to.  Once done they would be copied to local control or deleted.  Even 
on my local machine I would move to a layered encryption offline archive backup 
if it needed to be kept for reference beyond its current use need. 

My guess is we all know plenty of people who have every email they have ever 
gotten still siting in their gmail account; hundreds of thousands emails easy.

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to