Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If you're really concerned about someone stealing your e-mail don't store it on a server! I download all my e-mails to my laptop using Thunderbird, where I store them in an encrypted filesystem. I make daily encrypted backups of the e-mails which I store in the cloud, the encryption key never leaves my device. I keep 3 months of e-mails available online so I can search through them on my phone (which is an acceptable risk for me). IMHO services like Protonmail offer very little additional protection over that.

Few people remember this today but downloading e-mails was the norm in the early 2000s and before. You would only keep a few weeks or months of e-mails on the server and then either delete or download them, as providers didn't offer very generous storage quotas. It was only with the introduction of GMail that this changed because Google offered "unlimited" storage (since they wanted people to store all their e-mails online so they could mine them).

BTW Protonmail doesn't need to inject extra JS into your client and wait for you to login in to decrypt your e-mails, they receive them all in cleartext and they send out e-mails for you in cleartext so they can simply log them without any modifications to the client code.



Not to criticize, but to clarify:

> encrypted backups of the e-mails which I store in the cloud, the encryption key never leaves my device.

Doesn't in mean that in (unlikely) case something happens to your device (like harddrive crash), you won't be able to access the backups?


You can have encrypted offsite backups for cheap a la backblaze (and slightly more expensive with other providers if you have principled objections to backblaze).


What would be some objections to Backblaze?


I think only this:

https://news.ycombinator.com/item?id=26536019

Depending on your POV it is either a mild story or a non-story. It certainly doesn't meet my threshold for avoiding a service, but some people are more sensitive.


Sounds like a single point of failure to me as well. I don't think it is that unlikely that laptop unintentionally change owners or just break.


I have an offline backup of the key (encrypted).


Is this based on the assumption that the NSA’s collect_metadata.sh cronjob is on a longer than 3 month cycle?

As a privacy step i see how this protects you from hackers and thieves (and legitimate search warrants), but not anything snowden warned us about


I'm not trying to protect against state-level surveillance, that would be hopeless IMHO. I'm protecting against a hacker stealing my entire e-mail history from the last 5-10 years.


Who are you emailing? Do they practice the same email security practices that you do?


Probably not. You want to say that my e-mails can still get leaked by their recipients? Sure, but that's a risk I can't control anyway.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: