r/bmail_official


Chris from bmail.ag here, the only verifiably private email service. I have been in the privacy industry for over a decade and have seen a ton of misinformation about email providers, so I'm helping set the record straight.

Drop your email provider below and I will tell you exactly how private it is, and what its architecture actually does and doesn't protect against.

Proton, Tuta, Gmail, Yahoo, AOL, Outlook, Fastmail. No one's safe.

u/V3R1F13D0NLY — 11 days ago

When did you first become concerned with email privacy?

Was it the Snowden leaks? The 3 billion breached Yahoo accounts?

What was the moment that made you realize the importance of protecting your inbox?

I always knew there was a chance email was being watched, but Snowden confirmed it for me.

u/V3R1F13D0NLY — 4 days ago

'Swiss Privacy' has more holes than Swiss cheese

A Swiss flag is not a firewall.

If a provider can log your IP address to 'monitor for abuse,' they can log it for a court order. If they can monitor a mailbox for 'safety,' they can monitor it for a government. They are not villains. They are administrators operating under whichever set of laws applies this week.

In 2021, Swiss authorities ordered ProtonMail to log a user's IP. ProtonMail complied. The architecture permitted it. Switzerland, it turned out, was a jurisdiction, not a guarantee.

bmail's API gateway runs inside an Intel SGX enclave. Client IP addresses are processed in hardware-isolated memory and never written to any storage. There is nothing to log because the architecture never permitted it.

Physically protected by hardware, not imaginary lines.

u/V3R1F13D0NLY — 5 days ago

Lavabit, an email provider, once printed 410,000 encryption keys in 4-point font on 11 pages, handed them to the FBI, then deleted the entire company

A clip from this week's Hide & Speak where we discussed the insane Lavabit story.

A court order arrived demanding the encryption keys that protected 410,000 user accounts. The founder complied... technically...

He printed every key in 4-point font across 11 pages and handed the physical stack to the FBI. 🤣 What a legend.

They were not amused. They demanded an electronic copy and gave him almost no time to produce it.

He chose option three. He deleted the company. 410,000 accounts and inboxes wiped overnight.

A few things worth pulling out:

  • The legal mechanism that forced the keys is still on the books
  • Most email providers would have complied without the printout stunt or the deletion
  • Users had no warning and no way to verify what was happening on the backend
  • This was not a hypothetical. It was a real court order, in 2013, against a real provider that thousands of people trusted with their email

The part that sticks with me is that the choice even existed. If the keys are accessible to the provider, they are accessible to anyone with a court order or anyone who compromises the provider.

For anyone who has read about this case before, what other providers do you think would have made the same call he did?

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

u/V3R1F13D0NLY — 6 days ago