Lavabit is probably the most secure, private email service right now

Martin Brinkmann
Jul 14, 2013
Updated • Jun 30, 2019
Software, Windows software

We know that Google reads emails that you receive to display advertisements on Gmail, and that other mail providers may be doing the same. With new information about Prism still hitting the news on a daily basis, it may be important for Internet users to find alternatives to services by companies that allegedly have aided the NSA.

Some alternatives may even provide you with better overall security. Edward Snowden, the whistleblower who leaked information about Prism, apparently used Lavabit as the email provider for one of his accounts.

You have probably never heard about Lavabit before, as it is a rather small provider with just over 350,000 users in total. What sets it apart though is a focus on privacy and security that you may not easily find elsewhere.

The service offers free and paid accounts. What is interesting here is that there are two free accounts available, basic and personal, that differ in regard to available storage, the message size limit, and whether advertisements are displayed to the user or not. The basic account provides you with 128 Megabytes of storage, but does not come with ads at all, while the personal account offers 1 Gigabyte of storage and advertisements.

The paid accounts increase storage, the incoming and outgoing message limit per day, message size limit, and add a couple of extra privacy and security features to the account including fully encrypted email storage on the company servers.

The most expensive account for individuals is the premium account. It gets you 8 Gigabytes of storage, all features, an increased incoming and outgoing message limit, and more, for $16 a year.

Security and privacy features

Let's take a look at the security and privacy features that Lavabit offers:

  • Transport Layer Encryption via SSL
  • Secure Mail Storage via asymmetric encryption so that emails, once on the server, can only be read with the user's password. This means that no one can access them, and that they cannot be handed over either.
  • ClamAV integration
  • DomainKeys support to prevent domain impersonation.
  • Sender Policy Framework (SPF) to verify that messages have been sent from a server that is authorized to relay messages for a domain.
  • Greylisting and blacklisting support.
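
A sketch of how password-bound storage encryption of the kind named in the second bullet can work. This is an added example, not Lavabit's code; RSA-2048, AES-256-GCM, the sample password and message, and every function name are assumptions.

```javascript
// Added illustration, not Lavabit's code. Algorithms and names are assumptions.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Signup: the server keeps the public key in the clear and the private key
// only as a PEM blob encrypted under the user's password.
function createAccount(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: password,
    },
  });
  return { publicKey, encryptedPrivateKey: privateKey, mailbox: [] };
}

// Delivery needs no password: a random per-message AES key encrypts the body
// and is itself wrapped with the recipient's public key.
function deliver(account, plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: account.publicKey, ...OAEP }, key);
  account.mailbox.push({ wrappedKey, iv, tag: cipher.getAuthTag(), body });
}

// Reading unlocks the private key with the password. In this sketch that
// happens on the server, so the server sees the password during a session;
// the protection covers mail at rest, not an operator watching a login.
function readMail(account, password, index) {
  const msg = account.mailbox[index];
  const key = crypto.privateDecrypt(
    { key: account.encryptedPrivateKey, passphrase: password, ...OAEP },
    msg.wrappedKey,
  );
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Returns null instead of throwing when the password or key does not match.
function tryRead(account, password, index) {
  try {
    return readMail(account, password, index);
  } catch {
    return null;
  }
}

// A reset without the old password can only issue a fresh key pair; mail
// wrapped to the old public key stays unreadable. A provider that can reset
// a password and still show old mail is not using this kind of scheme.
function resetPassword(account, newPassword) {
  const fresh = createAccount(newPassword);
  account.publicKey = fresh.publicKey;
  account.encryptedPrivateKey = fresh.encryptedPrivateKey;
}

function demo() {
  const password = 'correct horse battery staple'; // constructed sample
  const account = createAccount(password);
  deliver(account, 'Subject: hello\r\n\r\nconstructed sample message');
  const asOwner = readMail(account, password, 0);
  const wrongPassword = tryRead(account, 'operator guess', 0);
  const storedInClear = account.mailbox[0].body.includes('constructed');
  resetPassword(account, 'new password');
  const afterReset = tryRead(account, 'new password', 0);
  return { asOwner, wrongPassword, storedInClear, afterReset };
}

console.log(demo());
```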

Setting up an account

Once you have set up an account, free or paid, you can add the new email address to one of your email clients. If you are using a local client, you can use POP3 or IMAP to do so. Lavabit offers a web interface as well which you can make use of to retrieve emails.

In Thunderbird, you do the following:

  1. Select Tools > Account Settings.
  2. Click on Account Actions and select Add Mail Account.
  3. Enter your name, the email address in the form username@lavabit.com and the password that you have selected during signup.
  4. Thunderbird will retrieve the incoming and outgoing server information automatically, so that you only have to pick POP3 or IMAP to set up the account.

The web interface is very basic in comparison to Gmail or Outlook, but it is sufficient to read and compose email messages, and that is what it is all about in the end.

If you have selected one of the free accounts, you can upgrade it to one of the available paid accounts in the preferences on the official website.

Closing Words

The free accounts do not support the encryption of email storage on the server. While you do get a couple of other interesting features, it is full encryption that sets this service apart from Gmail and other popular email services. This means that you may want to pay $8 or $16 per year to take advantage of that feature.

Update

Lavabit has shut down. The owner and operator of the service notes on the main site that he had to decide to "become complicit in crimes against the American people or walk away from nearly ten years of hard work". Unfortunately, he is not allowed to share why the service is shut down but states that he will fight whatever he is facing in court.

Update 2: Lavabit is available as a service again.

Publisher
Ghacks Technology News

Comments

  1. Natasha said on December 5, 2014 at 2:05 pm

    Try Runbox.com
    They are based in Norway.

  2. Jey said on October 24, 2013 at 5:53 pm

    “Dan August 8, 2013” – “The problem with lavabit and other technology solutions is that the enemy does not rely on breaking the crypto. All they need to do is to use the massive legal power of the state to compel compliance or to destroy the service.”

    That’s right. This is why I am planning a Lavabit-like paid service hosted in Europe. I am looking for testers to get some feedback. Those interested in helping me will get a free personal email account. Contact me at: test@onelink.tk

    1. Dave said on October 24, 2013 at 8:45 pm

      With respect, how do we know that this is not a mail address harvesting scheme or some other nefarious activity? Who is or is NOT trustworthy? More information posted on a website would be better I feel, or disclose plans to a source like Martin for publication. I’m interested in principle but must say, I’m disinclined to e-mail a complete stranger, never mind disclosing any other information!

      1. Jey said on October 24, 2013 at 11:06 pm

        You are right. I want to clarify that the free email account will expire in a few months as I will not use the .tk domain for the production server but probably an .eu .ch or .is depending on where I will set up the hosting. I will have COMPLETE access to emails on onelink.tk for testing, so it is not advisable to use it for your private purposes. Then I will be very happy to grant a real email address to testers for their help. I am setting up the website but I will release it to the public when ready.

        Service features will be similar to Lavabit ones, and in detail:
        Transport Layer Encryption via SSL3/TLS1.2 over http pop imap smtp
        “A” rated https encryption by SSL labs
        DKIM support to prevent domain impersonation
        Sender Policy Framework (SPF) to verify that messages have been verified from a server that is authorized to relay messages for a domain
        Secure Mail Storage via TRUECRYPT encryption
        CLAM AV integration
        Roundcube WEBMAIL over https only
        (+ other features under testing)

  3. Roberts_c said on August 12, 2013 at 2:03 am

    Oh, OK. I have looked at a few since my Lavabit was shut down so maybe I’m getting mixed up. They look good, I signed up as well.

  4. Roberts_c said on August 11, 2013 at 7:00 pm

    I agree, better if they don’t use java, active x etc. http://privatdemail.net/en/ looks good, but they do seem like they use java.

    1. Geek said on August 11, 2013 at 9:55 pm

      Oh? I don’t even have Java installed on this box and I was able to sign up and use my client. There is no web interface….

  5. Q said on August 9, 2013 at 2:08 pm

    No, Silent Circle is not shut down. Their project to develop Silent Circle mail has been shut down. But, the company, along with its other products, are very much alive and kicking.

  6. Quan Shui said on August 9, 2013 at 10:58 am

    So, what is the option now?

  7. Johnbo said on August 9, 2013 at 9:36 am

    One of the things that I really liked about Lavabit was that it did not use Java. I basically use a browser with just about everything shut off so there is no scripting, ActiveX, etc and Lavabit was the only one I could find that would work like this. Is there a secure alternative that does not use Java or anything else besides the most basic setup?

  8. Larry said on August 9, 2013 at 7:26 am

    Silent Circle is shut down. They preemptively shut down after Lavabit did.

  9. Dan said on August 8, 2013 at 11:43 pm

    The problem with lavabit and other technology solutions is that the enemy does not rely on breaking the crypto. All they need to do is to use the massive legal power of the state to compel compliance or to destroy the service.

    1. Martin Brinkmann said on August 9, 2013 at 3:58 am

      That’s pretty scary if you ask me.

  10. Roberts_c said on August 8, 2013 at 8:54 pm

    https://riseup.net/en can reset passwords. If they can do that, it’s not encrypted on the server.

  11. Roberts_c said on August 8, 2013 at 8:51 pm

    I cannot get onto https://tamar.safe-mail.net. Has it been shut down as well?

    1. Piano said on August 21, 2013 at 4:48 pm

      Go to safe-mail.net, and remember they are allowed to read your mails :)

    2. Martin Brinkmann said on August 9, 2013 at 4:01 am

      The only one that I know of that shut down in the wake is Silent Circle: https://silentcircle.com/

    3. Geek said on August 9, 2013 at 3:20 am

      Odd, it was working when I investigated the site this morning.

      They’re in Israel… may as well be Washington, DC as far as spying politics goes.

  12. Roberts_c said on August 8, 2013 at 8:43 pm

    I gave my donation for the conspiracy fight. WikiLeaks can’t even get donations. Shut down by Visa and PayPal.

  13. Dave said on August 8, 2013 at 3:38 pm

    Conspiracy! Does sound that way. Anybody know more? Perhaps it ought to be re-located.

  14. Nick said on August 8, 2013 at 3:30 pm

    This is on Lavabit’s website now:

    My Fellow Users,

    I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

    What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

    This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

    Sincerely,
    Ladar Levison
    Owner and Operator, Lavabit LLC

    Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

  15. antigeek said on August 8, 2013 at 3:22 pm

    @geek:

    clearly you, those who laugh at the conspiracy theorists, won’t laugh last, and will look miserably at the end of the day.

    just read the message at lavabit.com and then try typing “let the conspiracy theories begin” once more.

    1. Geek said on August 8, 2013 at 7:56 pm

      Oh, hey! Lookie what I found today:
      http://privatdemail.net/en/

      No web interface, only POP and IMAP, but no logs and SSL! Also not under the EU/US snoop laws … they claim to be in an arab country.

      Cheers!

      1. Jason said on August 9, 2013 at 4:14 am

        Well, a company based in an Arab country is probably the last choice you’d like to use. Or second last, right after China.

        Except for Israel there is _no_ country in the Middle East that could be called an open and stable democracy, one that at least on the paper respects people’s rights. All of these are either dictatorships or old-style monarchies (which are, after all, dictatorships with style). And for Israel: Israel is a) home to one of the most sophisticated secret services in the world and b) under the constant impression of being attacked.

        If you don’t want some US company to host your data, have a look at Northern European countries, i.e. Scandinavia. Germany might be a choice as well, they have a strong, constitution-based protection of private data, even though current governments play the “security rules out everything”, too.

      2. ex-antigeek said on August 9, 2013 at 3:34 am

        also looks promising
        http://www.mailpile.is/

        and don’t forget to at least take notice of bitmessage
        https://bitmessage.org/wiki/Main_Page

    2. Geek said on August 8, 2013 at 5:17 pm

      @antigeek – I did not laugh at the conspiracy theorists. I myself thought an FBI raid was going on, but having no evidence to support this, I chose to voice only facts.

      1. antigeek said on August 8, 2013 at 7:20 pm

        ok, sorry then, dude.
        it must be years of being happy lavabit user and then seeing it dead (more like killed) that angered me this much – and sadly the conspiracy theories are becoming reality these days (and too many people still deny the obvious)…
        peace.

  16. j1nxxx3 said on August 8, 2013 at 3:14 pm

    Lavabit is down. went to check my email this morning, got this
    https://lavabit.com/

  17. Leonard Leslie said on August 8, 2013 at 7:03 am

    As of early yesterday (08/07), My connection to Lavabit could not be established. Are they gone or just down? Hmmmm.

    1. Geek said on August 8, 2013 at 7:33 am
  18. Mike said on July 23, 2013 at 4:22 pm

    Trying to maintain any type of email security while using Outlook is like exercising while smoking. Switch to an open source email client as the first step.

  19. Ken Saunders said on July 14, 2013 at 6:54 pm

    So what is the total solution? Is there one? You’re in the hands of others online and the only way to be fully covered is to stay offline. Seriously.
    At some point, you have to trust someone. What makes you think that anything that you use online, or (nearly) any piece of software is what the developer, company, organization, says. That’s what I’m reading in the comments above.

    It is in the best interest of a company, organization, individual, whatever to operate honestly and with nefarious, shady motives if they want to generate any revenue, or have anyone use their product and or service no matter what that may be.

    There are checks and balances in place. When a privacy policy or TOS is posted, then the entity needs to respect it and adhere to what it states or they can be sued (it’s a contract between consumers and providers), and they will lose consumers.

    No one would use Startpage, Hushmail, and others if they didn’t deliver what they say that they do, so they wouldn’t jeopardize losing everyone (and face a class action law suit) by doing anything but, what they say they do/offer, etc. They wouldn’t be able to compete so they offer something different, better, sometimes unique.

    With all of that said, There are just a few services, products, and companies that I trust, but only one of them 100%. That’s Mozilla.

    I do have a Hushmail account and only did so after some research. Google I’m still getting away from and working on self-hosted email (for now), although that is on my web host’s servers.

    “Using Thunderbird with GPG and Enigmail addon means *you* are in control of the encrypted mail”

    Unless you go through all of the code in the add-on (which you can do of course), how do you know that you are in control?

    You’re trusting the add-on developer(s) and Mozilla, and whatever else in between.
    But you can/should trust Mozilla of course.

    Thanks for the info Martin. I’ll look into it.
    The price that you mentioned isn’t unreasonable. Especially compared to other services (Yahoo, Google Apps, etc) and what they offer and do. I’m still looking for a better business, pro solution.

  20. Seban said on July 14, 2013 at 6:38 pm

    I have an email account at posteo.de. Unfortunately I am unable to find an English version of the site, it might not exist.

    https://posteo.de/site/datenschutz
    • SSL
    • Registration w/o personal data
    • No storage of reference data
    • No saving of IPs
    • IP stripping
    • …

    They also value sustainability, using renewable energy and social financing.
    It costs 1€ per month.

    I’d like to use PGP-encryption, but nobody I know uses it. I keep attaching my public key, but nobody seems to care :/

    1. Piano said on August 21, 2013 at 4:45 pm

      You can ask POSTEO everything what has to do with privacy on their servers, they will answer your questions in English – not a standard machine writing, they really read what you write to them.
      You can ask them technical questions or what to click to send a mail, there are always polite
      and relevant answers you get from their support.
      Piano.

  21. melen said on July 14, 2013 at 4:19 pm

    Just signed up and it’s very easy to configure. I hooked it up with my Outlook account and that was very easy also. Really not a hassle at all, I first started to read how to set it up with Outlook and it seemed a little complicated so I just went to my Outlook page and into options and it was self explanatory. Really a cinch and very easy to set up. Have tried it from Lavabit and Outlook sending and receiving mail without any problems. Thanks for the info on this little beauty…….

  22. KK said on July 14, 2013 at 4:02 pm

    “I think the important thing about mail encryption is that we need everyone to be doing it – it needs to become the system default. Until then, encryption may simply help the establishment and their govt clones to single out the ‘troublemakers.'”

    It *needed* to be the system default from the beginning. That option was not chosen.
    Any guesses as to why?

    If email is not encrypted….it’s not “snooping”. Get it?

    Like you said, corporations and government *do not* have your best interests at heart.

    If you’re not at the top of the money pyramid…
    You are the “mark” of the beast so to speak.
    An entity that gets trinkets (Gmail etc.) in trade for your wealth (labor, time etc.)

    The sucker born every minute.

    Linux and encryption came from people that don’t want to play that game.
    It’s join them or lose your wealth really.

  23. Jojo said on July 14, 2013 at 2:50 pm

    You might want to check out http://www.safe-mail.net also. I’ve been using their free account (only 3MB storage) as the target account for mails from my Spamex account. They are very reliable in general. Are they really secure? [shrug] Who knows? I can only go by what they say.
    ============
    Overview of Safe-mail Features

    Safe-mail is one of the most secure communication systems on the planet. We provide email, instant messaging, data distribution, data storage and file sharing tools in an easy-to-use suite of applications that allow businesses and individuals to communicate with each other in privacy and confidence. Because Safe-mail applies advanced encryption security at every point in the system, no one can intercept your messages, and no one can view the contents of your account.

    https://tamar.safe-mail.net/support/eng/help/infocenter.html

    1. Anon said on April 18, 2014 at 6:28 pm

      Safe-Mail is operated out of Israel. Enough said….

  24. Wayfarer said on July 14, 2013 at 2:48 pm

    The problems with Prism, etc, haven’t just arisen because of govt snooping, but because lickspittle corporate managers put their customers second – but that’s hardly new. Anyone who trusts any of these people – Microsoft, Google, whoever – with sensitive data deserves all they get. But too often privacy and security come a poor second to ‘cool’ – even with most consumers, it has to be said.

    I think the important thing about mail encryption is that we need everyone to be doing it – it needs to become the system default. Until then, encryption may simply help the establishment and their govt clones to single out the ‘troublemakers.’

    As someone said, Thunderbird with Enigmail might be the best answer to date – but how much better (for most users) if email clients like Thunderbird were built around security instead of treating it as an add-on.

    Snowden? The man’s a hero as far as I’m concerned.

  25. Dave said on July 14, 2013 at 2:32 pm

    Tried this on the second-grade “free” account and got annoying adverts stuck on the end of incoming mail when I tested it. That’s a miss for me, I’m afraid.

  26. Glenn said on July 14, 2013 at 1:35 pm

    You describe POP3 and SMTP as if they’re alternatives, one to the other; but POP3 is for getting and SMTP is for sending messages. This just makes me wonder if you meant to say IMAP instead of SMTP (since IMAP is an actual alternative to POP3 for getting messages, and both–POP3 and IMAP accounts–would use SMTP for sending). Personally, I’d never use POP3 for email (except maybe for archiving Gmail messages locally), so Lavabit doesn’t look very interesting (unless it actually does provide IMAP support).

    1. Martin Brinkmann said on July 14, 2013 at 3:32 pm

      Glenn you are right. I thought IMAP but wrote SMTP. Have corrected it in the article.

  27. Mask said on July 14, 2013 at 11:18 am

    “Secure Mail Storage via asymmetric encryption” is only for paid accounts.

    1. Martin Brinkmann said on July 14, 2013 at 11:35 am

      That is right.

  28. KK said on July 14, 2013 at 10:34 am

    Nebulus has it right.

    I mean, Lavabit and Startpage could be wholly owned subsidiaries of Google Inc.
    Who really knows who owns what?
    The corporate world has a byzantine structure.

    Remember Scroogle?
    http://searchengineland.com/scroogle-org-is-gone-forever-says-site-owner-112245

    They were thwarted by Google all the way. But Startpage.com is able to offer the same basic idea unfettered. Why does Google not harass them? Hmmmmm.

    Using Thunderbird with GPG and Enigmail addon means *you* are in control of the encrypted mail. As far as that can be trusted anyway. At least it’s a start.

  29. Nebulus said on July 14, 2013 at 10:10 am

    A few remarks:
    1. Just because Snowden used a certain email service, that doesn’t mean it’s the most secure service in the world.
    2. Just because they claim they encrypt everything, that doesn’t mean that they are really doing it.
    3. Even if they do what they say, as long as the code is not reviewed by people with enough experience and expertise in cryptography, bugs or implementation errors can still exist.

    1. Martin Brinkmann said on July 14, 2013 at 10:54 am

      Sure, that is right. You can however add other means of protection on top of that. As some have pointed out, use encryption in Thunderbird.

      1. Nebulus said on July 14, 2013 at 2:29 pm

        Yes, in my opinion, using end to end encryption (i.e. Enigmail plugin + GPG) gives you a higher degree of confidentiality. That way you will not rely on mail server owner’s good will.

  30. Gonik said on July 14, 2013 at 9:55 am
  31. Richard said on July 14, 2013 at 8:13 am

    Addendum
    You might also investigate Off-the-Record Messaging at http://www.cypherpunks.ca/otr/ for secure IM/SMS type communications.

  32. Richard said on July 14, 2013 at 8:07 am

    Take a look at three other choices:
    1. Hushmail http://www.hushmail.com/,
    2. Enlocked https://www.enlocked.com/
    3. Thunderbird add-in Enigmail – http://www.enigmail.net/home/index.php

    1. Geek said on July 22, 2013 at 4:47 am

      Hushmail hands over data and they lie when they say their admins can’t access emails – not secure.

      http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

    2. aj said on July 18, 2013 at 8:19 pm

      All of the email providers you are talking about are in the United States, so you’re sort of missing the point concerning PRISM. If the server is in the USA then they are subject to the laws of the United States. Runbox, based in Norway, is a safer and better selection as they are by Norwegian law, not allowed to conspire with the NSA or anyone else outside of Norway. They have a secure SSL connection. They are inexpensive and very responsive to any questions you have about your account.

      1. Geek said on July 22, 2013 at 4:51 am

        Incorrect – Hushmail is based out of Vancouver, Canada. But they have been handing PGP keys over to the US readily: http://it.slashdot.org/story/07/11/17/1823225/hushmail-passing-pgp-keys-to-the-us-government

    3. Martin Brinkmann said on July 14, 2013 at 8:59 am

      Thanks for the links Richard, very helpful.

      1. Mark said on September 9, 2013 at 8:25 am

        Take a look at http://www.mail1click.com the company is based in the UAE but the servers that I’ve traced are located in Germany.

      2. tim said on August 21, 2013 at 10:16 am

        Dear Martin,

        I found your article. Thank you. However, going to Lavabit a notice of shutdown of the service was listed.

        Are there any ‘safe and private’ email services for free-use in Germany, in English?

        Thank you
        Tim

      3. Martin Brinkmann said on August 21, 2013 at 12:35 pm

        I do not know any German service, but I’m monitoring the Icelandic Mailpile project which will launch in 2014 if everything goes as planned: http://www.mailpile.is/
