Lavabit is probably the most secure, private email service right now

We know that Google reads emails that you receive to display advertisement on Gmail, and that other mail providers may be doing the same. With new information about Prism still hitting the news on a daily basis, it may be important for Internet users to find alternatives to services by companies that allegedly have aided the NSA.

Some alternatives may even provide you with better overall security. If you look at what Edward Snowden used for example, the whistleblower who leaked information about Prism, then you will find out that he apparently used Lavabit as his email provider for one of his accounts.

You have probably never heard about Lavabit before, as it is a rather small provider with just over 350,000 users in total. What sets it apart though is its focus on privacy and security that you may not find elsewhere easily.

The service offers free and paid accounts. What is interesting here is that there are two free accounts available, basic and personal, that differ in regards to available storage, the message size limit, and whether advertisement is displayed to the user or not. The basic account provides you with 128 Megabytes of storage, but does not come with ads at all, while the personal account offers 1 Gigabyte of storage and advertisement.

The paid accounts increase storage, the incoming and outgoing message limit per day, message size limit, and add a couple of extra privacy and security features to the account including fully encrypted email storage on the company servers.

The most expensive account for individuals is the premium account. It gets you 8 Gigabytes of storage, all features, an increased incoming and outgoing message limit, and more, for $16 a year.


Security and privacy features

Let's take a look at the security and privacy features that Lavabit offers:



  • Transport Layer Encryption via SSL
  • Secure Mail Storage via asymmetric encryption so that emails, once on the server, can only be read with the user's password. This means that no one can access them, and that they cannot be handed over either.
  • ClamAV integration
  • Domainkeys support to prevent domain impersonation.
  • Sender Policy Framework (SPF) to verify that messages have been sent from a server that is authorized to relay messages for a domain.
  • Greylisting and blacklisting support.

Setting up an account

Once you have set up an account, free or paid, you can add the new email address to one of your email clients. If you are using a local client, you can use POP3 or IMAP to do so. Lavabit offers a web interface as well which you can make use of to retrieve emails.

In Thunderbird, you do the following:

  1. Select Tools > Account Settings.
  2. Click on Account Actions and select Add Mail Account.
  3. Enter your name, the email address in the form [email protected] and the password that you have selected during signup.
  4. Thunderbird will retrieve the incoming and outgoing server information automatically, so that you only have to pick POP3 or IMAP to set up the account.

The web interface is very basic in comparison to Gmail or Outlook, but it is sufficient to read and compose email messages, and that is what it is all about in the end.


If you have selected one of the free accounts, you can upgrade it to one of the available paid accounts in the preferences on the official website.

Closing Words

The free accounts do not support the encryption of email storage on the server. While you do get a couple of other interesting features, it is full encryption that sets this service apart from Gmail and other popular email services. This means that you may want to pay $8 or $16 per year to take advantage of that feature.

Update

Lavabit has shut down. The owner and operator of the service notes on the main site that he had to decide to "become complicit in crimes against the American people or walk away from nearly ten years of hard work". Unfortunately, he is not allowed to share why the service is shut down but states that he will fight whatever he is facing in court.

Responses to Lavabit is probably the most secure, private email service right now

  1. Richard July 14, 2013 at 8:07 am #

    Take a look at three other choices:
    1. Hushmail http://www.hushmail.com/,
    2. Enlocked https://www.enlocked.com/
    3. Thunderbird add-in Enigmail - http://www.enigmail.net/home/index.php

    • Martin Brinkmann July 14, 2013 at 8:59 am #

      Thanks for the links Richard, very helpful.

      • tim August 21, 2013 at 10:16 am #

        Dear Martin,

        I found your article. Thank you. However, going to Lavabit a notice of shutdown of the service was listed.

        Are there any 'safe and private' email services for free-use in Germany, in English?

        Thank you
        Tim

      • Martin Brinkmann August 21, 2013 at 12:35 pm #

        I do not know any German service, but I'm monitoring the Icelandic Mailpile project which will launch in 2014 if everything goes as planned: http://www.mailpile.is/

      • Mark September 9, 2013 at 8:25 am #

        Take a look at http://www.mail1click.com the company is based in UAE but the servers that I've traced are located in Germany.

    • aj July 18, 2013 at 8:19 pm #

      All of the email providers you are talking about are in the United States, so you're sort of missing the point concerning PRISM. If the server is in the USA then they are subject to the laws of the United States. Runbox, based in Norway, is a safer and better selection as they are by Norwegian law, not allowed to conspire with the NSA or anyone else outside of Norway. They have a secure SSL connection. They are inexpensive and very responsive to any questions you have about your account.

    • Geek July 22, 2013 at 4:47 am #

      Hushmail hands over data and they lie when they say their admins can't access emails - not secure.

      http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

  2. Richard July 14, 2013 at 8:13 am #

    Addendum
    You might also investigate Off-the-Record Messaging at http://www.cypherpunks.ca/otr/ for secure IM/SMS type communications.

  3. Gonik July 14, 2013 at 9:55 am #

    Also, https://riseup.net

  4. Nebulus July 14, 2013 at 10:10 am #

    A few remarks:
    1. Just because Snowden used a certain email service, that doesn't mean it's the most secure service in the world.
    2. Just because they claim they encrypt everything, that doesn't mean that they are really doing it.
    3. Even if they do what they say, as long as the code is not reviewed by people with enough experience and expertise in cryptography, bugs or implementation errors can still exist.

    • Martin Brinkmann July 14, 2013 at 10:54 am #

      Sure, that is right. You can however add other means of protection on top of that. As some have pointed out, use encryption in Thunderbird.

      • Nebulus July 14, 2013 at 2:29 pm #

        Yes, in my opinion, using end to end encryption (i.e. Enigmail plugin + GPG) gives you a higher degree of confidentiality. That way you will not rely on mail server owner's good will.

  5. KK July 14, 2013 at 10:34 am #

    Nebulus has it right.

    I mean, Lavabit and Startpage could be wholly owned subsidiaries of Google Inc.
    Who really knows who owns what?
    The corporate world has a byzantine structure.

    Remember Scroogle?
    http://searchengineland.com/scroogle-org-is-gone-forever-says-site-owner-112245

    They were thwarted by Google all the way. But Startpage.com is able to offer the same basic idea unfettered. Why does Google not harass them? Hmmmmm.

    Using Thunderbird with GPG and Enigmail addon means *you* are in control of the encrypted mail. As far as that can be trusted anyway. At least it's a start.

  6. Mask July 14, 2013 at 11:18 am #

    "Secure Mail Storage via asymmetric encryption" is only for paid account.

  7. Glenn July 14, 2013 at 1:35 pm #

    You describe POP3 and SMTP as if they're alternatives, one to the other; but POP3 is for getting and SMTP is for sending messages. This just makes me wonder if you meant to say IMAP instead of SMTP (since IMAP is an actual alternative to POP3 for getting messages, and both--POP3 and IMAP accounts--would use SMTP for sending). Personally, I'd never use POP3 for email (except maybe for archiving Gmail messages locally), so Lavabit doesn't look very interesting (unless it actually does provide IMAP support).

    • Martin Brinkmann July 14, 2013 at 3:32 pm #

      Glenn you are right. I thought IMAP but wrote SMTP. Have corrected it in the article.

  8. Dave July 14, 2013 at 2:32 pm #

    Tried this on the second-grade "free" account and got annoying adverts stuck on the end of incoming mail when I tested it. That's a miss for me, I'm afraid.

  9. Wayfarer July 14, 2013 at 2:48 pm #

    The problems with Prism, etc, haven't just arisen because of govt snooping, but because lickspittle corporate managers put their customers second - but that's hardly new. Anyone who trusts any of these people - Microsoft, Google, whoever - with sensitive data deserves all they get. But too often privacy and security come a poor second to 'cool' - even with most consumers, it has to be said.

    I think the important thing about mail encryption is that we need everyone to be doing it - it needs to become the system default. Until then, encryption may simply help the establishment and their govt clones to single out the 'troublemakers.'

    As someone said, Thunderbird with Enigmail might be the best answer to date - but how much better (for most users) if email clients like Thunderbird were built around security instead of treating it as an add-on.

    Snowden? The man's a hero as far as I'm concerned.

  10. Jojo July 14, 2013 at 2:50 pm #

    You might want to check out http://www.safe-mail.net also. I've been using their free account (only 3MB storage) as the target account for mails from my Spamex account. They are very reliable in general. Are they really secure? [shrug] Who knows? I can only go by what they say.
    ============
    Overview of Safe-mail Features

    Safe-mail is one of the most secure communication systems on the planet. We provide email, instant messaging, data distribution, data storage and file sharing tools in an easy-to-use suite of applications that allow businesses and individuals to communicate with each other in privacy and confidence. Because Safe-mail applies advanced encryption security at every point in the system, no one can intercept your messages, and no one can view the contents of your account.

    https://tamar.safe-mail.net/support/eng/help/infocenter.html

    • Anon April 18, 2014 at 6:28 pm #

      Safe-Mail is operated out of Israel. Enough said....

  11. KK July 14, 2013 at 4:02 pm #

    "I think the important thing about mail encryption is that we need everyone to be doing it - it needs to become the system default. Until then, encryption may simply help the establishment and their govt clones to single out the 'troublemakers.'"

    It *needed* to be the system default from the beginning. That option was not chosen.
    Any guesses as to why?

    If email is not encrypted....it's not "snooping". Get it?

    Like you said, corporations and government *do not* have your best interests at heart.

    If you're not at the top of the money pyramid...
    You are the "mark" of the beast so to speak.
    An entity that gets trinkets (Gmail etc.) in trade for your wealth (labor, time etc.)

    The sucker born every minute.

    Linux and encryption came from people that don't want to play that game.
    It's join them or lose your wealth really.

  12. melen July 14, 2013 at 4:19 pm #

    Just signed up and it's very easy to configure. I hooked it up with my Outlook account and that was very easy also. Really not a hassle at all, I first started to read how to set it up with Outlook and it seemed a little complicated so I just went to my Outlook page and into options and it was self explanatory. Really a cinch and very easy to set up. Have tried it from Lavabit and Outlook sending and receiving mail without any problems. Thanks for the info on this little beauty.......

  13. Seban July 14, 2013 at 6:38 pm #

    I have an email account at posteo.de. Unfortunately I am unable to find an English version of the site, it might not exist.

    https://posteo.de/site/datenschutz
    • SSL
    • Registration w/o personal data
    • No storage of reference data
    • No saving of IPs
    • IP stripping
    • ...

    They also value sustainability, using renewable energy and social financing.
    It costs 1€ per month.

    ---

    I'd like to use PGP-encryption, but nobody I know uses it. I keep attaching my public key, but nobody seems to care :/

    • Piano August 21, 2013 at 4:45 pm #

      You can ask POSTEO everything what has to do with privacy on their servers, they will answer your questions in English - not a standard machine writing, they really read what you write to them.
      You can ask them technical questions or what to click to send a mail, there are always polite
      and relevant answers you get from their support.
      Piano.

  14. Ken Saunders July 14, 2013 at 6:54 pm #

    So what is the total solution? Is there one? You're in the hands of others online and the only way to be fully covered is to stay offline. Seriously.
    At some point, you have to trust someone. What makes you think that anything that you use online, or (nearly) any piece of software is what the developer, company, organization, says. That's what I'm reading in the comments above.

    It is in the best interest of a company, organization, individual, whatever to operate honestly and with nefarious, shady motives if they want to generate any revenue, or have anyone use their product and or service no matter what that may be.

    There are checks and balances in place. When a privacy policy or TOS is posted, then the entity needs to respect it and adhere to what it states or they can be sued (it's a contract between consumers and providers), and they will lose consumers.

    No one would use Startpage, Hushmail, and others if they didn't deliver what they say that they do, so they wouldn't jeopardize losing everyone (and face a class action law suit) by doing anything but, what they say they do/offer, etc. They wouldn't be able to compete so they offer something different, better, sometimes unique.

    With all of that said, There are just a few services, products, and companies that I trust, but only one of them 100%. That's Mozilla.

    I do have a Hushmail account and only did so after some research. Google I'm still getting away from and working on self-hosted email (for now), although that is on my web host's servers.

    "Using Thunderbird with GPG and Enigmail addon means *you* are in control of the encrypted mail"

    Unless you go through all of the code in the add-on (which you can do of course), how do you know that you are in control?

    You're trusting the add-on developer(s) and Mozilla, and whatever else in between.
    But you can/should trust Mozilla of course.

    Thanks for the info Martin. I'll look into it.
    The price that you mentioned isn't unreasonable. Especially compared to other services (Yahoo, Google Apps, etc) and what they offer and do. I'm still looking for a better business, pro solution.

  15. Mike July 23, 2013 at 4:22 pm #

    Trying to maintain any type of email security while using Outlook is like exercising while smoking. Switch to an open source email client as the first step.

  16. Leonard Leslie August 8, 2013 at 7:03 am #

    As of early yesterday (08/07), My connection to Lavabit could not be established. Are they gone or just down? Hmmmm.

  17. j1nxxx3 August 8, 2013 at 3:14 pm #

    Lavabit is down. went to check my email this morning, got this
    https://lavabit.com/

  18. antigeek August 8, 2013 at 3:22 pm #

    @geek:

    clearly you, those who laugh at the conspiracy theorists, won't laugh last, and will look miserably at the end of the day.

    just read the message at lavabit.com and then try typing "let the conspiracy theories begin" once more.

    • Geek August 8, 2013 at 5:17 pm #

      @antigeek - I did not laugh at the conspiracy theorists. I myself thought an FBI raid was going on, but having no evidence to support this, I chose to voice only facts.

      • antigeek August 8, 2013 at 7:20 pm #

        ok, sorry then, dude.
        it must be years of being happy lavabit user and then seeing it dead (more like killed) that angered me this much - and sadly the conspiracy theories are becoming reality these days (and too many people still deny the obvious)...
        peace.

    • Geek August 8, 2013 at 7:56 pm #

      Oh, hey! Lookie what I found today:
      http://privatdemail.net/en/

      No web interface, only POP and IMAP, but no logs and SSL! Also not under the EU/US snoop laws ... they claim to be in an Arab country.

      Cheers!

      • ex-antigeek August 9, 2013 at 3:34 am #

        also looks promising
        http://www.mailpile.is/

        and don't forget to at least take notice of bitmessage
        https://bitmessage.org/wiki/Main_Page

      • Jason August 9, 2013 at 4:14 am #

        Well, a company based in an Arab country is probably the last choice you'd like to use. Or second last, right after China.

        Except for Israel there is _no_ country in the Middle East that could be called an open and stable democracy, one that at least on the paper respects people's rights. All of these are either dictatorships or old-style monarchies (which are, after all, dictatorships with style). And for Israel: Israel is a) home to one of the most sophisticated secret services in the world and b) under the constant impression of being attacked.

        If you don't want some US company to host your data, have a look at Northern European countries, i.e. Scandinavia. Germany might be a choice as well, they have a strong, constitution-based protection of private data, even though current governments play the "security rules out everything", too.

  19. Nick August 8, 2013 at 3:30 pm #

    This is on Lavabit's website now:

    My Fellow Users,

    I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

    What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

    This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

    Sincerely,
    Ladar Levison
    Owner and Operator, Lavabit LLC

    Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

  20. Dave August 8, 2013 at 3:38 pm #

    Conspiracy! Does sound that way. Anybody know more? Perhaps it ought to be re-located.

  21. Roberts_c August 8, 2013 at 8:43 pm #

    I gave my donation for the conspiracy fight. WikiLeaks can't even get donations. Shut down by Visa and PayPal.

  22. Roberts_c August 8, 2013 at 8:51 pm #

    I cannot get onto https://tamar.safe-mail.net. Has it been shut down as well?

    • Geek August 9, 2013 at 3:20 am #

      Odd, it was working when I investigated the site this morning.

      They're in Israel... may as well be Washington, DC as far as spying politics goes.

    • Martin Brinkmann August 9, 2013 at 4:01 am #

      The only one that I know of that shut down in the wake is Silent Circle: https://silentcircle.com/

    • Piano August 21, 2013 at 4:48 pm #

      go to safe-mail.net, and remember they are allowed to read your mails :)

  23. Roberts_c August 8, 2013 at 8:54 pm #

    https://riseup.net/en can reset passwords. If they can do that it's not encrypted on the server.

  24. Dan August 8, 2013 at 11:43 pm #

    The problem with lavabit and other technology solutions is that the enemy does not rely on breaking the crypto. All they need to do is to use the massive legal power of the state to compel compliance or to destroy the service.

  25. Larry August 9, 2013 at 7:26 am #

    Silent Circle is shut down. They preemptively shut down after Lavabit did.

  26. Johnbo August 9, 2013 at 9:36 am #

    One of the things that I really liked about Lavabit was that it did not use Java. I basically use a browser with just about everything shut off so there is no scripting, ActiveX, etc and Lavabit was the only one I could find that would work like this. Is there a secure alternative that does not use Java or anything else besides the most basic setup?

  27. Quan Shui August 9, 2013 at 10:58 am #

    So, what is the option now?

  28. Q August 9, 2013 at 2:08 pm #

    No, Silent Circle is not shut down. Their project to develop Silent Circle mail has been shut down. But, the company, along with its other products, are very much alive and kicking.

  29. Roberts_c August 11, 2013 at 7:00 pm #

    I agree, better if they don't use Java, ActiveX etc. http://privatdemail.net/en/ looks good, but they do seem like they use Java.

    • Geek August 11, 2013 at 9:55 pm #

      Oh? I don't even have Java installed on this box and I was able to sign up and use my client. There is no web interface....

  30. Roberts_c August 12, 2013 at 2:03 am #

    Oh, ok. I have looked at a few since my Lavabit was shut down so maybe I'm getting mixed up. They look good, I signed up as well.

  31. Jey October 24, 2013 at 5:53 pm #

    "Dan August 8, 2013" - "The problem with lavabit and other technology solutions is that the enemy does not rely on breaking the crypto. All they need to do is to use the massive legal power of the state to compel compliance or to destroy the service."

    That's right. This is why I am planning a Lavabit-like paid service hosted in Europe. I am looking for testers to get some feedback. Those interested in helping me will get a free personal email account. Contact me at: [email protected]

    • Dave October 24, 2013 at 8:45 pm #

      With respect, how do we know that this is not a mail address harvesting scheme or some other nefarious activity? Who is or is NOT trustworthy? More information posted on a website would be better I feel, or disclose plans to a source like Martin for publication. I'm interested in principle but must say, I'm disinclined to e-mail a complete stranger, never mind disclosing any other information!

      • Jey October 24, 2013 at 11:06 pm #

        You are right. I want to clarify that the free email account will expire in a few months as I will not use the .tk domain for the production server but probably an .eu .ch or .is depending on where I will set up the hosting. I will have COMPLETE access to emails on onelink.tk for testing, so it is not advisable to use it for your private purposes. Then I will be very happy to grant a real email address to testers for their help. I am setting up the website but I will release it to the public when ready.

        Service features will be similar to Lavabit ones, and in detail:
        Transport Layer Encryption via SSL3/TLS1.2 over http pop imap smtp
        "A" rated https encryption by SSL labs
        DKIM support to prevent domain impersonation
        Sender Policy Framework (SPF) to verify that messages have been verified from a server that is authorized to relay messages for a domain
        Secure Mail Storage via TRUECRYPT encryption
        CLAM AV integration
        Roundcube WEBMAIL over https only
        (+ other feature under testing)

  32. Natasha December 5, 2014 at 2:05 pm #

    Try Runbox.com
    They are based in Norway.
