Thunderbird teams up with secure and private email provider Mailfence
Mailfence announced a partnership with Thunderbird on the company's blog just a few days ago. Mailfence is a secure and private email provider headquartered in Belgium promising a tracking-free privacy-preserving email service that is protected by Belgian privacy laws. Security-wise, Mailfence supports encryption (OpenPGP) and digital signatures.
Thunderbird users may create new email addresses directly from within the client; this can be done in addition to adding existing email addresses or as the first step after installation of the client. While it is possible to do so from email provider websites as well, creating accounts from within Thunderbird has the advantage that they are set up correctly right away and that the project team may get a small financial contribution from the email provider in question.
According to the announcement, Mailfence's integration in Thunderbird will synchronize all of the organization's tools with the client:
The collaboration between the two organizations will deepen the integration of their respective services to improve user experience. Later this year, users with a Mailfence account in their Thunderbird will benefit from an automatic sync with all of the Mailfence tools: email, calendar, contacts, and encryption keys. They get a highly secured email solution with full respect for their privacy.
The full integration will become available to all Thunderbird users later in 2021; a specific release version or date has not been revealed.
Thunderbird users can already set up a Mailfence account in the client, however. To do so, select File > New > Get a new Mail Account from the main menu, or Account Actions > Get a new Email address.
Setting up the account is straightforward. Just keep the default suggested name or type any other name that you want as the username, and hit the search button to find out if the username is still available and get a list of alternatives.
Select the Free Trial / €30 a year button to pick an address; this redirects you to the sign-up page in Thunderbird. All you have to fill out at this point is the desired account password, and a second email address for recovery purposes and activation.
The "Free Trial" part makes it look as if it is a paid-only service, but that is not entirely true. Mailfence has a free plan that you may use and three commercial plans. The problem is that the free plan does not support POP3 or IMAP, which rules it out for use in Thunderbird.
If you sign up for the service in Thunderbird currently, you sign up for a trial of the Entry level plan. Sign in on the website and you may switch to a different plan, but free is still not an option as it does not support syncing.
A welcome email informs new customers that the account will be downgraded to a free account after the trial period if the order is not completed, and that it will then stop working in Thunderbird because of the limitations of the free account.
Now You: what is your take on the cooperation?
Mailfence | Wikipedia
Block in Russia
On 05 March 2020, Mailfence reported that their SMTP servers are blocked by Russian based email services. This was in response to their refusal to submit a Notice of Commencement of Collaboration with Roskomnadzor (the Federal Supervision Agency for Communications, Information Technology, and Mass Communication) of the Russian government. Mailfence did not respond to this request, citing the obligation to provide information about users, which would violate its Terms and federal Belgian laws.
Since their servers are located in Belgium, they are legally outside of US jurisdiction. Mailfence is therefore not subject to US gag orders and NSLs, notwithstanding extradition treaties with the US. Under Belgian law, all national and international surveillance requests must go through a Belgian court.
The service supports HTTPS and uses TLS with ephemeral key exchange to encrypt all internet traffic between users and Mailfence servers. Their 4096-bit RSA SSL certificate is signed by Buypass AS and supports Certificate Transparency and Strict Transport Security.
Mailfence.com holds an “A+” rating from Qualys SSL Labs and also supports DANE.
The service uses an open-source implementation of OpenPGP (RFC 4880) for emails. The OpenPGP keypair is generated in the client browser, encrypted (via AES256) with the user’s passphrase, and then stored on the Mailfence server. The server never sees the user’s OpenPGP keypair passphrase.
The service also supports end-to-end encryption for emails using a shared password with the possibility of message expiration.
Warrant canary and transparency report
The service maintains an up-to-date transparency report and warrant canary.
Official blog for Thunderbird project:
Mailfence Encrypted Email Suite in Thunderbird | The Thunderbird Blog
> Now You: what is your take on the cooperation?
This is a strong candidate and the preferred option.
I used to use Thunderbird encryption (Enigmail) for sensitive and important emails, but I also use ProtonMail and Tutanota because the Snowden case “made me aware the importance of provider quality (reliability of data management and confidentiality)”. In order to centrally manage these with Thunderbird, I “needed a paid version” and the free service was very inconvenient because it “supports only its own webmail function and does not support multiple accounts”.
Since “Mailfence” has a good reputation, I will try its trial service and reconsider it as also an option for paid services.
ProtonMail | Wikipedia
Tutanota | Wikipedia
Runbox | Wikipedia
Fastmail | Wikipedia
I live in Belgium. This is a warning for all those that think the government here gives a damn about the laws. We have a saying here: we have a lot of rights in our country, the problem is getting them. This country is rotten to the core and its privacy protection laughable. If any ‘security’ or ‘privacy’ related service says they’re located in Belgium – beware!
> I live in Belgium.
> This country is rotten to the core and its privacy protection laughable. If any ‘security’ or ‘privacy’ related service says they’re located in Belgium – beware!
I see, but that is a matter of government and internal affairs, and if Belgium is an EU member state and has signed the GDPR, no one can violate the “rule of law”. “Mailfence” has passed third-party audits and is defined by law to be free from interference from other countries. If we are concerned about illegal actions by governments, there is nothing in the world we can trust. The only realistic option is to ask, “What is not good enough and which one would be reasonable?” Of course, we cannot be overconfident, so we should secure some means. Definitely insecure means are Google and Microsoft services (even paid ones), and “communication services that go through Russian, Chinese, Korean, Vietnam, Myanmar, India, Iranian, Turkish, and Egyptian government jurisdictions” and “servers under Five Eyes surveillance”. At the very least, end-to-end encryption should be applied.
Wonder about the data Google collects in Chrome and links to you? Now we know | gHacks Tech News
Five Eyes: UKUSA Agreement | Wikipedia
I wish people would understand and know more about how Email works, to understand that “secure and private” doesn’t exist, no matter how much you want to believe paying for an email provider like mailfence or protonmail (which is like pretty bad anyway, a big marketing lie) makes it so. Email by itself is insecure and not private.
Think about this, if you pay for the mailfence service… how many people will you email that will be also on the mailfence service? That’s the only way some type of “encryption” would ever happen, once you email someone who is not on the same domain, how will that ever be private and secure? And that’s the biggest problem.
You can use other more secure methods of communication to reach people and don’t use emails, that’s the point I want to make. Because it doesn’t matter where you are and what you do, and how many audits and how many letters you put together in a form of “law”, emails will not be any more secure. And even if you believe in some government smoke screens that supposedly protect you, well, Governments don’t and won’t care about you, so the smoke screen propaganda to make you believe they do, well, it is not going to work.
You might argue about how lesser of the evils and sometimes you are forced to email someone because you were told to do so by a bank or whatever, well, that sucks but that won’t change anything, it won’t change emails are insecure and everyone should just drop using them for most if not all types of communications anyway.
+1 to this.
Encrypt your message with PGP or any other previously-agreed-on cypher and don’t depend on a service to protect you. And pay for it on top?!
There are some things you’re overlooking. I’ll just talk about ProtonMail because I’m not too familiar with the other services.
If you use ProtonMail, your data is encrypted on the server and cannot be read by ProtonMail themselves. Compare this to Gmail where your data is freely accessible to Google for analytics and other purposes. This also keeps your data protected in the event that ProtonMail has a data breach. Even if you send emails to recipients who aren’t using ProtonMail, I posit that encryption of your data at rest is still a big plus.
Also if you really need to send something sensitive to someone and ensure that it’s secured, you can send a secure message to someone, and instead of the recipient getting the actual message, they will instead get a link where they have to sign into ProtonMail and view the message that way.
However, in real life, this is not the case. There may be times when we have no choice but to use e-mail, and since oral communication or memos do not leave any record (physical evidence), they can be “reversed” and cause disadvantages. Therefore, e-mail is a useful means of keeping a record of communication.
The question is “what must be taken into account” when using e-mail, and understanding the means to do so. If we are concerned about “invasion of privacy”, then messages in “plain text” are the worst, and encryption is a common sense measure.
Introduction to Cryptography, OpenPGP, and Enigmail | The Enigmail Project
Also, as the Snowden case revealed, we must examine “providers”, “servers”, and “communication channels”.
In short, we must not use Gmail (Google) or Outlook (Microsoft): Snowden’s warning.
Five Eyes: UKUSA Agreement | Wikipedia
And many free services are unreliable, with “unknown servers and communication channels”; Yahoo! services had “poor server management, resulting in frequent data breaches and missing messages”.
Based on these lessons, if you want to be safe, ProtonMail, Tutanota, Mailfence, Runbox, and Fastmail are the main choices.
All of them have trial plans, so I recommend you to “try them out”. You can see the difference in actual usability, which cannot be found by catalog values or reputation.
Enigmail in Thunderbird allows you to set the “expiration date” of the decryption key, but the other party must handle the message encrypted with the “decryption key”, so if they do not understand the decrypting procedure, they will not be able to decrypt the message and communication will be hindered.
Enigmail – Home | The Enigmail Project
With ProtonMail and Tutanota, you don’t have to do such a complicated thing to communicate.
In short, users themselves should choose the means that they judge to be the best, based on their values, preferences, and actual circumstances (how they use the system, who they are with, etc.). If the other party is a beginner class, “Enigmail” must be excluded. You may have to use different methods depending on your audience.
You are wrong. Just repeating this Internet meme of “email is insecure” does not make it right.
This is a very interesting development.
However, last time I checked, Mailfence could not be described as an encrypted email provider, because it is not encrypted at rest. It’s Privacy Tools.io which discovered it, Mailfence acknowledged it, and it’s the reason why Privacy Tools.io does not list it anymore among its recommended services.
Of course, if you apply PGP, which is optional, your email will, indeed, be end-to-end encrypted. And even if you don’t, like, probably, most of its users, Mailfence allows you to escape the tracking of big-name providers, such as Gmail, Microsoft of others.
Last time I checked, Mailfence also had a very generous allotment of aliases (I think 100), contrary to most other encrypted email providers, which avoids the need to use a service such as Anonaddy.
Webmail only here and the ‘MailStore Home’ application to backup all email locally.
Mailfence, Tutanota, Posteo, LibMail, PowerMail, ProtonMail (just to name those I know) all have their specifics. MailFence becoming a Thunderbird partner is certainly a worthy title (for both companies by the way). Having an account on each is of course possible, adding another grain of organization, say for instance, continent-specific? I’d keep for Antarctica the service I trust the least… 1 email every ten years, lol.
Is it maybe so that only Switzerland, Iceland, and Sweden will not share your information with other countries, and other countries like Belgium will?
So if Mailfence is asked to share its Belgium-based database info with almost any government, they will reply with what was requested.
Hmmm, more encryption/privacy hoopla. I have taught all my ‘kith and kin’ this proverb: “Never put into an email what you would not put on the back of an open postcard to your Grandmother.” I never email anything to a bank, or an insurance company, or such that has any usable, personal info on/in it. Emails are about as private as mail sent by the post office.
Any discussion of paid secure email services must include Mailbox.org and Posteo. They have some of the best features at the best price, last time I checked. And work with email clients.
> Any discussion of paid secure email services must include Mailbox.org and Posteo.
mailbox.org | Wikipedia
Secure e-mail for private and business customers | mailbox.org
Posteo | Wikipedia
Email green, secure, simple and ad-free | Posteo
Banks, brokers, lawyers, hospitals, doctors etc. all seem to require you to use their secure webmail system to send “secure mail”, they don’t support use of S/MIME or PGP. A few of my friends use software that supports S/MIME or PGP but none of them (or my relatives) have ever bothered to learn how to configure it for secure mail.
Thunderbird is trying to make it easier to use PGP and has now partnered with an email provider that supports PGP, but the problem is critical mass. It’s not worth the hassle if you can very rarely ever use it. It’s not helped by privacy-centric email providers like ProtonMail and Tutanota not being open ecosystems. Unfortunately, unless popular free email services like gmail.com, yahoo.com and outlook.com support PGP in their webmail (in a way that is interoperable with both OpenPGP and each other), PGP will remain a small niche market.
If a recipient doesn’t have a ProtonMail account they get a link that loads the message in a browser, and requires you to have previously given them a passphrase.
Tutanota doesn’t support PGP though they use the same encryption ciphers.
> Banks, brokers, lawyers, hospitals, doctors etc. all seem to require you to use their secure webmail system to send “secure mail”, they don’t support use of S/MIME or PGP.
> but none of them (or my relatives) have ever bothered to learn how to configure it for secure mail.
> the problem is critical mass. It’s not worth the hassle if you can very rarely ever use it.
> It’s not helped by privacy-centric email providers like ProtonMail and Tutanota not being open ecosystems.
> PGP will remain a small niche market.
I totally agree with you.
Most home users are indifferent to the issue of “personal information infringement” by browsers (especially Google users and Microsoft users), operating systems, applications, etc., and assume that there is no real harm in being infringed. Unfortunately, even the intellectuals who have acquired higher education in the company I work for are only interested in whether it is “free, easy, comfortable, convenient, and the latest technology” or not.
But if we value the “confidentiality of private communications,” we need to do the best we can. And it is important to achieve consensus (sharing awareness by expressing consent through understanding the implications) with the other party to the communication.
In fact, I use Enigmail in Thunderbird to communicate with my communication partners, and ProtonMail or Tutanota to communicate with those whose skills are lacking. If we give up, things will end without progress, but if we persevere and devise efforts according to the person we are communicating with, we will find a way.
I’ve been using Gmail as my sole active email account, via its Web interface, for a *long* time. That’s the email address everyone I know and every business I deal with has for me. Changing your email address on scores of sites, and getting everyone you deal with to change their contact info is a *major* PITA. Still, I’ve been having increasingly urgent misgivings about Gmail for some time — a continually dumber and clumsier interface over the past decade, coding changes that wreak *havoc* on my primary browser’s performance, and, *obviously*, privacy. I’d like to switch to a more private email service.
The problem for me is that most people I correspond with are not computer gurus. For my correspondence with them to remain secure and private end to end, decryption/encryption on their side has to be either automatic or brain-dead simple. With some secure email services, I gather it would be enough to convince them to get their own account with the same service, but a lot of ordinary users don’t want to have to check multiple email accounts for new messages, and a lot of ordinary users *definitely* don’t want to pay for a new account on a different service. It’s a conundrum.
At any rate, I really appreciate all of the comments here, particularly those from owl. I suppose I’ll bite the bullet one of these days, but the solution has to be easy for my correspondents (and me!) and it can’t cost too much. (Yeah, I know: When a product is “free,” *you’re* the product.)
Regardless of the merits of Mailfence, Protonmail is a closed system unless you pay for IMAP and SMTP support. Signing up for a “free” account that you literally cannot use with Thunderbird makes absolutely no sense.