I had a similar impression. Even though I was quite impressed with their whitepaper, I received a reply from them that this is outdated. Here is the full response:
>We are considering to do this at some point in the future
Does this mean there has not yet been an external audit? That would seem to contradict *whitepaper section 3.5*: "Therefore, we have chosen to keep our source code closed, as a security measure, and hire independent third-party auditors to verify our privacy and security measures."
The white paper is a bit outdated. Most of it is still correct, there are some minor differences in the situation now — we're planning an update for later. We migrated to a totally new interface, infrastructure and code-base a year ago (roughly). At least that one hasn't been audited. (We do have a bug bounty program like many other companies.)
(end of reply)
Searching the website I can't find any bug bounty program. Searching DuckDuckGo with `site:startmail.com bounty` delivers no result, and `site:startmail.com bug` only delivers results from their blog with bug fix changelogs. hackerone.com has no bounty listing for StartMail.
This is all a bit sloppy to me, and it makes them seem less trustworthy in my opinion. Such a shame, I was really digging their unlimited alias feature!
Hi u/haveaquestion2016, I consult with StartMail.com (as well as StartPage.com). Here's some info that might help:
Section 4.2.2 of the StartMail Technical White Paper explains how the User Vault works:
>User data is stored in what we call a User Vault, which is essentially a fully encrypted LUKS volume [7]. Users can access its contents for the length of their session by providing their account password.
>While the Vault is closed (i.e. the volume is not mounted), no one can access the contents of the Vault, even if they otherwise have access to the server.
>Because of our User Vault system, we do not have to store users’ passwords, or even hashed versions of them, so we don’t. Instead of checking a user’s password, we simply use it to attempt to open the Vault. If this succeeds, the password was correct. Of course, the appropriate security measures are in place to protect ourselves against timing attacks when checking credentials this way.
Assuming their whitepaper is still relevant:
How data is stored:
"User data is stored in what we call a User Vault, which is essentially a fully encrypted LUKS volume [7]. Users can access its contents for the length of their session by providing their account password.
While the Vault is closed (i.e. the volume is not mounted), no one can access the contents of the Vault, even if they otherwise have access to the server.
Because of our User Vault system, we do not have to store users’ passwords, or even hashed versions of them, so we don’t. Instead of checking a user’s password, we simply use it to attempt to open the Vault. If this succeeds, the password was correct. Of course, the appropriate security measures are in place to protect ourselves against timing attacks when checking credentials this way."
How search index is created:
"In order for the search functionality to respond quickly, email needs to be indexed and indices must be up to date. This can happen at any point in time, provided it occurs before the user begins a search. In the case of StartMail, however, the user's search indices can only be updated when the user is logged in. When the user is not logged in, emails and indices are stored encrypted in the User Vault, and indexing operations cannot take place. The constraint that forces us to index email only upon log-in provides better privacy and security for our users at the expense of a slight drawback in terms of processing speed."
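The "open the Vault instead of checking a password" design quoted in the two comments above, as an added illustrative example that is not StartMail's code: a constructed, simplified LUKS1-style key slot where the header holds only a salt, the master key masked with a password-derived key, and a salted digest of the master key, so no password hash is stored and the check uses a constant-time comparison. The `format_vault`/`open_vault` names and the KDF parameters are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed model of one LUKS1-style key slot (assumption: not StartMail's real layout).
KEY_LEN = 32
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # cost parameters chosen for this demo
DIGEST_ITERS = 1000                            # PBKDF2 rounds for the master-key digest


def _password_key(password: str, salt: bytes) -> bytes:
    """Derive a slot key from the user's password; this is the only place the password is used."""
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def format_vault(password: str) -> Tuple[dict, bytes]:
    """Create a vault header. Returns (header, master_key); only the header is ever stored."""
    master_key = os.urandom(KEY_LEN)
    slot_salt, digest_salt = os.urandom(16), os.urandom(16)
    header = {
        "slot_salt": slot_salt,
        # master key masked under the password-derived key (LUKS uses AF-split + cipher; XOR here)
        "masked_key": _xor(master_key, _password_key(password, slot_salt)),
        "digest_salt": digest_salt,
        # digest of the MASTER key, not of the password: lets us tell a correct unlock apart
        "mk_digest": hashlib.pbkdf2_hmac("sha256", master_key, digest_salt, DIGEST_ITERS),
    }
    return header, master_key


def open_vault(header: dict, password: str) -> Optional[bytes]:
    """Authenticate by attempting to unmask the master key; no password or password hash is compared."""
    candidate = _xor(header["masked_key"], _password_key(password, header["slot_salt"]))
    digest = hashlib.pbkdf2_hmac("sha256", candidate, header["digest_salt"], DIGEST_ITERS)
    # compare_digest runs in time independent of where the digests differ (timing-attack mitigation)
    if hmac.compare_digest(digest, header["mk_digest"]):
        return candidate
    return None


if __name__ == "__main__":
    hdr, mk = format_vault("correct horse battery staple")
    assert open_vault(hdr, "correct horse battery staple") == mk
    assert open_vault(hdr, "wrong password") is None
    print("vault opens only with the right password; header stores no password material")
```

Caveat for the defender: the header still lets anyone who copies it test guesses offline against `mk_digest`, so the KDF cost (here scrypt) is what stands between a stolen server image and the user's mail, exactly as with a real LUKS header.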
I am using Startmail for this exact use case. https://www.startmail.com/en/ The data security may not be as tight as ProtonMail, but it is good enough for me. You can also use email clients like Thunderbird, FairMail etc. Edit: The disposable emails use the domain @use.startmail.com. You can use any name as long as it's not taken. You can create as many emails as you want and optionally set expiry dates.
ProtonMail does not require your real name or any other real personal information when you sign up for a new account, but you must enter a working email address where ProtonMail can send an email with a verification link. You can provide ProtonMail with a throw-away email address from another email provider untraceable to your real identity. For example: one of many free email service providers not requiring your real name or other personally identifying information is a StartMail free, 7-day trial account: https://www.startmail.com/en/.
60 bucks a year, but you may want to check out startmail. Standard privacy focused email provider but they're not U.S. based, you can use your own domain if you want, and you can make up random disposable emails in addition to your primary account if you want.
// edit: It really sucks that one jerk off can destroy other people's businesses, but, honestly, can any U.S. based email provider truly claim to protect their clients' privacy?
They may not be answering because at least some of this is already covered in their technical white paper on their website (for example, yes, it's encrypted at rest) https://www.startmail.com/en/whitepaper/
As mentioned above, the StartMail team is separate from the Startpage team. For more info, check out the StartMail privacy policy: https://www.startmail.com/en/privacy/. If you have any additional questions, you can contact StartMail via email.
Here's a safe & free alternative in the EU:
And here's a paid option for €50 a year, which includes 10 permanent (and changeable) aliases - plus infinite temporary aliases (handy for website registrations):
Why doesn't Startmail ever get a mention? I've been a user since 2014 when it was still in beta. Based in the Netherlands, run by the same people as the search proxy Startpage, it's privacy-focused, integrates GnuPG, gives disposable email addresses, etc.
Startmail meets all your requirements:
Startmail was developed by the same people who created Startpage, the private search engine.
Hope this helps!
Thanks for the heads-up, I'm on Linux.
How do they not have that working?
Guess I stay with https://www.startmail.com/en/ which has no problem with Thunderbird on Linux
You just saved me a sign-up fee!
Cheers!
For a recovery email address, it's easy to register and use a free 7-day trial email account at StartMail: https://www.startmail.com/en/
EDIT—I think no recovery email address and no phone number are necessary to register a free 7-day trial account at StartMail, which, in turn, you can use as your recovery email address at Proton Mail.
Hi. I have reached out to the technical team for help in understanding your question as it relates to the PM bridge, but it's late in the Netherlands so I likely won't have any follow-up information until tomorrow.
In the meantime, the StartMail Technical White Paper offers details about the StartMail architecture. You can find information specific to IMAP in section 4.2.6.
Note, too, that power users have the option for native desktop PGP with StartMail via IMAP.