[tor-talk] Sending email from Tor browser

Joe Btfsplk joebtfsplk at gmx.com
Sat Jun 14 16:28:14 UTC 2014


On 6/14/2014 6:33 AM, Chen Cecilia Zhang wrote:
> and the strange thing is : I tried to test the email sending from Tor and
> without Tor browser, and the IP address shows in the "original email" from
> gmail are the same....
>
> Will anyone help explain how come? thanks
>
>
> On Sat, Jun 14, 2014 at 4:22 AM, Chen Cecilia Zhang <
> chenceciliazhang at gmail.com> wrote:
>
>> No software to compose email, as you mentioned, just normal email account
>> such as yahoo.
>>
>> The reason I wonder is even the email was composed within tor browser, but
>> the email was actually sent 1 month later, will that show the actual IP
>> address?
>>
>>
>> On Sat, Jun 14, 2014 at 3:04 AM, Sebastian G. <bastik.tor> <
>> bastik.tor at googlemail.com> wrote:
>>
1st, it would be much better to use a more "private" & security 
conscious provider than the likes of Gmail or Yahoo.
Like Unseen.is or some others.  I wouldn't depend on claims by any, that 
they "can secure email from all security / law enforcement agencies."

Was the IPa shown in the email header the same as your Tor exit IPa, or 
your ISP's assigned address?
If using TBB & no addons or plugins that could possibly reveal your IPa, 
it shouldn't be possible for even Gmail to see your real IPa.
If you did use TBB (correctly) & your *real* IPa showed up in the email 
header, something's wrong.

Some email providers don't even include your IPa in the header - like 
Unseen.is, VFEmail & several others.
Unseen.is or any others aren't necessarily the magical answer to all 
email security & privacy issues.  For instance, at one time, Unseen 
claimed "end to end" strong encryption *between* Unseen users - if using 
their webmail.  You can read their disclosure on the latest "modified" 
PGP encryption they provide.

I pointed out to them that the encryption, while *on their servers* may 
be very good, there was still a hole in that strong encryption, in 
between their server & users' computers.  That part of the communication 
was "only" SSL / TLS encryption - which some Snowden documents indicated 
the NSA *had broken* (I believe - my head is killing me today).  That 
one gap essentially made their encryption process no better than many 
other providers, (a chain is only as strong as its weakest link).    
Except mail on their servers was stored encrypted, which kept them from 
reading it.

Since then, they developed their own desktop client, allowing users to 
encrypt msgs locally before sending.  I haven't used it yet, so can't 
comment on that client, or whether retrieving messages with the client 
maintains "strong" encryption between their server & users' computers 
(stronger than SSL / TLS).  I assume that now w/ the local client & 
users encrypting messages before sending, that the private keys are 
generated & stored on users' computer rather than on their server.

For free accounts - using webmail, the private keys were stored on their 
server (may still be, if using webmail).  Now there's an alternative to 
webmail.  But that also requires trusting their client & the encryption 
software / algorithm.

Here is a comparison of some of the more "privacy conscious" providers:
http://thesimplecomputer.info/free-webmail-for-better-privacy

When considering Simple Computer's information (or any other), *check 
with the providers* for final details.  Providers' policies & technology 
used can change at any time.

For instance, Simple Computer's comment:  "Unseen does not plan to 
support Internet Explorer for chat & video, and the current Tor Browser 
Bundle (3.6.1) is built on Firefox 24 ESR which lacks features in its 
JavaScript engine to work properly with Unseen," is *not true* anymore 
(AFAIK).  I use TBB w/ Unseen's webmail.  Months ago, there were some 
temporary problems in using their site with TBB, but after I reported 
them, Unseen made changes on their side that seem to have fixed it.
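
Added example, not part of the original post: one way to check which addresses a message's raw headers ("Show original") actually carry, and whether any of them is your ISP address or the Tor exit you were using. The sample headers, addresses, labels and function names are constructed for illustration. The second sample shows that a provider which records no client address produces the same result with or without Tor.

```python
import ipaddress
import re
from email import message_from_string

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Provider-internal or loopback hops say nothing about the sender.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def header_ips(raw_message):
    """Return (header_name, ip) pairs from Received and X-Originating-IP."""
    found = []
    for name, value in message_from_string(raw_message).items():
        if name.lower() not in ("received", "x-originating-ip"):
            continue
        for text in IPV4.findall(value):
            try:
                found.append((name, ipaddress.ip_address(text)))
            except ValueError:
                pass  # matched the pattern but is not a valid address
    return found

def label_sender_ips(raw_message, labels):
    """Label each non-internal header IP using addresses the reader supplies
    (their ISP address, the exit address Tor Browser showed when sending)."""
    result = {}
    for _, ip in header_ips(raw_message):
        if any(ip in net for net in INTERNAL):
            continue
        result[str(ip)] = labels.get(str(ip), "provider relay or unknown")
    return result

# Constructed sample headers (documentation address ranges, not real mail).
RECORDS_CLIENT = """\
Received: from webmail.example.net (webmail.example.net [198.51.100.25])
 by mx.example.org with ESMTP; Sat, 14 Jun 2014 16:28:14 +0000
Received: from [10.1.2.3] by webmail.example.net via HTTP;
 Sat, 14 Jun 2014 16:28:13 +0000
X-Originating-IP: [203.0.113.77]
From: alice@example.net
Subject: test

body
"""
# Same message from a provider that does not record the client address.
OMITS_CLIENT = RECORDS_CLIENT.replace("X-Originating-IP: [203.0.113.77]\n", "")

MINE = {"192.0.2.10": "ISP address (leak)", "203.0.113.77": "Tor exit"}
if __name__ == "__main__":
    print(label_sender_ips(RECORDS_CLIENT, MINE))
    print(label_sender_ips(OMITS_CLIENT, MINE))
```

If the address labelled as your ISP's ever appears in the result for a message sent through Tor Browser, the client address leaked; if only provider relays appear, the header tells a recipient nothing about where you connected from.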

