🆕 Software Suggestion | CTemplar #1642
Comments
I don't think it should be recommended:
I think they mean they would temporarily use Cloudflare services to stop the attack. I'll send them an e-mail asking for this and other things I want to ask them. Still, their service is excellent in almost every sense; I don't think this is reason enough to not recommend them. Here's a comparison chart that they provide on their website (comparing themselves against Protonmail, Tutanota, Hushmail and Gmail) for more details. I think they totally deserve to be listed.
I'm not sure if there should be big worries about this, given the fact that this scenario wouldn't be actively happening 24/7. Besides, if one really wants to transmit emails and is worried about interception, then their password-encrypted email functionality can be used.
Also, I doubt you will be able to use their service during a DDOS attack, therefore it's not like Cloudflare can have some relevant information about you.
@Mikaela Could you please give specifics about the "research required" label? Is there a set of criteria being used to judge whether or not this particular email provider passes the standards established by privacytoolsIO?
@MystesofEternity I think most of the important part which is under the PTio criteria is described in their comparative chart here (https://ctemplar.com/ctemplar-comparison-table/). And I'm pretty sure they pass the criteria.
The new (draft) criteria can be found here. They don't have DANE, and they're not registered on EFF's STARTTLS-Everywhere list. They also need to publish a plan to deprecate TLS 1.0 and 1.1 on mail.ctemplar.com; they still accept them and the mail server doesn't enforce cipher suite preferences. Also, no public-facing leadership or ownership on the website. You need to go to the GitHub repo to see they're a group of Pakistani nationals that own a web dev agency. Lastly, trust. How much does the community trust them, not just one person, but a consensus.
Fair enough, I think this can be worked out. I'll try to communicate with them to see if it would be too difficult to do this.
Ehh, what's the problem with them being Pakistani people? I haven't seen anything on their GH profiles that makes me think that they are nationalists.
Didn't say Nationalist, I said National. national - noun: a citizen of a particular country, typically entitled to hold that country's passport.
I don't know, I hope https://github.com/privacytoolsIO/privacytools.io/issues/977 will enlighten me on it and I guess I will be commenting there. |
The whole company just screams untrustworthy. Offshore company in Seychelles talking about Icelandic privacy because they rented a (virtual private?) server from Orange Website, while they are actually Pakistanis with an address in Islamabad. What's stopping Pakistani authorities from coercing the founders?
I am the owner of CTemplar and I am a white male who resides in the USA. Yes, I hired a developer from Pakistan. I have also hired developers from Africa, Ukraine, France and South America. I pick developers based on the quality of their code, I do not select developers based on the color of their skin or their nationality. I will continue to hire developers based on their skill, without thought of their skin color. My company was formed in Seychelles and the servers are in Iceland, exactly like Orangewebsite.com and flokinet.is. These are strong locations.
I made the planning decision to switch to Cloudflare during DDOS attacks because I felt people need access to their email at all times. However, after all the booters were taken offline I have not noticed any serious DDOS attacks. Please do not view this statement as a challenge to DDOS my site, I am just sharing this for informational purposes. I would be happy to revise my company's policy to not switch to Cloudflare during heavy attacks.
-> If you review our technical specs by clicking this link: DANE, TLS-RPT and MTA-STS are implemented and should be reflected if this report is refreshed. https://www.hardenize.com/report/ctemplar.com/1581171498
-> If you review the two links below you'll see we are at 85% and Protonmail is at 72%. I am not sharing this to slander PM, they are an excellent firm in every regard. I am giving this as a reference point.
-> We plan on publishing our F-Droid Android app on March 2nd.
Please contact me with questions or concerns.
I recall that when CTemplar started, it turned out to be a bit of a rough start. That was because its marketing material consisted mostly of pieces which were trying to hit on Protonmail, and how CTemplar was better. Then those articles were quickly removed; care to expand a bit on that?
I have sent you an e-mail with more questions and you (or someone from your staff) told me something along the lines of "we will answer you briefly". Would you care to answer those questions?
A company is composed of people who perform different roles. It is my job to find the best person to perform each type of task. I have no experience with marketing so I hired someone to do it for me. I gave that person authority to execute their ideas. After implementing this person's ideas I realized it was a mistake, I picked the wrong person for the job, so I removed this person and removed their implemented marketing strategy. I had someone message PM an apology on Twitter, they accepted the apology via Twitter (direct message). Since then we have acknowledged Protonmail's contribution to the security and privacy ecosystem. You can read about it on our blog: https://ctemplar.com/ctemplar-recognizes-openpgpjs/ . Personally, I feel they offer a wonderful service and they're run by very qualified and capable people. We are not enemies. We are all on the same team trying to fight against the assault on people's freedoms. The past marketing was a mistake, we apologized, and we posted truths about them. I cannot change the past, but I can change how things are in the present, and in the future.
Yes of course, thank you for your patience. Please review this and let me know if you have any other questions.
Question: Who owns the company/organization? What percentage does each owner hold? (December 31 of prior year and current date)
Don't worry, I understand you have a lot of other things to attend to. By the way, is it better if I file an issue on GH or send you an e-mail about troubleshooting? I have had a weird problem with your service lately.
You do use ajax.googleapis, fonts.googleapis and gstatic. Do they not collect any kind of information? Would you be willing to change their services for an open-source alternative (awesome fork or awesome fonts) or even better hosting all your icons and/or fonts on your own?
Yeah, it's pretty much and anyway it can't be proven that what's hosted it's the same as what's on GitHub.
Please provide URLs to these when you have time, it would be great to see them!
I don't think this is necessary, and if anything, the staff are the ones who may be interested in seeing it, but I don't know.
So you do share some data with 3rd parties? Please don't take it badly, I'm just trying to provide some honest feedback, I really love your service!
What does it mean that the IPs are stored anonymously? How do you anonymize them? Will you log the IPs of all your customers under such circumstances or just the ones of suspected attackers?
Really good to hear this, cheers! I think the only thing you still need to meet PTio criteria is to be registered under EFF's STARTTLS-Everywhere list, if you have already deprecated TLS 1.0 and 1.1. Then I guess it's just a bit of time until they can modify the website.
Here you will find the criteria to list e-mail providers in case you want to check it with your team: https://deploy-preview-1672--privacytools-io.netlify.com/providers/email/
I've refreshed it now as I have an account with Hardenize.
@Godfry what's the likelihood of Subresource Integrity on that Google Fonts usage?
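To make the Subresource Integrity question concrete, here is an added example (not CTemplar's or privacytools.io's code) that computes the integrity token for a stylesheet, emits the pinned link element, and applies the browser's verification rule, including the case where the attribute carries mixed or unknown algorithms. SAMPLE_CSS is constructed stand-in content.

```python
"""Compute and verify Subresource Integrity (SRI) values for a fetched asset.

Added example, not code from CTemplar or privacytools.io. SAMPLE_CSS is a
constructed stand-in for a third-party stylesheet; in practice you hash the
exact bytes the browser will receive.
"""
import base64
import hashlib

# The only digest algorithms browsers honour for SRI, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample content standing in for a hosted fonts stylesheet.
SAMPLE_CSS = b"@font-face{font-family:'Sample';src:url(/fonts/sample.woff2)}\n"


def sri_hash(data, algorithm="sha384"):
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"{algorithm} is not a valid SRI hash algorithm")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def link_tag(href, data, algorithm="sha384"):
    """Build the <link> element that pins the stylesheet to its hash.

    crossorigin="anonymous" is required for cross-origin resources; without
    it the browser cannot read the response body and refuses to load it.
    """
    return (f'<link rel="stylesheet" href="{href}" '
            f'integrity="{sri_hash(data, algorithm)}" crossorigin="anonymous">')


def sri_verify(data, integrity):
    """Apply the browser's SRI rule to a fetched body.

    Tokens are space separated; the strongest recognised algorithm wins and
    the body passes if any token of that algorithm matches. Tokens with an
    unknown algorithm are ignored, so an attribute made only of them gives
    no protection at all (returned here as None, distinct from False).
    """
    by_alg = {}
    for token in integrity.split():
        alg, sep, expected = token.partition("-")
        if sep and alg in SRI_ALGORITHMS:
            by_alg.setdefault(alg, set()).add(expected)
    if not by_alg:
        return None                      # resource would load unchecked
    strongest = max(by_alg, key=SRI_ALGORITHMS.index)
    actual = sri_hash(data, strongest).split("-", 1)[1]
    return actual in by_alg[strongest]
```

Hosted font services commonly serve different CSS depending on the requesting user agent, so a single integrity value will not match for every browser; self-hosting the fonts and icons, as suggested in this thread, avoids that problem entirely.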
@dngray We will be getting rid of the google fonts expeditiously. @5a384507-18ce-417c-bb55-d4dfcc8883fe
Those will all be removed immediately. Thanks for bringing that to my attention.
We share anonymous order numbers with our payment processor when needed to process refunds. We share no other information with any 3rd parties. We allow BTC and XMR also.
Never at any time do we link any account to any IP address. There isn't a possibility for correlation. The IPs are stored in our logs for the minimum period of time we need to provide a stable service. These logs help to find harmful attack patterns and temporarily block the service. Pruning is automatic, without manual intervention under normal circumstances. We are waiting to be registered under EFF's STARTTLS-Everywhere list, and we have deprecated TLS 1.0 and 1.1. Thank you for your comments and questions. Kind regards to you all,
Hi, thanks for your in-depth reply @Godfry. I am glad to see a provider striving to meet as many good practices as possible. There were a few things that irked me though (marketing related):
This implies RSA, public/private keypairs. We know that quantum computing will, at some point in the future, make public/private key cryptography that was not built to be post-quantum proof crackable. Current literature on that topic suggests cracking this kind of encryption could be as early as 5 years away, but more conservative guesses put this at 10-15 years away. The "and future hypothetical attacks" is not something you can realistically offer with your service. Do you plan to support AutoCrypt? I think this kind of out-of-band key sharing can be useful. Ed25519 keys are becoming much more popular these days for OpenPGP due to their size. Some evidence of this being:
This is another assurance you can't really offer either. 100% means certainty without failure. The customer may very well compromise their own anonymity. Yes I know that wouldn't be your fault, but I would steer clear of making statements of certainty like that.
I think what you mean to say is that you don't personally collect the data and therefore cannot reveal it/be made to reveal it. I think it would be better to say that you allow anonymous usage.
I found it rather strange that "encrypted subject" would be a paid feature. I assume as you use PGP, this would be compatible with Enigmail or neomutt. What I have noticed is that there's a new standard being developed, Protected Headers for Cryptographic E-mail.
Currently there's no standard for what should be in the subject; for example, Thunderbird by default uses "Encrypted Message" while neomutt defaults to "Encrypted subject" (can be changed with Are you using this method or some other method? I do feel this should be a feature available to all. This would benefit your paid customers too. E.g. Alice might join your service and become a paying customer. She might tell Bob about it and he joins too. However, Bob has decided not to become a paying customer. If Bob sends an email to Alice without an encrypted subject (because it's not a feature available on free accounts), that actually isn't good for Alice, who is a paying customer. Another question I had: do you support WKD/WKS?
I shall give it a read in the coming days.
Sure.
Cool.
Thanks for posting the link.
While I would agree with this sentiment, it is concerning to see so many services open to the internet, particularly things like Jenkins which have quite a history in the past. Another thing worth noting is that meeting the criteria does not mean a certainty of being listed. It is a minimum baseline and a guide to what we look for.
I shall be looking forward to reading that.
Spot on. Please don't bother posting anything like that again. This isn't the place for that.
Nice "Zero Censorship Policy"...
After some discussion we've decided not to add CTemplar at this time. The reason being we do not like to provide information which cannot be verified by public sources. We don't allow anonymous companies to provide services because it involves people trusting an unknown entity with their data that cannot be verified. If the company fails or does something disastrous there is no recourse. To add CTemplar we would have to relax/remove our trust requirements. If we did this, we'd have all sorts of services recommended (we actually put that requirement in place to ward against people recommending random unknown .onion service email providers). We won't be signing any NDAs regarding this, as it would mean we cannot reveal what we learn, and thus puts it on the community to trust us instead of the company they're doing business with. I do however want to thank @Godfry and his developers for making the improvements we suggested. I also want to thank those who contributed meaningful replies.
I won't require an NDA. Tell me where to send all my company verification documents and I'll email them to you.
I understand that nothing requires you to list qualifying services. However, I would like to know if my service meets your criteria. If my service meets your criteria, but you decline to list my site, I understand and I won't press the issue.
@VigilantSwanson The above comments are our responses to the points brought up. After a discussion with my team, we'll separate the servers. Thank you all for your comments. Kind Regards,
With this you'd be saying: "we meet the criteria but we don't meet the criteria". This creates problems as other providers would seek the exemptions to say they meet the criteria when they in fact don't. This would in turn dilute our purpose and compromise our mission. Our endorsement and branding would become meaningless. It is likely to confuse users as well. They're likely to open many issues with both you, and us about why they are not on the PrivacyTools site, when they apparently meet the criteria.
The issue is that we would have to distribute them on our site. We would have to provide some kind of public verification or reference that what we say is actually true. This is what gives PrivacyTools its authority over other sites who simply just say X is good without any kind of validation or peer review. There are many sites which endorse many things without reason or reference. What gives PrivacyTools its reputation is the fact that discussions about what is added happen transparently, in public such as on GitHub. People can track the discussion and reasoning and use it in future debates as to why/why not a specific product should be used.
If we make recommendations with "secret sources", it encourages people to accuse us of being biased, bribed, compromised etc. We then would get this pollution on blogs, social networking websites and in comments on our own forums of discussion. It would confuse people and overall they would trust us less. Members of the community would be able to clearly see that there is information they are "not allowed" to know. All sorts of conspiracy theories would be speculated. Members of our community have typically had their trust abused previously by large companies seeking to make a profit off their private data, as well as governments claiming to be invading their privacy for their own safety.
The other thing to note is, we're all people with regular jobs (mostly in IT). PrivacyTools is certainly a community project that depends on our spare time, and public donations. As a result there was a significant discussion, Preventing Privacytools conflicts of interest - ensuring Privacytools integrity, which resulted in us creating a Conflict of Interest Policy; this is to provide some recourse should a team member work at a company which is also a recommended product or wants to be a recommended product.
From a legal standpoint I would certainly not be distributing any kind of documents covered under an NDA normally for other parties. From an ethical point I would refuse to possess such documents unless I had authority to distribute. If you did give such permission, then you'd be better off distributing them yourself.
@dngray I understand. Thank you for explaining. Could you please tell me the criteria? Once I know exactly what you're looking for I'll meet it. Thank you |
Sure, the criteria is available on our site https://www.privacytools.io/providers/email/#criteria
What part specifically? Both of these are public. Both providers are listed on KVK: Disroot and Soverin. More information about KVK. You cannot register in the KVK without your legal name and contact details. Both Soverin and Disroot also have a presence on social media, which means we get to know something about the people behind the service. E.g. @muppeth I've often seen around on GitHub (in various other communities). Soverin have relevant information about them located at: https://soverin.net/about There is a higher trustworthiness associated with a company being run in the same location as where the employees reside. They also do use their real names when promoting their product, and likewise on Twitter: Ivo Fokke, Patrick, Andre Meij.
In addition, CTemplar does not support IMAP, SMTP or JMAP.
This is not a requirement. See Tutanota. It's a best-case option.
You're right. btw, I saw on reddit that POP3/IMAP/SMTP support will be added next month.
@dngray
My service does also. Facebook, linkedin , Twitter.
My service is in the Dun & Bradstreet Global Database, here's information about DUN's numbers. DUN's numbers are considered by some to be the universal standard for business identification. To illustrate this, Apple requires a DUN's number to create a corporate mobile app. Apple will not accept KVK numbers as a form of corporate validation. For this reason, I think my company's DUN's number (which is 56-137-7531) is at least equal to a KVK number. You can confirm my DUN's number by using the DUN's number lookup form. It won't let me give out a static link.
Likewise with a DUN's number.
As do I, it's attached to the DUN's number. I have an alias, just as many coders do, and then I attach my real name to important documentation like the DUN's number.
I maintain an office in Iceland but many people work from the country they live in. I think this is exactly the same as the other services. Like I mentioned before, I am not trying to compel you to list my site. I am pursuing this discussion because I feel my service meets the criteria and if it doesn't I would like to know why so I can make improvements.
@zack-95 From my view (a view gained from comments on this thread/reddit & direct email) I felt this community was trying to find a reason to disqualify my service because of hate toward Mexicans, Pakistanis and those of the LGBTQ community. Thank you for reopening the issue. Please give me a chance to respond to concerns before denying & closing the thread. If the issue really is the nationality and gender of my employees then let's have out with it. As some of you who have emailed me will know, I will not give my opinion and will respond with academic studies that I think were conducted well. I would rather discuss this openly instead of having it be talked about in secret. Kind Regards,
This is certainly not the view by the PrivacyTools team. We would never disqualify a provider based on these things. We do in fact have a Code of Conduct related to this.
Certainly not, and as such I have not mentioned it, because it is not something we use in our deciding factors. I would just suggest ignoring the anonymous trolls that hold these views.
@dngray Thanks for the response :) I'll take your advice and ignore the trolls.
@dngray @Godfry Any update on this? It has been a while, and the issue is open.
https://ctemplar.com/help/answer/do-you-offer-imap-2/
This discussion has been going on for a long time. CTemplar does not implement CSP.
Doesn't look good 😥🥺 https://cyber-privacy.net/ctemplar-catastrophic-incident-with-complete-data-loss-july-2021/
"We cannot restore data from backups because we do not keep backups for security reasons" now that one is new
Seems to be confirmed by themselves on Twitter: https://twitr.gq/RealCTemplar/status/1414486941064695818#m
Basic Information
Name: CTemplar
Category: Email
URL: https://ctemplar.com
Description
A highly respectable email service that is hosted in Iceland and has a collection of features that respect privacy, security, and anonymity of users.
Resources
CTemplar comparison table vs Protonmail and Tutanota
https://blog.ctemplar.com/ctemplar-comparison-table/
CTemplar open source code of their webclient
https://github.com/CTemplar/webclient