đŸ’Ÿ Archived View for gemini.circumlunar.space â€ș users â€ș laur%C3%AB â€ș mail â€ș criptext.gmi captured on 2024-02-05 at 10:28:05. Gemini links have been rewritten to link to archived content

View Raw

More Information

âŹ…ïž Previous capture (2023-12-28)

-=-=-=-=-=-=-

Criptext

There are so many violators popping up now that I wasn't supposed to review any more of them unless they were significant for some reason. However, this one was mentioned to me by two people and it encompasses a lot of what's wrong with E-mail services and computing in general, so I might as well get to it. Let's start with the quote from their main page:

Quite possibly the most private email service — ever

That's it - I'm sold. Of course, no violator has ever made that promise before...not at all. But let's not jump ahead of ourselves, and first check out what's actually so special about Criptext. First of all, since it's a shitty Electron "app" (literally embedding Chromium inside it), it takes up a huge amount of resources - much more than Claws Mail. The interface is your usual webshit and you cannot make it fit with the rest of your operating system - like an alien invader. Obviously, forget about it supporting mail clients; Criptext says fuck the established standards - we'll run our own special snowflake webshit implementation. That alone would usually be a dealbreaker for me, but let's dig deeper. I don't seem to be able to run the "app" through either torify or proxychains, so it can be assumed to not support anonymization. To use Criptext, you need to sign up through the "app" which asks you for your real name. Now let's tackle some specific claims made on their site:

All your emails are locked with a unique key that‘s stored on your device alone, which means only you and your intended recipient can read the emails you send.

So, Criptext alleges to be E2E - but actually, it only works between Criptext accounts - others will just receive your mail unencrypted as usual. And - as the "app" doesn't support PGP (unlike a regular mail client) - you're left bare unless you encrypt through the command line. This is not at all different than what Proton or Tutanota are doing.

Criptext doesn‘t store any emails in its servers. All your emails are stored on your device alone, which means you‘re in control of your data at all times.

That's actually absolutely impossible. At some point, the E-mail has to go through Criptext servers so that it is delivered to the recipient. Why pretend otherwise?

With real-time tracking you can know once your email is read.

This is advertised as a unique feature, but actually, mail clients support it with something called "Request Return Receipt". No advantage for Criptext, unfortunately. Now check this from their security section:

All your emails and private keys are stored solely on your device. Once Criptext delivers an email there‘s no trace of it left in our servers whatsoever.

This is called "decentralized architecture" by Criptext - which is of course a total joke since their "app" enforces usage of Criptext servers - unlike a regular mail client. Let's now check out their privacy policy:

Once messages are delivered to your device, they are deleted from our servers. The same holds true for messages which you send.

Okay - assuming they're not bluffing (which they already did a few times) - this is a welcome change of pace compared to most violators. However, POP3 protocol in mail clients supports the deletion of E-mail upon retrieval - so again, this is not specific to Criptext.

We also keep email metadata (subject, date and sender email address) in order to enable certain features of the Services, such as the “unsend”, “read receipts” and “expiration” features.

The duration is not mentioned. Red flag.

When a normal, unencrypted email is sent to you by a non-Criptext sender, the email gets encrypted by the server with your public key and can only be decrypted by your device. The same holds true for attachments that are sent to you from non-Criptext addresses. This means that your emails are always encrypted, even if the sender is not using Criptext.

That just means the E-mail would be encrypted from Criptext to you - but not before it reaches Criptext. Therefore, Criptext could still read it - again, why pretend otherwise?

We may automatically log information about you and your computer or mobile device when you access our Services. This includes information like hardware model, operating system information, battery level, signal strength, app version, browser information, and mobile network, connection information including mobile operator or ISP, language and time zone, and IP.

So, Criptext stores your IP address and lots of other information. Duration is again not specified. It also shares that data with unspecified partners:

We may disclose your personal information to our subsidiaries and corporate affiliates for purposes consistent with this Privacy Policy.

Okay, I think it's lights out for Craptext now. The only positive about them is their promise to immediately delete your E-mail upon retrieval - but seeing how many deceptive claims they've already made, it's doubtful they even do that. All that remains from the privacy posturing on their main page is a pile of rubble. The sane thing to do is to leave Craptext rotting right along the Protons, Fastmails and Hushmails and use some proper services.