💾 Archived View for gemini.circumlunar.space › users › laur%C3%AB › mail › ctemplar.gmi captured on 2024-02-05 at 10:27:56. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

CTemplar (DEAD)

UPDATE April 2022: Dead. No reason given as far as I can see. UPDATE May 2022: okay, we now know they have been threatened by the glowies - "When we created this service, we made a promise to ourselves that we would shut down the email service if we couldn’t guarantee our security claims to our users. That day has come, and we would rather shut this service down than make security changes that would have been harmful to you." RIP.

UPDATE February 2022: CBF writing a new review but now the free account requires an invite code. The paid ones cost too much for a service that does not even support mail clients.

I used to have a review of this one, and it was not so good. However, after reading my review, CTemplar wrote me an E-mail to say they've changed most of the offending issues (kudos!). Since I didn't want to spread wrong information, I took the old review down, and just now finally got around to a rewrite. So, is CTemplar actually worth using now?

I would still say - not really. First of all, it lacks mail client support which for me is the most important issue. I don't care about webmail when it will never have the amount of features my mail client does and requires enabling potentially malicious JavaScript in the browser. But wait, CTemplar claims that they cannot do that because of checksums:

Currently all end to end encrypted email services can hack their own users and decrypt all of their data except us. We are able to provide this level of protection using an implementation of checksums that have not been used before.

There are two problems with this claim. First of all, comparing checksums doesn't require any special implementation - you can do it with any service that shares their code externally (for example, on Github). Then, you just compare that code to the one from your browser's "View source" option. However, all the E-mail providers I've seen don't actually share the code that runs on the site - only files to build / generate it. Thankfully, one of our chat's regulars undertook the job of building CTemplar and after several tries, still couldn't. Even if you did manage to do so, you'll have to compare the checksums every single time you use the site and for every single script it loads. Clearly, this is impossible in practice, and therefore useless. If they really cared about this, they'd just put the real code on GitHub so you could compare directly.

Of course, even if you managed to accomplish the above Herculean feat, this would do nothing to guarantee that the code is not malicious. You'd still have to go and inspect it to see what it does, and it's made all that much harder if it is obfuscated - which CTemplar's happens to be. Even though they might not be able to target you specifically without being exposed through the checksums (that is, if you happened to compare them at that moment) - they can just attack everyone, and then even remove the violating code the next day before anyone detects it. See? Checksums do nothing to protect against malicious code. Okay, enough about checksums, let's check out their privacy policy:

When you visit our website, your browser sends us your user-agent and IP address. When you leave our site no records are kept of your IP address with association to your account. We store your IP in an anonymous way for 7 days.

The "anonymized data" rears its ugly head again. What exactly is stored is anyone's guess.

If you choose to delete your account, everything is deleted and no records or backups kept.

Now that's a great policy which unfortunately most providers don't follow. By the way, this is apparently thanks to the "Icelandic privacy laws" - which are actually a thing unlike, say, Swiss privacy laws (a meme at this point) which enforce 6 months of data storage.

We will not disclose anything to third parties, except your payment information if you choose to buy a paid account.

Again, this is the only way to be private. CTemplar, by the way, also allows bitcoin payments so even if you DO want a paid account, you can avoid your data being stored anywhere but CTemplar.

Okay, I've skipped some sections because I want to cover the most important part in depth. Check out this quote:

We use a CDN service because its use is required to provide a better experience serving our static website content quickly around the world. Our CDN service also provides necessary protection against DDOS attacks. CDN’s can theoretically serve malicious code to our users. Our SRI & Checksum implementation offers protection from malicious code served by CDN’s.

The checksums thing I've analyzed above, so let me tell you briefly what is SRI. Whenever a site includes a resource from a third party (let's say, a JavaScript library or a style) - that third party could in theory modify the file being sent at any time. To protect itself (and the viewers), the site could attach an "integrity" parameter to the resource with a hash which your browser would then compare to the received file to ensure it's what the site intended to send. If the hash doesn't match, it means that the either the site serving the resource, or some other third party, tampered with the file. However, this works only for the resources for which the site added the integrity tag - the meddling third party could still modify anything else. The bigger problem, though, is what kind of CDN did CTemplar have in mind:

For example, if CTemplar receives a DDOS attack that we are not able to handle, we will switch to using Cloudflare.

So they will put their site behind the evil Cloudflare in case of a DDOS. What does that mean for their claims about SRI? Briefly, what Cloudflare does is proxy the whole page (instead of a specific file or several) - so that it can modify it before serving it to you, including removing the integrity checks if it wanted to. See, SRI can only protect against the third party modifying a file if it has no access to the page that sets the integrity checks - but Cloudflare does. That CTemplar pretends otherwise means they are either lying to you or didn't do their research - which is bad news for their trustworthiness.

With that out of the way, let's get to the positives about CTemplar. Registration requires no personal data or ReCaptcha. Front page claims that they "never track your IP address, keep logs on your usage or record any identifying information at any time"; which is great but again - since they've specified "identifying information", there must be collection of some allegedly non-identifying data - and we're in the dark as to what it is. CTemplar does provide an onion domain but it redirects to their clearnet one.

Wow! And here I was thinking I'll be a good guy and list some positives, but it seems CTemplar does not deserve it. I could dig deeper, but it seems fruitless at this point. CTemplar does seem to care about you at least a little bit - since they did send me an E-mail some months ago and changed some of the offending issues. But they still don't support mail clients (the most important feature for a provider) and have other glaring flaws such as the totally insecure and disrespectful downgrading of the onion domain to the clearnet. They also made wrong claims about both checksums and subresource integrity - call it fraud or incompetence, I don't care. Even if they changed stuff again, the reputation has been irreversibly damaged. As much as it pains me to say it - because there are truly lots of way worse providers out there - avoid CTemplar.