💾 Archived View for gemini.circumlunar.space › users › laur%C3%AB › mail › secmail.gmi captured on 2024-08-18 at 19:37:24. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-12-28)
-=-=-=-=-=-=-
UPDATE July 2021: Dead. Rumors of the admin being arrested, but no proof.
Onion-only provider accesible through http://secmailw453j7piv.onion. No mail client support. Signing up is hassle-free with simple captcha and no personal information required. Keep in mind that - even though connecting through onion means that your IP address likely won't be revealed - secmail could still read the mail contents unless they are PGP encrypted. Since the TOR network is a very tasty target for various spies, it makes secmail's trustworthiness all the more important - and unfortunately, they fail the test. The service contains no privacy policy - though it has some vague claims of really caring about your security, there is zero information on what they store and for how long. Their clearnet domain contains just a link to the onion - however, it has no SSL so an attacker could rewrite the link to their phishing site and steal credentials. In fact, this is how SIGAINT, another onion e-mail provider, got hacked sometime ago:
We are confident that they didn’t get in,” states the alert. “It looks like they resorted to rewriting the .onion URL located on sigaint.org to one of theirs so they could MITM [man-in-the-middle] logins and spy in real-time.”
Another investigator wrote them an e-mail a few days ago where they said that they have no time to implement SSL (they are relying on the TOR network's automatic bad relay detection, which is not perfect - "In 32 days I've found 15 instances where a node is sniffing and using my credentials"). They've had two fucking years to support SSL but don't - and since they know about SIGAINT's hack, making themselves intentionally vulnerable to the same means they are either be heavily incompetent or a honeypot. Secmail has also refused to comment on not having a v3 (more secure) onion domain; do they also not have time for that? All it takes is one additional line in the config file: "Just use your ​regular onion service torrc and add HiddenServiceVersion 3 in your onion service torrc block.".
When secmail got started, they advertised themselves on reddit, where they took a lot of criticism. For example, their first server configuration used to reveal the OS and PHP versions, which makes it so much easier for hackers to get in - and at that point, they were already "operating for more than six months" - can you say incompetent? So, despite allegiances of security and the allure of the darknet, I'd stay away from this one. It has nothing at all over RiseUp which also supports onion domains (v3 as well!). Read a deeper investigation of secmail in the link below if you're interested.
https://web.archive.org/web/20200201012905/https://geneticabhorrence.neocities.org/secmail.html