November 15, 2023
Is CounterMail the most secure email service?
Introduction
CounterMail is yet another "encrypted" and "anonymous" email provider. CounterMail may be the oldest service of its kind still active, with a domain registered in May 2008 and the service ready in May 2010. However, it is less well-known than its competitors, possibly due to its invite-only registration, which limits its user base.
Claims
They seem to be based in Sweden, but neither the company nor its members are disclosed on their website. The webmail platform is Roundcube (open source), and encryption/decryption occurs client-side using OpenPGP.js. While their main website is behind Cloudflare, the login and webmail are not; the proxy used is hosted at "Adminor" in Sweden. They do not provide a Tor link and require JavaScript for client-side decryption, as do most services of this type. To register, you need an invite code; unlike Tuta/Tutanota there is no wait time, and no phone number is required, as is the case with ProtonMail.
They claim to only provide email metadata to Swedish authorities after reviewing the requests with their lawyers, which is also claimed to be the case with ProtonMail and Tuta/Tutanota. According to their assertions, the metadata shared in this case would only include email recipients and subjects, which is standard since this information cannot be encrypted with PGP as it needs to be known to the mail server. Additionally, they assert that they neither store nor have the capability to log client IP addresses.
Cons
There are multiple issues with CounterMail, but the main concern for me is trust. The company and its employees remain hidden, raising the question of who would take accountability in case something goes wrong. There is also a clear lack of communication and updates: the only blog posts are changelogs listing minor improvements.
There are also privacy issues: they lack a Tor domain (which is unusual for a service of this type), and they do not accept Monero. Unfortunately, the limited acceptance of Monero is a common issue, with Tuta/Tutanota being the only email service that supports Monero, through a proxy seller.
CounterMail also doesn't have any open-source clients. The issue goes further: they don't have any client at all. Even their password manager, named SafeBox, has to be accessed from the account settings. Not that I would have used it anyway, as it lacks many modern functions.
They also don't have their own data centers, nor even their own IP addresses, which could pose issues as they have less control over their infrastructure compared to, for example, ProtonMail or Tuta/Tutanota.
The last issues may not be problematic for the majority of people but could be viewed as concerns by others. Firstly, this is an invite-only service, which might seem unusual for a privacy-focused service (though they are not the only ones, and I understand the desire to control access). Secondly, they are relatively expensive, with a price slightly higher than ProtonMail Plus despite offering far fewer features and updates. They also do not offer any free plan (there is only a 7-day free trial).
Conclusion
I'm a firm believer that competition is always a good thing, and every service serves its own purpose. However, it appears that CounterMail is a good service with good intentions that has failed to adapt and keep up with the market. It seems like something that may have been revolutionary years ago but now, with the plethora of options available, appears a little outdated. To be fair, even though they lack many features and I wish they had more control over their infrastructure, they still offer many good security features that other email services do not. I also appreciate that they have remained online for this long, which gives me some confidence in their service.
To really conclude, I think the only real issue is that you can't see the server code or config for any of the services of this type. So you need to trust someone, and this choice is personal. I can understand why someone would trust CounterMail more than, for example, ProtonMail, but I don't.