Free anonymous email & chat provider GhostMail

GhostMail is a new encrypted email, chat and file storage provider based in Switzerland that claims zero knowledge of its users and no log keeping. Everything is free, and the company says this option will always exist. In the future, a subscription model with extra features will be introduced to cover expenses.

Opening an account in GhostMail took me seconds; I only had to pick a username and a password. They are one of the few email providers that do not require you to have an existing email address to complete the sign-up process. The sign-up form consists of two fields, one where you enter a desired username and another box where you enter a made-up password twice.

I sent myself a test email, and the email headers revealed that the GhostMail server was in Sweden. I contacted Birger, GhostMail’s Chief Operating Officer, to ask about this, and he told me that within two weeks everything will be based in Switzerland, where the company headquarters are. When this is completed, only Swiss law will be applicable.

The GhostMail interface has nothing to envy from any mainstream email provider: it is clear and easy to use on a desktop or mobile device, and your browser can notify you when you have incoming mail. The tabbed interface gives you quick access to other email folders, chat, encrypted files and settings, without any annoying ads. In Firefox it works very well; I didn’t test it with other browsers.

GhostMail encrypted anonymous email provider

The default settings do not allow you to receive incoming email from other services. If anybody from Yahoo or Gmail sends you a message and you have not changed this setting, the sender will receive an autoreply telling him to open a GhostMail account. I imagine that most people will want to set their account to be able to receive outside email; it is the first thing you should do after signing up.

When you send an email to an insecure provider with an NSA backdoor, like Gmail, you will be shown a warning saying: “This email will not be end-to-end encrypted, as the receiver is outside GhostMail.” Messages you send carry a small signature promoting GhostMail, nothing too annoying, and it can be changed in settings.

You can also set up a notification email address where you will be warned of new messages. Also in settings, you can set two-factor authentication for logging into your account. When enabled, in addition to the password you will be asked for the number displayed in the Google Authenticator mobile app on your smartphone.

Email encryption takes place in your browser with JavaScript, using RSA 2048 bit and AES 256 bit among other algorithms. Messages can be set to self-destruct within a period of between 1 hour and 7 days. This option is clearly visible in the Compose Email window and effortless to manage using a checkbox and a slider bar.

Other security features are a transparency report and warrant canary card found on the GhostMail website. The number of subpoenas received from the authorities to hand over user data is listed there. If this were to happen, GhostMail can only assist by giving away encrypted data without a way to decrypt it, as only the user owns the private keys to do that and there is no backdoor.
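The hybrid RSA 2048 plus AES 256 pattern mentioned above, and why a provider that holds no private keys can only hand over ciphertext, shown as an added example. This is not GhostMail's code: it uses Node's built-in `crypto` module rather than a browser, and the envelope layout and the function names (`newRecipientKeys`, `sealMessage`, `openMessage`, `failsToOpen`) are assumptions made for illustration.

```javascript
// Added illustration: generic RSA-2048 + AES-256-GCM hybrid encryption.
// Not GhostMail's code; envelope layout and function names are assumptions.
const crypto = require('node:crypto');

// Recipient key pair. In a zero-knowledge design the private key never
// reaches the server in usable form.
function newRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender side: encrypt the body with a fresh AES-256-GCM key, then wrap
// that key with the recipient's RSA public key.
function sealMessage(publicKey, plaintext) {
  const aesKey = crypto.randomBytes(32); // 256-bit per-message key
  const iv = crypto.randomBytes(12);     // 96-bit GCM nonce, never reused
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, aesKey);
  // This envelope is everything the server stores, and so everything it
  // could disclose under a subpoena.
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Recipient side: unwrap the AES key, then decrypt and authenticate the body.
function openMessage(privateKey, env) {
  const aesKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, env.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.body), decipher.final()]).toString('utf8');
}

// True when the envelope cannot be opened (wrong key or modified ciphertext).
function failsToOpen(privateKey, env) {
  try {
    openMessage(privateKey, env);
    return false;
  } catch (err) {
    return true;
  }
}
```

The guarantee holds only as long as the private key is generated and kept on the user's side; with browser-delivered JavaScript, the user also depends on the server sending honest code on every page load.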

I liked that GhostMail has taken the time to document the encryption method they use, plainly explained with diagrams, and they have written an easy-to-understand privacy policy. The zero knowledge network GhostMail has is really a must-have for any email provider, now that we know for sure that the USA and UK have the habit of issuing gagging orders to email providers.

I like the integrated live encrypted chat too, and best of all, GhostMail is open source and has been audited by a security company. But I have one big issue with this platform: having to convince my contacts to ditch whatever they use and move all of them to GhostMail can’t be done.

There are similar services that provide quality encrypted email and chat, for example, Unseen.is and Countermail. I would have appreciated it if GhostMail were using an encryption standard like OpenPGP and XMPP; this way I would still be able to securely communicate with users from other services. Although usability would have likely suffered, I would rather spend more time writing an email than spend time trying to convince somebody to move to my email provider.

GhostMail encrypted email

Overall, this is a very easy to use email and chat service, but it is going to be useless if the person you communicate with is not on the same platform. I would have liked GhostMail far more if they had implemented a secure viewer, like Tutanota has, where users of insecure email providers are not sent a message telling them to open an account somewhere else. With Tutanota, Yahoo and Gmail users are sent a link to a secure viewer hosted on a secure server so that they can read the content without having to switch provider.

If you want an email provider that does not keep connection logs, and you trust GhostMail’s claim that they don’t, they are a good option. But don’t count on GhostMail being the ideal medium for encrypted email and chat; people aren’t going to open an account with them just because you tell them to do so.

Another minor point is that there is no way to delete a GhostMail account in case of emergency. Even in Yahoo you can erase your account, although it takes them three months to delete all data. But if GhostMail keeps no logs and everything is encrypted, it is not a big worry, just a nice-to-have feature.

I would give this provider a 6 out of 10. I think that they are perfect in usability, features, clear documentation and excellent privacy policy, as well as being based outside the USA and the European Union, but it is going to be hard to communicate securely with others who are not on the same platform, and that is a problem that they have no solution for.

Update August 2016: GhostMail has announced they are closing down! Link erased.
