How much does CounterMail cost?
CounterMail lets users try the service for seven days for free However, the firm does point out at that there are certain limitations:
Premium accounts can be purchased for three subscription periods, all those plans come with the same features and 4 GB of encrypted storage space. A six-month subscription costs $29, a one-year subscription costs $49, and a two-year subscription will set you back just $79.
Those prices are not excessively expensive. However, they are more costly than other notable services like Tutanota and Posteo; which both provide their services for $13.68 per year.
Anybody who wants to use a custom domain will need to pay a onetime fee of $15. This is not unusual, as many secure email services do charge a flat rate for bringing across (or setting up new) custom domain name inboxes.
Any user who struggles with the 4 GB storage capacity has the option to expand their inbox. Users can opt for between 250 MB and 1.75 GB of extra space. This is charged as a one-off flat rate to expand the storage capacity, and costs $19 for 250 MB, $35 for 500 MB, $59 for a GB more, and $89 for 1.75 GB. This is not hugely concerning considering that it is a one-offfee.
Payments for subscriptions can be made via credit card, Paypal, wire transfer, or Bitcoin. The option to use Bitcoin can allow people to subscribe privately as long as they also use a VPN to conceal their IP.
Features Overview
- OpenPGP encryption
- Support for PGP/MIME
- Diskless web servers
- Secure forms
- Android, Windows, MacOS X and Linux support
- Dynamic aliases
- Message filter / Autoresponder
- Anonymous email headers
- IMAP for using third-party clients
- USB key option
- Password manager
- Custom domains supported
- XMPP chat server
- Bitcoin payments accepted
- XMPP chat server
Privacy
CounterMail is a secure email provider based and hosted in Sweden, a location that is not considered brilliant for privacy due to ongoing mandatory data retention directives that force ISPs to store web browsing histories and metadata for six months. However, it is worth noting that these directives do not directly affect email providers, and it actually appears that Swedish ISPs are refusing to cooperate anyway.
Sweden is a part of the greater 14 Eyes surveillance agreement, meaning that it does cooperate with 5 Eyes members to perform surveillance. What’s more, a law passed in 2009 (Försvarets radioanstalt, FRA) allows the National Defence Radio Authority to wiretap all telephone and Internet traffic that crosses Sweden’s borders for national security reasons. While the law is supposed to apply only to international web traffic, FRA has been used to justify indiscriminate bulk data collection.
Swedish authorities also have the power to force a provider of encrypted services to “order a person with knowledge of a computer systems’ function or of measures that are used to protect the [desired] information, to provide information that is necessary to enable the execution of the warrant.” So, it is possible that CounterMail could theoretically be served a warrant that forces it to decrypt any emails that are encrypted at rest.
Thankfully, CounterMail provides full end-to-end encryption for its service, meaning that users can opt to control the keys to their email data themselves. This takes the power to decrypt emails out of CounterMail’s hands and means that the Swedish government would not be able to compel the firm to provide access to that email data.
On the other hand, you do have to trust that CounterMail is doing what it promises with your encryption keys (and that the software doesn't covertly pass your password and keys to the firm). Unfortunately, that is a blind leap of faith, because CounterMail runs on closed source software that is not publicly available and has never been audited by a third party. As is the case with all closed source privacy services, this may be enough to put some people off the service.
What’s more, CounterMail does require users to delete their private key from its servers (which means it is there to start with, which definitely rings some alarm bells). Also, we asked the firm about updating my PGP keys to ones we already hold, and the firm told me:
The mere suggestion that they want us to email them our private key is weird, the whole point of PGP is that only you hold your private key, eliminating the need to trust any third parties. So, why does CounterMail seem intent on introducing that element of trust?
As is always the case with email, some metadata (the subject, IP address, to/from, DKIM signing information, References header, etc) is accessible to the email provider in order to provide the service of sending the emails, and this data could theoretically be harvested or passed to the authorities.
To somewhat mitigate against this problem, CounterMail scrubs all IP address from the header of emails. CounterMail also promises never to log customer IP addresses on its servers. Thus it is one of the few email providers that can be considered no logs. To achieve this, CounterMail uses diskless intermediary servers to scrub IP addresses before passing encrypted messages along to its bare metal servers. This “filter” system ensures that no IP addresses are ever recorded to a company hard drive by accident.
We checked online for the firm’s privacy policy, but the link in the footer of the website doesn’t link to a proper policy, which is more than trivial. A full GDPR compliant policy would make this service much easier to recommend, especially considering it is an EU company.
Finally, the firm uses no cookies on its website, and Privacy Badger detected no trackers. The firm also promises to delete all transaction data within two weeks. However, if you pay with PayPal or a card, evidence of the transaction will exist elsewhere.
Security
CounterMail is said to be a custom roll-out of SquirrelMail (which is open source GPL). However, the firm was quick to point out that their modified version is closed source.
The service allows users to sign and encrypt emails within their browser using fully audited OpenPGP encryption standards. Attachments can also be encrypted. Plus Countermail always encrypts everything that is stored at rest on its servers (including plain text messages).
CounterMail uses a standard implementation of OpenPGP. Full key management is available for contacts but is unorthodox for updating your own. Countermail is easily interoperable with all other PGP email services and is ready to send encrypted emails as soon as you open an account. PGP keys are generated in your browser and stored on CounterMail’s servers encrypted.
It is worth noting that CounterMail does store your private encryption key by default (in an encrypted state).
However, it never stores your password which is needed to decrypt the key to access messages. That does sound reasonable and might be a fair trade-off for convenience, although it is definitely more secure for the key never to leave your own desktop. Users can opt to delete their key from the firm’s servers to store it locally if they prefer.
It is worth noting, that it is impossible to recover a CounterMail account if you lose your password. The private key is encrypted using your password, and both are necessary to access the account. For this reason, it is vital to always remember your password.
CounterMail is a Java environment webmail application that runs in your browser. This means that the service is vulnerable to certain Java attacks (a server operator can push malicious code which the browser will just accept). To be fair on Countermail, this is true of all Java and Javascript webmail interfaces. To avoid any possible exploits, it will be necessary to use IMAP or SMTP to access the service with a standalone third-party email client such as Thunderbird or Enigmail.
It is worth noting that it is possible to set up email aliases for your account, this allows you to set up random addresses that forward to your main inbox. These can be created for countermail.com or cmail.nu domain names. Those temporary aliases can be deleted whenever you wish and can be used to protect your primary inbox address.
However, there is a security issue that comes with aliases used with CounterMail. Unlike some other providers which blacklist an alias from ever being used again after it has been created, CounterMail allows them to be recycled. This means that after you close an alias down, somebody else could create the same alias and end up receiving emails originally meant for you. This carries significant security and privacy risks.
Finally, we checked the service using Qualys SSL Labs to check the quality of its SSL/TLS implementation and were happy to find that the firm scores A+. The firm also provides protection against SSL Man-in-the-Middle attacks by adding RSA and AES-CBC encryption underneath the standard SSL-protocol. As such, Countermail provides four layers of protection for user data: SSL encryption, Session encryption, OpenPGP encryption, and Server-side disk-encryption for data at rest.
Also worth a mention; you can opt to purchase a USB stick containing a keyfile to login into your account. This ensures that even if someone phishes or guesses your password, they will never be able to access your account without the physical dongle. This is the only form of Two Factor Authentication that the firm provides.
Ease of Use
Getting a subscription with CounterMail is easy, and no previous email address, phone number, real name, or other personally identifiable data is needed to set up the free email account. Once the 7-day free trial is over, you will need to supply payment, and, if you do so, the firm will know who you are. However, it does promise to delete this transaction data after just two weeks, which is good. In addition, you can elect to pay with Bitcoin for added privacy.
Once inside the webmail interface, navigation is simple and users are greeted with a welcome email that arrives encrypted with PGP. This message is decrypted automatically using the PGP key that is generated when you sign up. Anybody that has an existing PGP key can update their keys by emailing the firm and supplying their public key. This side of the service is great for beginners.
Importing contacts is just as easy. Simply, click on contacts and then import them. CounterMail supports CSV and vCard formats so that you can import from just about any previous email provider. We found the function to work without a hitch when using the CSV function.
Importing and exporting encryption keys from within CounterMail’s settings is also simple, and there are guides if you need them. Sending someone an email using Countermail will automatically encrypt the message with the key found in your keyring. If no key is found you are notified to let you know that you need to add one.
What’s more, sending messages to fellow Countermail users (or Hushmail users) does not require you to already have the recipient’s key in your keyring. Instead, the service automatically fetches the key for you. This definitely saves you time and allows you to send secure emails to fellow users with ease, which, again, is ideal for beginners.
It is worth noting that if you decide to delete your private encryption key from Countermail’s server for security reasons, you will not be able to view message directly in the webmail interface (major bug reported by users). Instead, you will need to download the message as an attachment, save it as text, and then decrypt it locally.
This is a bit time-consuming but is the only way to use the CounterMail with 100% control over your private key. Again, this feels like CounterMail is forcing people to hand over their private key, which makes me uneasy.
If like us, you do wish to delete your private key from its servers you can do so by navigating to Settings > Preferences > Security and Keys. Here you can opt to download your keys and delete the private key.
While CounterMail is a bit short on features when compared to many email providers, it does have a few extras worth mentioning. The Safebox feature allows you to securely store notes, a Calendar is available, and users get the use of an XMPP chat server that is compatible with Jabba clients.
Admittedly, however, it is a bit thin on the ground when compared to many other services (even ones that cost around half).
Customer service
All customers are able to ask the customer service team for help using the ticket system on its website. A notification for the response is sent to your inbox. We asked a succession of easy and tricky questions from the point of view of a beginner, to see how the team would react.
Responses usually came within three to four hours, and the team seemed eager to be both truthful and helpful. This is a part of the service that is definitely a plus. However, do bear in mind that from our experience customer support is only available during European working hours, so depending on where you are you may need to wait longer.
An FAQ and Knowledge Base is available on its website, which has various guides and answers to important questions. Blogs that explain aspects of the service such as its diskless servers and session encryption are well written and provide useful information.
Conclusion
CounterMail is supposed to be easy to use, and in many ways it is. The automatic allocation of a PGP key at sign-up is great and certainly means that users can jump in at the deep end and start sending other CounterMail (and Hushmail) users encrypted messages right out of the box.
However, for anybody that already has a PGP key, replacing the keys the firm automatically allocates you - with one you have already spent time sharing with your contacts is not immediately obvious. The same goes for setting up CounterMail to work on a third party client via IMAP, it is possible, but even following the instructions it may feel a bit daunting.
Where extra features are concerned; everything is available within a few clicks. However, we can’t help feeling that there is something about the interface that doesn’t make a newbie feel at home. It certainly doesn’t have the pleasing aesthetics of some of its competitors. On the other hand, it shouldn’t take long for anybody to get up to scratch because the firm does provide plenty of support options and guides.
On the whole, this service seems a bit thin on the ground in terms of features considering the cost. The fact that is closed source is definitely a disappointment, considering the emphasis that is placed on privacy and security throughout its website.
If it all works as claimed, it is fair to say that CounterMail is an extremely secure and efficient email provider. The no IP logging is a non-standard feature that puts this provider in a relatively small group of secure email providers. But, you do have to take CounterMail at its word, and, if you are paranoid, this is a surefire deal breaker.
On the other hand, for people that are looking to de-Google and want a service that lets them start sending PGP encrypted emails without having to learn anything about key management (as long as they can convince all their friends, family members, and contacts to also use CounterMail) this could provide a very workable solution.