privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

🆕 Software Suggestion | CTemplar #1642

Closed MystesofEternity closed 2 years ago

MystesofEternity commented 4 years ago

Basic Information

Name: CTemplar
Category: Email
URL: https://ctemplar.com

Description

A highly respectable email service that is hosted in Iceland and has a collection of features that respect privacy, security, and anonymity of users.

Resources

CTemplar comparison table vs Protonmail and Tutanota: https://blog.ctemplar.com/ctemplar-comparison-table/
CTemplar open source code of their webclient: https://github.com/CTemplar/webclient

dngray commented 4 years ago

@dngray I have completed all the wording changes to the website that I feel you indicated as well as other changes I feel needed to be made.

I shall give it a read in the coming days.

If you notice other things, please give me the opportunity to correct them and I mean no disrespect to you or the Privacytools team.

Sure.

We have also started working on implementing autocrypt and we should be done with that within the next few weeks.

Cool.

@dngray You may want to look into this https://www.reddit.com/r/ctemplar/comments/flh2hg/website_hosted_on_same_server_as_mail_server/

Thanks for posting the link.

@zack-95 If you read through the above comments you will see that using Privacytools.io as a platform to report bugs and concerns with our service is not acceptable.

While I would agree with this sentiment it is concerning to see so many services open to the internet, particularly things like Jenkins which have quite a history in the past.

Another thing worth noting is that meeting the criteria does not mean a certainty of being listed. It is a minimum baseline and a guide to what we look for.

We are preparing a response to your comment on Reddit and will post it shortly. If you have other concerns or questions please direct them to myself or my support team.

I shall be looking forward to reading that.

It is totally related, as it relates to a security risk, and I'm sure PTIO would not want to list a provider with such poor server infrastructure security practices that put their customers at risk.

Spot on.

@LordNikon2x

Please don't bother posting anything like that again.

@Jeremy-Stanford

This isn't the place for that.

smnthermes commented 4 years ago

Nice "Zero Censorship Policy"... https://ctemplar.com/zero-censorship-policy/

dngray commented 4 years ago

After some discussion we've decided not to add CTemplar at this time.

The reason being we do not like to provide information which cannot be verified by public sources. We don't allow anonymous companies to provide services because it involves people trusting an unknown entity with their data that cannot be verified. If the company fails or does something disastrous there is no recourse.

To add CTemplar we would have to relax/remove our trust requirements. If we did this, we'd have all sorts of services recommended (we actually put that requirement in place to ward against people recommending random unknown .onion service email providers).

We won't be signing any NDAs regarding this, as it would mean we cannot reveal what we learn, and thus puts it on the community to trust us instead of the company they're doing business with.

I do however want to thank @Godfry and his developers for making the improvements we suggested. I also want to thank those who contributed meaningful replies.

Godfry commented 4 years ago

@dngray

To add CTemplar we would have to relax/remove our trust requirements. We won't be signing any NDAs regarding this

I won't require an NDA. Tell me where to send all my company verification documents and I'll email them to you.
I don't feel it appropriate to put my name and picture on the website. I reviewed Soverin & Disroot and they seem to have the same belief. If sending you my company verification & personal ID documents does not satisfy your requirements, could I meet them in the same way that Soverin & Disroot has?

Another thing worth noting is that meeting the criteria does not mean a certainty of being listed. It is a minimum baseline and a guide to what we look for.

I understand that nothing requires you to list qualifying services. However, I would like to know if my service meets your criteria. If my service meets your criteria, but you decline to list my site, I understand and I won't press the issue.

Godfry commented 4 years ago

@VigilantSwanson
1. It's true we have a single public-facing IP; all our services behind it are properly virtualized and totally isolated from each other. This applies to all public and private services, including those you've discovered with nmap and WordPress.
Even if we didn't consider enabling remote access to different internal tools using a port other than 80/443 a security issue, we have closed them to minimize discoverability of the different tools we use.
2. We know SSH is listening on its standard port and we know its settings. We consider our implementation protects our systems from brute-force attacks and any other unauthorized access we can imagine.

The above comments are our responses to the points brought up. After a discussion with my team, we'll separate the servers. Thank you all for your comments.

Kind Regards,

dngray commented 4 years ago

However, I would like to be able to say that I meet your criteria.

With this you'd be saying: "we meet the criteria but we don't meet the criteria".

This creates problems as other providers would seek the exemptions to say they meet the criteria when they in fact don't. This would in turn dilute our purpose and compromise our mission. Our endorsement and branding would become meaningless.

It is likely to confuse users as well. They're likely to open many issues with both you, and us about why they are not on the PrivacyTools site, when they apparently meet the criteria.

I will provide all the company verification documents to the privacytools.io team without a signed NDA. If I provide those documents to your team, can I say that I meet your criteria?

The issue is that we would have to distribute them on our site. We would have to provide some kind of public verification or reference that what we say is actually true. This is what gives PrivacyTools its authority over other sites who simply just say X is good without any kind of validation or peer review.

There are many sites which endorse many things without reason or reference. What gives PrivacyTools its reputation is the fact that discussions about what is added happen transparently, in public such as on GitHub. People can track the discussion and reasoning and use it in future debates as to why/why not a specific product should be used.

If we make recommendations with "secret sources", it encourages people to accuse us of being biased, bribed, compromised etc. We then would get this pollution on blogs, social networking websites and in comments on our own forums of discussion. It would confuse people and overall they would trust us less.

Members of the community would be able to clearly see that there is information they are "not allowed" to know. All sorts of conspiracy theories would be speculated. Members of our community have typically had their trust abused previously by large companies seeking to make a profit off their private data, as well as governments claiming to be invading their privacy for their own safety.

The other thing to note is, we're all people with regular jobs (mostly in IT). PrivacyTools is certainly a community project that depends on our spare time, and public donations. As a result there was a significant discussion Preventing Privacytools conflicts of interest - ensuring Privacytools integrity, which resulted in us creating a Conflict of Interest Policy, this is to provide some recourse should a team member work at a company which is also a recommended product or wants to be a recommended product.

From a legal standpoint I would certainly not be distributing any kind of documents covered under an NDA normally for other parties. From an ethical point I would refuse to possess such documents unless I had authority to distribute.

If you did give such permission, then you'd be better off distributing them yourself.

Godfry commented 4 years ago

@dngray I understand. Thank you for explaining.

Could you please tell me the criteria? Once I know exactly what you're looking for I'll meet it.
Could you tell me how Soverin and Disroot met the criteria? I would like to use them as examples to be sure I provide a complete response.

Thank you

dngray commented 4 years ago

Could you please tell me the criteria? Once I know exactly what you're looking for I'll meet it.

Sure, the criteria is available on our site https://www.privacytools.io/providers/email/#criteria

Could you tell me how Soverin and Disroot met the criteria? I would like to use them as examples to be sure I provide a complete response.

What part specifically? Both of these are public. Both providers are listed on KVK Disroot and Soverin. More information about KVK. You cannot register in the KVK without your legal name and contact details.

Both Soverin and Disroot also have a presence on social media, which means we get to know something about the people behind the service. Eg. @muppeth I've often seen around on Github (in various other communities).

Soverin have relevant information about them located: https://soverin.net/about

There is a higher trustworthiness associated with a company being run in the same location as where the employees reside.

They also do use their real names, when promoting their product, and likewise on Twitter: Ivo Fokke, Patrick, Andre Meij.

ghost commented 4 years ago

In addition, ctemplar does not support IMAP, SMTP or JMAP.

dngray commented 4 years ago

In addition, ctemplar does not support IMAP, SMTP or JMAP.

This is not a requirement. See Tutanota. It's a best-case option.

ghost commented 4 years ago

You're right. btw, I saw on reddit that POP3/IMAP/SMTP support will be added next month. https://www.reddit.com/r/ctemplar/comments/fjtiou/new_features_development_schedule/

Godfry commented 4 years ago

@dngray I am discussing this because I would like to meet your criteria, I understand that I can meet your criteria and not be listed. Based on what you've shared with me I feel my company meets the criteria of having "Public-facing leadership or ownership."

Soverin and Disroot also have a presence on social media

My service does also: Facebook, LinkedIn, Twitter.

Both providers are listed on KVK Disroot and Soverin.

My service is in the Dun & Bradstreet Global Database; here's information about DUNS numbers. DUNS numbers are considered by some to be the universal standard for business identification. To illustrate this, Apple requires a DUNS number to create a corporate mobile app. Apple will not accept KVK numbers as a form of corporate validation. For this reason, I think my company's DUNS number (which is 56-137-7531) is at least equal to a KVK number.

You can confirm my DUNS number by using the DUNS number lookup form. It won't let me give out a static link. https://fedgov.dnb.com/webform/searchAction.do
Country: Seychelles
Business Name: Templar software systems ltd

You cannot register in the KVK without your legal name and contact details.

Likewise with a DUNS number.

They also do use their real names

As do I; it's attached to the DUNS number. I have an alias, just as many coders do, and then I attach my real name to important documentation like the DUNS number.

There is a higher trustworthiness associated with a company being run in the same location as where the employees reside.

I maintain an office in Iceland but many people work from the country they live in. I think this is exactly the same as the other services.

Like I mentioned before, I am not trying to compel you to list my site. I am pursuing this discussion because I feel my service meets the criteria and if it doesn't I would like to know why so I can make improvements.

ghost commented 4 years ago

Pleased to meet you, Paul

While aliases and privacy are respected, when dealing with an actual company that provides those privacy services, as @dngray said, I'd like to know who I'm dealing with. Hiding who is behind it actually makes me trust it less.

Godfry commented 4 years ago

@zack-95 I see your view. I'm happy to provide any verification that you all want. I've added my name to github, and picture & name to http://keybase.io/, I've also verified myself with keybase's encryption.

From my view (a view gained from comments on this thread/reddit & direct email) I felt this community was trying to find a reason to disqualify my service because of hate toward Mexicans, Pakistanis and those of the LGBTQ community. Thank you for reopening the issue. Please give me a chance to respond to concerns before denying & closing the thread.

If the issue really is the nationality and gender of my employees then let's have out with it. As some of you who have emailed me will know, I will not give my opinion and will respond with academic studies that I think were conducted well. I would rather discuss this openly instead of having it be talked about in secret.

Kind Regards,

dngray commented 4 years ago

From my view (a view gained from comments on this thread/reddit & direct email) I felt this community was trying to find a reason to disqualify my service because of hate toward Mexicans, Pakistanis and those of the LGBTQ community.

This is certainly not the view by the PrivacyTools team. We would never disqualify a provider based on these things. We do in fact have a Code of Conduct related to this.

If the issue really is the nationality and gender of my employees then let's have out with it.

Certainly not, and as such I have not mentioned it, because it is not something we use in our deciding factors.

I would just suggest ignoring the anonymous trolls that hold these views.

Godfry commented 4 years ago

@dngray Thanks for the response:) I'll take your advice and ignore the trolls.
Let me know anything else you need.

hejwoidhenw commented 3 years ago

@dngray @Godfry Any update on this? It has been a while, and the issue is open. CTemplar has made some progress, so I guess it would be worth looking to add them to https://privacytools.io/

clonesr1 commented 3 years ago

have owned 100% of this company since its creation.

I am the only shareholder, only owner and control all the voting rights. I don’t retain or share any information

CTemplar's business model is offering paid accounts. We will never accept any donations, grants or investment from any outside source. I can prove this by making my company's shareholder corporate data available. But I won't be posting that publicly and I will require a signed NDA

lazyoldbear commented 3 years ago

https://ctemplar.com/help/answer/do-you-offer-imap-2/ IMAP may be arguably not required for adding to the list, but the fact that it was unequivocally promised soon at least twice over the last year gives a hint that the company might not have sufficient resources or may have difficulties of unknown nature, rendering its future questionable.

ghost commented 3 years ago

This discussion has been going on for a long time. How about we end this discussion?

CTemplar does not implement CSP. I am against adding it. https://observatory.mozilla.org/analyze/mail.ctemplar.com
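
The missing-CSP finding above is the kind of thing worth checking yourself rather than taking from a third-party scanner. Below is an added example (my own code, not CTemplar's or PrivacyTools') that parses a raw HTTP response header block, as captured with `curl -sI https://host/`, and reports whether a Content-Security-Policy is enforced and whether the script policy is effectively meaningless ('unsafe-inline', 'unsafe-eval', wildcard or scheme-only sources). The three header blocks are constructed for illustration and are not real responses from any provider.

```python
"""Audit an HTTP response header block for Content-Security-Policy weaknesses.

Added example; not code from CTemplar or PrivacyTools. Header blocks below are
constructed for illustration. Capture a real one with: curl -sI https://host/
"""
from __future__ import annotations

from typing import Dict, List

# Source expressions that make a script-src policy effectively useless.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response (status line + headers) into a lower-cased multimap."""
    headers: Dict[str, List[str]] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the status line, e.g. "HTTP/1.1 200 OK"
        if not line.strip():
            break  # blank line ends the header block; anything after is body
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_csp(raw: str) -> List[str]:
    """Return a list of findings for the response; an empty list means nothing flagged."""
    headers = parse_headers(raw)
    findings: List[str] = []
    enforced = headers.get("content-security-policy", [])
    report_only = headers.get("content-security-policy-report-only", [])
    if not enforced:
        if report_only:
            findings.append("CSP present only in report-only mode; nothing is enforced")
        else:
            findings.append("no Content-Security-Policy header")
        return findings
    # Several CSP headers are all enforced (a load must satisfy each one);
    # merging their directives is enough for the presence checks below.
    csp: Dict[str, List[str]] = {}
    for value in enforced:
        for directive, sources in parse_csp(value).items():
            csp.setdefault(directive, []).extend(sources)
    # script-src falls back to default-src when absent.
    script = csp.get("script-src", csp.get("default-src"))
    if script is None:
        findings.append("no script-src and no default-src: scripts from anywhere are allowed")
    else:
        weak = sorted(WEAK_SCRIPT_SOURCES.intersection(s.lower() for s in script))
        if weak:
            findings.append(f"script-src permits {', '.join(weak)}")
    if "object-src" not in csp and "default-src" not in csp:
        findings.append("object-src not restricted (plugin content from anywhere)")
    if "frame-ancestors" not in csp:
        findings.append("frame-ancestors missing: framing (clickjacking) not restricted by CSP")
    return findings


# Constructed sample responses (not captured from any real host).
NO_CSP = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
"""

WEAK_CSP = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *
"""

STRONG_CSP = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'
"""

if __name__ == "__main__":
    for label, block in (("no CSP", NO_CSP), ("weak CSP", WEAK_CSP), ("strong CSP", STRONG_CSP)):
        print(f"{label}: {audit_csp(block) or ['ok']}")
```

The check deliberately reads the enforced header and not just the report-only variant: a site can ship a strict `Content-Security-Policy-Report-Only` and still execute injected inline script. A policy that names `https:` or `'unsafe-inline'` in `script-src` passes a presence check but gives an XSS almost nothing to work around, which is why the audit flags those sources rather than just the header's absence.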

paulverbeke commented 3 years ago

Doesn't look good 😥🥺 https://cyber-privacy.net/ctemplar-catastrophic-incident-with-complete-data-loss-july-2021/ Someone forwarded me this, but I can't attest to its trustworthiness. Can someone confirm this?

ph00lt0 commented 3 years ago

"We cannot restore data from backups because we do not keep backups for security reasons" now that one is new

Doesn't look good 😥🥺 https://cyber-privacy.net/ctemplar-catastrophic-incident-with-complete-data-loss-july-2021/ Someone forwarded me this, but I can't attest to its trustworthiness. Can someone confirm this?

Seems to be confirmed by themselves on Twitter: https://twitr.gq/RealCTemplar/status/1414486941064695818#m