Q & A

Q: What is SCRYPTmail? What can I do here?
A: SCRYPTmail is encrypted email service with a focus on security and user privacy. You can use SCRYPTmail on any device that supports modern browsers like Google Chrome or Firefox.

With SCRYPTmail, you can send encrypted emails and files of any type (doc, zip, mp3, etc.) to people who don't even have a SCRYPTmail account. You can also send an email to multiple people at the same time, and it will BCC to each of them so you never leak your recipients. As a result, SCRYPTmail can take care of all your personal or business messaging needs where privacy is important.

Q: How is SCRYPTmail different from other services?
A: Unlike many service out there, SCRYPTmail is a true front-end encrypted service so clear text information is never send over network. As extra security layer, we also encrypt email meta data so if our database ever get compromised, an attacker can not learn who talk to whom.

Q: My friend told me that end to end encryption is less secure than server side and someone can change the code to steal my password.
A: To prevent code modification by third party, we use strong HTTPS encryption protocol which is graded as A+ by Qualys. Our servers have strict security and access policies and are regularly monitored. Our code available for public audit, and not only frontend code that is sent to you as a user but also our backend scripts as well that communicate with the database internally.

End to end encryption protocol is built in a way that all code has to be shipped to the client's computer thus highly increasing the chance to detect any backdoors. When other services hold all your data internally and nobody except owners have ability to audit, it can potentially leave serious bugs unnoticed.

Holding data internally also leaves the door wide open for employee access, and they are physically able to save users' passwords without ever been detected.

Q: I already have an account at ZXY.com. Why should I switch?
A: It's question of personal preferences. Let's take a minute and compare email services to car brands: one is known to be well built, another for speed, the third for ride comfort, and the fourth for features such as GPS, CD player and leather seats.

SCRYPTmail is young service as we are less than a year old, but we are already able to offer more features than other encrypted services. We have already established standards that other have to follow to keep up. If you have choice to have Tesla for the same price, why should you keep Prius?

Q: I use secure peer to peer message services. Why would I use SCRYPTmail?
A: Most of the time encrypted peer to peer message services are build on top of bitcoin protocol. It is as secure as it is bulky. In order to communicate, you have to download all transactions that are growing over time which consumes your hard drive space. The current bitcoin database is bigger than 17 Gb. Later, it will just grow.

Many people also seems to oversee problem that your message has to be stored in many computers. RSA keys used in such a system are getting essentially older and weaker opening the possibility to break it later and decrypt all your messages. Using a service like SCRYPTmail will minimize this risk as we don't share your information even its encrypted. In addition, your inbox is encrypted with AES-256 which is superior to RSA.

Q: I use my own email server for private communication.
A: Having you own email server is very cool. You are either security expert that can install and secure your own server, or a person that read few articles and have impression of being protected. Maintaining your own email server can be costly, time consuming and potentially unsafe.

SCRYPTmail has a designated person to monitor server performance, install patches and update security certificates. Let us take that responsibility and burden off your shoulders.

Q: What is this all about with disposable emails?
A: We are glad you asked. Disposable emails, in short, mean that you can delete them at will without risking losing your main account. When we use other emails services, many times we stumble upon some sites that you want to register for but are not sure if the site is legit, going to spam you later or sell your address. Sometimes disclosing your email address that is assigned to PayPal or a bank account can even lead to financial loss.

With disposable emails, you are protected from any of these scenarios. Just go to settings page, open disposable email tab, and click create one. SCRYPTmail will generate a unique email address that you can provide to such website to register. If later you discover that website is valid, you always can change your registration to a genuine address. If it's not, delete the disposable address and never hear from them again!

Q: Why does your service have this strange email per account limitation instead of regular Mb or Gb size?
A: When we started developing SCRYPTmail, we came to the understanding that with end to end encryption our servers have very little knowledge about our users. In fact, they cannot read your email, attachments or even whose it is. All emails are encrypted as an object and stored in our database anonymously. This means everytime you login into your inbox the server sends a list of encrypted objects to your computer. It decrypts all of them that belong to you and shows them in a readable format including the features of search ability, sorting by date and if it was opened or not.

As we said above, we can't just send you part of an email or sender information. This increases the size of the payload (i.e if you have 1000 emails in your inbox, you may be downloading around 500kb -1Mb of data) It will have a direct impact on your experience. Imagine if you have 10,000 or 20,000 emails? You may have to wait for minutes or even crash browser due to such size.

Q: Will you have ads? Or sell/give my data?
A: Heck no.

Q: How are you going to make money out of this?
A: We believe in the right for privacy for everyone so we have basic free accounts that have all the essential features to protect your data. We will introduce non-essential paid features later on for our users to enjoy.

Q: What are your thoughts on internet privacy?
A: Big companies invest a good deal of time and money to convince the public that the most important things about privacy is to allow hiding your online status, your public posts or your profile pictures from the people around you. Adding these tools allows companies to calm down the public and change nothing in how they are turning over private data to marketers and other third parties. Most likely if someone gives you a product online for free, it's not a product they sell, the actual product they sell is you and your information!

Instead, at SCRYPTmail, we think that the two most important components of internet privacy should be:

  1. Protecting your private conversations from snooping third parties such as officials, employers, mass surveillance, etc.
  2. Protecting your personal data from third parties such as marketers, advertisers, etc.

This is what everybody should care about. SCRYPTmail is a project with an aim to create a truly private email service without the usual caveats. This means that instead of diverting attention with low-impact settings, we can afford to focus on the real privacy issues that exist today.

Q: How old is SCRYPTmail?
A: SCRYPTmail was launched on November 18, 2014.

Q: Which devices are supported?
A: You can login to SCRYPTmail from as many of your devices as you like — some functions are unavailable for Apple users since iOS does not support files downloading that encrypted on your device. We support tablets, smartphones and computers. We have a web client and plan to roll Android and iOS apps as soon as we can.

Q: Who can I write to with my SCRYPTmail account?
A: You can write to anyone as long as you provide valid email address.

Q: How do I know if a person received my email?
A: Currently, we don't have this feature. However, in future, we are planning to provide some information if your message was delivered.

Q: How do I invite my friends?
A: Inside of your mailbox, you may click 'Invite' link and provide an email address for the person you are wanting to invite. SCRYPTmail will send an invitation request.

Q: What can I use as my email address?
A: You can use the following ranges of characters: a-z, 0-9 and dot and underscores. Email address are case-insensitive (e.g. SCRYPTmail and scryptmail is the same user). The email address must be at least 3 characters long.

Q: What do I do if my username is taken?
A: SCRYPTmail usernames are distributed on a first come first serve basis. Try another username!

Security

Q: How secure is SCRYPTmail?
A: SCRYPTmail is more secure than mass market email services like Yahoo and Gmail and even more than some encrypted services because we encrypt attachments and even the recipient and sender. We are based on the PGP protocol and built upon time-tested algorithms to make security compatible with high speed delivery and reliability on weak connections. We are continuously working to improve the security of our protocol for clients.

Q: What if I’m more paranoid than your regular user?
A: SCRYPTmail uses end-to-end encryption by default. We use our own signed certificate at https://ninja.scryptmail.com which has HSTS and HPKP features. Your keys stored on the server are encrypted with AES-256 and Twofish which means 512 bit of encryption key. Also, this has no single point of failure. If AES or Twofish show critical weakness, your private keys will still be protected.

Later on we will offer keys up to 4096 bit long and store only public keys on the server. It will ask you for a private key every time you login.

Q: Why should I trust you?
A: SCRYPTmail is open. Anyone can check our source code, see how everything works and make an informed decision. In fact, we welcome security experts to audit our system and would appreciate any feedback (support@scryptmail.com).

Q: Can I help?
A: Yes, we are always welcome our users to help us improve. Submitting reports, writing to us about features you would like to have will help us to outline future of SCRYPTmail.

Your Account

Q: How do I delete my account?
A: If you would like to delete your account, you can do this on the settings page. Deleting your account permanently removes all your emails, contacts and email addresses. This action must be confirmed with your password or secret phrase and cannot be undone.

Q: What happens if I delete my account?
A: As was just said, all your data will be removed from our servers: all emails and contacts associated with your account will be deleted. That said, your contacts will still have their copy of the emails you sent them.

Termination of an account is irreversible. If you sign up again, you will appear as a new user and will not get your history or contacts back.

Location

Q: I heard a server located in Switzerland or Germany is better due to strict privacy laws in such countries. Where are SCRYPTmail servers located?
A: Our servers located in USA, but later on, we plan do deploy them in multiple countries.

We hear this type of question pretty often nowadays. It's come to our attention that many email services build their whole business model on the fact their servers located outside of US jurisdiction in countries like Switzerland, Germany, Iceland, Canada, etc. and thus protected from USA gag and court orders or even the NSA.

We believe that most of the time such services just obfuscate or clearly ignore important facts and misguide users. We dropped just a few facts down below so you can make your own decision:

German: Scandals in 2014 with NSA monitored Chancellor Angela Merkel. Would you still think they won't have access to some small internet company? (http://www.spiegel.de/international/germany/germany-expected-to-open-investigation-into-nsa-spying-on-merkel-a-973326.html)

Switzerland: Country of banks whose main business is to keep clients money private now cooperating with DOJ to disclose information. Can we expect our data will be more safe over there than money? (http://www.businessinsider.com/r-draft-us-deal-for-swiss-banks-in-tax-row-seeks-total-cooperation-paper-2014-10).

Canada: At least is honest about cooperating with law enforcement.

Iceland: Looked promising until recently. I guess everyone heard about famous case of Silk Road. Servers were located in Iceland, and FBI made request to Iceland police who made copy of silk road servers to hand them over to FBI secretly. How is that working for your privacy protection? (http://ia700603.us.archive.org/21/items/gov.uscourts.nysd.422824/gov.uscourts.nysd.422824.57.0.pdf) P. 9

Moreover, it was stated that the FBI should not follow US constitution nor laws when servers located outside of USA (i.e Fourth amendment).

It is crystal clear for us that our location is not any worse than other countries and sometimes even better. We will not misguide our users under the false impression of better privacy.

If all your data is encrypted on your computer, does it really matter where it is stored?