The purpose of this document is to try to answer as many questions regarding SecureNym as could be anticipated. It is SecureNym's policy to be as open as possible about the service provided and how it works.
The topics are divided into the following subject areas.
- The purpose
- Software and hardware
- How it works
- Access options
- Security realities
- Why SecureNym was created
- Payment options and issues
- Privacy comments
Any suggestions for additions to this section or improvements to our service are appreciated. Comments or questions may be addressed to firstname.lastname@example.org
What SecureNym does
SecureNym is merely a tool to increase privacy, offering anonymity and significantly more security than conventional e-mail. SecureNym does only e-mail and nothing else and is not a "do-all, end-all" solution.
There are many methods available to increase e-mail privacy, anonymity, and security. The most obvious is the remailer network, which is without charge to the user. While the use of remailers may or may not be within the technical skills of some users, the degree of security they offer is without question. As with any such enhancement, there are some trade-offs which have to be considered.
As a rule of thumb, you can choose any two of the following, but you can't have all three.
- 1. Free service
- 2. Ease of use
- 3. Speed and reliability
The pieces and parts
There's no magic. SecureNym uses no revolutionary, proprietary methods. The majority of the software is open source to assure its integrity. The system is built around Sendmail on Apache/Solaris, using Procmail, MySQL, ModSSL, PHP4, SASL_AUTH, S/MIME, and PGP 6.5.1. SecureNym uses these tools to optimize the user's privacy and security.
The hardware consists of Sun Solaris servers and firewalls and Cisco network devices.
It is not possible to use SecureNym without SSL/TLS encryption.
All outgoing messages are processed in Procmail and all identifying headers are removed and rewritten. Inbound messages are screened by spam filters before placement into the mailbox, but the header information is left intact unless from another SecureNym account. As a further security enhancement, PGP or S/MIME may be enabled to ensure that the user's stored messages are encrypted using the user's public key.
(Note: S/MIME is not compatible with SecureNym's webmail.)
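The outbound header rewrite described above, sketched as an added example; it is not SecureNym's Procmail configuration. The allowlist, the `nym.example` domain and the sample message are assumptions made for illustration. Keeping only known-safe headers, rather than deleting known-bad ones, means an unfamiliar client header cannot leak through.

```python
from datetime import timezone
from email import message_from_string, policy
from email.utils import format_datetime
import secrets

# Assumptions: this allowlist and the nym.example domain are illustrative,
# not SecureNym's real Procmail rules.
KEEP = {"from", "to", "cc", "subject", "date", "mime-version",
        "content-type", "content-transfer-encoding"}
SERVICE_DOMAIN = "nym.example"

# Constructed sample of what a desktop mail client might submit.
SAMPLE = """\
Received: from laptop.home.example ([192.0.2.44]) by mail.nym.example; Tue, 04 Mar 2003 09:15:02 -0800
Message-ID: <3E64D1A4.1010@laptop.home.example>
Date: Tue, 04 Mar 2003 09:15:00 -0800
From: Nym One <nym1@nym.example>
To: friend@example.org
Subject: Lunch
User-Agent: ExampleMail/1.0 (X11; Linux)
X-Originating-IP: [192.0.2.44]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

See you Thursday.
"""

def scrub_outbound(raw):
    """Return the message with only allowlisted headers, rewritten where needed."""
    msg = message_from_string(raw, policy=policy.default)
    for name in list(msg.keys()):
        if name.lower() not in KEEP:      # drops Received, X-*, User-Agent, ...
            del msg[name]
    # Rewrite Date to UTC: the sender's UTC offset hints at their location.
    date = msg["Date"]
    del msg["Date"]
    when = getattr(date, "datetime", None)
    if when is not None:
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        msg["Date"] = format_datetime(when.astimezone(timezone.utc))
    # Replace the client-generated Message-ID, which embedded the sender's host.
    msg["Message-ID"] = f"<{secrets.token_hex(16)}@{SERVICE_DOMAIN}>"
    return msg

if __name__ == "__main__":
    print(scrub_outbound(SAMPLE).as_string())
```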
- 1. A web-based interface featuring SSL encryption. SecureNym supports 256-bit SSL, but the strength of SSL encryption depends upon the user's browser.
- 2. Mozilla Firefox and Mozilla Thunderbird are simply outstanding and are available free of charge, for ALL platforms.
- 3. Mac's Mail.app and just about any other mail client work with SecureNym.
- 4. Outlook/Outlook Express are compatible, with the caveat that these mail clients have frequent security issues, and must be patched frequently.
- 5. Regardless of where you are, or what ISP you are using, SASL_AUTH will allow you to use your mail client with SecureNym to both send and receive messages securely.
SecureNym supports either IMAP or POP3 mailboxes.
Anonymity and security
There is no way SecureNym, or anyone else, can make a user invisible or guarantee that there is not some method that may be used to identify a user.
When using SSL, the user's ISP would be able to detect only that a connection has been made to SecureNym. They would not be able to see the details of any activities during that connection.
No system is hack-proof, period. SecureNym makes every effort to ensure that it would be as difficult as possible to do so.
It is arguable that some entities, either government agencies or private, may have the technology to break encryption, of whatever algorithm or strength. While it is not possible to know the extent of these abilities, SecureNym makes every effort to make any intrusion as expensive and time-consuming as possible, even for those with the most advanced capabilities.
Why SecureNym exists
SecureNym was founded by a group of privacy advocates who wanted to offer a service to the computer neophyte. The founders of SecureNym, like many other users, are capable of obtaining e-mail security without use of a paid service. The goal is to offer privacy and security to those without the skills or time to obtain them otherwise.
SecureNym is intended to help the user protect his privacy, and makes no claim to be the holy grail solution to securing e-mail. By design, SecureNym should be easily used by even computer novices.
Whether a user chooses SecureNym or not, it is our hope and stated policy to increase public awareness of the privacy issues that exist on the internet today.
All methods of payment, no matter how well thought out, offer challenges. SecureNym accepts payments by money order, credit card, or PayPal. All require a valid email address for confirmation. It does not matter what or where that address is, as long as it can receive the key information. The address is not archived by SecureNym.
Regardless of the method of payment, the procedure remains the same. Upon receipt of payment a randomly generated key number will be issued and sent to the address provided. The address is of no importance to SecureNym, as long as it can receive the key message.
With the key is the URL for key entry, and subsequent account creation. Once the key has been entered, and prior to any account being created, the key is removed from our databases. The user may create an account or accounts bearing whatever name and password is desired. SecureNym keeps no record of the e-mail address to which a key was sent.
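The key procedure above, modeled as an added example; it is not SecureNym's code. The SQLite schema, the function names and the choice to store only a hash of each key are assumptions. It shows the ordering the text describes: the key is deleted and committed before any account row exists, and the two tables share nothing that could join them.

```python
import hashlib
import secrets
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    # No e-mail address, timestamp or shared column in either table:
    # a redemption time stored on both sides would link key to account.
    db.execute("CREATE TABLE keys (key_hash TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY,"
               " salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return db

def _digest(key):
    # Assumption: only a hash is stored, so a database dump yields no usable keys.
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(db):
    """Called on receipt of payment; the return value is mailed to the buyer."""
    key = secrets.token_urlsafe(24)          # 192 bits from the OS CSPRNG
    db.execute("INSERT INTO keys VALUES (?)", (_digest(key),))
    db.commit()
    return key

def redeem_key(db, key):
    """Consume a key. The DELETE is the validity check, so a key works once."""
    cur = db.execute("DELETE FROM keys WHERE key_hash = ?", (_digest(key),))
    db.commit()                              # key is gone before any account exists
    return cur.rowcount == 1

def create_account(db, name, password):
    """Takes no key argument, so nothing here can record which key paid."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)", (name, salt, pw_hash))
    db.commit()
```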
Depending on the level of paranoia applied, there may be other issues. It is theoretically possible:
- that a handwriting expert could identify your writing on an envelope or money order.
- that a typewriter used to address an envelope and/or money order could be traced.
- that your fingerprints could be obtained from an envelope or money order.
- that an account used for receipt of the key could be traced back to your real identity.
SecureNym does not log IP addresses or user activity, and there are no message backups. It is assuredly in SecureNym's best interests to strictly adhere to this policy.
SecureNym uses a cookie only to set a session ID for webmail. This is removed when the user logs out, and does not contain or tie to any personally identifiable information.
Your credit card provider will have transaction information, but only to the extent that a payment was made to SecureNym. Due to credit card fraud, a record is kept of the transaction. If total anonymity is your goal, payment should be made via money order.
There is no means of connecting any payment to an account. Support of this statement is the simple logic that to do otherwise would be contrary to the interests of SecureNym; it is far better to claim, and be able to subsequently prove, that there is no knowledge of any user's identity.
SecureNym accepts no advertising and does not sell or trade subscriber information.
SecureNym will not tolerate spam. Users will be immediately terminated for any spam.
SecureNym will do everything within its power to protect every user's security and privacy.