this post was submitted on 13 Jul 2026
-11 points (17.6% liked)

Privacy

10296 readers
574 users here now

A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 3 years ago
MODERATORS
 

Full disclosure: I am the maker. I am not here to tell you it is perfect. I am here because this community is best at finding the holes, and I would rather you find them now.

Elusive (elusivemail.xyz) is encrypted email. The thing I care about is honesty over claims. The landing page has a two-sided ledger showing what is sealed to your key versus what the server can see. Most services bury the second half. I put it front and center.

Sealed to your key: message bodies, subject lines, attachments, the sender and recipient of every stored message, and in keyfile mode the key itself. Visible to the server: who a message is from and to at the moment it passes through, your account details, and incoming mail the instant it arrives, before it is encrypted to your key.

The crypto: keys are generated in your browser (OpenPGP.js, curve25519, Argon2id). Your password never leaves your device, the server only stores a hash, so it cannot derive your key. End-to-end by default, plus a keyfile mode where nothing stored can decrypt your mail.

Where I will not blow smoke: incoming external mail is plaintext at receipt, the envelope is visible at delivery time to route mail (no logs), and it is closed source right now.

The whole plan is public and numbered on the roadmap (elusivemail.xyz): open source everything at 300 users, then a public API, native apps, our own hardware in Switzerland, a multi-server split so no single machine holds everything, an independent audit at 4,000, and eventually an encrypted communicator and drive. If a number slips, the page says so. Watch the roadmap, not my word.

It is free, no ads, I make no money. What would make you trust it, or not? What did I get wrong?

top 11 comments
sorted by: hot top controversial new old
[–] Skyline969@piefed.ca 14 points 15 hours ago (2 children)

Closed source? Immediately zero trust.

[–] WhatAmLemmy@lemmy.world 4 points 15 hours ago

You're not gonna trust some rando on the internet with your sensitive data? You're crazy!

[–] elusivemail@lemmy.world -2 points 14 hours ago (2 children)

Fair. Want to build a bit of recognition first, then it all opens at 300, it's on the roadmap. Honestly til then I'd treat it as alias and disposable mail more than your main inbox. Once it's open and audited you can verify all of it yourself

[–] CallMeAl@piefed.zip 7 points 14 hours ago

I would not use a service where the operator is not clearing declaring their legal identity and corp contact info and registered business address.

I have no way to know who you are or why you are doing this and I can think of a lot of reasons someone who do this that are not in my interest.

[–] HubertManne@piefed.social 1 points 9 hours ago

cool. cool. just get back to us when you get to that point on the roadmap then. Nothing will give you better input into holes than gpl.

[–] CallMeAl@piefed.zip 5 points 15 hours ago

Unless I know you personally and your qualifications to build this, nothing would make me use or trust it.

[–] unitedwithme@lemmy.today 4 points 14 hours ago (2 children)

Haha, I chuckle at everyone shitting on it already like they've never used A Gmail, hotmail, or icloud account who are way worse than what you're stating.

Plus, it's a test, you're not asking people to migrate their whole lives to it.

Anyway, as an up-and-coming service/provider, its nice to see competition in this space. I do have a few questions:

  1. Why currently closed source and not launching with open source? You're eventually going that way anyway, right?
  2. If its owned hardware and not everything on 1 box, but you'd make no money, how are you going to fund projects in the future? What about upgrades or unforeseen expenses?
  3. What's your end goal making your own over Proton, Tuta, etc? Are there newer/better encryption methods? Is this a project to learn from?
[–] mnemonicmonkeys@sh.itjust.works 1 points 14 hours ago
  1. If its owned hardware and not everything on 1 box, but you'd make no money, how are you going to fund projects in the future? What about upgrades or unforeseen expenses?

They could start taking donations, but it is worth asking the question to get them thinking about future plans

[–] elusivemail@lemmy.world -1 points 14 hours ago (1 children)

Apreciate this, genuinely.

  1. Opening it at 11 users does nothing, nobody audits a nobody. Want a bit of recognition first, and honestly want it rock solid before the whole internet tears into it. Opens at 300, that's the deal.
  2. Fair one. "No money" means no ads, no data selling, no investors, not zero revenue ever. It's cheap to run now and I cover it myself. As it grows: donations first, then paying for capacity like storage and extra aliases, anonymous payment. Never charging for privacy itself.
  3. Honestly, we want to be real competition, not just another inbox. The goal is a full private cloud: mail, messaging and drive on the same keys, with real anonymity built in. Crypto itself is standard (OpenPGP, curve25519, Argon2), the bet is the honesty and the full anonymous stack, not fancier math. We're 11 users and a long way off, so judge the steps not the dream.
[–] unitedwithme@lemmy.today 2 points 13 hours ago

Thanks for the quick reply. Looks like you're at 12 users now on your website. Count me a 13 haha.

I'm not good at reading through the code, but I test features, function, errors, holes, etc. I'll do what I can.

[–] kibblebits@quokk.au 0 points 15 hours ago