Using Sub Rosa
Sub Rosa is a safe, proven secure email service designed to reduce, to the greatest extent possible, the opportunity for anyone other than the intended recipient, to read your private email. It has an extensive list of features as shown below.
When used in conjunction with our NoName email service, traffic analysis may also be evaded.
When you subscribe to the Sub Rosa email service, an email account will be automatically created on our server using your chosen identity. You may chose an identity that is recognizable to others, such as your name, or not, depending upon your specific needs. You can choose the domain name “novo-ordo.com”, “novoordo.com”, “protectedspeech.us”, “quietgarden.net”, “vaultmail.pw”, or “yachtmail.me”. Other domain names are possible if special arrangements are made. If anonymity is one of your requirements, be sure to use an anonymous payment method so that we do not know who you are.
The best way to use your Sub Rosa email account will depend on your particular situation and requirements. What we present below is some general advice, a list of features, and how to use each one.
Security Begins at Home
The most important, and perhaps the most painful place to implement security, is on your personal computer. It is the weakest link in the security chain. Unless you do everything you can to minimize your vulnerabilities at that point, all your other efforts will not make you safe.
Please see our page on computer security for information on the threats to your computer and “How to Keep a Secret” for a starting point on how to counter them.
The Sub Rosa Server
Email stored on the Sub Rosa server is as secure as it can be.
Your account is anonymous. We do not know who you are and we do not track your activity beyond what is needed for spam prevention.
Your emails are encrypted while on our server. Should someone break in to the server, they would not be able to read any emails stored there, even if they were not encrypted by the sender.
Our server is in an off-shore legal jurisdiction. What little information that could be recovered, cannot be subpoenaed by US or European courts.
We use Transport Layer Security to prevent eavesdropping on your email during transmission between your computer and our server.
Connecting to the Server
There are two ways of accessing your Sub Rosa account:
- You can configure an email client such as Thunderbird to access your account using the IMAP or POP3 protocols. This is the most secure method and is preferred because it allows you to encrypt your messages more easily and securely.
- You can use our webmail interface to access your account through your web browser. This is less secure but easier. It is also preferred if you are not using your own computer.
You may use any email client that supports the IMAP or POP3 protocols. We recommend Thunderbird which is free, opensource, runs on most computers and operating systems, and is more secure than many other clients. Many computer attacks have used email so employing a secure email client is important to your overall computer security.
We assume you already have an email client installed. If not, download and install one according to the supplier’s instructions. Again, we recommend Thunderbird.
Next, you need to configure an account. The account may be configured to use either the POP3 or IMAP protocols. POP3 can automatically download your emails to your computer. This is the most secure if you use a single computer for email and you keep that computer secure. Your stored messages are as secure as your computer.
IMAP will, by default, leave them on the server until you delete them. It is best if you access your email from more than one computer, say at home and at work. Your stored messages are as secure as our server.
The following steps assume you are using Thunderbird as an email client. The information you need will be the same for any client but the order of the steps may be different.
- From the top menu: File -> New -> Existing Mail Account…
The Account Wizard will appear.
Mail Account Setup
- Your name
Enter the name you want to appear in the From: field of your emails.
- Email address
Enter the email address you selected when you subscribed.
Enter the password you selected when you subscribed.
“Remember Password” automatically enters your password when sending or receiving mail.
Check the information shown for typos, then click Done.
Your account has been setup in Thunderbird. Click on the “Inbox” link to read your messages. You may be asked for your password.
All other settings may be set to your personal preferences.
You may now install a PGP encryption plugin, such as Enigmail, into the email reader. This will allow you to encrypt your messages on your computer before sending them. Generate your public/private key pair and publish the public key or send it to those with whom you need to communicate privately.
Whenever you send a private email, encrypt it using the recipient’s public key. Whenever you receive an encrypted email, decrypt it using your private key.
Other Email Clients
The settings for other clients are:
- server name: novo-ordo.com
- port: 993 for IMAP, 995 for POP3
- user name: your full email address
- connection security: SSL/TLS
- authentication: normal password
- outgoing port: 587
- connection security: starttls
The Web Interface
A web based email client will always be less secure than one running on your own computer. That said, under some circumstances, it may be the best you can do. If you travel and must use public computers, it is your only choice.
The preferred webmail interface is Roundcube at: https://novo-ordo.com/roundcube. Note this is https not http. This means the webmail interface is communicating over an encrypted link to ensure your privacy.
When you log into a web interface your user name is your full email address, i.e. firstname.lastname@example.org.
To setup encryption through the webmail client, after logging in, select “Settings” at the top left corner of your screen. Follow the menus you find there.
If you are using a public computer, you may consider using the virtual keyboard provided on the login page to prevent your message being captured by a keylogging program. Watch for cameras.
For an added level of security, all Sub Rosa services may be accessed using The Onion Router – also know as the Dark Web. Web based services including webmail can be found at: https://novordxxyzzxzw6t.onion. SMTP is at: subros443kyxuwxf.onion port 465. Using torbirdy, you can also access IMAP and POP3 at: subros443kyxuwxf.onion. Messages about invalid certificates can be disregarded.
Aliases may be managed through the Customer Services page. Log in and select manage aliases. A convenient screen will appear allowing you to add and delete email aliases.
Setting up Encryption
If your email client is Thunderbird, or Mozilla, download the Enigmail plugin. See the Free Software Foundation’s Email Self-Defense page for detailed step by step instructions.
How It Works
When you send an email, we receive it over a 256-bit encrypted TLS link. Our email server then encrypts it again and stores it in the recipient’s account, if on our server or, forwards it to the recipient on a foreign server. The extra encryption adds to the difficulty an attacker would have in finding and reading your email. If you do not trust the foreign server, consider using our self-destructing email service.
When you receive an email, we encrypt it before placing it in your account and decrypt it when you access it. This is transparent to you and is just an added layer of security. You may access it through your email reader or the webmail interface. If the sender encrypted the message, you will need to decrypt it with your private key.
If you also need to avoid traffic analysis, you can send your emails through a special address on our server (you will be given instructions when you subscribe) that will route it through the Mixmaster remailer network. See the Using NoName Anonymous Email to learn how that works.
If there is anything you do not understand or are having difficulty with regarding your Sub Rosa email account, you may always ask by sending email to: