I know this is an older post but in case anyone else comes across it I thought I would add me two cents (esp since no one else replied). I have used Riseup. They provide free email, a chat service, and VPN. For quite some time they were using PPTP which is inexcusable. They have moved away from this with a new VPN offering called "Black" that relies on Bitmask, but they have not allowed me to use this service yet. The docs I have seen for the new VPN look good, but I will trust it when I can test it. The chat service is acceptable so long as you are using strong encryption a la OTR. As for their email service - securing email is both hard and probably illegal for US companies (think CALEA which requires ISPs to wiretap customers at government request). They provide good documentation on how to use PGP with a variety of email clients. You can also connect to Riseup services using Tor. In conclusion: Riseup is not perfect, but it is among the best and most comprehensive security suites available for free. Users with enough tech acumen to identify Riseup's shortcomings can use the service to significant benefit.

VideoPod , regardless of the service or medium you choose to use I like joshwieder 's suggestion of PGP to encrypt and sign the messages *before* they hit the wire. Unfortunately, I have no experience with RiseUp or similar services but our Church has a number of Missionaries in Muslim Countries and I'll check with them to see what they're using.

Thank you so much for the reply. It's been a long time and I appreciate the response. Also I never heard from RiseUp. If they did reply it may have gone in to my spam filter so now I'm wondering if I should bother to recontact them again. Hey Isn't Def Con sort of looming on the horizon? 8-)

That would be wonderful We've got a very young couple with 5 children... I know.... Don't ask... They felt the call and I personally am concerned about their family but it's in Gods Hands. Also it helps if we can keep them secure. Blessings...

VideoPod no guarantees but I've got my feelers out to see what I can find.

Thank You soooo Much!

i don't want to speak for anyone else, but i will say that Moxie Marlinspike is one of the smartest hacker friends i have and also one of the most devout people when it comes to trust, privacy, and keeping one's secrets secret. he has publicly said that RiseUp is one of a very short list of entities whom he has found worthy of a not-insubstantial degree of trust over the years. but those comments were a couple years back.

some of the folk who attend the DEFCON Shoot also have riseup.net emails which are still current.

short answer: i'd trust them more than many other privacy- and crypto-associated entities out there.

"Also I never heard from RiseUp."

Its been a while since I dealt with their account activation process, but I seem to remember that they have a sort of application process and that due to their limited resources they strongly prioritize signups from non-profits and that sort of thing. In my own case, the account I activated was for / on behalf of a non profit research organization called the Puppycide Database Project that compiles records of and crowdsources research in relation to police killings of animals. Anyway, the group has some very legitimate surveillance concerns and I think that may have helped expedite the application. Again, its been a while since I went through the signup and I don't know your own circumstances VideoPod but if you're doing some sort of non-profit/NGO/charity work, journalism or activism I would recommend including some reference to that in your signup.

I currently use Riseup.net for XMPP chat services with OTR as well as PGP encrypted email, I have no complaints.
Some of my privacy-centric friends also use it for the same resources, I would not say to use it for a VPN.

There are a few very controversial and perhaps contradictory claims in Agent X's post above. Agent X, can you clarify what you mean by "PGP/GPG has a ton of security issues", for example? I am aware of some serious issues in the past with injecting phony data into signed messages with GPG, but that was resolved 8 years ago. I am also familiar with arguments that XKEYSCORE-like infrastructure will flag encrypted information for further inquiry. However, you then go on to recommend the OP use TAILS, for which the same issue applies ([through surveillance of download mirrors](http://www.eweek.com/security/linux-...atch-list.html)), and indeed XKEYSCORE had a plugin written specifically to ID those even tangentially interested in TAILS. Even if this was not the case, OP is a religious missionary heading to a muslim country. This alone places him/her among the most strident of red flags for state surveillance. Finally, strong PKI remains a mainstay of good OPSEC; identity verification remains a weak arm against the use of strong PKI when it remains the only method to prevent interception of sensitive content.

As for self-hosted email, I agree that this is the best option for attempting to secure a means of communication which remains intrinsically insecure - with one vital proviso. Self hosted email servers are only a gain for OPSEC when an experienced email administrator is available to both configure and provide ongoing maintenance for the self hosted email server. Furthermore physical security as well as redundant power and network connectivity must be insured to prevent interruptions of service as well as the implementation of surveillance equipment. These items are simply beyond the resources of many people who are in need of securing their communications. IMO email administration, particularly when encryption is thrown into the mix, is not a core competency even among IT employees. I have known many, many admins who have worked in various sysadmin capacities who would be completely incapable of troubleshooting email besides possibly reading email headers. The upshot of this is that an email server hosted in a competent data center by an ethical company that would fight CALEA warrants and eventually lose is *infinitely* safer than an email server that has accidentally been configured as an open proxy, or that leaks user information.