Tor Mail

Tor Mail was a Tor hidden service that went offline in August 2013 after an FBI raid on Freedom Hosting. The service allowed users to send and receive email anonymously to email addresses inside and outside the Tor network.

History
Tor Mail provided web mail access with two webmail applications to choose from, one fully functional ajax-based, and one simple client which required no JavaScript or cookies. The user could also access mail via SMTP, POP3 or IMAP with an email client. The user signed up and accessed Tor Mail via the Tor hidden service and needed to have Tor software installed on a computer to access Tor hidden services. Users were not required to provide any identifying information such as their name or address.

Tor Mail's goal was to provide completely anonymous and private communications to anyone who needed it. The service providers said that they were anonymous and could not be forced to reveal anything about a Tor Mail user. They also said that the service did not cooperate with anyone attempting to identify or censor a Tor Mail user.

Tor Mail's service consisted of several servers, the hidden service, and an incoming and outgoing internet facing mail servers. The site's operators said that the only data stored on the hard drive of those servers was the Exim mail server and the Tor software. "No emails, logs or personal data were stored on those servers, thus it doesn't matter if they are seized or shut down." They claimed to be prepared to quickly replace any relay that was taken offline. The service and SMTP/IMAP/POP3 were on a hidden server completely separate from the relays. The relays did not know the IP address of the hidden service.

2013 JavaScript attack
A message appeared on the Tor Mail main page in early August 2013, saying "Down for Maintenance Sorry, This server is currently offline for maintenance. Please try again in a few hours." Since August 2013, the service has been unavailable. The disappearance of Tor Mail has been linked to the arrest on child pornography charges of the alleged operator of Freedom Hosting, which hosted a large number of .onion sites. In September 2013, the FBI admitted in a court filing in Dublin that it had taken down Freedom Hosting.

The following month, details emerged of a zero-day JavaScript attack affecting the Tor Browser Bundle based on Firefox ESR 17 if JavaScript was enabled, as it was by default. Later versions of the Tor Browser Bundle disabled JavaScript by default. This zero-day vulnerability was exploited during the takedown to send users' IP addresses and Windows computer names to an FBI-controlled server in Virginia. In January 2014 it was confirmed that the FBI had access to Tor Mail servers.

In January 2016, it was claimed that innocent TorMail users may also have been subject to hacking by the FBI.