Who's Been Reading Your E-Mail? A Simple Solution for Better E-mail Privacy and Security
Email is the communication channel of the internet
Email is a large part of the internet and is generally required for every account you sign up for with an online service. Even email services ask you for a second email address!
What is the concern? Who has access to my emails?
Who may have access, and why, is both interesting and scary to consider. Apart from major mail providers scanning your emails for targeted advertising, the two main reasons that come to mind are:
Identity theft
Email providers and their trustworthiness are critical to your identity, your privacy and in some cases your money!
Consider that the general purpose of providing an email address to a service you are signing up for is so that you can reset your password in case you forget it. This process generally entails the service sending an email to your provided address with a link that allows you to set a new password...
Your traditional email provider, which has unrestricted access to your emails because it hosts the service and the server, could use this power to reset the password of any of your accounts that are not protected by two-factor authentication (2FA). This would ultimately destroy their reputation in the space, but they could take over a large number of accounts before word spread and the abuse was discovered.
Generally the above situation would cause more reputation damage than it was worth. In the case of Bitcoin, it may be another story altogether.
Security of personal information
If you are implicated in an investigation by a government or other powerful entity, the service you are using could be forced by a court order to hand over a copy of your mailbox along with the associated access logs and statistics. There may not be any valid reason for the investigation: you could inadvertently end up as a suspect, with someone trawling through your personal emails without you even knowing.
What can I do about it? Encrypt all the things!
Encryption. This of course leaves the protection of the encryption keys up to you, but I feel the benefits far outweigh the burden of having a diligent backup solution; if you would like to see what I consider a well-conceived backup solution, please see my previous post HERE.
Protonmail.com - Better email security through encryption
Protonmail.com is a free, open source solution that provides email services with data encrypted at rest. This means that even if they wanted to, or were compelled to by law, Protonmail could only hand over your email data in its encrypted form, which requires the password that only you retain for decryption.
Use a long password for encryption; otherwise the benefits of this approach could be undermined.
Key features of Protonmail.com
Swiss Privacy - Data Security and Neutrality
ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws.
Zero Access to User Data - Your encrypted data is not accessible to us
ProtonMail’s segregated authentication and decryption system means logging into a ProtonMail private email account requires two passwords. The first password is used to verify the identity of the user. After that, encrypted data can be retrieved. The second password is a decryption password which is never sent to us. It is used to decrypt data on your device so we do not have access to the decrypted data, or the decryption password. This means we cannot hand over your data to third parties. For this reason, we are also unable to do decryption password recovery. If you forget your decryption password, we cannot recover your data.
End-to-End Encryption - Automatic Email Security
All emails are secured automatically with end-to-end encryption. This means even we cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties.
Anonymous Email - Protect Your Privacy
No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.
100% Free - Free Secure Email
We believe email privacy and security are fundamental human rights that should be available for everyone. Basic ProtonMail accounts are always free. You can support the project by donating or upgrading to a paid account.
Send Encrypted emails - even to normal email addresses
Protonmail supports sending encrypted emails even if your recipient is not using Protonmail. Protonmail sends your recipient a link which they can use to load the contents of your email in a web browser; decrypting it requires the password you defined at the time of sending.
Mobile Apps - iOS and Android
Protonmail has released mobile apps for Apple and Android devices to help you keep an eye on your email while on the run.
Plans
Protonmail.com has a basic free service and also a paid service which offers some enhanced functionality; details of the plans are below:
Protonmail Free - € 0 /mo or € 0 /yr
- 500 MB Storage
- 1 Address
- Send 150 Messages per day
Protonmail Plus - € 5.00 /mo or € 48.00 /yr
- 5 GB Storage
- 1 Custom Domain
- 5 Addresses
- Send 1000 Messages per day
Protonmail Visionary - € 30.00 /mo or € 288.00 /yr
- 20 GB Storage
- 10 Custom Domains
- 50 Addresses
- Unlimited Sending
Sounds awesome! Are there any concerns?
Protonmail.com is a lot more secure than your average mail service, but it is not a magic bullet; there are a few methods that an adversary could use to gain access to your data. Learn more from the 'Threat model' post on Protonmail's blog:
1. Compromised User
This is the most common type of compromise. Even if you use the world’s most secure electronic communication system, advanced encryption does you no good if there is a keylogger on your computer recording all of your keystrokes. ProtonMail does not and can not guard against a compromise of a user’s machine.
2. Man-in-the-Middle (MITM) Attacks
This is a very rare attack where an adversary will sit between the user and the ProtonMail servers and tamper with the data being relayed between the user and the server. However, because ProtonMail messages are encrypted before they leave the user’s browser, an attacker cannot get message data by simply listening in on the communications. The attacker would have to actually send the user’s browser a modified version of the ProtonMail website which may secretly pass the mailbox password back to the attacker. This is a far more difficult attack that can typically only be executed by a strong adversary (like a government) and is generally a targeted attack. It cannot easily be used on a large scale to perform mass surveillance.
3. Unauthorised backdoor
Another attack vector would be if an attacker somehow gained access to ProtonMail’s servers in Switzerland without us noticing. Such an attacker could conceivably change the ProtonMail software to send bad encryption code to user’s browsers that would somehow allow the attacker to get unencrypted data. ProtonMail has implemented numerous safeguards against this on the server level. We have routines that constantly scan for code changes and will detect them. The attacker would have to gain control of the server, instantly change the behavior of the code scanners, and then modify the software all without anybody at ProtonMail noticing. The odds of this being successfully executed is indeed quite low.
Sign up process
Signup is simple: it takes 2 minutes and does not require any personal information.
1. Browse to Protonmail.com
2. Click the 'Sign up' button
3. Select your desired plan and click the 'Select Plan' button; we will use Free
4. Enter your details and once completed click 'Create Account' - read the notes below
Note: Section 2 (Login password) is stored with Protonmail to authenticate you (similar to a normal password); Section 3 (Mailbox password) is your encryption password, which is not stored with Protonmail, and there is no means to recover it if you lose it! This key/password is used client side to decrypt your mailbox.
[IMPORTANT] Sections 2 & 3 described above should NOT use the same password!!!
5. Pass the bot protection with your desired method; we will use reCAPTCHA
6. Your user account and key will be generated
7. You will be redirected automatically to your dashboard
TL;DR
Protonmail provides a much more secure alternative to traditional email providers without trading away usability or functionality. For people within the cryptocurrency community, the relevance of such improvements should be crystal clear!
I can personally recommend ProtonMail and hope everyone will take the time to consider their options.
Protonmail accepts donations in Bitcoin! See HERE for details.
Keep in mind that emails you send FROM protonmail to NOT PROTONMAIL may or may not be encrypted in transit (depending both on how tolerant protonmail's servers are to non-TLS-speaking smtp endpoints and on the configuration of the remote smtp server in the target domain).
They will definitely NOT be encrypted in the other person's email provider.
If you want to achieve that, then you need PGP.
Windows: https://www.gpg4win.org/
Mac: https://gpgtools.org/
Linux: https://gnupg.org/
Also keep in mind that all the encryption protonmail does for your email, while great, is dependent on the javascript being served to you; if their webserver is compromised, or they are "somehow" compelled to give someone access.. all bets are off.
I'd still recommend protonmail, use it myself, but know the advantages and disadvantages.
And more importantly, don't be lulled into a false sense of security.
Very valid points. There is an encrypted email option which only sends a link to the recipients who then need to decrypt in browser with password.
karnal is absolutely on the money here... smtp encryption is something of a crapshoot - STARTTLS downgrade attacks are pretty trivial due to backwards compatibility.
https://www.elie.net/blog/understanding-how-tls-downgrade-attacks-prevent-email-encryption
When it comes to email, to be absolutely certain you do have to go full tinfoil hat and install some PGP variant...
The protonmail android app works really well too.
I recommend Protonmail too!
I've used Protonmail for almost 2 years now, never been happier with an email client!
I've always felt uncomfortable using gmail, thanks for sharing this.
Cheers, glad you got some value from it:)