Is Your "Secure E-mail Service" Really Secure?

 

There are a number of secure (encrypted) e-mail services available today. Using a secure e-mail service can help protect the content of your e-mail from being scanned / read by advertisers, government agencies, and other cyber-criminals. But just how secure is that "secure e-mail service" you are using?

In 2007 we saw that Hushmail was able to provide information about its clients' e-mail after receiving an order from a Canadian court.

In 2013 Lavabit shut down their entire e-mail service after the FBI demanded they hand over their encryption keys so the government could read e-mail sent through their servers.

In 2018 Protonmail complied with 336 government requests for information about their users.

In August 2019, Privacy Watchdog expressed concerns over the security (or lack of security) provided by Protonmail.

In December 2020 we read that "Tutanota is being forced by a German court to develop a backdoor that will be used by authorities to monitor individual mailboxes and read emails in plain text."

These examples, and others like them, make clear that no e-mail service is 100% secure when targeted by the government. E-mail service providers are businesses that must comply with the law of the country where they are located (or, as in the case of Lavabit, shut down completely and face contempt of court charges).

If the e-mail service provider holds the encryption keys to your account, they can decrypt and read your e-mail, or make it available to government agents. Even if your decryption key is secured by a strong password/passphrase that is only used once a message is downloaded to your device, an e-mail provider could be forced by their government to develop a targeted attack against your account.

Protonmail is arguably the most popular of the secure e-mail providers. The following articles look at the pros & cons of Protonmail as a choice for secure e-mail.

ProtonMail review: Is secure email really secure?

Mr. Robot Uses ProtonMail, But It Still Isn't Fully Secure

Tutanota vs ProtonMail: A Secure Email Battle for 2021

ProtonMail review: have we found the most secure email provider in 2021?

ProtonMail Review

ProtonMail Review & Test (2021): Is it Really Worth Your Money?

While we have looked at Protonmail's strengths and weaknesses as a secure e-mail provider, these same considerations may be (and should be) applied to any e-mail provider when you are considering a secure communication service.
---
Our thoughts on secure e-mail services are that:

1. A secure (encrypted) e-mail service is better than one that is not.

2. Never fully trust the encryption provided by a service provider. Encrypt your messages prior to sending them through e-mail.

3. An e-mail service hosted in a country other than where you reside makes it more difficult (but not impossible) for government agents to gain access to your e-mail.

4. Secure e-mail should be set up and only accessed using Tor or a similar means of anonymous connection. Never associate your real name or other personal information with your secure e-mail account registration.

5. Secure e-mail should have perfect forward secrecy (compromise of one e-mail should not compromise all e-mails).


Read our previous post about Protonmail from November 2020.
