Wednesday, December 28, 2016

The Best Secure Email Service

I am looking for an encrypted email service so that I can have at least a little bit of built-in security for my communications. Herein, I compare providers and select one.

Required features
  1. Exchange insecure emails with normal email users
  2. Exchange secure emails with users on the same service
  3. Send a secure message to a normal insecure email user
  4. Decent web interface
  5. Use my own domain name for my family's email addresses
Nice features
  • Exchange PGP emails with existing users
  • Decent Android interface
  • Secure emails encrypt subject too
  • Able to share domain with other users
Features I don't care about
  • Anonymity. My email address is my name. The purpose of encrypting these communications is not to hide who I am, it is to hide what I am saying.
  • Decent iOS interface.
Definition of secure
  • No screwing around here. A secure message is one that is encrypted by the sender, decrypted by the recipient, and no broker in between is capable of reading the plain text. How to do this is a long-since solved problem so there is no excuse for doing it wrong.
I started my comparisons by making a spreadsheet for feature comparison. That was interesting, and the internet has a bunch of those already, but I found it to be irrelevant because almost all of the services were simply unacceptable for technological reasons which made their other features irrelevant. Instead of starting with the chart, I'll tell you why each service was unacceptable, then at the end I will show a chart comparing only the ones that were technically okay.

First up is Posteo. The analysis for this service was easy because they do not support using your own domain and specifically say that they will never do so. The whole point of having my vanity domain is for the email address, thus this service is not for me. I have no opinion of it as a service because I didn't evaluate it; it just doesn't do what I need it to do. Posteo was the only provider I considered which didn't support custom domains.

Next is Countermail. This is a long-lived secure email service with many fans. But the interface to the emails appears to be strictly through a Java app -- no, make that applet, which isn't even a feature of my web browsers anymore. Sure, I could install Java for my browser on my home computer, but what about other computers? I don't always have a browser with Java handy, which is why I require "4. Decent web interface". Thus it's not for me.

SaluSafe and its apparent sister service CryptoHeaven also both use a Java-only interface, so I didn't consider either of them.

For all the remaining providers I signed up for an account and used it to evaluate how the service worked.

Mailfence has some positive reviews online, but the bottom line is there was no feature to meet requirement "3. Send a secure message to a normal insecure email user". The only way to send a secure email is to manually configure a key exchange with your interlocutor, and if they don't use encryption you're just out of luck.

All the rest of the services had some sort of feature for brokering a secure or "secure" message to a normal email user. This is an important feature, maybe the most important, so I want it to be well implemented in the service I choose. Most people use insecure email and most of my email will be exchanged with such people, so it is my responsibility to assure an acceptable level of protection.

To start the comparison of this feature, let's detour back to SaluSafe, which I did get an account for so I could try it out. It was really disappointing: you send a "secure" email and the recipient receives a link to read the message. Wut!? What is secure about that? First, there is no apparent encryption used, and if there is any then SaluSafe must hold the key; that means they can read the message, so it doesn't meet my definition of secure. Second, sending a plaintext link to a recipient with no credential exchange is exactly as secure as just sending them the message. The email containing the link says something about a "question and answer", so that may be an optional feature that I missed, but my test email didn't use it.

A similarly weak implementation comes from StartMail from the privacy-friendly people at StartPage (which I like). When you send a "secure" message to an outside email address, you set "questions" and "answers" which StartMail then uses to challenge the recipient, then they can read the message. The message is either unencrypted or is encrypted by a key known to StartMail, making it accessible to their employees, hackers, and subpoenas. StartMail is out.

Hushmail uses the same system as StartMail: a rinky-dink question-answer pop quiz which means the message isn't a secret. Hushmail is out.

Let's talk about Mailbox.org in a little bit more detail. This service is far more feature-rich than many of the others. Many of these services offer Contacts and some offer Calendar, but Mailbox.org also offers Tasks, Drive, Text and Spreadsheet. The Drive feature offers optional per-file encryption. The other Mailbox.org features, however, apparently don't have any encryption, which is too bad. It is difficult to make things like that truly secure, but it would be really nice. Many users may find essential value in these additional features, but they should not think of Mailbox.org as a fully encrypted suite.

Their feature to send secure emails to external recipients is less bad than the previous examples, but it still came up short. When such an email is sent, the system appears to encrypt it using a random password which it picks and doesn't even bother to show you. In addition, you can optionally require a four-digit code, which the service picks and displays to you. Mailbox.org then sends a message to the recipient containing the password but not the code. If you opted for the code, you transmit it in secret to the recipient through some other channel. This protects against a malefactor compromising the recipient's email and thus accessing your secret message.

That approach isn't good enough, though, because Mailbox.org picks and knows the encryption key and the code. If they know the secrets then they can read the email. If they can read the email then bad actors can read the email. They are so close to doing it right that I wouldn't be surprised if they change to allow you to set your own code -- but for now they can read my messages so they aren't secure so they're out.

This brings us to, finally, the two services that appear to get it right: Tutanota and ProtonMail. Only these two services passed the technological tests for sending secure emails so I will compare them in detail starting with a chart. These show valuable features in my personal priority order with comparable details marked in green or red to show level of support; color saturation indicates importance to me.

Feature                      | Tutanota                     | ProtonMail
-----------------------------|------------------------------|--------------------------------------------------------------
Multiple users/organization  | Yes                          | No ("early 2017")
Contacts                     | Encrypted                    | Encrypted
Catch-all                    | Yes                          | No
Used as client               | No                           | No
Two-factor authentication    | No                           | OAuth
Open source                  | Yes                          | Yes
Own domains                  | Yes, unlimited               | Yes, unlimited
Android App                  | Good                         | Good
Web App                      | Good                         | Good
Price                        | 12 euros per user per year   | 48 dollars per user per year
Separate mailbox password    | No                           | Yes
Group emails                 | Yes                          | Yes
PGP                          | No                           | Can receive, must encrypt yourself to send, can download key
Aliases                      | Up to 5                      | Up to 5
Notifications                | Simple                       | Advanced
Rich Text Editor             | Only bold and italic         | Yes
Sorting emails               | Rules                        | Advanced Filters, Labels
Time-limited emails          | No                           | Yes
Signatures                   | Yes                          | Yes
Keyboard shortcuts           | No                           | Yes
Interface customization      | A tiny bit                   | A medium amount

In my opinion it is not obvious which of these two is superior, so my bottom-line conclusion is that both Tutanota and ProtonMail are winners. In general ProtonMail tends to have more features, or more advanced features, but it costs more. For instance, Tutanota has some simple 'rules' for automatically routing emails to certain folders, while ProtonMail has an advanced 'filters' feature including labels.

Some features are clearly distinct. ProtonMail doesn't support catch-all, which might be a deal-breaker for some people, and I myself do require catch-all, but I can get it before the emails are forwarded to my secure mailbox.

For me, however, the essential feature is the first one listed: my email setup is for my family, so I must have a way to organize multiple users with individual mailboxes. With ProtonMail a user with a custom domain can only set up addresses for himself, not for other users. ProtonMail promises to implement this feature in early 2017, and right now it's late 2016, so maybe I will soon be re-evaluating my decision, but for now I'm going to sign up for the premium Tutanota service. Future blog posts may chronicle my adventures in encrypted email.
