Today, we are going to touch on the topic of communication by email.
E-MAIL refers to "Electronic Mail". In the olden days, mail was sent as a letter through a regular mailbox or postal service.
Now we live in a digital world where mail can be sent electronically through devices such as smartphones and laptops.
Ladar Levison, founder of the Lavabit encrypted email service, once stated “If you knew what I do about email, you probably wouldn’t use it”. Email is not as private as many of us have long assumed it to be. For decades, the assumption around email has been that it is essentially a private communication between two parties. The analogy that is commonly drawn is that email should be like a letter mailed between two parties: the email is sealed by the sender and opened by the recipient with the understanding that any given email could be selectively opened by a third party. This myth has largely been dispelled by the Snowden leaks, and many average individuals are now much more aware of the lack of privacy inherent in email communication. In reality, email is less like a letter sealed in an envelope and more like a postcard that anyone along the way can read.
Email is accessible to many parties between the recipient and the sender, including law enforcement and intelligence agencies, the email service provider, and malicious third parties. For all intents and purposes, email should be treated by the sender as a matter of public record. I assume as a matter of course that every email sent through a mainstream provider is read by someone other than the intended recipient (or at least scanned by several computers). As a result, I am very hesitant to send anything via these channels that I would not wish to read alongside my name in the news.
There are two basic categories of “secure” email. The first is what most people typically think of when they imagine email encryption: emails that are encrypted end-to-end between the sender and the recipient and are not accessible by the mail provider. This is what I consider to be the safest and most secure form of encrypted email, even though this form of email is typically more complicated to use. I call this category “End-to-End Encrypted Email”. The second category of email encryption is less secure; the emails themselves are not necessarily encrypted end-to-end. All emails stored with such a service, including those in the inbox, sent, draft, and trash folders, are stored encrypted on the provider’s servers. They are not “scraped” for marketable data and their contents are safer from prying eyes. I refer to this category of email as “Securely Stored Email”.
END-TO-END ENCRYPTED EMAIL OPTIONS
One of the huge problems with encryption for email is the problem of key exchange. It would be simple to encrypt a file with VeraCrypt and email it to another party, but it would be difficult to exchange the password for that file without sending it unencrypted in some form or fashion. Sending the password in plaintext (whether through email, text message, voice phone call, snail mail, etc.) would leave it vulnerable to interception and compromise the integrity of the entire system. At best, it leaves all participants with some level of doubt about the security of the system. Meeting in person to exchange the key would perhaps be the safest method of symmetric key exchange. This may not be possible and is rarely feasible. Because of the problem of key exchange, email encryption typically relies on a wholly different encryption model than that used to protect data-at-rest. This encryption model is known as asymmetric or public-key encryption.
Asymmetric encryption solves this problem rather elegantly by using a pair of keys. Instead of a single key that is used to both encrypt and decrypt, such as the symmetric keys used by VeraCrypt, an asymmetric key pair consists of a public key and a private key. Each has a separate and distinct purpose. The public key is used to encrypt messages to the recipient, and the private key is used to decrypt the same message. For example, if Jermaine wanted to send an encrypted email to Julius, he would download Julius's public key. Jermaine would then use Julius's public key to encrypt the message to Julius. When Julius receives the email, he must have his own private key and password to decrypt the message. When Julius responds to Jermaine, he will encrypt his response using Jermaine's public key. The response can only be decrypted using Jermaine's private key.
Because the public key can only be used for encryption, it is not secret. Public keys can be posted on websites and blogs, hosted on purpose-built key servers, or emailed freely. The interception of the public key makes no difference as it cannot be used to decrypt anything. The private key, on the other hand, is secret and should be very closely guarded. The private key can be used to decrypt anything encrypted with the public key. The compromise of a private key means the compromise of all your incoming messages that were encrypted with your public key, including all historical communications until you revoke it with a revocation certificate.
This system of asymmetric encryption has been around for many years. Unfortunately, it has traditionally been unwieldy and difficult to implement. Until recently, email encryption has required a complicated process to set up and use. While this was not necessarily a problem for the security conscious and technically literate, it was difficult to convince anyone else to implement encryption. Email encryption requires participation on the part of both sender and recipient. For years, email encryption was implemented only by very few security-conscious users. Fortunately, a new breed of encrypted email providers has proliferated. These new providers automate much of the encryption process.
I believe that the automation of encryption is very important. One of the most commonly used forms of encryption for internet traffic is the HTTPS protocol. It is so commonly used because it is transparent to the user and requires no technical skill or effort on the part of the user. It just happens in the background and the overwhelming majority of internet users don’t even notice it. The easier encryption is to use, the greater the number of people that will actually use it.
TUTANOTA
Simply known as Tuta, it automates the PGP encryption process for both body and attachments of emails. It also offers the ability to encrypt attachments to outside users and set a self-destruct time on messages. Tuta's cryptographic implementation is free and open source and open to independent audit. It also offers paid tiers that support aliases (numerous organic email addresses that forward to a single account), custom domains, and expanded storage options.
Tuta is a far superior option for privacy and security over mainstream email providers and I do not discourage anyone from using it. Redundancy is good, and I have many Tuta accounts created and ready should a vulnerability be discovered in other systems and an immediate switch become necessary. For more information on Tutanota and to set up an account, visit https://tuta.com/secure-email
DISROOT
Disroot is also very similar to Tutanota. The service is completely open source, 100% free, and the graphical user interface (GUI) is absolutely amazing. It uses Rainloop, a modern mobile-friendly UI for email management with GPG support for easy email encryption. It also has XMPP support, which is a huge plus. It is secure, encrypted, and they promise to never track your activity, display ads, profile you, or mine your data, which means all your emails are private. It is worth noting, however, that this encryption is server-side encryption and you have no control of your secret key, which is definitely a security issue. It is still much more private than any mainstream email provider, though. Disroot is available at Disroot.org
MAILFENCE
When talking about secure and private emails, Mailfence is one of the top names that comes to mind. They are based in Belgium and have become one of the most popular email services among the security and privacy community. The service came into existence following the Snowden revelations under a belief that users have an absolute and irrevocable right to internet privacy. During the 15 years of ContactOffice’s (Mailfence Devs) operation, the company’s policy has always been that tracking and profiling users for the sake of government surveillance or commercialization of data is obscene and an unacceptable breach of privacy. Mailfence is end-to-end encrypted just like Tuta and Disroot.
It gives users FULL CONTROL in managing encryption keys without any third-party plugins or addons.
It has many security features, including enforcing a strong password and key passphrase policy, two-factor authentication, an authentication log for every connection, stripping IP addresses from the email headers by default, DKIM and much more.
Definitely consider signing up with them when deciding which email provider you want to go with, as they are extremely reliable and safe.
FULL MANUAL ENCRYPTION OPTIONS
As mentioned earlier, the encrypted email services above are automatically encrypted using PGP (Pretty Good Privacy) and enjoy the tremendous benefit of requiring no working knowledge of public key encryption. However, because all these providers rely on in-browser crypto, they are still vulnerable to Java exploits and other remote attacks against the browser. Further, neither of these options currently allows you to generate a revocation certificate. A revocation certificate allows the user to revoke his or her keypair. Upon revocation, any historical or future messages encrypted with that keypair will no longer be accessible. By implementing manual PGP encryption, users are given the opportunity to take email encryption out of the browser and enjoy the protection of a revocation certificate.
NOTE: There are a large number of email providers that claim to be secure. In large part this is true; these services are almost certainly both more secure and more private than mainstream email providers. On the other hand, most of these services have also given up their keys to the U.S. Government and/or created backdoors. Backdoors in cryptosystems that are only available to a single party are technically impossible.
It is very likely such a backdoor is being exploited by other parties as well. Further, we do not want the U.S. Government having any kind of access to our communication devices. For this reason, the possession of encryption keys by the U.S. Government makes their security questionable. Though I am an advocate against mass surveillance, my bigger fear is that the government will be hacked or otherwise lose control of these keys and compromise the security of all users.
I also highly recommend you shy away from proprietary cryptosystems. The systems I prefer and have mentioned here tend to use widely available, vetted PGP encryption, or other open-source cryptography. The systems that I recommended above, while not perfect, come very close. On the other hand, the systems I recommend AGAINST have backdoors or violate some basic principles. Insecure providers such as these include CryptoHaven, Hushmail, Startmail, Gmail, Hotmail, and Yahoo. STAY AWAY FROM THEM!!!
Google spies on everything you are doing. When you send a message to an acquaintance, colleague, family member, friend, or lover who uses Gmail, even from your ultra-secure, encrypted email account, you become a Gmail user. When you place data into the Google ecosystem, your data is collected and associated with your name, even if you do not have a Gmail account. Though I am picking on Gmail, the same can be said for Hotmail, Yahoo, and other mainstream email providers. The ones who do not monetize services directly or monetize primarily through hardware sales must make their money in some other way. This way is nearly always through advertising.
Gmail is an excellent product with excellent security, and even businesses rely on its powerful features. If there are individuals with whom you share intimate personal details, trade secrets, or other sensitive information, do not do so over Gmail if at all possible. It would be an extremely hard sell to convince many people to leave Gmail.
CONCLUSION:
Now we have seen the best way to protect and encrypt our mail to keep us and our information safe. Next time, we will look into communication security over phone (voice) and text. For now, let me leave it here.
ALL THE BEST!
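The Jermaine-to-Julius exchange from the end-to-end section, as an added example that is not part of the original post: it uses Node.js's built-in `crypto` module with RSA-OAEP wrapping an AES-256-GCM session key, which mirrors the hybrid structure PGP uses but is not OpenPGP itself. The function names, passphrases and message text are constructed for illustration.

```javascript
const crypto = require("crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Each user creates a key pair. The public half is exported in the clear; the
// private half is stored encrypted under the owner's passphrase.
function generateKeyPair(passphrase) {
  return crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase },
  });
}

// Sender: encrypt the body under a fresh AES-256-GCM session key, then wrap
// that session key with the recipient's PUBLIC key. No shared secret is needed.
function encryptFor(recipientPublicPem, plaintext) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicPem, ...OAEP }, sessionKey);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Recipient: unlock the private key with the passphrase, unwrap the session
// key, then decrypt and authenticate the body.
function decryptWith(privatePem, passphrase, msg) {
  const sessionKey = crypto.privateDecrypt({ key: privatePem, passphrase, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString("utf8");
}

// Same as decryptWith, but returns null when decryption is refused.
function tryDecrypt(privatePem, passphrase, msg) {
  try {
    return decryptWith(privatePem, passphrase, msg);
  } catch (err) {
    return null;
  }
}

// Constructed scenario: Jermaine writes to Julius, then several parties try to read it.
function runExchange() {
  const julius = generateKeyPair("julius-sample-passphrase");
  const jermaine = generateKeyPair("jermaine-sample-passphrase");
  const msg = encryptFor(julius.publicKey, "Constructed sample message for Julius");
  const tampered = { ...msg, body: Buffer.from(msg.body) };
  tampered.body[0] ^= 0x01; // one bit flipped in transit
  return {
    recipientReads: tryDecrypt(julius.privateKey, "julius-sample-passphrase", msg),
    wrongPassphrase: tryDecrypt(julius.privateKey, "not-the-passphrase", msg),
    otherUsersKey: tryDecrypt(jermaine.privateKey, "jermaine-sample-passphrase", msg),
    publicKeyOnly: tryDecrypt(julius.publicKey, undefined, msg),
    tamperedInTransit: tryDecrypt(julius.privateKey, "julius-sample-passphrase", tampered),
  };
}

console.log(runExchange());
```

Only the first attempt returns the message; the other four return `null`, including the one made with Julius's public key alone.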