Encrypted email isn’t secure, but if you must use it, here are some Lavabit alternatives
last week, FBI raids on Freedom Hosting and child porn distributors took down Tor Mail, a secure email provider for users of the Tor network. A few days later, secure email provider Lavabit, which had previously provided whistleblower Edward Snowden with an email address, closed its doors. Its owner left a cryptic message stating he’d been forced to choose between betraying the American people and shutting down. It’s possible that Snowden wasn’t the target — a search warrant for child pornography was executed against Joey006@lavabit.com on June 10 — but it’s possible that the two cases together had an impact on the decision to shut down the service. The day after Lavabit closed, Silent Circle announced it would also discontinue its own secure email client. With multiple vendors dropping out of the race at the same time that consumer interest in secure email services is heating up, what are your options?
We’re going to discuss them, but before we do, there’s a larger point that needs to be made. If you need secure end-to-end communication, email is probably the wrong way to do it. This has been driven home with the most recent leaks from Snowden and the Guardian, which reveal that the NSA has loopholes (under Section 702) that allow it to retain data gathered on US citizens and possibly search that data without a warrant. The documents that have leaked specify that agents are not to do this until appropriate oversight is in place, but there’s no information on whether the data was used in this fashion previously or what the current status is.
Intrinsic insecurity
The problem with email security is that the email system is designed on to facilitate the communication of any two people with an email address, even when those two addresses are on entirely different networks separated by thousands of miles. Emails themselves must be stored on a server somewhere until retrieved and read. The requirements of this asynchronous communication are part of what make email extremely useful, but they make it more difficult to secure. Therein lies the problem — most of the methods used to make email more secure make it less useful.
Users can install their own encryption software and encrypt email sent through services like Gmail, Hotmail, or Yahoo, but such methods are only useful if you’ve exchanged encryption keys with the recipient. These methods aren’t particularly easy to configure and using them necessitates convincing each and every recipient of the need for such encryption. These problems are part of why more people are interested in secure email in the first place. The NSA’s scope and the secretive nature of data sharing agreements with other foreign organizations makes it extremely difficult to estimate the degree of protection offered by using a foreign service.
The bottom line is this: If you’re going to communicate with someone, and you need it to be really, really secure, email is probably the wrong way to go. But given that, what are the options? We went looking for services that weren’t based in the US, offer end-to-end encryption, and that offer the option to use your own keys, stored offsite. This last helps ensure that the email service provider is unable to provide information, even under pressure. US and Canadian services, like Hushmail, were not considered. Keep in mind that foreign countries are not guaranteed to protect your security. Germany has some of the strongest privacy laws and protection methods in the EU, but the German BND and BfV (foreign and domestic intelligence agencies) both partnered with the NSA and used resources like XKeyscore.
It’s imperfect, but such criteria are the best we have. After searching through online documentation, reviews, technical documents, and security forum conversations, there are two services that seem to top everyone’s lists: Countermail and Neomailbox.
Countermail
Countermail is based in Sweden and offers end-to-end PGP encryption and serves its website from CD-ROM media, not spinning disks. It claims to be the only provider that provides security against man-in-the-middle (MITM) attacks. Users log in via Java applet, which is then encrypted “using SHA-1, random IV and 262k iterations. The random 128-bit AES-Key and CBC-IV is also generated, using the Java SecureRandom CS-PRNG.” That data is then further encrypted using Countermail’s server-side RSA key. All of this is done inside the Java applet. The cryptography APIs are part of the open-source “Legion of the Bouncy Castle” project.
Countermail offers a USB key for session authentication as well. The (presumably) read-only key contains a 512-bit keyfile that’s combined with your login data to provide additional authentication strength. You can also run the client directly off the USB drive rather than inside a browser environment, decreasing the chance of a MITM attack or browser-based logger. As always, a system that’s been fully compromised could still be vulnerable to snooping, but these methods are fairly secure.
Password requirements for Countermail are fairly loose, the system only requires a 7-digit password. Max length is 128 digits. It can be used to handle email for a web server, but Countermail can’t register domains and doesn’t provide actual web hosting services. You can also add PGP keys of encryption users who don’t have service with Countermail. All attachments, contacts, and calendar entries are also encrypted.
Interested users should note that Countermail doesn’t provide “Lost Password” functions to certain services, including its “Safebox” password management product (included in the Countermail package). There’s a free trial for seven days, pricing tiers start in three-month blocks for $19.99 ($6.33 per month) and run out to 24 months for $99 ($4.12 a month). The domain hosting package is a one-time $10 fee. USB keys are $15 for two or $20 for three. The base prices above are all for 250MB of storage; extra storage is a one-time fee of $29 (+250MB) to $109 (+1750MB, 2GB total).
According to Qualsys’ SSL Labs evaluation tool, Countermail’s security rating is an “A”. Areview of the service from May 2012 found that users can download and keep keys privately if they wish, though doing so risks the complete loss of access to your email.
Neomailbox
Neomailbox is based in Switzerland and emphasizes its strong data protection laws. Now, Switzerland isn’t in the EU, but it has adopted some European Union laws — the extent of which, I’m not honestly sure. I am leery of reading too much into this, not because EU laws aren’t strong, but because the fine print in who those laws apply to and whether or not the US has any quiet agreements with governments about data sharing are far more important than the letter of the legal code. I think it’s smarter to use an outside provider than a US company, but I’m cautious of leaning too much on the “Well, Swiss/EU law says I’m safe” line of thinking.
According to Neomailbox, the company scrubs all IP information and can, upon request, scrub additional information from email headers as well. Hardware tokens are available for additional authentication capabilities. It looks as though Neomailbox partners heavily with RITLabs, which develops The Bat email client. A wide range of email clients are supported, however.
Original image courtesy of Nerdbusiness.com. Full review linked below
Services like domain email hosting are available ($15). 1GB of hosting is $49 per year; a 5GB account is $79.95 a year, and 10GB is $109.95 a year. There’s a risk-free trial for 30 days with a money back guarantee. Neomailbox doesn’t give as much information on encryption methodology as Countermail but notes that it also relies on OpenPGP and provides extensive links to OpenPGP tools and compatible email clients. Anti-spam features and unlimited disposable email addresses are all part of the service.
There’s also an “Offshore Privacy Combo” service that appears to combine VPN capabilities with email. I couldn’t find any reviews of the product, and it appears to have a 5GB/month limit. Pricing is set at $89.95/year at 5GB per month, or $69.95 for 500MB.
This full review of Neomailbox dates to 2011, but it gives a comprehensive overview of the service. According to Qualsys’ SSL evaluation tool, the Neomailbox server also scores an “A”, though the score total is slightly lower than Countermail.
Flaws in the system
Ultimately, XKCD’s comic on the topic remains the greatest concise example of the problems with relying on these methods to protect your data. At present, no US or Canadian system can be trusted for the same reasons Microsoft and Google can’t be trusted. While their PR states that they “only comply with legitimate requests,” the NSA’s demands and metadata gathering have been ruled legitimate. Until that changes, these services have no security value whatsoever.
Original image by XKCD
It’s not clear if the guarantees granted by EU law are unilaterally applied to US citizens as well, or if these precepts are bent when certain government entities come calling. For that reason, it’s important to move away from email for storing any truly sensitive communication in favor of synchronous communication systems. While a full consideration of options is beyond this article, point-to-point communication via IM is likely safer than any email alternative.
But the flurry of interest in secure email systems also underscores the degree to which government secrecy on these programs has damaged the public’s confidence in them. The NSA has a responsibility to protect the nation from terrorist attacks, and some of that work necessitates monitoring lines of communication. Few people would argue that access to email or mobile phone accounts should be off limits in all cases. But by refusing to have those conversations until Snowden forced the issue, the government has created a scenario in which people are deeply concerned about overreach precisely because the government’s current policies have eviscerated the protection formerly extended by the 4th Amendment.
0 comments:
Post a Comment