Participants:
- Alice – sender (the real Alice, your bank, a social network, etc.)
- Bob – recipient (for example you, or vice versa)
- Trudy – intruder of any kind (MitM, local infostealer, someone who has access to your laptop, internet or email provider, etc.)
If Alice sends Bob an email with an ID, a bank statement, or a confirmation link, both of them have several problems:
Problem | Description |
---|---|
No encryption | Anybody who has access to your inbox (online, offline, or in transit) can read your email content |
No sender validation | How can you be sure that a message with the subject "your account has been blocked" is really from your bank? Somebody may have bought a domain like yourbank.com-block.zip and used it for phishing |
No backups | If your email provider is not accessible for any reason, you need a second way to receive your letters |
No retention period | Sometimes it's not a good idea to keep all emails in the inbox as plaintext forever |
No email address protection | If any online resource suffers a data breach, your email address will be used for spam or credential stuffing |
Solutions review
Encryption
If you just want to encrypt email contents between two email addresses, you can use Mailvelope.
It is easy and works well for both sides:
- Create your keys
- Share your public key with Bob
- Now he can use it to encrypt the messages he sends to you
Thunderbird can also solve the problem, just read this note
Many clients support PGP encryption; check the list at https://www.openpgp.org/software/
Backups
You may want to have additional storage for your emails, for example: your laptop, Gmail, and Proton
Why? If your laptop is lost, or your Gmail or Proton account is blocked (or unavailable because of maintenance), you can still find your letters
Solution – email relays
I believe the best choice today is https://simplelogin.io/, and here is why:
- it solves the problem: it generates a lot of email aliases that forward all emails to your other inboxes
- it additionally provides PGP encryption for all incoming emails, which is useful if you want messages from social networks or your bank to be encrypted but they do not support it
For the paranoid: you can deploy it on your own hosting...
Email address protection
And again, email relays:
- SimpleLogin (and others) also provides email aliases that can be used as reverse email addresses (you can use the alias even for correspondence, and your real email address stays hidden)
Other services like this one: addy.io or relay.firefox.com (no PGP, as far as I remember)
Retention period
OK, you are responsible for your own mailbox, but sometimes you send something to the other side and want to be sure that their mailbox will not become the source of your data leak
How does it work today?
- A lot of users use Gmail, which protects messages with confidential mode
  - your message will be removed after N days
  - additionally, you may require authorization by an SMS code (you have to enter the recipient's phone number, which you need to know)
- Other providers, like protonmail or tutanota, offer the same functionality
  - but there you can set a password for access to the email
  - they may additionally request email confirmation (to confirm ownership of the inbox)
  - and let the recipient reply right from the web page where they read the letter
Sender validation
By the way:
- if you use PGP encryption, you already have sender validation (as long as nobody else owns the sender's private key and its passphrase)
- you can also use PGP just for signatures
- email relays give you a unique email address for each website, so an email that does not arrive through your relay is a red flag
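
The relay red flag above and the lookalike-domain problem from the table (yourbank.com-block.zip) can be checked together. This is an added example, not code from SimpleLogin or any other relay: the alias book, the alias.example relay domain, and the sample messages are constructed, and it assumes the From header still shows the original sender.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed alias book: relay alias -> domain the site it was given to sends from.
# All addresses and the alias.example relay domain are constructed.
ALIASES = {
    "bank.k3v9@alias.example": "yourbank.com",
    "shop.p7q2@alias.example": "shop.example",
}

def domain_matches(sender_domain, expected):
    """True only for the expected domain itself or a real subdomain of it."""
    sender_domain = sender_domain.lower().rstrip(".")
    return sender_domain == expected or sender_domain.endswith("." + expected)

def red_flags(raw_message):
    """Return reasons to distrust a message; an empty list means none found.

    Assumes From still shows the original sender. From is not authenticated,
    so this catches lookalike domains and alias mismatches, not spoofing.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    known = [r for r in recipients if r in ALIASES]
    if not known:
        return ["not delivered to any alias you issued"]
    return [
        f"{sender_domain} wrote to the alias issued to {ALIASES[alias]}"
        for alias in known
        if not domain_matches(sender_domain, ALIASES[alias])
    ]

def sample(sender, to):
    """Build a constructed test message with the page's phishing subject."""
    return f"From: Your Bank <{sender}>\nTo: {to}\nSubject: your account has been blocked\n\nBody\n"

# Constructed messages: genuine, lookalike domain, leaked alias, no alias.
GENUINE = sample("noreply@mail.yourbank.com", "bank.k3v9@alias.example")
PHISH = sample("security@yourbank.com-block.zip", "bank.k3v9@alias.example")
LEAKED = sample("noreply@yourbank.com", "shop.p7q2@alias.example")
DIRECT = sample("noreply@yourbank.com", "bob@mailbox.example")

if __name__ == "__main__":
    for name in ("GENUINE", "PHISH", "LEAKED", "DIRECT"):
        print(name, red_flags(globals()[name]))
```

The lookalike domain begins with the text yourbank.com, so a prefix or substring comparison would accept it; matching on the domain suffix at a label boundary is what rejects it.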
Email as a chat
What about messengers?
A lot of them keep data as plain text (that is why the search function does not work offline 😉)
You can use your mailbox, with backups, address protection, encryption, expiration periods, and sender validation, as a chat!
Just try Delta Chat
Top-level review
I have described the easiest ways for most people to protect their emails (addresses and contents). I hope someone can add more info (or concerns/questions) in the comments, and the post will be updated
Look at this checklist: https://digital-defense.io/checklist/email/. I believe it will be useful for someone
Top comments (5)
My own choice is SimpleLogin, because "SimpleLogin joins the Proton family"
And I trust the Proton family. Anyway, it could be self-hosted, but I do not want to have issues with whitelisting my IP addresses for antispam systems
If you trust Fastmail – aliasing is supported there out of the box; sometimes I see this as a feature of some mailing systems, but I'm not sure that I'm ready to use them
Side remark: SimpleLogin, Firefox Relay and .addy integrate well with Bitwarden
bitwarden.com/blog/add-privacy-and...
Thank you! A very good and useful point, and next time I'll write a short note about password managers with a comparison (I have tried a lot of them and use them every day)
Additionally, let's mention other possibilities:
While your article is great, I don't get why you refer to PGP (proprietary) instead of GPG