World Top 10 most secure mail service

I found these to be the seven most secure e2e encryption technologies used for securing mail services.


App tips · 14 min read

The 6 Most Secure Email Services and the Security Measures They Practice

By Benjamin Brandall · January 21, 2019

“Plain email is not a secure medium.” – The SANS Institute

According to the Breach Level Index, over 13 million records have leaked or been lost in published cybersecurity breaches since 2013. Of those 13 million records, a terrifying 96 percent weren’t encrypted. The method these hackers most often use to break in, steal staff identities, and mine trade secrets?

Email.

Email is ancient technology compared to modern team communication tools, and it has technical limitations that make its age a real barrier to security. Luckily for its four billion users, developers and security researchers are consistently coming up with ways to improve on this old technology for it to be viable and safe in the age of rapid and intelligent attacks.

In this piece, we’ll talk about what to look for in a secure email service, and then we’ll present what we found to be the seven most secure services.

Security Features to Look for in an Email Service

You probably already use Gmail or Outlook. What’s wrong with those services? Are they not secure? Well, it depends on your threat model and adversary.

Some of the biggest differentiators between security-focused and regular email are pertinent if you’re a large organization or enemy of the state, but could be seen as overkill by everyday users.

For example, server location might only be pertinent if you’re an activist who can reasonably expect their communications to be subpoenaed by the government. On the other hand, end-to-end encryption can help both individuals and businesses keep their information secret: Unencrypted emails were to blame for at least four major breaches of the past few years, leaking millions of emails and causing millions of dollars of avoidable damage.

Below are the features you’ll often find as part of secure email, along with thoughts on why they may—or may not—matter to you.

End-to-end encryption

To understand end-to-end encryption, you first need to understand encryption.

Encryption is a way to obscure data. Any website with https in its URL is using Secure Sockets Layer (SSL, today superseded by its successor TLS) to keep the data you send secure as it travels from your computer to the website’s server. SSL gives your computer a way to guarantee that the data it sends to and receives from an SSL-enabled server is encrypted. Almost all websites you visit regularly will have SSL enabled to protect users against having their passwords or form input stolen by someone “tapping the line.”

The same goes for email data: Sending an email over an encrypted network means scrambling the plain text content of the email so it’s impossible to read without what’s called an encryption key, which functions like a password.

[Encryption diagram]

Modern encryption does such a good job that it would take a million computers working for sixteen million years to crack, but non-security-focused services like Gmail and Hotmail only encrypt the data as it travels from your computer to their servers. On the other side, it can be read in plain text. That requires users to trust that these organizations won’t use their encryption keys to read your email—or that the keys won’t fall into the hands of hackers.

End-to-end encryption puts control in the hands of the user. When you load up your inbox from an end-to-end encrypted email service, it first has to receive a private key that’s unique to your account—and essentially uncrackable—before it de-scrambles the encrypted content. Unless you’re manually encrypting emails, this process all happens in the background for end-to-end encrypted tools.

Encryption is a hard problem to solve for computer scientists and can be resource-intensive to implement. It’s only in recent years that end-to-end encryption has become standard thanks both to messaging apps like WhatsApp and the public’s increased paranoia after incidents like Snowden’s NSA leaks, which revealed the extent to which world governments monitor their citizens. Not even Google’s systems were safe from prying eyes.


[Screenshot: this screenshot from a leaked NSA document shows how the agency was able to bypass SSL encryption and read user data in plain text.]

If an email service that uses end-to-end encryption is forced by the authorities to hand over its data, it will only be able to provide data that is useless to anyone without the user’s private encryption key.

PGP encryption

Pretty Good Privacy, or PGP, was developed in the early 1990s as a way to guarantee the security and privacy of email communications over insecure networks. Its basic concept involves the use of private and public keypairs, and is implemented today in secure communications tools like ProtonMail and Signal.

When you send an email encrypted with PGP, you use the recipient’s public key like a padlock to secure the contents, in addition to using your password to authenticate with your email service. The recipient then uses their own private key to unlock the padlock and read the message. Public and private keys are simply long strings of text, like passwords.
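The two models described above (a provider that holds the key and can read stored mail, versus an end-to-end “padlock” that only the recipient’s private key opens) can be shown side by side in code. The following is an added example, not code from the article or from any of the services it names: it uses textbook RSA at a deliberately small, labelled-toy key size and a SHA-256 counter-mode stream cipher in place of OpenPGP’s real packet formats, padding and authenticated encryption. The names (`MailProvider`, `e2e_send`, `e2e_open`) and the sample message are all constructed for the example.

```python
"""Added example: transport-only encryption vs PGP-style end-to-end hybrid encryption.
Toy primitives only (textbook RSA, SHA-256 CTR keystream); not a real OpenPGP implementation.
"""
import hashlib
import secrets
from math import gcd


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stream cipher: XOR data with SHA-256(key || nonce || block counter).
    Encryption and decryption are the same operation. Toy PRF, not a standard cipher."""
    out = bytearray()
    for start in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + start.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[start:start + 32], pad))
    return bytes(out)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and odd
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int = 512):
    """Textbook RSA keypair. 512 bits is a TOY size chosen for speed; real keys are >= 2048."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # public (n, e), private (n, d)


def e2e_send(recipient_pub, plaintext: bytes) -> dict:
    """Sender side: lock a fresh random session key with the RECIPIENT's public key (the padlock),
    then encrypt the body under that session key. This is the hybrid structure PGP uses."""
    n, e = recipient_pub
    session_key = secrets.token_bytes(32)          # 256-bit key, always < the 512-bit modulus
    nonce = secrets.token_bytes(16)
    return {
        "locked_key": pow(int.from_bytes(session_key, "big"), e, n),
        "nonce": nonce,
        "body": keystream_xor(session_key, nonce, plaintext),
    }


def e2e_open(recipient_priv, envelope: dict) -> bytes:
    """Recipient side: only the matching private key recovers the session key."""
    n, d = recipient_priv
    session_key = pow(envelope["locked_key"], d, n).to_bytes(32, "big")
    return keystream_xor(session_key, envelope["nonce"], envelope["body"])


class MailProvider:
    """Transport-only provider (hypothetical): it holds the transport key, so whatever arrives
    over the encrypted hop is decrypted at its edge and stored exactly as received."""

    def __init__(self):
        self.transport_key = secrets.token_bytes(32)
        self.stored = []

    def receive(self, nonce: bytes, ciphertext: bytes) -> None:
        self.stored.append(keystream_xor(self.transport_key, nonce, ciphertext))

    def what_provider_can_read(self) -> list:
        return list(self.stored)


def demo(message: bytes = b"Board minutes: acquisition closes Friday."):  # constructed sample
    """Returns (what the provider sees with transport-only encryption,
                what the provider sees with E2E, what the recipient decrypts)."""
    # Transport-only: client encrypts to the provider, provider decrypts and stores plaintext.
    p1 = MailProvider()
    n1 = secrets.token_bytes(16)
    p1.receive(n1, keystream_xor(p1.transport_key, n1, message))
    # End-to-end: the same transport hop carries an envelope the provider cannot open.
    pub, priv = rsa_keypair(512)
    env = e2e_send(pub, message)
    p2 = MailProvider()
    n2 = secrets.token_bytes(16)
    p2.receive(n2, keystream_xor(p2.transport_key, n2, env["body"]))
    return p1.what_provider_can_read()[0], p2.what_provider_can_read()[0], e2e_open(priv, env)
```

Running `demo()` shows the point the article makes: with transport-only encryption the provider’s copy is the plain message, while with the end-to-end envelope the provider stores only ciphertext and the recipient, holding the private key, still reads the original.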

his list.

Two-factor authentication

Two-factor authentication adds an extra layer of security to your email accounts that makes a cracked password useless on its own and the hacking process exponentially more difficult. That’s because it relies on two things:

  • Something you know, like a username and password
  • Something you have, like your mobile phone or a backup key

It makes sense not to rely solely on the integrity of your password. Have I Been Pwned, a database of sensitive information captured from hacks all around the world, has over 320 million passwords on file. Passwords are routinely hacked, leaked, and used to compromise victims’ accounts. The likelihood of a hacker having access to both your password and your phone or physical backup, however, is vastly lower.

Two-factor authentication is implemented in a lot of different ways, but the most common is the use of a one-time token. When you tap the Google app to sign in from a new computer, you’re sending the server a unique token that can be used only once. The same goes for receiving a code over SMS to log into Twitter. Because the token expires after one use, an intercepted copy can’t be replayed for continued access. It also makes it easier to recover your account if you lose access.

Open source

Open source software, like the Android operating system and the Firefox browser, is software that makes its source code available for users, developers, and the community to inspect and improve. This is in contrast to something like Microsoft Outlook, which comes packaged as an executable file that can’t be inspected or audited.

What does the way a tool’s source code is treated have to do with security?

Well, when you’re using an email service like Outlook, you’re putting your trust in the fact that Microsoft’s developers are (a) acting in good faith by not adding anti-user features to the software, and (b) competent and have built a secure system.

No such leap of faith is required if the software is open source. Open source projects are developed with complete transparency because that’s how they thrive and improve. Bugs are made public knowledge, and large projects are armed with thousands of dedicated debuggers.

This kind of scrutiny is good, and it’s uniquely possible with open source. In fact, it’s one of the reasons the Linux operating system was developed so stably and quickly despite being the project of a bedroom hacker and a group of volunteers.

Analyzing the merits of the open source model in his book The Cathedral and the Bazaar, developer Eric Raymond writes:

Consider the way a puddle of water finds a drain, or better yet how ants find food: exploration essentially by diffusion […] Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone. Or, less formally, “Given enough eyeballs, all bugs are shallow.”

There’s nothing about closed source software that implies insecurity, but an open source email service and app is usually desirable because you will be able to review third-party audits and proof of its claims. We reached out to Brett Shavers, digital forensics analyst and owner of incident response training firm DFIR Training, to clarify why it’s important that a tool is open source:

Open source implies that, since the code is open to inspection, it must be safer because you can see the code. But for all practical purposes, few ever check the code of any open source software and trust it anyway. With closed source, you just have to trust it. Either way, most email users simply trust their service. I tend to go with the open source model.

For closed-source projects, you have to take the developer’s word for it, and they could be implementing dodgy cryptography.
