23rd November 2020
Email Security & Privacy Concerns

Email Security & Privacy Concerns

Overview

Are you done with being followed by Google or Microsoft? Do you care about your privacy? If you can answer ‘Yes’ on both of these questions, this article might be interesting to you. In this blog post, I want to discuss with you about secure email providers. To keep the data in your inbox safe, it matters to think carefully about which email provider you choose.

These days we all get overwhelmed by security. Due to the Coronacrisis, even Zoom was telling everybody that they have a secure platform. But, just saying that you have encrypted communications. Those words alone mean nothing. The word ‘encryption’ alone means nothing, it’s not giving any credibility to any product or platform.

In this article, we discuss the three leading secure email providers ProtonMail, Tutanota, and Hushmail. There are many more secure email providers on the market today, but I want to limit myself to these three best-known services. But first, we take a dive into some of the “unsafe” email providers we use, like Gmail, Outlook.com and Yahoo!.

I will not make a fully comparison between ProtonMail, Tutanota and Hushmail. This article is limited to privacy concerns regarding the use of e-mail.

What’s wrong with Gmail, Outlook and Yahoo!?
There is nothing wrong with the email providers such as Gmail, Outlook.com (former Hotmail.com), and Yahoo!. I had used Hotmail for many, many years. But when you care about your privacy and security you should take into consideration if these providers are satisfying your privacy and security needs.

Privacy as a payment method
Let’s take Google by example. First, ask yourself this question? How much do you pay Google to use their services? How much do you pay to use their Search Engine? Nothing? Are you sure? Google is a commercial company, how are they earning money if you can use their services for free?

Google

Google is not making a secret of it; they collect and use your personally identifiable information. According to the Privacy Policy of Google, they collect all the information to give to Google, when you use one of their ‘services’.

We also collect the content you create, upload, or receive from others when using our services. This includes things like email you write and receive, photos and videos you save, docs and spreadsheets you create, and comments you make on YouTube videos.

Google is even reading the body of all your email messages. Back in 2017 Google had announced that they are stopping with reading your emails, for advertisement purposes. Because a lot of Gmail users had complained about it But, Google is still reading your emails, but not for advertisement purposes. Google has added in 2018 the ‘smart nudging’ option which brings automatically e-mail messages to your inbox when a reply hasn’t been sent by you or a recipient. Fortunately, you can disable this option, but it’s enabled by default.

When you create an account by Google, you need to fill in these details:

  1. Firstname.
  2. Lastname.
  3. Phone number, Google needs to verify if you’re a human. They had could use ReCaptcha. Why a phone number?
  4. Date of birth.
  5. Gender.

Now you know what you pay to Google to use their services; you pay with your privacy.

Yahoo!

Yahoo! had his own problems, they had suffered a couple of data breaches. The first data breach of Yahoo! occurred in August 2013 and 1 billion user accounts, including unencrypted security questions and answers, were been taken.

The second breach, in 2014, the hackers had obtained data from over 500 million user accounts, including account names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers. Most of the passwords were encrypted with MD5, which can be broken very quickly.

In July 2016, account names and passwords for about 200 million Yahoo! accounts were for sale on the darknet site “TheRealDeal”.

So, if you are using a Yahoo! email account for a long time, you’re account is definitely exposed in one of the data breaches. You do not want that anyone sees your love stories through mail or your banking email messages and they were (are) visible to the hackers and cybercriminals.

When you create an Yahoo! account, you need to fill in these credentials:

  1. First name.
  2. Last name.
  3. Mobile phone number.
  4. Date of birth.

Outlook.com, Hotmail.com, and MSN-accounts

Microsoft had promised privacy protection with the launch of Outlook.com in 2012.

“We don’t scan your email content or attachments and sell this information to advertisers or any other company, and we don’t show ads in personal conversations,”

Chris Jones

Microsoft had a data breach in April 2019. Hackers had targeted the support accounts from the service desk of Microsoft and then used that to gain access to information related to customers’ email accounts. Subject lines of their emails and who they’ve communicated with. According to Microsoft, the bad actors were not able to have unauthorized access to the content of the emails or attachments.

Microsoft had refused the reveal how many accounts were affected but about 6% of there users were notified that their account was possibly breached. Microsoft has about 400 million customers on their Outlook.com, 6% of it makes 24 million possibly breached accounts.

Conclusion
If your comfortable with using the services from Google, Microsoft or Yahoo!, keep using them, I respect that. I have only tried to given you some things to think about and you ask yourself the question if there is no need to change from email provider, just don’t.

Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say

Edward Snowden

When you create an Microsoft-account, you need to fill in these credentials:

  1. First name.
  2. Last name.
  3. Date of birth.

Let’s highlight three secure (zero-knowledge?) email providers.

Secure Email Providers

ProtonMail

ProtonMail

Company

Proton Technologies AG

Year Founded

2014

Headquarters

Plan-les-Ouates, Switzerland

Founders

Andy Yen, Jason Stockman, and Wei Zon

Offers FREE plan

Yes (Freemium)

Supporting Platforms

Modern UI Webmail, iOS App, Android App, POP/SMTP

I’m a customer of ProtonMail, I have one e-mail address with the protonmail.com. In this section, I will try to explain to you why I’m a customer of ProtonMail.

ProtonMail is a product from the company Proton technologies AG and the headquarters are located in Switzerland. That’s an advantage to me because Switzerland is offering some strong legal protections. Switzerland has a long history of privacy and security and is not member of the Five Eyes, Nine Eyes, and Fourteen Eyes alliance.

ProtonMail has end-to-end encryption, the employees of the company do not have access to your stored email messages. Even when they want to read your email, they can’t, because your email is encrypted and protected with your password. This extra layer of security goes beyond their own company, even when you reset your password, you can’t read the received email messages or other content that were created before the password reset, because they are encrypted with a different password. This makes ProtonMail a zero-knowledge email provider.

If a court order requires access to your emails, ProtonMail will cooperate and they will handover all of your email messages. However, your emails will be unreadable because they have been encrypted. However, the subject lines are not encrypted and they will be readable and handed over to the Swiss court order. Only your message content and attachments are end-to-end encrypted (with TLS).

ProtonMail is also protecting your e-mail account from social engineering attacks. If you call ProtonMail, with your phone, and you try to convince them that you own an account on ProtonMail and you ask them to reset your password, they don’t.

When it comes to user tracking an tracing, there is a lot of tracking going on when you access your Gmail, Outlook.com, or Yahoo!. But on ProtonMail not, they protect you from tracking, no additional tracking scripts are running when you access your email and when you register an account on the ProtonMail platform you do not have to give them your mobile phone number or date of birth and so on.

What ProtonMail data is encrypted?
ProtonMail is encrypting the following data:

  1. The message body and attachments.
  2. Emails sent between ProtonMail users.
  3. Emails from ProtonMail to non-ProtonMail users, if ‘Encrypt for Outside’ is enabled. Otherwise, TLS will be used (if the receiver supports TLS-encryption).
  4. Emails from non-ProtonMail users to ProtonMail users.
  5. All messages in your ProtonMail mailbox are stored with zero-access encryption.
  6. Contacts are stored and encrypted.
  7. Email on the smartphone with the ProtonMail app.

Does ProtonMail has an clean blanket?

Although ProtonMail is used for privacy enthusiasts, there were (or still are?) some privacy concerns surrounding the privacy of ProtonMail. Professor Nadim Kobeissi is claiming that the company Proton Technologies is lying and that their product ProtonMail is not using end-to-end encryption. Nadim has released his analysis, you can download his analysis below.

This analysis is not peer-reviewed according to the response to this analysis, ProtonMail had issued their website: Response to analysis of ProtonMail’s cryptographic architecture.

There’s something else that stands out. If you want anonymously access your email, ProtonMail has an official tor onion website: https://protonirockerxow.onion/. But, when you sign up you will be redirected from the .onion address to the .com, the question is why the redirection?

Ultimately, it has to do with trust. Do you trust the company behind ProtonMail? If not, maybe you could switch to Tutunota or are you staying on ProtonMail.

Tutanota

Tutanota

Company

Tutanota

Year Founded

2011

Headquarters

Hannover, Germany

Founders

Matthias Pfau

Offers FREE plan

Yes (Freemium)

Supported Platforms

Modern UI Webmail, IOS App, Android App, Linux, Windows, MacOS

I have also an email account on the Tutanota email platform. The headquarters of Tutanota is located in Hannover in Germany. In my opinion, that’s a disadvantage of Tutanota in comparison with ProtonMail. Germany has strict legal laws, but it’s a company that is a member of the EU. Germany is also part of the Four Eyes, Nine Eyes, and Fourteen Eyes groups, these country’s intelligence agencies are working together and exchanges sensitive information.

Tutanota has end-to-end encryption. Tutunota is using asymmetric encryption (AES128/RSA2048). The employees of the company don’t have access to your email messages and in contrast to ProtonMail, the subject lines of the email messages are encrypted and not readable. This makes Tutanota a more zero-knowledge provider in comparison to ProtonMail.

Just like ProtonMail, Tutanota is not using any tracking or tracing scripts and it’s also protecting you from being tracked when you open your emails. Tutunota automatically blocks images so that external content is not being loaded hen you click on an email. Tutunota also strips header information, like IP-address, from your emails to protect your privacy.

What Tutanota data is encrypted
Tutanota is encrypting the following data:

  1. The message body and attachments.
  2. Unlike ProtonMail, Tutanota does encrypt the subject line.
  3. Contacts are stored and encrypted.
  4. Calendar items are encrypted.
  5. External recipients can answer with an encrypted email (password exchange needed).
  6. Email on the smartphone with the Tutunota app.

The concerns with Tutunota

In 2018, Tutanota received a letter from the Itzehoe Amtsgericht in the German Land of Schleswig-Holstein This letter was requesting police access to the content of certain encrypted email messages. The police wanted to see the content of e-mails from criminals who use malware to blackmail companies in the state.

If the email conversation stays within the network of Tutunota, the messages are end-to-end encrypted. And there is no possibility that Tutunota can hand over this encrypted content because they can’t decrypt the messages. But, when an email conversation with non Tutunota users is not end-to-end encrypted. The police requested access to these non-encrypted email messages. Eventually, Tutunota was forced to build functionality in their software that makes a copy of non-encrypted email messages, so that these messages can be handed over if a court order requires it.

Hushmail

Hushmail

Company

Hush Communications Ltd

Year Founded

1999

Headquarters

Vancouver, Canada

Founder

Cliff Baltzley

Offers FREE plan

No (Premium)

Supported Platforms

Webmail, iOS App

In comparison with ProtonMail and Tutunota, Hushmail is the old school. It has 15 years more experience than ProtonMail and 11 years more than Tutunota. Hushmail exists since 1999. Is a longer experience also meaning that Hushmail is offering better privacy than ProtonMail and Tutunota?

Hushmail is offering more than the other two. It has pre-built web forms and they are HIPAA compliant. The company’s headquarters are located in Vancouver, Canada. The firm Hush Communications Ltd is a subsidiary of Hush Communications Corporation, a firm based in Delaware, USA.

With the headquarters in Canada, there comes the first privacy concern: Canada is part of the Five Eyes, Nine Eyes, and Fourteen Eyes alliance, like Tutunota. The second concern is that the parent company has a location in the USA, this raises privacy questions. Back to Canada; The Copyright Modernization Act (the Act), also known as the Bill C-11 law, was introduced in the House of Commons of Canada on 29 September 2011. This law forces ISPs to perform mandatory data retention.

So, there are many questions regarding your privacy when you use Hushmail. Although, they have end-to-end encryption of their email messages if both of the users sending messages back and forth using the platform of Hushmail. For the encrypted transmission, Hushmail is using PGP (with SSL if supported by the recipient).

What Hushmail data is encrypted

  1. The message body and attachments.
  2. Email send between Hushmail users.
  3. Hush Secure Forms.
  4. Hushmail contacts.
  5. Hushmail calendar.
  6. Email on the smartphone with the Hushmail app.

When you create an Hush mail, you need to fill in these credentials:

  1. Firstname.
  2. Lastname.
  3. Alternative email address, why a must-have?
  4. Mobile phone number

Some last words

I hope that after reading this article, you a little bit more aware that your privacy matters. If you still wanna use Gmail, Outlook.com, or Yahoo!, I respect that. You know now that you pay with your privacy and if you are comfortable with that, that’s fine! But, before you go on with using their services, take this into consideration:

  1. How far back do you save your email messages? Is there a need to store email messages from ten years ago? If not, maybe you can remove some of your emails.
  2. If you’re not using the IMAP/POP services on Gmail, disable these protocols in your Gmail-account.
  3. Maybe you using your Gmail-account on many online services. You can make a forwarding on your Gmail-account to your ProtonMail, Tutanota, or Hushmail account, and delete the email message from your ‘insecure’ email provider.
  4. Google, Microsoft, and Yahoo! are also encrypting your email messages but, they have the key and they can and will read through your email messages.
  5. Make sure that you use strong passwords and enabled Two-factor authentication.

I do not know who you are or what your threat model is. You have to make your decision which email service you’re comfortable with. Personally I use Protonmail, because the majority of my contacts are using ProtonMail. But, if they decide to switch to Tutunota, I have also to switch to use the end-to-end encryption to protect my email content.

References

  1. Arno Reuser Open Source Intelligence: so what?
  2. The Privacy, Security, & OSINT Show – Episode 175
  3. Google will stop reading your emails for Gmail advertisements
  4. Microsoft admits Outlook.com hackers were able to access emails
  5. Dump Gmail for Outlook.com? Four reasons you might
  6. ProtonMail
  7. Tutanota
  8. Tutunota Security
  9. Does ProtonMail encrypt email subjects?
  10. The truth about ProtonMail
  11. Response to analysis of ProtonMail’s cryptographic architecture
  12. Gericht zwingt E-Mail-Anbieter, Daten unverschlüsselt herauszugeben
  13. Court forces email provider Tutanota to release unencrypted data
  14. Hushmail Authentication and Encryption Design

Do you have any comments or questions regarding this article, please leave a comment. If I have made a mistake in this article, I will be the first to admit and not hesitate to contact me.

I want to thank you for reading this article. This blog does not use advertisements and is completely free! Consider supporting me with a small donation to keep my website free of (Google) advertisements.

Buy me a coffeeBuy me a coffee

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *