Secure your E-Mail Usage

Because of some confused discussions in our forum about e-mail usage, we want to outline the recommendations of JonDos GmbH.

Web interfaces of mail providers

Using a web interface for e-mail communication is not the recommended way.

  • HTTPS encryption of most websites is not secure. Only 10% of the top 200,000 websites with HTTPS encryption offer a secure configuration. The most common problems are weak encryption, insecure renegotiation and the BEAST vulnerability. We checked the web interfaces of some mail providers at random and none of them was genuinely secure.

  • Third-party web tracking by advertising and tracking elements can leak identifying information like user IDs or usernames to tracking services after login, via the URL or the page title. Sometimes the mail provider leaks this identifying information unintentionally. But intentional or not, the result is the same: tracking services can link all e-mail accounts and social media accounts together. This problem is not limited to the web interfaces of mail providers. A Stanford University study found that 61% of top websites leak identifying information to third-party tracking services after login.

    There is substantial evidence that user IDs and usernames can trivially be used to identify a user. Some tracking companies have already deployed username-based matching in their products. Additionally, we want to point out the use of the near-ubiquitous online tracking programs by law enforcement (and intelligence services?).

  • There is a major technological trend in surveillance from real-time intercepts to access to stored records (cloud services, mail providers...) because of the declining effectiveness of traditional wiretapping. When you use a web interface, all mails you did not delete (sent and received mails, drafts) are stored on the mail server, outside of your control.

  • End-to-end encryption for e-mails is difficult to use (with OpenPGP) or not possible (with S/MIME) in a web interface. Some mail providers offer S/MIME encryption in the web interface. This kind of encryption is a placebo; do not use it. The private key is stored on the server and is easy to compromise. Secure end-to-end encryption is not possible with this solution.
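One way to audit a webmail session for the identifier leak described in the list above, as an added example that is not part of the original post: the function takes requests captured after login (for instance exported from the browser's network panel) and reports third-party hosts that receive the account name in the URL or the Referer header. The request records, host names and account name are constructed sample data, and the first-party test is a plain domain-suffix match, which is a simplifying assumption.

```python
from urllib.parse import urlsplit, unquote

def find_identifier_leaks(requests, first_party, identifiers):
    """Return sorted (third_party_host, channel, identifier) tuples.

    requests:    dicts with "url" and optional "referer", captured after login
    first_party: domain of the mail provider (suffix match, a simplification)
    identifiers: strings that identify the user, e.g. the mailbox name
    """
    leaks = set()
    for req in requests:
        host = (urlsplit(req["url"]).hostname or "").lower()
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party request: the provider knows the user anyway
        channels = {"url": req["url"], "referer": req.get("referer", "")}
        for channel, value in channels.items():
            decoded = unquote(value).lower()  # catch percent-encoded identifiers
            for ident in identifiers:
                if ident.lower() in decoded:
                    leaks.add((host, channel, ident))
    return sorted(leaks)

# Constructed sample capture (hypothetical hosts and account name)
SAMPLE_REQUESTS = [
    {"url": "https://mail.example.com/inbox?user=alice.k", "referer": ""},
    {"url": "https://static.example.com/app.js",
     "referer": "https://mail.example.com/inbox?user=alice.k"},
    # page title passed to a tracker as a URL parameter
    {"url": "https://ads.tracker.test/pixel.gif?t=Inbox%20-%20alice.k%40example.com",
     "referer": "https://mail.example.com/"},
    # username leaked through the Referer header
    {"url": "https://cdn.analytics.test/collect?v=1",
     "referer": "https://mail.example.com/inbox?user=alice.k"},
    {"url": "https://fonts.cdn.test/font.woff",
     "referer": "https://mail.example.com/"},
]

if __name__ == "__main__":
    for host, channel, ident in find_identifier_leaks(
            SAMPLE_REQUESTS, "example.com", ["alice.k"]):
        print(f"{host} receives '{ident}' via {channel}")
```

A substring match misses identifiers that are hashed or otherwise encoded before being sent, so an empty result does not prove that a page is free of leaks.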

Use an email client

We only recommend Mozilla Thunderbird. There are some other nice e-mail clients available too, but because of limited resources we cannot compile recommendations for other e-mail clients. You can find a tutorial for a secure Thunderbird configuration in our online help: Anonymous e-mail accounts with Thunderbird.

  1. Think about your mail provider. Does it sell you a service, or does it earn money by collecting your data?

  2. Do not use IMAP accounts. In this case all mails are stored on the server. We recommend the usage of POP3 accounts. For POP3 accounts the mails are stored on your computer.

  3. Secure your SSL/TLS settings. For compatibility with some mail providers, Thunderbird supports old and insecure SSL/TLS encryption settings. You have to disable them. If you have problems connecting to your mail server (SMTP or POP3) with secure settings, you may leave the provider and choose another one with secure SSL/TLS encryption.

  4. Read and write your mails in "plain text" only. Otherwise dangerous e-mail attachments could compromise your computer.

  5. HTML-only mails may contain many tracking features. Read them only in "Simple HTML" mode, or disable all HTML features that cause privacy issues.
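A small audit of a Thunderbird profile against steps 2 to 5 above, as an added example that is not part of the original post or of the JonDos tutorial: it parses `prefs.js` and reports settings that contradict the recommendations. The preference names are Thunderbird's own but do not appear on this page, the sample profile is constructed, and treating TLS 1.2 as the minimum acceptable version is this example's assumption.

```python
import re

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of bool/int/str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """Return findings that contradict steps 2 to 5 of the list above."""
    findings = []
    for name, value in sorted(prefs.items()):
        if re.fullmatch(r"mail\.server\.server\d+\.type", name) and value == "imap":
            findings.append(f"{name}: IMAP account, mails stay on the server")
        if re.fullmatch(r"mail\.identity\.id\d+\.compose_html", name) and value is True:
            findings.append(f"{name}: mails are written as HTML")
    # html_as: 1 = plain text, 3 = simple HTML; absent means 0 (original HTML).
    if prefs.get("mailnews.display.html_as", 0) not in (1, 3):
        findings.append("mailnews.display.html_as: mails are rendered as full HTML")
    # 3 = TLS 1.2 (threshold is this example's assumption). An absent pref means
    # the build default, which this audit does not know and therefore skips.
    if prefs.get("security.tls.version.min", 3) < 3:
        findings.append("security.tls.version.min: protocols older than TLS 1.2 allowed")
    return findings

# Constructed prefs.js excerpt (not taken from a real profile)
SAMPLE_PREFS = '''
user_pref("mail.identity.id1.compose_html", true);
user_pref("mail.identity.id2.compose_html", false);
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server2.type", "pop3");
user_pref("mailnews.display.html_as", 3);
user_pref("security.tls.version.min", 1);
'''

if __name__ == "__main__":
    print("\n".join(audit(parse_prefs(SAMPLE_PREFS))))
```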

If you are using anonymisation services like JonDonym or Tor, you have to set some more configuration values to hide your preferred language, your regional provenance, your local IP address and the software you are using. Do NOT use the account creation wizard! It will leak your real IP address because of a serious bug in Thunderbird. To create a new account, you have to start Thunderbird with "Work offline".

Please read our tutorial carefully.

We know it is not easy for beginners to set up a secure Thunderbird configuration. Together with TorProject.org we are working on a simple-to-install Thunderbird XPI called TorBirdy. At the moment only a very early pre-alpha release is available (for testing purposes only!). We want to invite developers to support TorBirdy to make it ready as soon as possible.

Comments

  1. Baum says:

    If you use Thunderbird with the JonDo Live CD, are you on the safe side? Is everything already configured securely there?

  2. cane says:

    In version 0.9.26 the Thunderbird config is up to date. Older versions of the live CD lack the deactivation of the HTML5 tracking features in HTML-only mails. Since all mails are read in plain text by default, this is perhaps not critical.

  3. Somohornhiera says:

    I don't think you would accept my help click here

