If you have been following my posts as of late, you will have seen that I am on a anonymous bend. Some of my friends have wondered why I was seeking to disappear digitally and if that is the takeaway from my work it should not be. By the very act of posting this information I am by nature not anonymous. I think its important as our society becomes more open that we are able to close and keep private what we want. The option should always be yours. In that vein this post will cover email storage and usage.
Before I get started I want to state up front that your privacy is a God Given Right. I believe that as did my American Forefathers. If you are using these services to the detriment of the poor in spirit, those that hunger, the meek, the mourners, the merciful, pure of heart, peacemakers, or those that suffer for justice; you are not welcome here. I share this to ensure those who assist the above are able to continue forward.
I use GMail exclusively through Google Apps and personal accounts for my email needs. Google has made it incredibly easy to archive rather than delete. That means being able to query messages as far as 7 years back and there is a benefit in that. The downside is that due to legal ramifications that mail can be accessible to certain parties. In addition to those in countries with restrictive policies are constantly being monitored, email storage could put at risk your family or life. There are a multitude of options on the market and I wanted to take a look at the capabilities to ensure you as security-minded persons make smart choices. Something I kept coming back to is trust. In the end you are in some ways trusting the country and service providers. Unless you are running your own server in a country with very liberal privacy laws you are going to be at risk. Keep that in mind that you are at best going to get plausible denialability.
Let me walk through the factors considered and what they mean:
- Web GPG Encryption – PGP/GPG is an essential part of your email communications or should be. GPG allows you to perform end-to-end encryption so that no matter the transport you can be assured of the information being kept secret. Many offline clients support this option, but very few online webmail providers do. With the closure of FireGPG it is becoming tougher to find with mainstream providers.
- S/MIME – x.509 – Certificate-based encryption can provide another level of assurance. I am becoming less weary of this type of encryption as it requires a trusted Root CA and you are once again dependent on an outside source.
- Encrypted Storage - If you have ever used TrueCrypt or the likes you are familiar with the idea. I want the provider to store my email, but not be able to read it. This goes for their safety and mine. They become just a storage box for my encrypted volumes.
- Filter IP Header – When you send an email there is a chain of information attached by the SMTP server. More secure vendors strip the data that can identify the users.
- Country of Host – I am not going to get in the legal policies. I simply am stating the country where your data is stored.
- SSL Encryption – Are your connections to the various POP3/IMAP/SMTP/Web server encrypted?
- IMAP/POP – Do they offer IMAP, POP3 or both
- Anonymous Alias – When I am working on social engineering the first thing I do is find a forum post and start the scavenge. Some services allow you to create alias that don’t trace back to your true account. Useful for online sites that require registration. Also serves as a good SPAM deterrent.
- Payment Forms - Credit Card, PayPal, E-Gold, Money Order, etc.
- Log Retention – How long are my logs being kept for. Certain countries mandate their storage for n+1 number of days, but what is the policy of the service provider?
- 3rd-party plugin needed – If you are required to utilize Java to login or something else, you know have another attack
- Non-standard Port – In this day and age I am still amazed to find firewalls blocking on port only rather than packet content.
- Antivirus Scans – Since you are practicing good host-based security this is a nice to have. You are practicing good host-based security right?
- Hardware Token Authentication – As I covered prior on the blog, Multi-Factor Authentication is needed to ensure your identity is more than just a username and password. Keyloggers are too prevalent as are MITM attacks. Using a hardware key ensures any authentication captured is good for just a short amount of time.
- Price - How much will this security cost me?
Below is not the all encompassing list. Some of the websites also lacked information so if you have a source to correct some of the data please let me know. In addition if you find other hosts you would like added please let me know. The spreadsheet is large so I am providing a link first followed by an embedded iframe.