01 Apr 2014

Email Security and Privacy

There are a lot of privacy related chat apps that offer end-to-end encryption such as Signal. In a previous article I discuss Secure Remote collaboration tools you can use. But when it comes to email, it was not designed with security in mind. If you must send email, here’s a few tips.

Getting Started With Basics

First off, you’ll want to make sure your accessing email over an encrypted session - SSL. For web based email, make sure all addresses are https://, not http://. Most security researchers agree that Firefox is a secure browser over the others. There’s a good browser plugin for this called HTTPSEverywhere that attempts to make sure all the pages you browse are using the https encrypted versions of the site.

Privacy Badger and uBlock Origin are good browser plugins to prevent tracking. Adblock plus used to be a very popular plugin, but has since decided to allow companies to pay to get around their block list, so this one is no longer recommended.

Email desktop applications should also use SSL (ports 587 and 995, not 25 or 110). For mobile devices, instructions to enable SSL encryption are here.

Encrypting the Content

There are solutions to encrypt your content such as S/MIME but by far the most secure solution for email is Pretty Good Privacy (PGP), or it’s open source equivalent, GPG. The main drawback is that the other person receiving email needs to also have GPG set up as well.

GPG works by exchanging public/private keys between you and the sender; establishing end-to-end encryption. GPG encrypts your email right until the user on the receiving end decrypts it. Other email services may encrypt an email but decrypt it once arrived at their location. There’s a great video with instructions on setting it up here. You can also check out written instructions.

There are solutions that automate the encryption steps for you. Protonmail is a great example. It’s simple to use but sending to a non Protonmail address is still unencrypted unless you incorporate GPG.

If you want to send encrypted content by email without any changes to your email setup, you can include an attachment that’s an encrypted archive. You’ll need to disclose the password to the other party by some other means. Make sure it’s over a secure channel such as Signal.

Here’s an example: if you’re both using macOS, you can create an encrypted disk image. From there add your content, text file, word doc or any files you want. Then send the encrypted disk image to the other person. If they don’t use the same platform as you, VeraCrypt is the recommended multi-platform encryption program.

NOTE: You should also use this to send files over services such as WeTransfer or YouSendIt. FireFox Send and Riseup Share are secure alternatives to these services.

As a last resort, you can send a password protected Word/Libre/OpenOffice document in lieu of an encrypted archive.

Anonymizing Your Location

Encryption protects your content but it doesn’t protect your location. To do that, access your email using it’s web-based version over Tor Browser. Tor Browser hides your true location.

Desktop email apps like Outlook or Apple Mail may send other information about who you are for analytics and debugging purposes. If you want to use an app instead of web-based, use products that are open-sourced. With open-sourced software, security researchers can review the code to make sure it doesn’t contain spyware. Thunderbird is a good open sourced email client.

Tor Browser does not protect your other apps that connect to the internet. There is a plugin for ThunderBird called TorBirdy. It routes ThunderBird connection through the Tor network so that the receiver will not know your location. Using TorBirdy with Thunderbird is a good solution.

Forensic Email Evidence

You’ve encrypted your email and anonymized your location. However, your computer may contain cache or historic data of your emails.

A workaround is to use a bootable live OS that wipes it’s memory afterward. You’d use the OS while working with and sending sensitive information. Tails is a great solution. It works with TorBrowser out of the box.

Working on Mobile

These tools are all good if you are on a desktop computer but on a mobile device these tools are less available. Apple released instructions to enable S/MIME.

A paid enterprise solution is Blackphone or iPGMail for GPG.

But the most popular secure app that is free is still Signal.

Anonymizing Your Mobile Location

First, keep in mind that the phone company knows where you are. You can buy a burner phone in cash but remember that the cell towers can triangulate where you are. An extreme solution is to have a second device such as an iPod touch for sensitive correspondence. That way it doesn’t ever connect to a cell tower.

In either case, you’ll want to use a VPN on the device. Instructions for setting this up are here. A free VPN is VPNBook. However, paid VPNs like LiquidVPN and Pia VPN make it clear that they do not keep any traffic logs.

As a last resort, you can use a proxy such as one found on proxylist.hidemyass.com. Instructions on setting up a proxy are here. This is not an ideal solution compared to a VPN.

With free proxies, security is even more placed at the mercy of the proxy - some proxies keep detailed logs and could be a honeypot. Additionally, iOS apps that use lower level socket communications in place of standard communication frameworks bypass the proxy. Some example apps that bypass proxy settings include Clash of Clans, KIK Messenger, Opera Mini, Pinger, Spotify Premium, and Tango.

For the technically inclined, a robust option is to set up your router to use a VPN and then all your connected devices are automatically routed through it (minus cell connections).


Last but not least, your computer can capture email content if it has spyware or malware installed. You’ll want to install a virus scanner to prevent this. ClamAV is free and open-sourced but requires you to be tech savvy to install it.

These suggestions are for the casual user who wants to add layers of privacy to their communications. If you’re working on very sensitive content, check out the Privacy For Investigators and Whistleblowers article.