Online security: How to protect your email

In the previous post of our series exploring Online Security we looked at how journalists can surf the web safely and anonymously.

In this post DW Akademie’s Natalia Karbasova asked online security expert Jens Kubieziel for advice on email security for journalists as well as finding out how secure is Google’s Gmail and other established email services.

To start with, what basic rules would you recommend in order to maintain secure email communication?

I’ll try to make a short list of issues which seem important to me:

1. Make sure that you are working on a clean system. If you use your own computer, you should install antivirus software. This software should update its virus signatures on a regular basis and check your system. Users which often have to work in an internet cafe could use a live system which boots from CD or USB stick.

2. Use HTTPS. If you connect to your webmail, make sure HTTPS (like https://example.org) instead of HTTP. This encrypts your connection and all data which go to the webmail server.

3. Use a safe password. Many users use quite insecure passwords, ranging from “password” to “123456”. You should use a password which has no obvious connections to yourself or your environment. Sites like http://www.yetanotherpasswordmeter.com give you an impression how safe your password is.

4. Use better authentication if possible. Google offers its users so called two factor authentication. This means that you first log in with your username and password. In a second step Google sends a SMS with a number to your mobile phone. Only if you enter the correct number into Google you get access to your account.

5. Be cautious. Whenever you try to open an email from strangers keep in mind that they might trick you into opening malicious attachments or malicious websites. It is often feasible to upload questionable attachments to sites like VirusTotal. More than 40 virus scanners check the file and report any findings.

How secure are well-established services like Gmail, Hotmail and Yahoo? Which email provider would you suggest for secure email communication?

If I could choose freely, I’d choose an autonomous provider, like riseup.net. Along with other providers in this field, they take security and privacy very seriously. For me it is important that a provider encrypts my traffic and by doing this secures my data. Furthermore, they should keep as little data as possible. This minimizes my risk if an attacker somehow gains access to the provider’s data. Riseup.net as well as other providers fulfill this in a near perfect way.

If I had to choose between Gmail, Hotmail and Yahoo, I’d probably choose Gmail over the others. Gmail has shown that it takes security of its users very seriously and it also had no data leak as far as I know. The Gmail interface shows the address of your last logins. If they think that your account might have been hacked they show a warning. So at least you know that something has happened and can react appropriately. However, Google as well as probably every other commercial and free provider will automatically scan your email to show you adds. This can pose a risk for your privacy.

Jens Kubieziel, online security expert

Would you recommend email clients over web interface?

Email clients have several advantages over webmail. First of all they are more convenient. A client downloads all messages onto your computer. You can now work without any network connection, prepare your mails and send all when you’re online again. Also, clients usually have much more flexibility than a web interface. They offer more customization possibilities. If you want to encrypt your emails, it is quite hard to do it within webmail and easy within a client software. In general using a client also allows you to use webmail. So you can have up to some point the best of both worlds.

 Are there useful plugins to provide more security to your email communication?

I know quite a few useful plugins. Generally I recommend Mozilla Thunderbird as a mail client. If you use it, the first recommendation would be Enigmail. This enables you to encrypt your emails whenever possible. It is quite an easy-to-use this plugin. If you need to send emails through Tor or JonDonym, the plugin TorBirdy comes in handy. It is easy to install and has some useful default settings.

Does it make sense to use services such as Hushmail which allegedly offer more security?

Well, it might be useful up to some point. As the former NSA employee and whistleblower William Binney says, you should consider every web-based crypto-software as broken or backdoored. If you need to have safe encryption you should use some software like GnuPG which is locally installed on your computer. If you consider this using a “secure” provider which encrypts your mails for you gives you not much incentive. It is more important that the provider processes your mail in a secure way and keeps as little data as possible.

There are a number of remailers out there which help users to send anonymous mails. Which one would you recommend?

Mixmaster is one of the actively used and stable running remailers. Mixminion and the Cypherpunk remailers have weaknesses and should not be used. I run two Mixmaster instances each processing more than 10.000 mails a day.

Every message which is sent through Mixmaster is split to a fixed size and encrypted. When the message is sent, it is handed over to several servers. Each server can only remove one layer of encryption and has no possibility to look inside the message. The server stores your message, waits a random amount of time and sends it to the next in a random way. So an attacker has no possibility to map incoming and outgoing messages at one server. Even if an attacker runs a server it does not decrease your security as long as you use more than one remailer.

Jens Kubieziel is digital security expert and author of the book Anonym im Netz (Anonymous on the web) He advises companies and government agencies on securing their IT systems and networks. Kubieziel also trains activists and journalists on issues such as secure usage of Internet tools and censorship circumvention.