Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Security of secure email services

G

gregmac19

macrumors regular
Original poster
Jul 28, 2016
199
146
On another thread (Apple Promotes iCloud's Advanced End-to-End Encryption Feature as Data Breaches Increase) someone pointed out to me the following (Ref: Post #48):

"Cameron Jay Ortis testified in Ontario Superior Court that a foreign ally told him of a plan to encourage targets to begin using Tutanota, an online encryption service that he called a "storefront" operation created by intelligence agents to snoop on adversaries.

Ortis said he began enticing investigative targets through promises of secret information, with the actual aim of getting them to communicate with him via Tutanota."

Thus, I wondering how I can be certain if a secure email service is actually secure.
 
Bigwaff

Bigwaff

Contributor
Sep 20, 2013
1,956
1,283
How can you be certain any secure service is actually secure? Why pick on email services?
 
  • Like
Reactions: kitKAC
G

gregmac19

macrumors regular
Original poster
Jul 28, 2016
199
146
Bigwaff said:
How can you be certain any secure service is actually secure? Why pick on email services?
Click to expand...
I am mainly concerned about email services because I can easily keep other personal information off servers I don’t control. For example, all my backups are done locally instead of using cloud storage. (Of course, I always keep at least one of my backup drives off site.) Additionally, I use a password manager where my vault is stored on my computer, and I sync via local WiFi. However, with email I am stuck trusting others, which in my case is Tuta.
 
Bigwaff

Bigwaff

Contributor
Sep 20, 2013
1,956
1,283
gregmac19 said:
I wondering how I can be certain if a secure email service is actually secure.
Click to expand...
Risking being snarky here but… there really is no way to be certain unless you install, set up, and run your own email server, which you can most certainly do. Otherwise, you’ll have to rely on reviews of email services from reputable sources.
 
BrianBaughn

BrianBaughn

macrumors G3
Feb 13, 2011
9,674
2,427
Baltimore, Maryland
  • Like
Reactions: Brian33 and chown33
chown33

chown33

Moderator
Staff member
Aug 9, 2009
10,767
8,468
A sea of green
Bigwaff said:
Risking being snarky here but… there really is no way to be certain unless you install, set up, and run your own email server, which you can most certainly do. Otherwise, you’ll have to rely on reviews of email services from reputable sources.
Click to expand...
Not only that, but you'd have to write all the software yourself. And that would only be trustworthy if you were an expert in security & cryptography. Here's a recent example of a public failure on that front:
arstechnica.com

Nothing’s iMessage app was a security catastrophe, taken down in 24 hours

Nothing promised end-to-end encryption, then stored texts publicly in plaintext.
arstechnica.com arstechnica.com

You'd also have to write your own compilers and other development tools, because "Reflections on Trusting Trust" is a thing.

Then you'd have to make sure that anyone you hire can't possibly be convinced into undertaking an insider attack. Every organization on the planet can have someone in it who can undermine security, even well-known organizations with lots of security experience:
www.npr.org

The Air National Guard disciplines 15 members in wake of Discord intel leak

The Air Force says it's disciplining 15 members following it's investigation of Jack Teixeira, an Air National Guardsman accused of classified leaks online.
www.npr.org www.npr.org

If this seems like it's heading down a rabbit-hole of twisty passages all different, it is. Welcome to the world of security development.
 
L

lx-is

macrumors newbie
Dec 17, 2023
3
5
I'm familiar with the referenced Tutanota story; it does not discredit the security of Tutanota. Any service could've been used in this case—Gmail, Proton, etc. I encourage you to read through Tutanota's blog post regarding this story.

gregmac19 said:
I wondering how I can be certain if a secure email service is actually secure.
Click to expand...
Email is inherently in insecure communication standard. Services like Tuta or Proton try their best to improve upon email by implementing end-to-end encryption where possible, but there are still inherit flaws. PrivacyGuides.org has a good article on the security of email, or perhaps lack there of.

That said, I don't think it's too difficult to trust the claims of secure email providers like Proton or Tuta. They're both open-source, which, alone is not a strong point of trust, but they are also regularly audited.

More importantly, they've stood the test of time. A 2021 story stirred similar conversation when Proton logged the IP address of a French activist as ordered by Swiss authorities. While many criticized Proton for this, I believe it showed the limited data Proton had access to on their users. A fair criticism was that Proton did not make it clear enough that they could log this if ultimately required to by authorities.

As for iCloud Mail, Advanced Data Protection does not extend to it, per the iCloud data security overview. Email end-to-end encryption is hard and likely not worthwhile for Apple to undertake.

If security and privacy is one's utmost priority, email simply isn't the way to go. Instant messengers like Signal offer multitudes greater protection. You have to ultimately trust an email provider's servers to encrypt your emails immediately and to immediately discard any non-encrypted copies. With Signal, for example, it's trustless; a compromised server would not compromise end-to-end encryption.
 
  • Like
Reactions: blotchy-veil, Brian33, gregmac19 and 1 other person
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom