Email Threat Models

Email Threat Modeling DIY Encrypted Email

In a continuation of my series on threat modeling, this post will address email threat modeling specifically.  Selecting an email provider (or set of email providers) can be difficult if privacy and security are your chief concerns.  Gmail is abysmal when it comes to privacy, but even paid providers struggle to match its security.  Selecting an email provider for sensitive communications should be done based on your threat model(s), and you may end up maintaining several accounts for different purposes.  It is my hope that these threat models will provide some clarity into what threat(s) each email provider defends you against.  I also hope this helps you choose a setup that you are comfortable with.

Tier 3.1 – Hotmail/Yahoo!/GMX:  The free, mainstream providers are at the lowest tier of my threat model.  Though incredibly popular, these providers offer sub-standard security.  They also scrape and sell your data aggressively.  I would hesitate to use these providers under any circumstances.

  • Use if: you need a misattributed email that will send or receive no sensitive content.  I may occasionally use an account of this nature as a “throwaway” for signing up for online accounts that are neither sensitive nor mission critical.
  • Do NOT use if:  you value privacy or security.

Tier 3 – Gmail:  I place Gmail slightly higher on the threat model spectrum.  The reason is that Gmail does offer excellent security. I have mentioned this in both the Windows and iOS books.  Gmail lets you use long passwords, two-factor authentication, and closely monitors logins and login attempts.  Gmail is also the most common email provider in the US.  This lets you hide in the noise and keeps you safe from hackers and some foreign governments.  However, Gmail also aggressively markets your data and is necessarily compliant with US law enforcement and intelligence community demands.

  • Use if: you need strong security but do not care about privacy, or for the throwaway purposes mentioned under Tier 3.1.  Also, consider Gmail in specific circumstances (see Tier 0).
  • Do not use if:  you value privacy or your threat is the US government.

Tier 2 – FastMail/Kolab/Riseup: Email providers in this tier offer excellent privacy.  Your emails are stored in an encrypted format and never scraped for marketing data.  Providers in this tier offer decent security, though none (that I have found) is quite as good as Gmail’s.  I like and have personally used FastMail, Kolab, and Riseup.  However, all of these providers stand out from the herd and should not be used for sensitive communications or if you are attempting to keep a low profile.

  • Use if: the privacy of your communications is very important.  Use for business communications where the vast majority will be unencrypted, anyway.
  • Do not use if:  There is little reason not to use these providers, especially the ones that offer two-factor authentication.

Tier 1 – Mailvelope/ProtonMail/Tutanota:  It’s no secret that I am a fan of ProtonMail. Among those who know me, it is equally clear that I am not a fan of ProtonMail when working against certain adversaries.  As ProtonMail says in their own threat model statement, if you are the next Edward Snowden, ProtonMail is probably not the best choice for you.  Why not?  Most importantly, because your traffic looks different.  When your traffic looks different than the overwhelming majority of traffic it is easily targeted.  It is easy to find in a “red-Corvette-on-a-highway-full-of-brown-pickups” kind of way.  It stands out.  So what is ProtonMail good for?  I use ProtonMail when there is no special threat against me.  It defeats mass surveillance.  Effort has to be made to either decrypt my traffic OR get an implant on my machine that can read my messages.  I have no defense against this, but it will cost my adversary time and money to read messages.  ProtonMail also protects me very well from corporate surveillance.  They don’t scrape my email and don’t sell data about me to third parties.  This is obviously defeated if I send a message to a Gmail, Hotmail, or Yahoo user.  ProtonMail also does not protect my metadata.  Tutanota and Mailvelope share comparable threat models with ProtonMail.  I have written about Tutanota before on the blog, and Mailvelope in the Windows book.


  • Use if: privacy is important to you but you are under no specific threat.  These providers are excellent for your personal/non-operational communications.
  • Do not use if: your threat model indicates a Category III or IV attacker, or if this would unacceptably elevate your profile.

Tier 0 – Tier 2 or Tier 3 provider (e.g., Gmail) with PGP:  If I believe I am targeted for collection I have no doubt that my ProtonMail communications could still be exploited.  I don’t think ProtonMail’s PGP implementation is faulty, but an adversary with sufficient sophistication could exploit the scripts that display the messages in my browser.  This is a big problem with any in-browser crypto.  As a result, I wouldn’t use ProtonMail for extraordinarily sensitive communications, i.e. those upon which my life or liberty depended. Instead I would revert to “old school” manual PGP encryption.  This form of crypto, while somewhat intimidating to initially set up, is by far the most secure.

First, it provides two strong layers of encryption: your traffic is encrypted through your HTTPS connection to and from the provider’s server.  If you are in a hostile country this means anyone inspecting your packets will only see TLS-encrypted data.  They also won’t be able to tell that your data is encrypted with a second layer of PGP encryption, making it less alerting. However, if the TLS encryption is compromised you really need that second, very strong layer.  This is the best of both worlds: your traffic looks totally normal and non-alerting, but is strongly encrypted.  This is also better than using a service like ProtonMail because your messages are not encrypted in your internet browser.  Instead they are stored and encrypted locally through a mail client like Thunderbird. For the actual email account, I recommend using a Tier 2 or 3 provider.  Using a Tier 2 provider has the advantage of protecting your traffic from scraping and data-mining.  However, it may be slightly more alerting than a Tier 3 provider like Gmail.
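To make the two layers concrete, here is an added example (not code from the original post) that shows what the provider, or anyone who has stripped the TLS layer, can read from a locally PGP-encrypted message: the body is opaque, but the From, To, Subject and Date headers remain in the clear. The message is a constructed PGP/MIME (RFC 3156) sample with a placeholder armored blob, not real OpenPGP output.

```python
"""Added example: what a PGP/MIME message looks like to the email provider
(or to anyone who has broken the TLS layer). Only the body is PGP-protected;
the From/To/Subject/Date headers stay readable. Constructed sample, not real
OpenPGP ciphertext, and not code from the original post."""
from email import message_from_string, policy

# Constructed sample: an RFC 3156 multipart/encrypted message as the provider
# stores it once the TLS connection from the mail client has been terminated.
SAMPLE_MESSAGE = """\
From: alice@example.org
To: bob@example.net
Subject: Meeting location
Date: Wed, 18 May 2016 09:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

Q09OU1RSVUNURUQtU0FNUExFLU5PVC1SRUFMLUNJUEhFUlRFWFQ=
=AbCd
-----END PGP MESSAGE-----
--b1--
"""

CLEARTEXT_HEADERS = ("From", "To", "Cc", "Subject", "Date")
ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"


def provider_view(raw: str) -> dict:
    """Report the metadata readable without the PGP key, whether the message
    is PGP/MIME (RFC 3156), and whether any body part carries PGP armor
    (covers inline-PGP text/plain bodies as well as PGP/MIME)."""
    msg = message_from_string(raw, policy=policy.default)
    visible = {h: str(msg[h]) for h in CLEARTEXT_HEADERS if msg[h] is not None}
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    body_armored = False
    for part in (msg.iter_parts() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("application/octet-stream", "text/plain"):
            text = part.get_payload(decode=True).decode("ascii", "replace")
            body_armored = body_armored or ARMOR_HEADER in text
    return {"headers": visible, "pgp_mime": pgp_mime, "body_armored": body_armored}
```

The returned headers are exactly what the provider can still scrape or hand over; only the body requires the recipient's private key.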

This is the crypto that I have complained about in the past as being too difficult to implement.  Even though it has gotten vastly easier in recent years it is still somewhat tricky, but I would be remiss not to discuss it.  Beginning Wednesday, May 18 I will be posting a twice-per-week, bite-sized tutorial on using manual PGP.

  • Use if: privacy is important to you but you are under no specific threat.
  • Do not use if:

Learn it.  Live it.  Love it.

If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.
