Comparison of ciphermail
A big shock for everyone was the revelations of the creator of Lavabit, Ladar Levinson - about how he was forced to disclose the correspondence of all users of his service. He closed the service in order not to do this (although he seemed to obey orders to disclose the correspondence of individual users before). An interesting detail of this event was that the owner was explicitly forbidden to report the order in any way (the so-called gag order, order of silence).
But a holy place is never empty - with the closure of Lavabit, work began on other encrypted mails. This review is about projects that have already started in this area.
For starters - a little cold water on a hot head. All services from the review load the code for encryption (most often - openpgp.min.js) in javascript, that is, on the fly, when you open the mail page. This allows, in case someone gets control on the service / server / path to the server, slip a code in your browser instead of or together with the encryption library to intercept your password.
All services in the review are in beta.
Protonmail
A project that raised a round start-up sum at indiegogo. The project code is currently closed (disclosure in plans). The service itself in the initial stage - gives access only as capacity grows. The service requires two passwords - one for login and authentication (you can reset it if you forget), the other - to decrypt your data. The service itself does not know the second password, and changing it will not work without losing all the data. Openpgp.min.js is used, although minimized, but without obfuscation, so you can always check whether everything is correct. Another thing is that you are unlikely to check constantly. Encryption is built on AES-256 and RSA-2048.
The set of functions is quite wide (in addition to the standard mail features). You can send an encrypted message as part of the service. You can send an encrypted message to another person outside the service - then just a notification and a link to the message that opens after entering the password will come to his mail. He needs to somehow inform the password again. And another important opportunity is to configure the destruction timer in the message - then after a certain time it will be impossible to read it.
Of the standard features, there is no way to create folders or categories for messages. Current restrictions - 500 MB of space, 1000 messages per month. In the future, it is planned to take money for exceeding the quota. Servers are located in Switzerland. There is legislation on the receipt of data, however, the creators of the service believe that it can only be applied publicly, through the courts. However, it is alarming that the transparency page has not been updated since November.
Scryptmail
A service from the USA that is actively applying the practice of a “ warrant canary ” to counter the silence warrant. It is also interesting that the source code of the service is open . Judging by them, the development is based on the Yii framework.
Unlike protonmail, access to the mailbox is given immediately after registration. When creating an account, only one password will be asked. After that they will offer to download a token, which will restore access to the account, but will not save from the loss of its data. In the options, you can enable two-step authentication, as in protonmail. Encryption functions are mainly set by the cryptojs and forge libraries, and not even minimized ones.
The possibilities of working with encryption keys are somewhat wider than that of Protonmail. You can reset the password only with the help of a special token, and not by mail, as in protonmail. You can also save or vice versa download RSA public and private keys that are used in message encryption. AES-256 encryption. The bitness of RSA keys is set by payment - the more you pay, the greater the bitness, from 1024 for free to 4096.
Functionally, this service is on par with protonmail. An interesting feature is temporary (disposable) addresses. There can be three of them in a free account at the same time. You can reset any of them at any time. However, they can only be used to receive letters, not send them. Of course, as part of the service, all letters are protected, and the fact of correspondence is also protected - no one will know who you wrote to and when. As well as protonmail, it is possible to send a secure message outside the service. True, it will be available only 14 days - here the protonmail option is required. There is also the so-called SafeBox - for secure storage of the keepas password database.
Folders for messages are available, standard functions are implemented in full. The service has a configurable sleep timer when there is no activity. The servers are located in the USA, and in general the service lives in the jurisdiction of the USA. It is in the United States that the topic of privacy is now actively moving forward because of Snowden. U.S. privacy laws may be reformed. So far, the shadow of the Snowden scandal certainly puts pressure on the service. A limit of 1000 messages and a protonmail-like business model are present here.
Tutanota
Similar service from Germany. Its source code is also open . An important advantage is its presence on mobile devices ( IOS , Android ) - thus, there is some guarantee that javascript will not be replaced. An interesting feature is the use of only one password. When creating an account, the password “salts”, is passed through a hash (bcrypt), after which it also encrypts the key pair created immediately. The disadvantage of this approach is the inability to reset the password - all that remains is to register a new account.
So far, metadata - the very fact of correspondence - is not encrypted. The encryption itself takes place using the AES-128 and RSA-2048 algorithms. The basic capabilities of the service lose to all of its competitors. How long have you been using mail without the ability to save a draft document? Tutanota has three folders - inbox, sent, and trash. You can communicate with users of the service and with external users with encrypted messages.
Free account limit is 1Gb. Servers are located in Germany. According to the creators of the service, this jurisdiction is even better than Switzerland. The business model of the service is providing a plug-in for Outlook and corporate mail in general. Also, the service was examined (pentest) by specialists .
General impressions
The most complete service at the moment is Scryptmail. If your jurisdiction (USA) does not bother you, then you can start using it. The most promising is tutanota - all the same, the only password and the availability of applications captivates with convenience. Protonmail is suitable for those for whom the United States, for various reasons, looks compromised, but does not want to wait for tutanota.
And most importantly - before you register your mail, think about it - do you need it?
PS On the way still lavaboom , there is still unseen.is with a very interesting jurisdiction - Iceland. It also has encryption, but it is not there as ubiquitous as in the services described above. And there is of course Mailpile and i2p or tor mail, but all these tools are much more complicated and less accessible to ordinary users.