Episode 20: How to Lock Down Your Email
Rethinking Email for Privacy and Security
|David Koff||Oct 23, 2019|
There’s one technology we all use that’s not really evolved since the 1960s: electronic mail or… email. Email was born before the Internet, making it nearly 60 years old. Originally, the technology was intended for a small number of users to communicate with each other on a shared Unix mainframe (a giant computer with 50-100 user accounts) and with other mainframe computers in other locations. For that specific purpose at that specific time, email was great! But the 1960s were a different time and very few people had access to a Unix mainframe computer to send one another electronic mail.
The Latest Info
60 years later and it’s astounding to see what’s happened to humble email. Despite newer messaging technology like texting, social media, Slack and even video chatting, email is not only still going strong, it’s actually thriving. In 2017, 296 billion emails were sent on average… per day.
This is nothing short of miraculous and highly questionable because email isn’t very safe, very private or very convenient. Let’s take a look at the most glaring vulnerabilities of email and offer a few solutions to help reduce or eliminate them.
Vulnerability #1: One-Factor Authentication
“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” — White House Cybersecurity Advisor, Richard Clarke
By default, all it takes to gain access to your email is a username and password, something tech professionals refer to as “one-factor authentication”. One-factor authentication doesn’t present much of a challenge to a clever and malicious hacker, so ask yourself: what legal, medical or financial information would be available with access to your email? Worse, what damage could be inflicted upon you, your friends, your family, and your business partners with such access? Ask Mat Honan: a popular writer for such publications as WIRED, Honan was famously hacked in 2012 and saw his Gmail, Twitter and iCloud accounts all get hijacked, defamed and then outright destroyed. While that sucked for Mat, it was almost 100% preventable. Let’s take a look at how…
How to Prevent It:
Solution #1: Implement two or more factors of authentication. One of the simplest ways to help protect against one-factor authentication is to require everyone, including you, to pass through multiple security checkpoints to gain access to your email. While this adds an extra 5–10 seconds of time to your login process, it may save you lost weeks or even months of damage control due to a malicious hack. The rationale behind using multi-factor authentication is sensible: if your email credentials were stolen, any malicious hacker would still be forced to provide a second (or third) challenge to gain access to your email. That simple fact stops most hacks dead in their tracks. Fortunately, the most popular webmail services offer the use of two-factor authentication and help pages to learn how to activate them.
Pro tip: I highly recommend using the free app “Authy” on your iOS and Android devices. It allows TouchID/FaceID confirmation on newer iPhones, stores encrypted backups of your data and allows your two-factor authentication (also known as “2FA”) codes to be shared across a number of devices. That makes it an ideal tool for individuals, families or small businesses who may use different iOS and Android devices to generate challenge codes.
Time Required to Implement:
If you’re not familiar with 2FA, I’d leave an hour of time to download Authy, set up the app on your smart devices and then step through the process of linking your webmail (and other sensitive) accounts. Authy provides easy-to-follow guides on how to set up two-factor authentication on many popular websites and services. I use Authy to safeguard my Dropbox, Twitter, Amazon & Facebook accounts because I NEVER want those accounts hacked.
Vulnerability #2: Sending Data Via Clear Text
“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.” — Bruce Schneier
If we assume that we’re always at risk when working online (and we should!), then sending email (or any text via the internet) is a very risky proposition. That’s primarily because — by default — email is sent in clear text, a format that’s not encrypted. That makes the content of your messages very easy to read by curious or malicious individuals that work for your ISP or for your company IT team. It also makes it possible to view and capture your email address so that whoever intercepts the message also knows who sent it.
How to Prevent It:
Solution #1: Protect your general surfing by using a commercial VPN. Corporations have been using virtual private networks (or VPNs) for years because the software ensures that all network data is encrypted. Individuals can purchase and use VPN services as well, usually for about $60-$70/year. It’s a powerful tool if you can afford it. Here’s why: even if you and a would-be hacker were on the same public WiFi network, your data would be encrypted by using a VPN and thus rendered nearly inaccessible. I’ve written in-depth about how to pick the very best VPN service to protect your data and your privacy. There is only a small group of VPN providers that work hard to protect you. For that reason, I’m a fan of the following five VPN programs:
NordVPN, headquartered in Panama
SaferVPN, headquartered in Israel
Cactus VPN, headquartered in Moldova
Hide.me, headquartered in Malaysia
BlackVPN headquartered in Hong Kong
Solution #2: Protect your email by using either PGP or Proton Mail. PGP, which stands for “pretty good privacy”, is one of the oldest, best and safest tools available for encrypting your email. Emails encrypted with PGP can’t be read by anyone, except for you and your intended recipient(s). So, if you dislike Google, Yahoo, Outlook, and other email providers from having the ability to access and reading your email — and they do! — then encrypting your emails is a simple and smart way to prevent anyone from snooping on your communications. PGP has only two obstacles:
If you send emails encrypted with PGP, then all of your recipients will also need to set up and install PGP as well.
PGP can be challenging to set up and install for the average person, even with easy-to-follow guidelines like these.
For a simpler way to implement PGP, just use ProtonMail. The service is a free and easy-to-use webmail client that implements PGP automatically in the background. Nice touch… Even better, there’s no set up needed: if you already use Gmail, Yahoo, or Outlook, you’ll know how to use ProtonMail. There’s only one requirement: if you send emails encrypted with ProtonMail’s version of PGP, then all of your recipients will also need to have a free or paid ProtonMail account as well.
Solution #3: Protect being tracked online by using the Brave web browser. This amazing and free browser helps eliminate trackers, most intrusive ads, and forces users to only surf to secured (or https) websites. It’s available for macOS, Linux, Windows, Android and iOS, so there’s no reason not to use it.
Time Required to Implement:
Downloading, enabling and configuring good VPN software should only take 15min of time. Downloading and using the Brave web browser only takes 5min. Setting up a free ProtonMail account takes 5-10min. PGP setup can take 30-60min.
Vulnerability #3: Transmission, One-Factor Receiving & “Eternal” Email
“If privacy is outlawed, only outlaws will have privacy.” — Philip Zimmermann
I’ve grouped these vulnerabilities together because they form some of the core concepts around which email is built. But what if those core concepts could be challenged or changed?!?
Email requires transmitting your message from point A to point B. Does it though? For those who believe that sending encrypted data isn’t safe enough, suppose we re-designed this core functionality of email to halt the transmission of data? This raises an obvious question: if there’s no transmission of data, then how would our emails get sent? The short answer: they wouldn’t be sent. #MindBlown
We can’t force our email recipients to also use two-factor authentication. If we can’t be 100% certain that all of our recipients are protecting our data, then we can’t be 100% certain that our data is safe. But what if we could force our recipients to have and use multi-factor authentication?
We have no control over how long our messages last on other people’s servers. With the amount of space that free webmail providers like Google, Yahoo and Microsoft offer, there’s hardly a need to ever throw emails away. Therefore, even if we’re diligent about deleting all sensitive messages from our own servers, we can’t force others to do the same. But what if we could prevent sensitive messages from being stored on other servers in the first place?
So if you’re curious about how in the world any of this is possible - and you should be - keep reading…
How to Prevent It:
Solution #1: Force recipients to use a password in order to view email. InfoEncrypt is a clever and free service that allows you to send encrypted emails that don’t pass through their servers. Additionally, you’re required to provide a password to both encrypt and decrypt your message. Provide this password to your intended recipient(s) and you’ve got a reasonably secure and easy method of forcing two-factor authentication upon your recipients.
To use InfoCrypt, head to their website and type your message. Enter your password & confirm it in the spaces provided. When ready, click the “Encrypt” button as shown here. You’ll see your message encrypted a few moments later.
If you like, you can now copy/paste and send this encrypted message via any normal method - email, text, etc. - and know that snooping eyes won’t be able to view your note. All that’s left is for you to give the password to your recipients (via some method other than email, of course) for them to view and read the message intended for them. Magic! One neat, new feature: just send a link to your message instead!
Solution #2: Just use ProtonMail. There’s a reason that ProtonMail gets my highest recommendation as the ultimate email solution. Designed by scientists at CERN and MIT, the system is thought to be NSA-proof:
it’s kept on servers in Switzerland, who - as a country - maintains far stricter privacy laws than those of the US
all servers are located in a secure vault 1000 meters under the rock, making them near impossible for malicious actors to access physically
it offers groundbreaking security features in its free tier such as automatic PGP encryption between ProtonMail users, expiring messages, and the ability to send encrypted messages to people off the system
Initially, ProtonMail looks just like any other webmail interface. But once you’ve logged in, you’re prompted for a second password that decrypts your account. If you include two-factor authentication using Authy (and you should), that’s three-factors: quite secure.
ProtonMail is just as easy to navigate and use as any other webmail service. By default, messages from one ProtonMail user to another are encrypted with a version of PGP: zero set up is required. That’s pretty incredible. However, you can also encrypt messages to anyone outside the ProtonMail system. This function works similarly to how InfoEncrypt works, but is more seamless because it’s built right into the system. You’ll still need to choose an encryption/decryption password for your message but ProtonMail allows you to include a hint for that password when your notification is delivered! #WayConvenient Recipients don’t receive your email, but rather a link to view that email on ProtonMail’s servers, encrypted to everyone who doesn’t possess the password.
Finally, ProtonMail allows you to set an expiration time on the message. This tool ensures that only the intended can view messages you want only them to see. By default, ProtonMail messages don’t expire. If you choose to leverage this amazing tool, the longest expiration you can set is for four weeks. I personally set sensitive messages to 2 hours or less. Occasionally, someone misses that window of opportunity. That’s fine: I’d rather be safe than sorry when it comes to very sensitive communication, so I’m always willing to resend. It’s worth the peace-of-mind.
Time Required to Implement:
In brief, here are the tools to help you fix the most common email and data communication problems:
Secure your email accounts by implementing two or more factors of authentication. Do this by using the free Authy app on your iOS or Android device to manage your authenticator codes.
Use PGP or ProtonMail to encrypt your email communications
Purchase and use a commercial VPN to help encrypt all of your day-to-day internet surfing. Choose a worthy VPN company that protects your privacy and security.
Install and use the free Brave Web browser on all of your computers and smart devices to
Use InfoEncrypt for free to encrypt and password protect emails that you can send in any common email program.
Use ProtonMail for free to combine sending links, forcing the use of a password to view your emails and expiring messages in one powerful tool.
And that’s a wrap for today’s episode, everyone. Thank you again, for reading and being a subscriber. Let me know your thoughts in the comments section or by email.
As always… surf safe.
Click here for my guide on how to choose a privacy-focused VPN.
If you’re looking to set up a VERY secure iPhone, click here.
For a super cool way to NOT give your personal email address to everyone, click here.
Click here for a crash course on how to keep your devices updated.