diff options
Diffstat (limited to 'content/entry/using-email.md')
-rw-r--r-- | content/entry/using-email.md | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/content/entry/using-email.md b/content/entry/using-email.md index 85ea2b1..c19fd7a 100644 --- a/content/entry/using-email.md +++ b/content/entry/using-email.md @@ -27,12 +27,12 @@ The best alternative to self-hosting is to pick an email service provider wisely * Migration support ## Free Software -The first and most important requirement is that the email provider uses exclusively free software. This means their website and webmail portal do not require proprietary Javascript[3]. Javascript licenses should be included somewhere on the site or it should work without Javascript enabled. Also, all backend software should be free. In other words, if an email provider uses Mac or Windows to host the email server, it's as good as garbage and you shouldn't touch it with a ten foot pole. It should probably run on GNU/Linux or FreeBSD. Good email providers support IMAP and POP3 for accessing email. Those protocols allow you to access emails from your own email client[4] on any device. More on that later. Now onto security and privacy. +The first and most important requirement is that the email provider uses exclusively free software. This means their website and webmail portal do not require proprietary JavaScript[3]. JavaScript licenses should be included somewhere on the site or it should work without JavaScript enabled. Also, all backend software should be free. In other words, if an email provider uses Mac or Windows to host the email server, it's as good as garbage and you shouldn't touch it with a ten foot pole. It should probably run on GNU/Linux or FreeBSD. Good email providers support IMAP and POP3 for accessing email. Those protocols allow you to access emails from your own email client[4] on any device. More on that later. Now onto security and privacy. ## Privacy and Security The email provider should have a policy of not keeping logs. This brings me to my next and important point that the email provider needs to reside within a privacy-respecting country. The legal requirements for collecting logs and sharing user data are going to differ depending on which country it's in. Using an email provider based in the US or the UK is a very bad idea. Those countries don't have strong privacy considerations and your email data (and metadata) won't be safe. Email providers in those countries can't guarantee safety of your emails. You can get a lot of information about what data is collected just by actually reading the Terms of Service when you sign up. Don't use an email provider like Gmail, Outlook, or Yahoo that logs all your emails and sells them to advertisers. If it's in the Terms of Service that the service shares non-trivial data with third parties, then that email service is garbage and you shouldn't use it. In fact, good email providers will never share any data without a court order first. In order to take an email provider's claims of protecting your data seriously, the email provider should have a transparency report providing as much detail as is legal about what information they can be forced to turn over, when, and how often it actually happens. -Also, email providers can't share information about you they don't have. If the email service provider offers anonymous sign up (they don't request your name, address, phone number or other PII), this is a good sign. They should also offer anonymous payment mechanisms (cash or cryptocurrency). You should not provide personal information just to sign up for an email account. Any email service that requires you to probably doesn't care very much about your privacy. For security, your email provider should use two-factor authentication to prevent your account from being stolen. In your browser, check the email service's website for TLS 1.3. If the email service website doesn't support TLS 1.3, that's a bad sign. Check that they support DANE/TLSA. They should claim to encrypt the hard disks of the email server or the email accounts themselves to prohibit data theft. They shouldn't ever send any email data unencrypted. It should always use TLS. The email service should provide you with "inbound encryption". Inbound encryption means you can generate a keypair and provide the email service your public key to encrypt your emails with. This means the email service encrypts your emails, as they are received, on their servers with a key only you have access to. If your emails are later stolen or requested via court order, the service will only be able to provide encrypted versions of your emails unreadable to anyone except you. +Also, email providers can't share information about you they don't have. If the email service provider offers anonymous sign up (they don't request your name, address, phone number or other PII), this is a good sign. They should also offer anonymous payment mechanisms (cash or cryptocurrency). You should not provide personal information just to sign up for an email account. Any email service that requires you to probably doesn't care very much about your privacy. For security, your email provider should use two-factor authentication to prevent your account from being stolen. In your browser, check the email service's website for TLS 1.3. If the email service website doesn't support TLS 1.3, that's a bad sign. Check that they support DANE/TLSA. They should claim to encrypt the hard disks of the email server or the email accounts themselves to prohibit data theft. They shouldn't ever send any email data unencrypted. It should always use TLS. The email service should provide you with "inbound encryption". Inbound encryption means you can generate a key pair and provide the email service your public key to encrypt your emails with. This means the email service encrypts your emails, as they are received, on their servers with a key only you have access to. If your emails are later stolen or requested via court order, the service will only be able to provide encrypted versions of your emails unreadable to anyone except you. Another good sign is if the email service supports access over Tor. The webmail client should support access over Tor Browser. It shouldn't block tor connections. If it has an onion address, then the email service went through extra trouble for Tor support. As I said, email providers can't share information about you they don't have. If you connect over Tor, you are protecting your IP address. That means you don't have to trust the email service not to log your IP when you access email. @@ -42,7 +42,7 @@ I've gone over some of the technical details, but I haven't mentioned the busine Nothing I've mentioned gives you a 100% guarantee that the email provider is secure, will stay in operation, doesn't sell your data to advertisers, or is competent. But the more criteria that the email provider meets, the better the chances that it's a good one. At some point you have to say "Okay, this email service meets so many criteria of being ethical that it either actually operates ethically or is so good at faking it I could never hope to tell the difference anyway". Once you do enough research where you can confidently say that, then you should consider using it. There are other features email services provide that I haven't mentioned such as email aliasing and email storage space. Those depend heavily on how you use email and if I listed all possible features of an email service, I'd never finish this post. But I think I have covered some of the key features to look for when choosing an email service. # Using an Email Client -The most common way by far to access email nowadays is using webmail which is a shame. Webmail is when you access your email account in the browser. Remember that email predates the web, so it doesn't rely on the web at all. It's just that people have been spoiled by web apps and never need to leave the browser environment any more. Using an email client, also known as a user agent, is a more satisfying way to use email. It provides functionality such as easy account navigation, email filtering, email flagging, calendaring, contacts, and more. Webmail also provides the same features, but often requires running proprietary Javascript to accomplish the same tasks. Using an email client gives you a single, unified user experience that you can customize to your liking for all email accounts, even if the accounts are on different email services. Using an email client empowers you to use inbound encryption, managing your encryption keys yourself. I just want to quickly mention that Protonmail[5] requires installing a proprietary bridge application[6] for IMAP and SMTP support. If you want to use Protonmail with your own email client, you'll have to install their software. I'm not trying to pick on them in particular. I just want to point out it's more secure to use email clients that work for any email provider, not client programs that the specific email service has homebrewed even if they are free software programs. Individualized email clients and client-related programs likely have less code review and less scrutiny which means you're less secure using them. Some good email clients are Thunderbird[7], Evolution[8] or Mutt[9] if you prefer a terminal. Microsoft Outlook[10] is common, but it is proprietary. Don't use it. +The most common way by far to access email nowadays is using webmail which is a shame. Webmail is when you access your email account in the browser. Remember that email predates the web, so it doesn't rely on the web at all. It's just that people have been spoiled by web apps and never need to leave the browser environment any more. Using an email client, also known as a user agent, is a more satisfying way to use email. It provides functionality such as easy account navigation, email filtering, email flagging, calendaring, contacts, and more. Webmail also provides the same features, but often requires running proprietary JavaScript to accomplish the same tasks. Using an email client gives you a single, unified user experience that you can customize to your liking for all email accounts, even if the accounts are on different email services. Using an email client empowers you to use inbound encryption, managing your encryption keys yourself. I just want to quickly mention that Protonmail[5] requires installing a proprietary bridge application[6] for IMAP and SMTP support. If you want to use Protonmail with your own email client, you'll have to install their software. I'm not trying to pick on them in particular. I just want to point out it's more secure to use email clients that work for any email provider, not client programs that the specific email service has home-brewed even if they are free software programs. Individualized email clients and client-related programs likely have less code review and less scrutiny which means you're less secure using them. Some good email clients are Thunderbird[7], Evolution[8] or Mutt[9] if you prefer a terminal. Microsoft Outlook[10] is common, but it is proprietary. Don't use it. ## POP3 Since most email users have been totally spoiled by the web, they have never heard the terms POP3 and IMAP. When you use an email client, you will have a choice of which protocol you prefer. POP stands for Post Office Protocol. The first version of POP was created in 1984. POP3 fetches emails from the remote email server, then deletes them from the server. It can be configured not to do that, but that's its main benefit. If you only check email from a single device and you don't want your emails hanging around on someone else's computer, then POP is the way to go. Sent emails are stored in the client you sent them. Deleted emails are only deleted in the client you deleted them in. So POP is not a good protocol if you are using multiple devices to check email. It doesn't try to sync across devices. POP is also good to use if you have very little space allocated to you on the remote server, but you regularly send and receive large email attachments. @@ -51,7 +51,7 @@ Since most email users have been totally spoiled by the web, they have never hea IMAP stands for Internet Messaging Access Protocol. It was created in 1986. IMAP makes use of the remote email server. All messages are stored on the remote server. When you delete an email, it is deleted on the server. When you send an email, it is stored on the server. When you read an email, the server marks it as read. If you switch devices, your email inbox will look the same. It has a consistent experience across multiple devices. This is probably what you want to use most of the time. # Email Use Cases -Even if you follow this guide on picking an email service and you use an email client and use 2-factor authentication and inbound encrypt all your emails and use POP3, it's likely that your correspondents are using Gmail, Outlook and Yahoo. Even though you could have the most secure email setup short of self-hosting, everyone you email is still using proprietary Javascript with no 2FA unencrypted webmail with every email being parsed and sold to advertisers and mass surveilled. My point is don't use email for personal correspondence. The fact is email is just an old insecure protocol. It doesn't even use end to end encryption because it comes from a different era. You can use PGP to encrypt your emails, but it has so many problems[11] that I can't recommend it for regular use. Almost no one uses it, it's difficult to use, and has many downsides. If you have to use email for personal or business correspondence, use PGP to encrypt. But the best advice I can give is just to avoid using email. +Even if you follow this guide on picking an email service and you use an email client and use 2-factor authentication and inbound encrypt all your emails and use POP3, it's likely that your correspondents are using Gmail, Outlook and Yahoo. Even though you could have the most secure email setup short of self-hosting, everyone you email is still using proprietary JavaScript with no 2FA unencrypted webmail with every email being parsed and sold to advertisers and mass surveilled. My point is don't use email for personal correspondence. The fact is email is just an old insecure protocol. It doesn't even use end to end encryption because it comes from a different era. You can use PGP to encrypt your emails, but it has so many problems[11] that I can't recommend it for regular use. Almost no one uses it, it's difficult to use, and has many downsides. If you have to use email for personal or business correspondence, use PGP to encrypt. But the best advice I can give is just to avoid using email. ## Email Privacy The best time to use email is when it's required. When you're signing up for a website that requires email for instance. You don't have to only have 1 email account either. I use several email aliases depending on the purpose. You can use different email accounts for every service you sign up for if you want. There's throwaway email accounts available if you need to send or receive email quickly and then ditch the account. I wouldn't recommend using email for receiving newsletters or information that you have another way of accessing. I might make another post talking about RSS, but it's basically a web feed. RSS readers can pull content from all the websites that support RSS that you're interested in without you actually visiting those sites. It's a similar experience to using an email client, but with less of a digital footprint. With email, your email server has a record of which feeds you are subscribed to. With RSS, there is no "account". No digital footprint showing you subscribed to that feed is necessarily created. If you anonymize RSS over Tor, then even a passive adversary like your ISP will have a hard time figuring out which news feeds you read. Even if you just visit the news site directly, that's still arguably better for your privacy in terms of minimizing your digital footprint. @@ -62,7 +62,7 @@ In summary, the most privacy-preserving way to use email is to avoid using email If and how you segregate out your email accounts is up to you. This is just an optional extra step you can take. Using multiple email accounts doesn't always make your emails more private or your accounts more secure. It just improves "unlinkability". A common example of this is having a personal email and a work email. Keeping your personal life and your work life separate is important for many people. You wouldn't want your workplace to know all the services you're signed up for and you wouldn't want to be receiving work emails on your personal email account. # Motivation -Those are my tips for getting the most out of email. It's a lot of information to take in, but I wanted to be thorough. My motivation for writing this post as I said in the beginning was seeing the way most people use email. Until we have a widespread protocol that supercedes email, we should at least get the most out of it. And the way most people are using email right now is the absolute worst way to use it. There's a lot of things in computing that aren't harder to do a different way, it's just that people haven't been shown the better way of doing things. Most people don't know anything beyond webmail despite the fact that email predates the web. I wrote this post to promote my preferred way of using email. I hope you have found it useful. +Those are my tips for getting the most out of email. It's a lot of information to take in, but I wanted to be thorough. My motivation for writing this post as I said in the beginning was seeing the way most people use email. Until we have a widespread protocol that supersedes email, we should at least get the most out of it. And the way most people are using email right now is the absolute worst way to use it. There's a lot of things in computing that aren't harder to do a different way, it's just that people haven't been shown the better way of doing things. Most people don't know anything beyond webmail despite the fact that email predates the web. I wrote this post to promote my preferred way of using email. I hope you have found it useful. Link(s): |