
PG - Secure Mail Takes Professionalism - Jeremy Brown & Ms. Cheryl Biswas

BSides Las Vegas · 29:49 · 66 views · Published 2021-08
About this talk
PG - Secure Mail Takes Professionalism - Jeremy Brown & Ms. Cheryl Biswas. Proving Ground, BSidesLV 2021 - Camp Stay At Home - August 1. Video Tags: bslv2021-pg-i_wish_google_email_security-1036352
Transcript [en]

Hey everybody, it's Guy McDoodfellow, co-chair of the BSides Las Vegas Proving Ground track. Our next talk is entitled "I Wish Google Could Just Not Be Evil: A Security-Based Comparison of Major and Not-So-Major Email Providers" by Jeremy Brown, who was mentored by Cheryl Biswas.

Hello and welcome to my presentation, "Secure Mail Takes Professionalism: A Security Meta-Comparison of Notable Email Providers." Jim Wang said it best: your email address is the center of your digital life. From shopping to social media, cord cutting to crowdfunding, Allstate to OnlyFans, the modern internet collapses without a platform-independent communication hub. Since email is of such critical importance, isn't it fundamental that we never lose possession of our email accounts, lest we fall to ruin? We have put our digital eggs in one basket; now, as Andrew Carnegie once said, we must watch that basket.

There are hundreds of commercial email providers on the internet, many boasting about their commitment to their customers' privacy and security, but marketing copy doesn't amount to much when the Ministry of State Security starts poking around. So how's the average netizen supposed to differentiate between who is and isn't full of hot air? I discovered the difficulty of answering this question while searching for a new email provider last year. After reading one too many articles on my Android phone about the tricks Google uses to access user data, I was fed up. "I cannot remain in this ecosystem," I said to myself, switching from the Chrome app to the Gmail app to tell my local group of infosec nerds more information we kind of knew already. Switching to Firefox was easy, and migrating to iOS was also painless, but email wasn't so simple. Finding a new host for my most precious digital asset required weeks of research, ultimately resulting in this presentation.

While conducting my research, I realized the most important category for measuring security is operational competence: the quality of their infrastructure, the maturity of their processes, etc. But finding publicly available information on operational competence is nigh impossible. It's not like companies will brag about their ten-year-old servers that have never seen a Spectre update. This realization was demoralizing, until I stopped thinking like a computer scientist and started thinking like an actual scientist, at which point the path forward was obvious: if I can't directly measure operational competence, I'll just have to measure what's most likely affected by operational competence and hope for the best. In the end I settled on four categories I believe cover most security-related concerns, and price, to normalize the comparison between providers. I decided to use the Homeland Security Advisory System. To keep this presentation under three hours, I limited my comparison to the largest providers and the most notable privacy-focused providers, with a bone thrown in for the masochists who self-host their email.

Beginning with Google. The first category is legal jurisdiction, which covers intelligence-sharing agreements and the laws of the country or region where data would be stored. And while I did make an effort to consider other people's situations, my analyses in this category will be from the viewpoint of a U.S. citizen residing in the U.S.; your mileage may vary. Google offers email hosting as part of their cloud services product, which has changed its name twice since I started the slides for this presentation, so I'll call it Google Apps. Google gives customers the option to store their data either entirely in the U.S., entirely in the EU, or anywhere Google chooses. Unsurprisingly, data stored in the U.S. can be retrieved through normal means, such as orders from secret courts, but with the passage of the CLOUD Act, foreign governments are now able to demand data from U.S. companies with court orders that haven't been naturalized using a mutual legal assistance treaty, or MLAT. As I am a U.S. citizen residing in the U.S., the Act states foreign governments should not be able to obtain my data through a CLOUD Act request, but that's a pinky swear more than anything. Looking internationally, like any respectable tax-dodging multinational corporation, Google's EU headquarters is in Ireland, and Irish laws may come into play, but Google has data centers throughout the EU and you should generally expect the GDPR to apply to data stored in the EU, with an asterisk for assorted CLOUD Act shenanigans. I want to say storing data in the U.S. is no worse than any other privacy-respecting country, but I don't believe I can do so as long as the CLOUD Act is in force.

Next is security-related features, which covers things that we generally consider, such as two-factor authentication, or 2FA, decent spam and phishing detection, and a sufficiently robust account recovery workflow. To nobody's surprise, Google has a strong showing, with support for 2FA using industry-standard one-time password codes and Universal Second Factor dongles. The paranoid among us may appreciate the Advanced Protection Program, but since successfully contacting Google support is NP-complete, the basic account recovery flow is likely sufficient for most: if social engineers can't get customer support on the phone, they can't steal your account from under you. I hear a lot of gripes about Google's spam detection, but since I receive a thankfully small amount of email, I've never really experienced an issue.

Security-adjacent features is where the categories become a bit more subjective, but I believe these features offer true benefit to security. Google Apps has native support for a catch-all address, a lifesaver when you want to discover who might be reselling your information. Sometimes you need to reply from an address originally considered one-way, requiring the ability to use an alias; Google Apps allows 30 active aliases for each user. Lastly, Google Apps includes access to Google's Office replacement. This may be the most controversial security-related feature, but I think it's the most important: ransomware is the largest threat to computing today, and macro-laden documents are the most common method of ransomware infection, so documents handled in the cloud aren't documents that can spread ransomware on a local network.

Legal resilience is another high-subjectivity category that might attempt to answer the question: how hard will a provider fight for its users? This category consists of all the news articles and court documents I could find showing the provider fighting assorted court orders. I couldn't find that many instances of Google fighting court orders, but the ones I could find were substantial, so I feel comfortable saying Google won't immediately roll over upon receipt of a subpoena.

Lastly is price, which I don't assign much weight to, since most everyone watching this is overpaid. At the time of this presentation, Google charges $6 per user per month for the bottom tier of Google Apps, so for a baseline template of one user as a primary account and one user to hold catch-all emails, expect to spend $144 per year. If the standard two-month discount for annual prepayment is available, the price drops to $120 per year.

After Google is the other 800-pound gorilla of email, Microsoft. Microsoft allows customers to store their data entirely in the U.S. like Google, with similar legal consequences. Internationally, Microsoft also allows customers to store their data either entirely inside Germany or entirely inside France, as well as storing it inside the EU generally. France and Germany are both part of the SIGINT Seniors of Europe, more commonly known as 14 Eyes, but France is part of the more exclusive group known as Nine Eyes. As a member of the EU, data stored in Germany is covered by the GDPR, but Germany has its own data protection law conferring additional rights for data owners and additional responsibilities for processors. All of Google's jurisdictional issues are present with Microsoft, so they get the same rating.

Microsoft's implementation of security-related features exhibits the differences between an old tech company and an older tech company. Microsoft offers the standard level of spam and phishing detection for their email offerings by default, but depending on your plan, for an extra charge, customers who store their data outside Germany can enable Defender for Office 365, which claims to offer enhanced virus scanning for incoming attachments, enhanced phishing detection, and link rewriting. 2FA is a mixed bag: while the MS webmail client supports OTP codes across all browsers, Microsoft decides to not support U2F when using Firefox. And for the record, I'm assuming U2F dongles work with Safari; otherwise I have to wonder what they're doing up in Redmond.

Microsoft's security-adjacent feature set isn't as strong as Google's. The most impactful one is access to an online version of Office, but currently the only way to get a catch-all address is to use a hack that might not work depending on your plan. Microsoft email accounts get 400 aliases you can reply from, but even though the feature was supposed to have been launched late 2020, it's still not possible to reply from an alias using the Outlook web client. Thankfully these are ancillary features, but the lack of confidence from the wonkiness of 2FA support is compounded by the lack of native support for a catch-all address.

Moving to legal resilience, one of the more surprising discoveries from this research is Microsoft's willingness to use its lawyers to fight on their users' behalf in court, successfully quashing multiple gag orders. I wish they'd use those lawyers and lobbyists to shoot down the CLOUD Act and make governments go through the MLATs they already had, but I suppose that would have been asking for too much.

Finally, there's the question of price, which Microsoft has done its level best to make as difficult to answer as possible. You might have noticed some features were available depending on your plan; that's because, by my count, Microsoft offers no fewer than 13 different products which offer some form of email hosting. Even after discarding the products that require using GoDaddy as a registrar or don't support using custom domains, there are so many needlessly similar ones left that I assume this is some sort of marketing strategy. To be thorough, I asked SwiftOnSecurity about lesser-known plans and was told about a Microsoft 365 E621 tenant, which offers Outlook Web online and an unmonitored Windows upgrade license that lets you fully disable telemetry collection, but I haven't been able to find any information about that plan on the Microsoft website. Pricing correlates with desire to embrace the Microsoft ecosystem, but if email and cloud Office are all you need, the top choices are Microsoft 365 Business Basic at $120 per year or an Office 365 E1 tenant at $192 per year, following the baseline template from before, not counting the extra $2 per user per month for Defender for Office 365.

The first and largest privacy-focused provider of the comparison is ProtonMail. ProtonMail is headquartered in Switzerland, using data centers in Switzerland and Germany to store its customers' data. As Switzerland is not an EU member, there is no requirement for Swiss companies to conform to the GDPR; however, Article 13 of the Swiss Constitution explicitly grants everyone the right to privacy in relation to their mail and telecommunications, which the Swiss Federal Act on Data Protection says applies to non-citizens as well. Choosing to use a data center in a 14 Eyes country when the company takes such a strong stance on privacy seems strange, but as an outsider, Germany's additional laws on data privacy on top of the GDPR look strong enough to provide some comfort.

ProtonMail has only basic security features, supporting just OTP codes for 2FA, alongside spam and phishing detection their subreddit suggests can be hit or miss. An additional layer of PIN-based encryption is available for data stored in their iOS app. ProtonMail's security-adjacent feature set is also basic: Professional-tier accounts can access catch-all addresses and five aliases, with the option to purchase more on a yearly basis. The lack of some cloud substitute for Office increases vulnerability to ransomware, but this is about the best that can be expected from a company without Silicon Valley resources. In terms of legal resilience, despite the number of court orders ProtonMail claims to have challenged in their transparency report, there was no public information supporting such: no news reports covering a legal challenge or court documents available online. It's possible said information is stored somewhere outside of search engines, but I find this strange considering I've found information on legal challenges for smaller competitors. In terms of pricing, while ProtonMail's base cost isn't particularly eye-watering, trying to get close to parity with the other providers can get expensive quick. The baseline template costs $16 per user per month, or $150 per year, but the Professional plan only provides five aliases per user; attempting parity with Google's 30 aliases would cost an additional $5 per user per month, or $45 per year, costing more than the equivalent Microsoft services with fewer features. This is somewhat disappointing, but as stated earlier, this might be the best that can be expected without Silicon Valley resources.

ProtonMail's closest competitor is Tutanota. Tutanota is headquartered in Germany and only uses German data centers, so customer data should be protected by both the GDPR and Germany's data protection act. Like with ProtonMail, I see some hypocrisy in operating a company with a strong privacy stance in a 14 Eyes country, but like I said with ProtonMail, Germany's privacy laws should temper most objections. Like ProtonMail, Tutanota doesn't have much in terms of dedicated security features. Tutanota supports U2F dongles in addition to OTP codes for 2FA, but their spam and phishing filters leave much to be desired. Unsurprisingly, Tutanota has a basic security-adjacent feature set: joining at the Premium tier grants five aliases per user and the ability to use catch-all accounts, but unlike ProtonMail, the additional aliases available for purchase apply across all users in an account. That said, it's currently not possible to set the sender name for individual aliases, so if you want to send an email as Zero Cool instead of Dade Murphy, you have to change your settings so all your email will be sent as Zero Cool until you change it back. No cloud-based Office substitute is available. In regards to legal resilience, I was surprised to find reports of Tutanota standing up for its users in court and fighting a court order to implement mailbox surveillance, despite being such a small company. They lost, but it's the thought that counts here. As Tutanota's plans are denominated in foreign currency units instead of freedom bucks, Tutanota is the only provider in the comparison whose price cannot be directly compared to the others. Currency conversion isn't so difficult, but the numbers are guaranteed to be different between when I created this presentation and when you view it. Creating a Premium-tier account according to the baseline template costs 2.86 cents per user per month, or roughly $29 per year. The closest package to match Google's aliases costs as much as the email service, bringing the total to roughly $60 per year.

The final provider in this comparison is Hushmail, arguably the first privacy-focused email provider, beating Gmail to public release by six years. Hushmail has the most unusual corporate structure of all the providers in this comparison. The main company, Hush Communications, is incorporated in Delaware with its headquarters in Canada, but everyone's data is stored in Canadian data centers and managed by Hush Communications Canada, or HCC, a Canadian subsidiary. HCC has to conform to Canada's GDPR equivalent and, assuming HCC is based in Vancouver alongside Hush Communications, will also have to comply with British Columbia's data privacy law. Spinning operations into a subsidiary seems strange today, but between compressing data before encryption and the resurgence of zoot suits, I'm willing to chalk that up to '90s weirdness. Hushmail claims not to be subject to U.S. court orders. Perhaps being headquartered in Canada does void U.S. jurisdiction, but absent seeing some case law, I don't believe this theory and consider it a U.S. provider.

Moving to security-related features, Hushmail's feature set matches other smaller providers, with support for only OTP codes for 2FA. That said, when 2FA is enabled, Hushmail automatically generates an app password for connecting to POP and IMAP without going through 2FA, and somehow that app password includes your normal user password. There are potential ways to do this that don't require the normal user password to be stored in plain text, but their failure to explain how the system works concerns me. Hushmail's security-adjacent features are somewhat better than the other smaller providers': Business-tier accounts get unlimited aliases using a Hushmail-specific domain, but additionally get a pool of 100 aliases to use for a custom domain. Business accounts also gain the ability to use a catch-all alias with their custom domain. The lack of a cloud-based Office equivalent is disappointing, like with the other smaller players.

How Hushmail responds to court orders is most likely why it isn't the default choice for a privacy-focused email provider. Viewers with longer memories might remember this story, but to recap: Hushmail divulged the contents of a customer's messages to authorities as the result of a court order, yet at the time the only way to obtain unencrypted messages between Hushmail customers was to obtain a user's passphrase, either through modifying the code to access the webmail client or modifying the Java applet used for client-side access. The lack of any straight answer as to what the company did or did not do suggests Hushmail implemented some sort of vulnerability to collect this information, and the stigma has followed them ever since. I haven't found any information about Hushmail fighting court orders since, so I feel comfortable in saying much hasn't changed in terms of cooperating with authorities. Hushmail charges $6 per user per month for the Business tier, plus a $10 account setup fee, but the lack of annual payment options for this tier only is strange. At this price the baseline template would cost $144 per year, in line with other providers.

And now we arrive at the wild card: self-hosting your email. I originally hadn't planned to make this part of the comparison, since everyone who hosts their own email likely does it differently, but I figured infosec nerds would be the one group of people where, if I didn't at least mention the concept, no small number would either ask me why I didn't cover it or claim self-hosting doesn't have any of these issues. If you're self-hosting, you get to choose where your emails are stored, but hosting your email server internationally for increased privacy will likely backfire, since you will still be where you think your laws suck, so your local law enforcement can target you instead of your server. Moving on to security-related features, let's be honest: your email setup is a Raspberry Pi that's maybe just one generation old, running a version of Debian you haven't upgraded since you installed it, and email software from the third post down on r/selfhosted. If by some chance your setup supports 2FA, you don't have it enabled. In regards to security-adjacent features, self-hosting means you can run anything you want: cloud storage, a self-hosted version of Office, the world is your oyster. However, unless you decided you wanted all those things when you began self-hosting, laziness likely overtook you, so you only have functional-enough email. On the subject of legal resilience, if a court order arrived at the colo hosting your email server and you're not renting out half the colo, expect them to roll over like a well-trained dog. If for some reason they instead tell the authorities to send it to you, unless you have successful-startup-exit money, you won't be able to fight it when it arrives, so you'll roll over anyway. Determining a price for self-hosting your own email is tricky, because if your time is in any way valuable you've already spent too much, and if it isn't, the rest of the process will suck you dry anyway. Assuming you only spend about one hour maintaining your email server, a big assumption, you're spending more than Microsoft would charge if your time is worth $200 per hour; even if your time's worth only half that, you're within spitting distance of most of the providers in this review. Even with writing your time off as a learning experience, you'll still have to pay the cost of running a computer somewhere, either your own in a colo or someone else's in their data center. You could stick your email server on the best special LowEndBox has, but does that really sound like the best idea for privacy or security? Even the cheapest dedicated servers are $40 per month, so after six months you've spent more than Microsoft would have charged you to handle your email for a whole year.

Now that the weeks of research have been compiled into the Technicolor table shown here, what can be said about the state of email security? To recap, operational competence is supposedly the best indicator of an email provider's ability to protect their users from threats on the internet, but since there is so little direct intelligence on the internet about it, this presentation attempted to compensate by using more public aspects of a provider's service that hopefully correlate. So was this goal met? I don't think so. Microsoft hasn't figured out how to make wildcard aliases work in their 24 years of running an email provider, but I still have more faith in them protecting me from an APT or threat than Tutanota. So what does this mean, aside from the fact that I should stop pretending to be a scientist on the internet? I believe this shows the signals of high operational competence are more fundamental than features providers can stick in checkboxes for comparisons. At this point I think the least-worst signal for determining operational competence might be the size of a dedicated security team. Not the conclusion I wanted, but it's the one I can't shake. At least for now, the big G still has my email, and on that downer of an ending I conclude my presentation. I do tweets, which are generally less depressing; my handle is on the screen. If you wanted to read this presentation with additional research that was cut for time, you can use the QR code. At this point we can open up for questions.

Hey everybody, I'm here with our speaker, Jeremy. That was a fantastic talk. I was really surprised; I was not expecting to see some of the results I was seeing for Google and for Microsoft. Yeah, go ahead.

I was just gonna say, I know, since I am also an infosec nerd, we tend to give the big corporations kind of a hard time, but as I was going through this to sort of try and justify my reasoning to move away from a big corporation, I was surprised to find how well they will actually try to take privacy and security seriously. Like, I've heard a common bromide from someone I follow on Twitter: Google tries to make very sure that your information is only readable by yourself and Google. And if you think about it that way, it really does make sense that the things that I show in my talk are what you actually see.

Sure. That does bring us to Mouse's question. So when you talk about Gmail and the fact that the only people who can see it are yourself and Google, what about the privacy of data from Google itself? Mouse says she worries about discussing original research in email that, while it might not be read by humans, is still processed, analyzed, and classified by algorithms specifically designed to surface information Google can use for its own profit. Did you find anything to that regard when you were doing your research, or is that something that you really didn't worry about?

Not directly, because I figured if I were willing to let Google host my email, since practically all email is unencrypted, they're just going to be able to see everything anyway. And also, most likely, if you're emailing somebody and you're not using Google, the person you are emailing is using Google, so they're going to see it no matter what. But also, I don't have the link on me right now because I wrote about this a while ago, but I believe Google said at one point in time that they weren't going to be scanning emails for, you know, ads and such if you were a paying customer on Google Apps. So I think if you're paying to have Google host your email, it's a lot less likely that they're going to be parsing it for, I guess, useful information, as opposed to just checking to make sure it doesn't look like a phishing email or it looks like spam.

Right. And you also run into the CIA triad here. I mean, I've used ProtonMail for years, and one of the big problems is that while the emails are encrypted, and that gives you good security, that means you can't do full-text search for contents of your email. That's a problem that they've been trying to figure out, but it's an issue, right? So yes, you can have security, yes, you can protect people from looking at your email; that means that you lose some functionality as well. So on that topic, what are some things that you would like to see companies doing that they're not currently doing?

Oh man, that's a whole 'nother talk in and of itself. Let's start with passwords. So everybody knows passwords are generally terrible right now. One thing I would love to see smaller companies like Tutanota and ProtonMail do is switch from using passwords directly to using things like password-authenticated key exchanges, or PAKEs. So they would essentially stop the transmission of passwords over the wire, and you could compute things locally and send those things to the server to log in, things that wouldn't be useful for replay attacks. The thing I've been looking at for a while now is called OPAQUE, and it is essentially a password-authenticated key exchange that would allow people to enter their passwords on their local devices and have them never leave their local devices, which would be a really neat security feature. Another thing that I have been looking at is DIME. So after Lavabit imploded, Ladar Levison created Dark Mail, and in the process of creating Dark Mail he came up with essentially a replacement for SMTP, not exactly SMTP but the whole email workflow, called DIME. It's the, why is it, Dark Internet Mail, I forget what the E stands for, but essentially it replaces SMTP, POP, and IMAP with an encrypted, metadata-minimized form of email. And even though Dark Mail has been around since 2013, 2014, the last update to the DIME specifications was in 2018. I haven't seen anybody take up the mantle of creating at least a test deployment of this to see if it's actually worthwhile in mid- to large-scale deployments. I think one of the things you notice about the smaller companies like ProtonMail and Tutanota is that they kind of use their encryption as a sort of moat: you can encrypt emails between ProtonMail customers and between Tutanota customers, but there's no way to go back and forth, and DIME could essentially be a way to bootstrap encrypted emails to a larger community than just a single provider. But those are the two biggest things that I would like to see companies do.

Sure. One question that we had, I think we have time for a couple more. Let's see, who was that that asked that? Okay, AZ DesertGator asked: is it possible the lack of legal information about ProtonMail is because they are in Switzerland, so anyone challenging knows it is likely to be a waste of time?

That may prevent some people, but I don't think it would prevent enough people to the point that I couldn't find information on it. So say if the U.S. Department of Justice wants to get information about a ProtonMail customer, they don't care that ProtonMail's in Switzerland; they're still going to file some sort of court document, and I would have expected to be able to find that court document, see it get rejected or whatever, and potentially even see a blog post from ProtonMail saying, "Hey, we pushed back on the U.S. DOJ, good for us." But I couldn't really find anything like that.

Sure. Another question is, have you looked at Trusona?

I have not specifically looked at Trusona. I tried to limit it to the ones that most people would know, but, you know, I could always look at other ones and add onto the blog post that's at the end of my talk.

Okay, I think that's all the time we've got, but thank you very much. This was a fantastic talk. I know a lot of people took a lot of value from it, and I think you've done some good work here, so thank you.

Thank you.