Clandestine Communications Part Three: Email Domains

Clandestine Communications Part One: One Time Pads (OTPs)

Clandestine Communications Part Two: Steganography – A Smile is Worth A Thousand Words (Literally)!

_____________________________________________________________________________________________________________________________

The next set of articles in our Clandestine Communications series will be brief overviews of encrypted email services and messaging apps, file/hard drive encryption, and VPNs.

I stress that these are very brief overviews. I highly recommend that you take a look at the training calendar and attend one of the Privacy, Security and Anonymity classes offered by Kilo, a friend and current member of the SOF community. The first class already filled up, but there is a class being offered September 21-22 in NC and a class on March 7-8, 2020 in NC as well. Kilo will be using the vast knowledge he has to give you all you ever wanted to know about anonymity and digital security. Once again, I highly recommend the class.

_____________________________________________________________________________________________________________________________

Part Three of our Clandestine Communications series is focusing on “off the shelf” email domains. This would, of course, require you to get a new email address – an action that, given the surveillance state’s relationship with Google, Yahoo, etc., cannot be done too quickly. However, there are ways to harden current email addresses such as Gmail, and that will be the purview (shout out to Mueller for popularizing that word) of Part Four. There are really only two sites that I have both a familiarity with and would recommend. Those sites are Tutanota and ProtonMail. I am sure that there are others out there that are both paid and free, and you can feel free to chime in down below. These are the only two that I have familiarity with, and I will give a brief overview below.

When you create your passwords, make sure they have CAPITAL and lowercase letters as well as numbers (1234), symbols (!@#$) or even spaces. You may even want to employ a password manager such as KeePassXC to ensure a secure password.

ProtonMail (https://protonmail.com/)

Headquartered in Geneva, Switzerland, ProtonMail is a fantastic email service. Offering both free and paid subscriptions, it is Open Source and very easy to use.

Right off the bat, you need two passwords to log in – one to enter the account, and one to decrypt the email inbox.

EDIT: Apparently this is only true for legacy accounts like mine created before December 2016. New accounts default to one password. Thank you to the commenter who pointed this out.

“When ProtonMail was originally released, two passwords were necessary to enter your account, a Login password and Mailbox password. This was done for security reasons to ensure end-to-end encryption. However, after extensive and careful study, our research team developed a way to provide the same level of privacy and security with just a single password. Technical details can be found here.

Because this improves the usability of ProtonMail, this is now the default for all newly created accounts. For Legacy accounts (those created before December 2016), we also provide the option to switch to One Password Mode. Two Password Mode will continue to be supported, and more information about Two Password Mode is provided at the bottom of this article.”

It has a robust set of settings including authentication logs (which will tell you every time a login attempt succeeds or fails, as well as when a logout occurs – all with timestamps) and two factor authentication so that you can add an additional layer of security to the account.

The service is incredibly user friendly, and is located in a country that has incredibly strong privacy laws. It avoids the Five Eyes and the Fourteen Eyes countries.

The one downside is that the Free account only allows for 500 MB storage and 150 messages per day.

The Plus account, which costs $4.00/month, provides you with 5 GB storage, 1000 messages a day, and the ability to send encrypted messages to those without ProtonMail accounts. It also allows for custom domains and up to 5 email aliases.

The Visionary account, which costs $24.00/month, provides 20 GB storage, unlimited messages per day, and access to ProtonVPN (virtual private network). It also has multi-user support and allows for up to 50 email aliases.

Tutanota (www.tutanota.com)

Tutanota is “domiciled” in Hanover, Germany and was started in 2011. The name Tutanota, according to the FAQs, is derived from Latin and contains the words “tuta” and “nota”, which mean “secure message”.

By default, the emails between Tutanota accounts are encrypted just like in ProtonMail. You can also set up a password with someone who does not have a Tutanota account and still send them an encrypted email, which they would use that password to open (obviously send them the password via snail mail or, better still, physically hand it to them). It also has an encrypted Calendar function built in.

The Free account allows for 1 GB storage but limits you to Tutanota domains only. The big upside to Tutanota, however, is that it is much cheaper for its Premium accounts.

The Premium account starts out at €12/year and allows for custom domains and 5 aliases. You can also purchase additional storage space – 10 GB (€24/yr), 100 GB (€120/yr), or a whopping 1 TB (€600/yr).

The Pro account costs €60/year and provides 10 GB storage, custom domains, and 20 aliases.

My biggest complaint about Tutanota is that it does not, to my knowledge, have a feature in your contact book that allows you to make a “group”. If you regularly email a preparedness group, you have to select each person individually to send them a group message as opposed to just creating a “Preparedness” contact group.

Non-Encrypted Email Services

I know that some people will chime in that they really wish their Gmail/Yahoo/AOL etc. accounts could be hardened and encrypted instead of having to create a new account. My first reaction is simply to question why, if creating the accounts is so easy, would you not want to do this? Moving past that, we will be looking at using Mozilla Thunderbird and Enigmail to encrypt other email services using PGP.


About the Author: admin

12 Comments

  1. Kilo July 30, 2019 at 13:27

    Great article.
    Thanks for the shout out for the upcoming classes.
    One workaround for the lack of a ‘group’ function in Tutanota is this:
    1. Create a standard email message and add all pertinent contacts in the ‘To’ or better yet, the ‘Bcc’ line just as you would need to do in creating your initial ‘group’.
    2. Send your message.
    3. The next time you need to send a message to your ‘group’, go back to your initial message and click ‘reply all’, change your subject line to something relevant, and delete the content of the initial message and replace it with the content of the new message. The people in the ‘To’ or the ‘Bcc’ line will remain the same as if they were a ‘group’.
    One additional comment regarding all email traffic is that the subject line is not encrypted, even with Protonmail, Tutanota, or using any of the PGP/GPG derivatives. It is something to consider when compiling your message traffic as this part of the metadata is exposed.

    • Patriotman July 30, 2019 at 20:41

      Excellent additions and sage advice as always brother. Your class cannot be recommended enough.

  2. Lori T July 30, 2019 at 20:56

    Protonmail only requires one password as far as I know, and we’ve been using it for over a year now. We also use the companion product proton vpn, and you get a discount if you already are a paid subscriber of protonmail. A cool feature of protonmail is that you can have an email address like [email protected] and if you want to be able to see where and how your email address is getting sold or shared, you can add to it like samsmith+ap.protonmail.com. It comes in handy occasionally. Really, for best privacy and the ability to unsubscribe from a shared or sold email address, blur (https://dnt.abine.com) has the best email masking that forwards (if you want) to your primary protonmail account. When you reply to the masked email forward, the recipient doesn’t know your ‘real’ email address. Basically they are burner emails that let you decide how long they work for and they forward to whatever email you want so you don’t have to log in to two different email services.

    • Patriotman July 30, 2019 at 22:19

      Really? My account requires two, but I have had mine for quite a long time. I wonder if they changed that?

    • Patriotman July 30, 2019 at 22:22

      Ahah! They did change it:

      When ProtonMail was originally released, two passwords were necessary to enter your account, a Login password and Mailbox password. This was done for security reasons to ensure end-to-end encryption. However, after extensive and careful study, our research team developed a way to provide the same level of privacy and security with just a single password. Technical details can be found here.

      Because this improves the usability of ProtonMail, this is now the default for all newly created accounts. For Legacy accounts (those created before December 2016), we also provide the option to switch to One Password Mode. Two Password Mode will continue to be supported, and more information about Two Password Mode is provided at the bottom of this article.

      https://protonmail.com/support/knowledge-base/single-password/

  3. Tengu July 31, 2019 at 11:55

    All good and fine but you had better use prepaid Visas (harder to do now) or bitcoin to make the purchase.

    Better not get on any cameras buying the prepaid Visa.

    Better never open your account from any IP address that can be traced to you.

    A good deal of tradecraft and forethought is needed to get reasonably close to privacy.

    Tengu
    28 years in infosec.

    • Patriotman July 31, 2019 at 12:48

      While I wholeheartedly agree, I am hoping to baby step people into hardening their digital footprint.

      The concepts you talk about are explained in depth in the class I reference.

  4. Anonymous August 1, 2019 at 09:43

    5

  5. Kilo August 2, 2019 at 12:25

    To add another recent addition to Tutanota, they were the first to have a secure/encrypted calendar. Many have tried or promised this feature in the future, but Tutanota was the first to make it a recent reality. Now, if they can make a mobile version, it would be great.

    To give context, a person’s calendar, when in a digital form, gives their entire pattern of life. Where they are going to be, when they are going to be there, and often who they are going to be with. This information should be secured.

    Until Tutanota released their calendar, the only safe way to do this digitally was on a personal/private cloud server like Nextcloud.

  6. Matt in Oklahoma September 8, 2019 at 21:00

    This might be of interest

    Hong Kong Protestors Using Mesh Messaging App China Can’t Block:

    https://www.forbes.com/sites/johnkoetsier/2019/09/02/hong-kong-protestors-using-mesh-messaging-app-china-cant-block-usage-up-3685/

  7. Ed Carp February 15, 2020 at 12:08

    “I know that some people will chime in that they really wish their Gmail/Yahoo/AOL etc. accounts could be hardened and encrypted instead of having to create a new account. My first reaction is simply to question why, if creating the accounts is so easy, would you not want to do this?”

    Because people don’t want to change email addresses because everyone and their brother has their old one? Just a guess.

    Why not just use a browser addin like MailCrypt? It works with all browser-based email sites. I use it with gmail all the time.

    • NC Scout February 15, 2020 at 12:41

      There’s a LOT of reasons this is bad. Especially Gmail. Just because the content is encrypted, its sender and receiver are not, and worse, once the key is used, if the mail is left in the browser it is effectively compromised.

      Running encrypted email IS NOT for communicating with family and friends.
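
Two of the comments above point out that the subject line, sender and receiver of an encrypted email stay exposed. The Python sketch below is an added example, not part of the original post or its comments: it parses a constructed message in the classic PGP/MIME layout (RFC 3156) and lists what a mail server can read without any key. The function names, addresses, subject and ciphertext are all made up for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: addresses, subject and ciphertext are placeholders, not real data.
SAMPLE = """\
From: alice@example.org
To: bob@example.net, carol@example.net
Subject: Saturday training schedule
Date: Tue, 30 Jul 2019 13:27:00 -0400
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDERCIPHERTEXTNOTREALDATA
-----END PGP MESSAGE-----
--b1--
"""

def body_is_pgp_encrypted(msg):
    """True for PGP/MIME, or for a single part carrying inline armored PGP."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    payload = msg.get_payload() if not msg.is_multipart() else ""
    return "-----BEGIN PGP MESSAGE-----" in payload

def exposed_metadata(raw):
    """Return what a mail server or observer reads without any key."""
    msg = message_from_string(raw)
    seen = {"body_encrypted": body_is_pgp_encrypted(msg)}
    for name in ("From", "To", "Cc"):        # routing headers, always cleartext
        addrs = [a for _, a in getaddresses(msg.get_all(name, []))]
        if addrs:
            seen[name] = addrs
    for name in ("Subject", "Date"):         # descriptive headers, also cleartext
        if msg[name]:
            seen[name] = msg[name]
    return seen

if __name__ == "__main__":
    print(exposed_metadata(SAMPLE))
```

Running it against the sample shows an encrypted body alongside a fully readable subject, date, sender and recipient list, which is why a neutral subject line matters even when the content is protected.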
