Email encryption

Hi All,
I am building something and looking for some advice.
If you want to send an encrypted message or email to another person, which protocol/app would you use if you only have the user's email?
This excludes all apps or protocols depending on phone number.

Appreciate any thoughts.

PGP is the commonly used one; however, it does require skills and maintenance.

Take a look at https://protonmail.com/; this is very secure and easy to use.


PGP can be misconfigured, and is a pain to deal with. Not only that, but there's a fundamental weakness in the server design for PGP which allows someone to flood the certificate servers and cause lots of problems.

If you want easy-peasy completely encrypted email, have you and your friend get free Protonmail accounts. The free tier gives you 150 messages/day and 500 MB storage.


Actually, only one of you (the sender) needs Protonmail.

Or just zip with a password and call the other person to tell them the password, if it's not mission-critical data.

Yep, Proton mail is the best.

As for encrypting Zip, DMG files and the like, my concern is that once an unauthorized 3rd party gets a hold of the file, they can spend as much time and resources as they want without anyone being able to stop them or even knowing that it is going on. After all, they can run the cracking tools offline on a local machine. Or rent some supercomputer power from Amazon…

It all depends on how big of a target you are and the sensitivity of the files. Some information should never go online, or on a computer for that matter.
Any handling of email / cloud storage by a 3rd party requires trust. Protonmail has a great reputation and has great core values but still one has to trust…

Alternatively, one could set up a local (mail) server and only allow trusted partners to connect via VPN to your own server. Which, however, puts all the pressure and responsibility on you to keep it secure. Frankly, this is a task that entire teams of highly skilled individuals can barely keep up with, and even then one is never 100% certain.

After all, the centrifuges that were off the grid in Iran got hacked. It just took enough resources and time to get in.

Having said that, Protonmail is a very good bet for most mortal beings…


Ditto what others are saying about Proton mail – it is the simplest solution for most people. I consider myself a Mac Power User and I wouldn't touch PGP with a ten-foot pole when Protonmail makes it dead simple to have the highest level of security.

FYI, one of my friends is in US special forces and he said Protonmail is the only mail service they can use. If it's good enough for him…


I have worked really closely with DoD in my current role and in the past. Trust me when I tell you that ProtonMail is NOT approved for use…

Really…I must have misunderstood my friend then. Are there specific vulnerabilities that make it not approved?

Having spent a lot of time in privacy-related fora, the worst I've seen about Protonmail is that (a) they use anonymized crash logs via Crashlytics (which is located in the USA), like virtually every app on your phone does, FYI, and (b) ProtonMail requires text message activation for any account created through Tor, in which case the premium/donation option is intentionally disabled – which does not affect privacy, only anonymity.

You can see the Swiss-based company’s Transparency Report here.

If DoD has concerns about Protonmail, I suspect it largely involves the Dept’s loss of control over seeing employees and contractors pass through the service.

The requirement for having to activate with a text message is a bit more nuanced and not mandatory.

I was specifically referring to trying to buy an account over Tor.

It's not about the vulnerabilities, but more about policy. The data centers are not DoD owned or operated, nor do they sit on US soil; they don't have a DoD/Federal certification; and what approved authority has verified their implementation of OpenPGP? One thing I can tell you is that the DoD understands that email is probably their most important threat vector, having been an incident handler for them. Maybe your friend meant that they like what Protonmail has done?

Exactly. There’s a reason you haven’t seen a large scale outsourcing of email like you’ve seen from other civilian agencies.

Yeah, I can’t be too sure what he meant, but that all makes sense. Thanks!