On YouTube, I had the pleasure of having @Braxman_Basedman show up in my stream. He got me critically thinking about email, especially the MTA steps where content is passed between email servers in plain text (Base64 and such). So, something like ProtonMail may still give up identity information (i.e. relationship mapping) if I were to use it (or other email clients) to send mail outside ProtonMail because it is email (as opposed to SMS which is not secure yet Brax claims is more secure than email) because of an MTA step (regardless of port used). Is this correct?
That said, I am curious what the community would rank in a list of the top least secure tools/methods (like email, SMS, web browsing, etc.) from least secure for privacy at the top of the list. Granted, there are likely details and tactics that affect ranking. Yet, is there a list that could be seen “as general guidelines” for what tools give up more privacy information?
I ask this as a “newbie” to understand what tools in general I may (incorrectly) think of as secure related to privacy, yet aren’t. Curious. Thanks!
Just to clarify, this doesn’t paint a full picture. (FYI, the person you pinged isn’t actually them, I’ve messaged that user to change their information to avoid confusion.) The main thing I want to outline is services like Proton, Tuta, etc. all offer E2EE options to prevent this. Both services offer the ability to password-encrypt emails via a web portal to allow E2EE for all external contacts - even for people not using the service or using PGP. This is located in the send menu and isn’t hard to use. Beyond that, Proton Mail also integrates with PGP efficiently, allowing anyone who is using PGP to easily interact with Proton users via features like WKD-lookup.
It’s a nuanced issue, and much of the anti-Proton/anti-Tuta/anti-encrypted email points don’t quite outline the incredibly valid use-cases the services provide: they make E2EE for email easier for users in a more transparent, FOSS environment. No, they’re not solving all of email’s issues, no they’re not perfect, but failing to outline some of the obvious and largest selling points of these providers - even going as far as to claim SMS is better than them - is pretty drastic and misses their core offering. Using email with E2EE is IMO leagues better than using SMS, and for me solves many of email’s issues, including almost all of the ones you’ve brought up. @Jonah is more knowledgeable than I am here, so any thoughts he has are much appreciated too.
To answer your second question, very personal preference, my worst to best:
Standard email (Unlike SMS, a standard email can’t just be intercepted by someone outside my home)
Thank you very much @Henry for sharing your insights on email and list of worst to best. It’s not lost on me that there are differing opinions and taking it all in as one learns about their sources (building trust) is part of the process. Your points on email above are super helpful to clarify my misunderstanding. Bravo! Love to hear input from @Jonah
For the list you shared (your expert opinion), don’t underestimate the ripple effect. Your input here contributes to my family and my friends.
When I share what I have learned, that’s how ideas spread. In fact, at my dinner table I will be discussing privacy, email and the list more than once. Why? Because I have a family member going to college in a few years and will be making decisions on her own. While the world changes, I want her to get good advice so she may critically think about privacy, security and her life. While these topics may seem basic to advanced folks in the community, folks learning need to start with the basics and build. I appreciate you and the community members that share their opinions. I will discern carefully myself to test knowledge for truth. #grateful
Ultimately this sort of thing will always come down to your threat model, because there aren’t black and white answers to “what is the most private” or “most secure” tool out there. Every single tool is going to protect against certain threats, and if you don’t know what is threatening you then there’s no way to protect yourself. It’s not the answer a lot of people like to hear because people hope there’s just a checklist they can follow or a service they can use to become magically private and secure, but it’s the truth.
With email specifically, I would never use it for anything besides getting transactional emails from services I sign up with and establishing first contact with someone when there’s no other option: If someone emails me the first thing I do is move communication to something like Signal or Element. I tend to agree with @Henry’s list here, but the difference between 4/“E2EE Email” and 5/“Secure E2EE Messaging” is a difference in orders of magnitude. There is simply no excuse in my opinion to use email for person-to-person communication when significantly better options are available.
Obviously you can’t ignore email security entirely, it is still the key to entry for most of your online accounts. But trying to secure email for communication between people is kind of like putting lipstick on a pig so to speak, haha
Also, as far as whether Braxman is correct about the points you mentioned, I would say probably not generally speaking, but I haven’t watched his video or heard his specific points. That is entirely dependent on the configuration of the sending and receiving email servers, but most email servers nowadays use TLS (like HTTPS) when communicating with each other, not plain text.
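Whether a particular message crossed an MTA hop without TLS can be checked after delivery from its `Received` headers. The following is an added example, not code from anyone in this thread: it reads the `with` protocol keyword each server recorded (per RFC 3848, `ESMTPS` and `ESMTPSA` indicate TLS), and the sample message with all its host names and ids is constructed.

```python
import re
from email import message_from_string

# Constructed sample message: every host name, address and id is made up.
SAMPLE = """\
Received: from relay.legacy.example (relay.legacy.example [198.51.100.7])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by mx.recipient.example (Postfix) with ESMTPS id 4F2A
    for <bob@recipient.example>; Tue, 02 Jan 2024 10:00:03 +0000
Received: from smtp.sender.example (smtp.sender.example [192.0.2.25])
    by relay.legacy.example with ESMTP id 9C1D; Tue, 02 Jan 2024 10:00:02 +0000
Received: from [192.0.2.10] by smtp.sender.example with ESMTPSA id 1A2B;
    Tue, 02 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: hello

body
"""

# RFC 3848 "with" keywords whose trailing S means the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
COMMENT_RE = re.compile(r"\([^()]*\)")

def _clause(keyword, text):
    """Return the token following 'from', 'by' or 'with', if present."""
    match = re.search(r"\b%s\s+(\S+)" % keyword, text, re.IGNORECASE)
    return match.group(1).rstrip(";") if match else None

def hop_report(raw_message):
    """List hops in sending order with the protocol each server recorded."""
    hops = []
    headers = message_from_string(raw_message).get_all("Received", [])
    for value in reversed(headers):  # newest header is first in the message
        text = " ".join(value.split())  # unfold continuation lines
        while COMMENT_RE.search(text):  # drop (comments), innermost first
            text = COMMENT_RE.sub(" ", text)
        proto = (_clause("with", text) or "UNKNOWN").upper()
        hops.append({"from": _clause("from", text), "by": _clause("by", text),
                     "protocol": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def plaintext_hops(raw_message):
    """Return (from, by) pairs for hops not recorded as using TLS."""
    return [(h["from"], h["by"]) for h in hop_report(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
```

Only the headers written by your own provider's servers can be trusted, since any earlier server can write whatever it likes. A hop marked as TLS still leaves the message and its metadata readable to every server that relays it.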
Helpful @Jonah, thank you. I will think about my threat model as that is a starting point. Point well taken about certain tools to address certain threats. For email, I am playing with sharing the idea with friends to move to Signal instead of email. However, most of my friends feel little “pain” here as email is so ingrained for the “older generation.” Still, I realize my efforts are time over target. Convert those who are open-minded. In closing, good point about TLS being used by most email servers. I will explore 5/Secure E2EE Messaging for family when email is necessary. Bottom line it will be a good “failing forward” lesson over our current (less private) habits. #grateful