Securemail

[UncleEbenezer]

If you want to send mail securely, acquaint yourself with PGP and the Web of Trust. Established technology, no resorting to third-party services, no scope for government backdoors[1], and no cost.

I very occasionally use it, but the vast majority of my email is sent in clear text, knowing that it's not secure but also that it's no skin off my nose if someone other than the intended recipient wastes their time reading it. Mainly I use PGP for signing (prove that the mail really is from me) rather than encryption (prevent eavesdropping).

If it matters to you, the US government *does* have backdoors to snoop on your unencrypted communications. Providers of network equipment are required by law to provide it (see for example Cisco on the subject). There is a fair bit of evidence that government snooping goes beyond that. The Aussie government has recently legislated itself deeper snooping powers. The current fuss over Huawei may very well mean they refused to go beyond the "lawful interception" described by Cisco, and are being punished for that.

[1] unless they're right in there and eavesdropping your every keystroke and mouse action.

[Alaric]

Can 'they' intercept it in transit?

The answer to that has always been "yes". But it's not peer to peer anyway. Your email goes to a central "post office" and your recipient goes to the central post office and reads it on any number of his devices. Depending on the rules of his and your devices, the email may be deleted from the central post office once read or remain there until such time as the central office purges it.

[UncleEbenezer]

Can 'they' intercept it in transit?

The answer to that has always been "yes". But it's not peer to peer anyway. Your email goes to a central "post office" and your recipient goes to the central post office and reads it on any number of his devices. Depending on the rules of his and your devices, the email may be deleted from the central post office once read or remain there until such time as the central office purges it.

That "central post office" is simply not true on anything bigger than a company intranet that happens to be set up that way.

What is true is that mail is sent to the recipient's post office: a mail server for the recipient's domain - which might be a single post box (as in a personal domain) or a huge global service like gmail. The recipient can then choose to leave it there (keeping it accessible from all devices), or to download it to their own device. Typically you use IMAP for the first or POP for the second.

[Infrasonic]

You can get a 500MB free inbox with proton mail which is encrypted and does PGP.
https://protonmail.com

As email is so ubiquitous these days there are issues around ID theft/spoofing from sensitive info gleaned from it, especially if combined with data breaches elsewhere and social engineering.

I'm moving all my banking/utilities correspondence et al over to my Proton account, away from generic email like Outlook.com and Gmail. I'll keep those services going for non sensitive email.

[formoverfunction]

You can get a 500MB free inbox with proton mail which is encrypted and does PGP.
https://protonmail.com

As email is so ubiquitous these days there are issues around ID theft/spoofing from sensitive info gleaned from it, especially if combined with data breaches elsewhere and social engineering.

I'm moving all my banking/utilities correspondence et al over to my Proton account, away from generic email like Outlook.com and Gmail. I'll keep those services going for non sensitive email.

Some time ago I decide to seperate my email, so I now use seperate accounts for finance, social media, "news".

I decided to keep my more general email address (for OS update, app stores etc), but the remainder I shared between Proton, Tutanota and Mailfence.

I also make use of Trashmail and gorilla mail, espceially when signing up and not being sure how much mail I might get. Trashmail is free and the "alias" you create dies after 1 month. It gives you time to change the address on the site.

It's also important you use different identities, not the same = name@provider.com

I decided to "pay" Tutanota as they don't have Proton's multiple income streams. I also make use of the multiple alias they let you create.

Food for though; I used to same email address for years....until I had my identity cloned. Someone had identified me across numerous sites and services via that address.

[Infrasonic]

Some time ago I decide to seperate my email, so I now use seperate accounts for finance, social media, "news"

Same here, I've got about 20 (including aliases).
As far as possible I try an avoid using my real world ID for any of them, although with things like my domain email that's not really possible as people want a person specific address to correspond with for business and the domain host require my real ID, address and CC number on their system as it's a paid for service.

Yahoo still do their free disposable alias addresses, I just avoid putting any real world info onto their servers like my real name, address, phone numbers et al as their security hasn't proved the best over the years (a few large hacks...). I use that account as an email newsletter aggregator only.

10 minute mail are still good if you want some marketing info without giving out a real address, put dummy info into their database if required. Using the marketers own contact details works well, or a load of zeroes for telephone numbers still works much of the time. If not, a real area code and then zeroes.
https://10minutemail.com/10MinuteMail/index.html

Because spam and phishing are such issues theses days it's becoming increasingly difficult to use email successfully (your email actually going to an inbox rather than spam or bounceback/blackholed) without whitelisting addresses on both sides, which isn't great from a security perspective as it means your contacts database is sitting on servers potentially awaiting a hack.
At least with the multiple addresses approach you can limit the potential damage by keeping your whitelisted contacts address specific, rather than one huge contacts database.

Much of the security news that you see in the technical press is 'theoretically possible' stuff done in a lab, rather than real world 'in the wild' actually happening now breaches.
Encryption is being used more and more throughout the networking chains, so although it's good to take a defensive approach generally to security, you have to draw the line somewhere as it will never be 100%.

[AleisterCrowley]

You can get a 500MB free inbox with proton mail which is encrypted and does PGP.
https://protonmail.com

As email is so ubiquitous these days there are issues around ID theft/spoofing from sensitive info gleaned from it, especially if combined with data breaches elsewhere and social engineering.

I'm moving all my banking/utilities correspondence et al over to my Proton account, away from generic email like Outlook.com and Gmail. I'll keep those services going for non sensitive email.

That's very useful, thanks Infrasonic

I have set up an account

AC

[Slarti]

Do I need It?

I can't think why anyone would want to see my boring emails anyway and I do have a r'obust' password for my account., which is changed fairly regularly.

The securemail ads that ive bèen getting basically say that anyone can read my emails (welll they would say that wouldn't they.)....but how? Can 'they' intercept it in transit?

I think I'm going back to pencil and paper!

1) You read adverts/spam that you get?

2) Email has always been a bit like sending a postcard, anybody who comes across it can read it. With the added bonus that they can send it on to all and sundry at no cost to them.

3) Unsubscribe from the adverts. If they stop they are probably from a real company, if they don't they are from scum.

Slarti

[stevensfo]

Wow, thanks for all the info about temporary and more secure emails. Apart from Proton, I hadn't heard of any of them.

I had a bad experience a few years ago with scam emails followed by another wake-up call when I discovered that Vodafone had been quietly taking money every month for a service I never used. It was my fault for not cancelling it correctly and it was linked to a bank account that I rarely checked. So now I tend to use cards like Revolut, Transferwise and Monzo for all the things where in the past I used to use my main credit cards. I get real-time notifications on the phone apps and keep the balances low, transferring money to them only when required.

Whether it's getting older, increased paranioa or too many James Bond films, I'm not sure, but I tend to be quite imaginative about things like ID, addresses, personal info etc. Not for important documents naturally, but I take the old English common law view that as long as I'm not committing fraud, I can be whoever I like. I can't remember the last time I used my real DOB.

Stay safe!

Steve