Author: InvisibleUser Team
Categories: Communication Privacy
In this guide, you will learn how secure email communication works. Your provider is not the only thing that matters: a secure email client is equally important and perfectly complements a secure email provider like ProtonMail or Tutanota.
To read our review of the most secure email providers for privacy, visit the page “Encrypted Email Providers”.
An email client is a program that helps you access and manage emails without opening the website in your browser. Clients often provide additional functions like calendars, contact management, news and RSS feeds.
Popular ones are Windows Mail, Microsoft Outlook, eM client, Postbox, Mailbird and the free and open-source Mozilla Thunderbird. Out of these, Thunderbird is our favourite. It is a full featured email client that provides you with tools to organise everything related to email communication. It is completely free and not plagued by all the backdoors and lack of transparency of Microsoft’s programs.
Thunderbird is the application we recommend for privacy purposes. It offers many useful plug-ins that expand its features or increase privacy and security. Later, we will go into greater detail with the Enigmail plug-in for encrypted communication. This email client is available for Mac, Windows and most Linux systems. Besides being good for privacy, Thunderbird filters spam and manages emails in folders. It also provides you with import/export functions for emails, the calendar and contacts.
The application has very well developed security features. It can establish TLS/SSL-encrypted connections to servers for synchronising emails and is very stable. TLS/SSL means that the HTTPS protocol will be used. Therefore, Thunderbird is the secure email client of choice for many companies. It is so secure that it is even used by the French military, which means that Thunderbird matches the security requirements for NATO’s closed messaging system. As with most Mozilla open-source projects, there is fantastic documentation and community support available on the Mozilla website.
Unfortunately, Mozilla stopped in-house development of new features for Thunderbird in 2012, so the interface is a bit clunky, but the client is still supported and its security features are up-to-date. In 2017, Mozilla even added new members to the Thunderbird development team. We expect to see further improvements in the following years.
Mailspring requires you to create an account, but otherwise it is a great application. The client is, however, not primarily designed for secure email communication. The reason we mention it is that Thunderbird could scare away new users, who would then use a proprietary alternative that is much worse for their privacy.
We are not going to lie: Thunderbird looks old-fashioned, Windows 98-style old-fashioned. Mailspring, on the other hand, is simple and modern, and the coding community has checked the source code for issues and has not found any backdoors. It is available on GitHub and on the official website.
To reach privacy that is equal to Thunderbird with Enigmail, you can send PGP encrypted text and files via Mailspring. Software we highly recommend for PGP encryption is GnuPG for Linux, GPG Suite (Mac GPG/GPGTools) for macOS and Gpg4win for Windows.
Enigmail is a Thunderbird plug-in designed to integrate PGP encryption from GnuPG (OpenPGP standard) into Thunderbird. It lets you encrypt, decrypt and sign emails in a very convenient way, while using Thunderbird’s full-featured email client.
To run Enigmail, you have to install the latest version of GnuPG for your operating system, which is available at the GnuPG website. Setting up, configuring and using Enigmail is very easy. You can create new key pairs, a public and a private key, and secure them with a password. It is also possible to import and store the public keys of your contacts in Thunderbird and manage them. Enigmail even supports searching for people’s public keys in online databases.
We will now get into setting up Enigmail:
1. Open the Thunderbird menu (the ≡ button) and then Add-ons > Extensions. That opens the Add-ons Manager. Search for Enigmail and install it with one click. Restart Thunderbird.
2. Open the menu (the ≡ button) and hover over OpenPGP. Select Key Management. Click Generate > New Key Pair and select your account, passphrase and key strength (>2kb is plenty). Hit Generate key. You will be asked to generate a certificate. Do that too and save it in a secure location. If someone can access your certificate, that attacker can decrypt your emails, so choose wisely. Restart Thunderbird.
3. Open the menu (the ≡ button), hover over OpenPGP and select Key Management. Right-click your key and choose Send Public Keys by Email. A window opens; choose the recipient. Your public key (.asc file) will be attached to the email. Send it.
4. To import a public key, open the menu (the ≡ button), hover over OpenPGP and select Key Management. Go to File > Import Keys and import the .asc file. Restart Thunderbird.
5. Click Write and type in the recipient’s email address and your message. Then click the OpenPGP button at the top and tick the Encrypt Message box. Click OK and type in your password. The email gets encrypted and you can send it.
There is a severe vulnerability called Efail in all versions of Enigmail before version 2.0.5, so make sure you get the most recent one. Download it directly from the developer’s website.
The vulnerability occurs when a user activates displaying all HTML content for emails, instead of only simple HTML content, and loading additional (remote) content is also enabled. Malicious code within the HTML email can then run. When you open such an email, you decrypt it as usual, but the malicious code could potentially send an unencrypted copy of the email to the attacker. It is not specific to Enigmail, because its origin is related to Thunderbird. In version 2.0.5 it was fixed.
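As an added example that is not part of the original article, the following Python check reads a Thunderbird prefs.js file and reports whether both Efail preconditions described above (full HTML rendering plus remote content loading) are present. The preference names are Thunderbird’s own; the default values assumed for preferences that are absent from prefs.js are an assumption to confirm against your Thunderbird version, and the sample prefs.js fragments are constructed.

```python
import re

# Thunderbird writes changed settings to prefs.js as: user_pref("name", value);
# Settings left at their defaults are not written, so absent keys fall back to
# the defaults assumed here (Original HTML rendering, remote content blocked).
PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.MULTILINE)

HTML_AS_ORIGINAL = 0  # full HTML rendering: the risky setting
HTML_AS_PLAINTEXT = 1
HTML_AS_SIMPLE = 3    # sanitised "Simple HTML": the safe setting


def parse_prefs(text):
    """Return a dict of preference name -> typed value (bool, int or str)."""
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def assess_efail_exposure(prefs):
    """Report whether both Efail preconditions from the text are present."""
    html_as = prefs.get("mailnews.display.html_as", HTML_AS_ORIGINAL)
    remote_blocked = prefs.get("mailnews.message_display.disable_remote_image", True)
    findings = []
    if html_as == HTML_AS_ORIGINAL:
        findings.append("full HTML rendering: set mailnews.display.html_as to 3 (Simple HTML)")
    if not remote_blocked:
        findings.append("remote content allowed: set mailnews.message_display.disable_remote_image to true")
    # Exfiltration needs both: rendered HTML around the plaintext and a network fetch to carry it out
    return {"exposed": html_as == HTML_AS_ORIGINAL and not remote_blocked, "findings": findings}


# Constructed sample prefs.js fragments (not taken from a real profile)
WEAK_PREFS = '''user_pref("mailnews.display.html_as", 0);
user_pref("mailnews.message_display.disable_remote_image", false);
user_pref("mail.identity.id1.useremail", "alice@example.com");
'''
HARDENED_PREFS = '''user_pref("mailnews.display.html_as", 3);
user_pref("mailnews.message_display.disable_remote_image", true);
'''

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PREFS), ("hardened", HARDENED_PREFS)):
        print(label, assess_efail_exposure(parse_prefs(text)))
```

Point the script at your own profile’s prefs.js to check a live configuration; a result with findings but exposed set to False means only one of the two preconditions is met.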
All in all, Enigmail is a fantastic option for email privacy. Compared to encrypted email providers like ProtonMail and Tutanota, it has the advantage that you can still use your old email account and therefore keep taking advantage of its features. You can keep your 15GB of free Gmail or Outlook.com storage instead of being restricted to the 500MB of a ProtonMail or the 1GB of a Tutanota account. This has, however, the disadvantage that Google still sees who you contact. They do not see what you write, because that is encrypted by Enigmail.