Lead Image © Kirill Bodrov, 123RF.com

Posteo, Mailbox.org, Tutanota, and ProtonMail compared

More Secure Email

Encryption and server locations in Germany and Switzerland are sought-after attributes in the search for a more secure and reliable email service. We compare four providers who promise to protect your privacy. By Ferdinand Thommes

It is a truism that nothing is actually free: The vast majority of email providers who offer free email forwarding and a webmail client are ad-supported and collect users' data to evaluate and resell it. Each document published from Edward Snowden's treasure trove just makes the situation more threatening – the amount of metadata and email that intelligence services store for evaluation is difficult to comprehend.

When the US mail service Lavabit [1] – where Snowden was a customer – was brought to its knees by the FBI because the owner refused to disclose the SSH key to his server and thus his customers' metadata, it became clear to many European users that a local provider offering the most secure email possible was the better choice – even if it cost a little more each month.

Trust Is Important

Trust involves not only the services provided, but where the data is actually stored. Since the NSA affair, many people no longer trust service providers from the United States. Having a service provider located in Germany (or another German-speaking country) might not guarantee greater data security or privacy, but the data protection regulations there inspire more trust than those of many other countries. This prompted a closer look at four email service providers from German-speaking countries (Table 1).

Table 1: Email Providers Compared

| Feature | Posteo | Mailbox.org | Tutanota | ProtonMail |
|---|---|---|---|---|
| Mailbox from EUR1 | Yes/2GB | Yes/2GB | Free/1GB | Free/500MB |
| Storage space expansion | Yes | Yes | Yes | Currently no |
| Free trial | 14 days | 30 days | NA | NA |
| Webmailer | Yes | Yes | Yes | Yes |
| Address book | Yes | Yes | Yes | Yes |
| Calendar | Yes | Yes | No | No |
| Mobile synchronization | Yes | Yes | No | No |
| Apps for smartphones | No | No | Android/iOS | In preparation |
| Ad-free | Yes | Yes | Yes | Yes |
| Use own domain | No | Yes | In preparation | In preparation |
| Server location | DE | DE | DE | CH |
| Email encryption in browser | Yes | Yes | Yes | Yes |
| Anonymous registration/payment | Yes/Yes | No/Yes | No | Yes |
| Passwords stored encrypted | Yes | Yes | Yes | Yes |
| Encryption with SSL/TLS | Yes | Yes | Yes | Yes |
| Fully encrypted inbox | Yes | Yes | No | Yes |
| Penetration tested | Qualys SSL-Test A+ | Qualys SSL-Test A | Syss GmbH | Audits [2] |
| TLS 1.2 | Yes | Yes | Yes | Yes |
| HTTPS/HSTS | Yes | Yes | Yes | Yes |
| DANE/DNSsec | Yes | Yes | Yes | Yes |
| Perfect Forward Secrecy | Yes | Yes | Yes | Yes |
| One-time passwords (OTP) | Yes | Yes | No | No |
| Two-factor authentication | Yes | Yes | No | Yes |
| Groupware functions | No | Yes | In preparation | In planning |

In our lab comparison, I placed special emphasis on particular criteria: security, data protection, data minimization, spam protection, transparency, sustainability, and freedom from advertising. Additionally, I looked at the functionality offered as a basic service by all the providers. In doing so, I attached great importance to whether the email provider met the five standards for secure email, as established by the US civil rights organization Electronic Frontier Foundation (EFF). This involves encrypting communications in the data center and between email servers using HTTPS and HSTS [3] and Perfect Forward Secrecy (PFS) [4].

Posteo

Posteo [5], out of Kreuzberg, Berlin, has existed since 2009 and, at six years old, is the oldest of the email providers tested. The service provider, located not far from the place where Konrad Zuse first put his Z3 computer [6] into operation, advertises itself as "green, secure, ad-free."

From Posteo, you can get email and synchronizable calendars, as well as address books that can also be encrypted, for EUR1 per month. The mailbox has 2GB of storage space, and email is retrieved via POP3 or IMAP. You can reserve additional storage space, or more than the two alias addresses included, for a tiny amount per month. Storage can be expanded to a total of 20GB; each additional gigabyte above the basic offer costs EUR0.25 per month. So, for 20GB, you end up paying EUR5.50 per month.

Posteo does not provide its own apps for mobile devices, but integration into the mobile K-9 client [7] works without problem. Using the CardDAV and CalDAV protocols, you can synchronize your addresses and appointments (Figure 1) between several computers or mobile devices in the web front end (Figure 2).

Figure 1: You can synchronize dates and addresses between your computers and mobile devices with Posteo using CardDAV and CalDAV.
Figure 2: Posteo provides only a single vertical split, meaning the webmail provider wastes a huge amount of space on a widescreen display.

Posteo provides an intuitive web client (Figure 3), but it can also be integrated easily into Kmail, Thunderbird, and other popular email clients. Registration is simple: You just need to enter the desired email address and password. The customer remains completely anonymous both here and during the checkout process – if desired. Payment can be made by direct debit or PayPal, by post, or directly into the company's mailbox. Customers determine the desired anonymity themselves.

Figure 3: The Posteo webmail client provides the most important functions, and you can optionally create your email in HTML format.

In any case, Posteo promises not to attempt to link email addresses and real names. This step ensures that the provider cannot assign mail to a billing account even if asked to do so by the authorities. Posteo proved that it is serious about protecting privacy when, after a visit from officials, it filed a disciplinary complaint and a criminal complaint against the officers [8]. The proceedings are still pending.

Sustainability is an important aspect in the Posteo concept [9]. The Posteo server not only consumes green power, but the provider also took ecological aspects into consideration when selecting the furniture for its offices. On the technical side, open source software is used across the board, and Posteo naturally gives back its in-house developments as free software on GitHub [10].

The hard disk drives in the company's Linux servers, which are located in a data center in Frankfurt, are encrypted with dm-crypt/LUKS. Communication between the servers is also encrypted. In the browser, Mailvelope [11] takes care of OpenPGP encryption (Figure 4), and TLS provides security in transit.

Figure 4: To read or write encrypted email in the Posteo webmail front end, you need to install the Mailvelope browser extension.

DNS-based Authentication of Named Entities (DANE/TLSA) has also been used since May 2014 to avert weak points in the TLS protocol. PFS also makes sure that previously intercepted email traffic cannot be decrypted afterward, even if – as happened at Lavabit – the operator's private SSH key has been compromised.
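As an added illustration of the DANE/TLSA check mentioned above (this is not code from the article or from any of the providers): a receiving server publishes a TLSA record under _25._tcp.<mx-host>, and a sending server compares the certificate the MX presents against that record instead of trusting a CA alone. The certificate bytes here are a constructed DER skeleton with the X.509 field layout, not a real certificate, and the record handling follows the selector and matching-type fields of RFC 6698.

```python
import hashlib
import hmac

def der_read(buf, pos):
    """Read the DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """(tag, elem_start, elem_end) for each element of a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, _, ve = der_read(buf, pos)
        out.append((tag, pos, ve))
        pos = ve
    return out

def extract_spki(cert):
    """DER bytes of subjectPublicKeyInfo, the object TLSA selector 1 refers to."""
    _, cert_vs, _ = der_read(cert, 0)                # Certificate ::= SEQUENCE
    _, tbs_vs, tbs_ve = der_read(cert, cert_vs)      # tbsCertificate ::= SEQUENCE
    fields = der_children(cert, tbs_vs, tbs_ve)
    # [0] EXPLICIT version is optional; then serial, signature, issuer, validity, subject, spki
    spki_index = 6 if fields[0][0] == 0xA0 else 5
    _, s, e = fields[spki_index]
    return cert[s:e]

def tlsa_data(cert, selector, mtype):
    """Certificate association data per RFC 6698: selector 0/1, matching type 0/1/2."""
    subject = cert if selector == 0 else extract_spki(cert)
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError("unknown matching type %d" % mtype)

def make_tlsa(cert, usage=3, selector=1, mtype=1):
    """Presentation-format record an operator publishes at _25._tcp.<mx-host>."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_data(cert, selector, mtype).hex())

def tlsa_match(record, cert):
    """True if the end-entity certificate presented by the MX matches the record."""
    usage, selector, mtype, data = record.split()
    if int(usage) not in (1, 3):                      # 0/2 name a CA: needs the chain, not the leaf
        raise ValueError("only end-entity usages (1, 3) are compared against the leaf")
    return hmac.compare_digest(tlsa_data(cert, int(selector), int(mtype)), bytes.fromhex(data))

# Constructed sample: a DER skeleton with the X.509 field layout (unsigned, not a real cert).
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

ECDSA_SHA256 = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))
                            + der(0x06, bytes.fromhex("2a8648ce3d030107")))
                   + der(0x03, b"\x00\x04" + bytes(range(64))))      # dummy P-256 point
_tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ECDSA_SHA256
           + der(0x30, b"") + der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"160101000000Z"))
           + der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, _tbs + ECDSA_SHA256 + der(0x03, b"\x00" + bytes(70)))
```

A "3 1 1" record (DANE-EE, SPKI, SHA-256) survives certificate renewals that keep the same key pair, which is why it is the form most MX operators publish; the record itself only helps if the zone is DNSSEC-signed.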

Since November 2014, Posteo has also provided secure two-factor authentication [12] in the web client. Additionally, the provider is currently working on end-to-end encryption [13], which it intends to roll out at no extra charge for all users of its currently some 100,000 mailboxes. Optional encryption of incoming mail (inbound encryption) has been available since January 2015.

You can get help using Posteo's many functions in the webmail provider's quite detailed documentation. Problems brought to their attention by email were dealt with quickly; in one case, however, this took three working days. Posteo is looking to expand its service in the future. Interested parties can test the Posteo email service free of charge for 14 days; afterward, the minimum charge is EUR12.

Mailbox.org

The provider Mailbox.org [14] belongs to Peer Heinlein Support GmbH, which provides Linux training in addition to web hosting and email services. Mailbox.org (Figure 5) started in February 2014, and its servers are in Berlin, where the company also is located. Although Mailbox.org has only recently offered its services in their current form, Heinlein and his colleagues already have around 20 years of experience as service providers to email providers.

Figure 5: The Mailbox.org central portal informs you about upcoming events, recently edited documents, and the latest email in the Inbox.

As with Posteo, the basic Mailbox.org service costs EUR1 per month, which includes 2GB of storage, three aliases, and 100MB of storage for the office solution that was added at the end of last year and is based on the Open-Xchange [15] groupware product. This also provides task scheduling, word processing, and data exchange in the style of Google Docs or Dropbox (Figure 6).

Figure 6: Along with its email function, Mailbox.org comes with a complete office suite with word processing, spreadsheet, and online storage.

You can draw on the WebDAV protocol supported natively by many file managers for data synchronization with Linux. For mobile devices, apps like OX Drive for Android [16] let you use the online store conveniently on the road (Figure 7). Mailbox.org positions its office solution as an alternative to Google Apps or Office 365.

Figure 7: With Drive, Mailbox.org assumes the role of Google Drive or Dropbox. Open-Xchange apps, such as OX Drive here, are also available for mobile operating systems.

The service also collaborates with the Open-Xchange developers on OX Guard mail and file encryption, which is currently in testing. Two other plans let you increase your mail storage to 5 or 25GB, whereas the 100MB of storage space for Office remains the same. With its offer of an account with 20GB of storage space for EUR1 per month, Heinlein is cheaper than Posteo and also provides basic office functionality. The most expensive plan, OfficeXXL, offers 50GB of storage space for email and 500GB for Office documents, which is reflected in the cost of EUR25 per month. However, in terms of formats, it is already well prepared for corporate use [17].

When you sign up with Mailbox.org, unlike with Posteo, you need to supply your first and last names; these do not, however, have to be your real names. Heinlein is very particular with the password: The service will reject the password unless it meets strict specifications. Mailbox.org has offered two-factor authentication via YubiKeys with secure one-time passwords since June 2014.

The Mailbox.org webmail client looks very tidy (Figure 8), provides a good range of settings, and allows additional email addresses from other providers to be integrated quickly. Heinlein has outsourced the relocation of email from these other email providers to an external provider who charges EUR3 per relocation.

Figure 8: With its view split in three vertically, Mailbox.org also works well on computers in widescreen format.

Posteo offers a collection service for any number of external providers free of charge. Posteo also switches off forwarding after six months to remind customers to abandon unsafe providers – extensions are possible, however. The relocation service worked quickly with both Mailbox.org and Posteo, handling around 10,000 email messages without any problems. Mailbox.org does not have its own apps, but it is working with the K-9 developers, among others, on developing a PGP keyring for Android devices and more extensive PGP support in K-9. Mailbox.org cooperates with the CalDavSync and CardDavSync developers to synchronize calendars and contacts.

Encryption in Mailbox.org relies on SSL/TLS and PGP (Figure 9). Inbound encryption, which encrypts incoming mail with the user's PGP key, also works with Mailbox.org, and the mail can then be read with apps such as K-9 Mail and Android Privacy Guard (APG). SSL/TLS is always used if the other side also supports it. Encrypted delivery can be made mandatory via an address of the form ich@secure.mailbox.org: If the other side does not use SSL/TLS, the email is not sent. You can give this address to third parties to receive email on the matching account.

Figure 9: You can upload the PGP key that you previously created on your computer and which is required for encrypted email traffic in the Mailbox.org settings.

Mailbox.org, like Posteo, also supports DANE as an additional security feature. In contrast to Posteo, the Heinlein service does not yet encrypt address books and calendars. It has, however, announced this feature, although no date has been set. Mailbox.org is also committed to ecology and sustainability, although not quite as consistently as Posteo. However, green electricity from LichtBlick and other providers, a fair bank, and fair working conditions without temporary workers and trainees help calm customers' environmental and social consciences.

Tutanota

Tutao GmbH from Hanover is the company behind the Tutanota [18] email service (Figure 10), whose name comes from the Latin for "secure message." A direct comparison with the other providers does not make sense because Tutanota currently offers few functions. On the other hand, it surpasses its competitors with its end-to-end encryption and by disclosing the entire source code [19]. Additionally, Tutanota charges no fees for the basic model, and the company has no plans to change this approach in the future.

Figure 10: Tutanota makes encrypted communication very easy, but the functionality is limited to the essentials.

The Tutanota offer is currently limited to a webmail client. The email service cannot be used with mail clients such as Thunderbird because the end-to-end encryption used here cannot be readily implemented in those clients. The free offer includes 1GB of storage and currently does not offer any additional convenience on top of the basic functions. For example, no migration tool is offered that customers could use to transfer their email from a previous provider. However, full encryption, which includes the subject and all attachments, works much more easily. The Tutao servers are located in Germany, and they store all email in encrypted form, even if the user sends it unencrypted.

The service automatically encrypts email to another Tutanota address. The recipient can open the email in the web client with no further action and can also automatically send an encrypted reply. Encrypted email also can be exchanged without much effort with recipients who do not have a Tutanota account. To this end, both sides need to agree on a password that should have the usual security features. The sender writes a message and enters the password in their web client.

The receiver, using Gmail for example, receives an email informing them of the receipt of an encrypted mail. A link directs the receiver to the Tutanota webmail, where entering the previously agreed password will decrypt the email. After that, you can then turn off the requirement to enter a password for future correspondence. The answer reaches the Tutanota account in encrypted form; however, decryption works without entering a password because this is where the password was entered in the first place. The password is thus linked to the sender's address.

Tutao offers seamless integration of full encryption in Outlook for paying users [20]. Unlike the free offer, you can send the required password by SMS for decryption with Outlook.

The whole Tutao offer was subjected to a penetration test by Syss GmbH, in which it was not possible to hack the system or gain access to sensitive data. Apps for Android and iOS are available in the respective app stores; Tutao is currently working on extensions for the web mailer. An encrypted calendar will be added shortly. The developers are considering Office functions for collaborative work in the future. The company wants to offer these and other features, including more storage, as a commercial service.

In the future, Tutanota will be looking to offer users the ability to use their own domains with the service, just like the advanced features you can add to Mailbox.org. This, however, would essentially remove the user's anonymity.

ProtonMail

The fourth provider is ProtonMail [21] from Switzerland. Several students developed the idea for this service in 2013 at the nuclear research center CERN and at MIT. The initial funding came from a crowdfunding project at Indiegogo [22]. Instead of the targeted $100,000, the developers received more than $550,000 right away – a record at Indiegogo at the time.

The service now has users in more than 120 countries and an office in San Francisco as well as Geneva. Demand is correspondingly high: When registering, you have to wait up to a few weeks for ProtonMail to activate your account. The web mailer is simple (Figure 11), offers 500MB of storage for free, allows you to send 1,000 email messages per month, and provides an address book. Commercial extensions are due to be added in the future. As a special feature, ProtonMail offers messages with user-definable expiration dates.

Figure 11: The ProtonMail servers are located in Switzerland. Users of the service therefore benefit from the country's disclosure policies.

ProtonMail offers several encryption models. The system sends email between ProtonMail users natively through a secure tunnel. This end-to-end encryption can also be used by ProtonMail for sending to other mail providers, but not for receiving from them again, unlike with Tutanota.

Unlike the other providers mentioned here, ProtonMail is subject to Switzerland's data protection laws. The advantage of this is that the authorities and intelligence agencies who collect particularly sensitive personal data are obligated to inform the stakeholders about this. By definition, mandatory disclosure also applies to data that supports profiling.

Which Provider to Choose

Currently, Posteo and Mailbox.org without doubt provide the largest range of functions. Posteo focuses on maximum user anonymity and offers an attractive business model for customers who value sustainability and environmentally correct behavior.

The range of functions from all the providers is certainly enough for everyday use, even if the emphasis differs somewhat. The web clients still struggle with minor hiccups, especially if the respective windows remain open in the browser for several days. In our lab, the Mailbox.org web client performed slightly better. The service uses a simple interface that also works well on widescreen displays because of its optional vertically split view. Anyone who places value on complete anonymity will be best off using Posteo; Mailbox.org does well with its additional office functions for collaborative work and its 20 years of experience.

Tutanota might offer a free basic model – but money should not be a decisive factor when making your decision. However, a free account decreases the inhibition threshold, making the service available to everyone. The end-to-end encryption, even for users without a Tutao account, can hardly be surpassed in terms of simplicity, and Tutanota is the first to offer the opportunity to encrypt simply but securely. However, the service does lack some features, meaning that Tutanota is only really useful for email that you need to encrypt. The service also works with Android and iOS. Users will have to wait and see where Tutanota is heading. When asked, the company spokesperson stated that more functions would be added and that the initial focus had been full encryption.

The newest provider in our survey, ProtonMail, has been in business for less than one year. The service is still in the beta phase; however, with its coffers well filled by crowdfunding, it is blooming into a serious competitor for Posteo and Mailbox.org.

Like Gmail [23] and Yahoo Mail [24], the major providers here are also working on simple-to-use full encryption. It's always nice to see how small providers encourage large companies to do good. For example, when Posteo presented a transparency report [25] in May 2014, Telekom followed suit the same day, although they had previously declared that it was up to lawmakers to make disclosing this information mandatory.

Conclusions

Absolute security does not, and probably will not ever, exist in IT – certainly not as long as governments and their services try to control users' data. Only recently, President Obama called for back doors in encryption software [26].

The providers presented here considerably improve security and anonymity compared with the big freemailers, without requiring too much detailed knowledge. However, this will not be enough if you're the next Edward Snowden: In this case, you should look at much more complicated applications, such as I2P messenger [27] or Pond [28].