From c5f35e5c763352c6e40db13d909d5f17a6c102c3 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Sun, 26 Jul 2020 17:36:08 +0100 Subject: [PATCH] Adds Warning to Encrypted Email Section --- 5_Privacy_Respecting_Software.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/5_Privacy_Respecting_Software.md b/5_Privacy_Respecting_Software.md index 66bb979..ee789f5 100644 --- a/5_Privacy_Respecting_Software.md +++ b/5_Privacy_Respecting_Software.md 
@@ -222,6 +222,9 @@ See [OpenTechFund- Secure Email](https://github.com/OpenTechFund/secure-email) f - **[CriptText](https://www.criptext.com/)** - CriptText is another option- it's encrypted, free and open source, but works a little differently from convectional mail. There is no cloud storage, and all email is instead stored on your devices. This greatly improves security- however you must be signed into the app (either on desktop or mobile) in order to receive mail. If you are not signed in, then mail sent to you will be permanently lost. For mobile users, your device can be offline or in airplane mode for up to 30 days before mail becomes discarded. The client apps are very good, email is synced seamless between devices, and you can enable automated and encrypted backups. Since your email is stored on your device, they are able to work offline- due to this, there is no web client. Encryption is done with the [Signal protocol](https://en.wikipedia.org/wiki/Signal_Protocol) (rather than PGP), and there are a bunch of really neat features that you can use while communicating to other Criptext users. Criptext is still in beta, but with an extremely smooth user experience, and no noticeable usability bugs. +### Word of Warning +- When using an end-to-end encryption technology like OpenPGP, some metadata in the email header will not be encrypted. +- OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. You should take great care to keep your private keys safe. ### Self-Hosted Email If you do not want to trust an email provider with your messages, you can host your own mail server. Without experience, this can be notoriously hard to correctly configure, especially when it comes to security. You may also find that cost, performance and features make it a less attractive option. 
If you do decide to go down this route, [Mail-in-a-box](https://mailinabox.email/), is an easy to deploy, open source mail server. It aims to promote decentralization, innovation, and privacy on the web, as well as have automated, auditable, and idempotent system configuration. Other ready-to-go self-hosted mail options include [Mailu](https://mailu.io/1.7/) and [Mail Cow](https://mailcow.email/), both of which are docker containers.
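Review bot: In the second added bullet, "all previous messages encrypted with it will be exposed" is imprecise. OpenPGP messages are encrypted to a public key and decrypted with the matching private key, so a stolen private key exposes the past messages that were encrypted to its owner. Suggested wording: "if a private key is ever stolen, all previous messages encrypted to the matching public key can be decrypted". The first bullet says "some metadata in the email header" without naming any; listing the fields a reader would care about (for example sender, recipient and date) would make the warning actionable. Because the preceding entry states that Criptext uses the Signal protocol rather than PGP, the new section should also say that both warnings apply to OpenPGP-based mail only, not to every entry in the list. Minor: "Forward secrecy" is capitalised mid-sentence.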