It has been brought to our attention that recent versions of Mail on OS X (perhaps starting with 10.10, but definitely since 10.11) will re-download all of your email from your email server. And since your server doesn’t encrypt your email, that’s a serious concern.
This means that the following attack is possible to bypass Espionage’s protection of your email:
- While Mail’s folder(s) are locked and empty, open Mail.
- Follow the dialogs and allow Mail to import your messages.
- Wait for a while as your email is re-downloaded.
We do not believe this behavior existed in older versions of OS X, but we still should have noticed earlier. Our sincere apologies for not having done so ourselves, and our sincere thanks to the customer who reported this issue!
During our investigations, we were not able to find any folder that could be encrypted to prevent this from happening. This has led us to conclude that Mail must be fetching account information directly from OS X’s keychain.
Mitigation
Unless Apple changes their code for Mail.app, there doesn’t appear to be a way to prevent it from using the credentials in OS X’s Keychain to re-download all messages—where, we should emphasize, they are unencrypted.
There are at least three mitigations:
Option #1: Move messages to the “On My Mac” section
In the sidebar on the left that shows all of your accounts and mailboxes, there should be a section that says “On My Mac”:
If this section is missing, you can make it appear by creating a new “local” mailbox via the Mailbox menu: Mailbox > New Mailbox…, then set Location to “On My Mac”.
All folders in this section correspond to folders only on your Mac (and not the server). Therefore, any messages moved into these folders should disappear from the server and won’t be re-downloaded by Mail.
You can use Mail’s Inbox Rules (via the Preferences) to automatically move messages to one of these local folders. The downside is that these messages will no longer be synced to your other devices.
Option #2: Use GPGTools to encrypt messages
You can use the wonderful GPGTools software to store, send, and receive messages that are encrypted even on the server. However, this approach isn’t for everyone as it may be somewhat less user-friendly, and it requires that the recipient also be using GPG.
Option #3: Don’t use Mail.app
Use an email app that either does not store its credentials in the Keychain, or (if it does) does not re-download everything if its primary data folder is missing.
You can verify this yourself by encrypting the data folder of an app like Thunderbird and then opening the app while its folder is locked. If it does not re-download everything, then at least the messages on your computer should be safe. The messages on your email server or on your friends’ computers… are a different story.
Conclusion: Email Must Die
I have spent a good portion of my life attempting to fix email and working on the general problem of secure messaging. You’d think this would be easy, right? Wrong!
Here’s what my quest has involved so far:
- Starting a company to support the development of a generic folder encryption product (Espionage).
- Starting a non-profit, which led to the creation of DNSChain and various offspring projects.
- Diving deep into blockchain technology.
- Creating an open-source project to simplify self-hosting and migrating your email.
Yet here I am, 8 years later… Email is still an unsolved problem and it is only getting worse. The complexity of self-hosting means more people are relying on companies like Google and Microsoft, and this has led to a centralization of the entire system. These entities are now using their position to further discourage self-hosting by (possibly illegally) dropping or junking email from correctly set up email servers, using spam as an excuse to secure their monopoly.
It’s because of this that I’ve come to the conclusion that email must die.
I’ll leave you with a few email-related tweets:
1/ Email is one of the worst communications systems ever invented. SPF, DKIM, SMTP, POP3, IMAP, plaintext, insecure, broken nightmare.
— Greg Slepak (@taoeffect) March 3, 2015
2/ Google and other hosting companies *LOVE* this broken system because it makes everyone depend on them for this service. Locks ‘em in.
— Greg Slepak (@taoeffect) March 3, 2015
3/ I am seriously starting to think that maybe the best thing to do with email might be to just get rid of it.
— Greg Slepak (@taoeffect) March 3, 2015
Looks like I correctly predicted @Yahoo would fail to meet end-of-year deadline to end-to-end encrypt all email. https://t.co/wJg2QL4k4i
— Greg Slepak (@taoeffect) January 1, 2016
Email died somewhere around here, possibly well before then: https://t.co/RihepnBryr https://t.co/y39DRdmgYA
— Greg Slepak (@taoeffect) February 13, 2016
Use Airmail instead. Mail on OS X has always been a pain to use.
I agree that email is a morass of problems. But I don’t think it should die.
IMHO it’s still the best messaging tool for work and academic environments where people need to be able to manually prioritize and document.
I hope we’re not limited to browser based email in the future. I read 17 accounts and need a client to let me know when new mail arrives. 17 tabs in a browser is not efficient.
By “die” I mean be replaced with a better system that doesn’t have all of its problems. You know, the “platonic ideal” of what email should be. 🙂
Agreed.
Years ago Microsoft had a proposal for spam free email. IIRC they would make the protocols and techniques free or public domain. Because it was Microsoft the industry laughed.
Microsoft’s research group has many top-notch computer scientists. Sadly, very little of what they come up ends up in Microsoft’s products. Maybe if they used Macs… 😉
My production Mac runs Snow Leopard and its Mail.app. IMHO the best Mail.app ever.
Hi Greg, I just came across the Empress project via this post, can I ask are you still moving forward with that project at all? Thank you!
Hi encrypt, I would say that Empress is “on hold”, but not that I’ve abandoned it. It’s just that at the moment there are much higher priorities that I must focus on.
Proton Mail
https://protonmail.com
Familiar with it?
Comments about it?
Yes, very familiar. These belong to a genre of centralized email services that have fundamental problems due to their centralization, and it’s why I did not list them in this post as alternatives.
If the email addresses used are provided by Apple (i.e. iCloud), I’m fairly certain they are covered by Apple’s two factor authentication (if enabled). I recently updated to OS 10.11, and had to authenticate my iCloud addresses with a pin sent to a trusted device. Likewise, I had to do the same for a gmail address while setting up Mail.
I agree with your assessment about centralized email services such as Google. I stopped using anything “Google” when I learned they scanned my email messages.
I have been satisfied with a service called “Fastmail” because of their reliability and believed security of my information.
Do you have an opinion about Fastmail?
I haven’t used it, so no, however like basically all email services there will be various security-related issues with it, which can be perfectly OK if your goal isn’t to have a private conversation with someone.
Resurrect Eudora – email’s been a depressing experience since it died the death. I used to keep all mail and settings in a PGP disk; if it wasn’t mounted, Eudora did nothing as it had no access to settings, so completely fail safe.
Agreed though, the whole mess needs looking at from the ground up. Not holding my breath!
A partial solution is to place the Mail folder in an encrypted disk image and use a corresponding symlink from the Library (user) folder. Mail will not launch without the disk image being unlocked.
I say partial, because theoretically someone could overwrite the symlink with an empty Mail folder and messages would be re-downloaded, but in practice someone would have had to overcome the other security measures in place so the security of Mail would probably be the least of your worries.
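The disk-image-and-symlink approach described in this comment, together with a guard for the failure mode it names (the symlink being replaced by an empty Mail folder, which would let Mail.app re-download everything), as an added shell example. This is not the commenter's or the post's code; the image path, volume name and 20 GB size are assumptions, and the `hdiutil` invocation is the standard one for creating and mounting an encrypted sparse bundle.

```shell
#!/bin/sh
# Added example: keep ~/Library/Mail inside an encrypted sparse bundle and
# refuse to start Mail.app unless the symlink still points into the mounted
# image and that image actually holds messages.
# Assumed locations (override via environment if yours differ):
MAIL_IMAGE="${MAIL_IMAGE:-$HOME/MailStore.sparsebundle}"   # encrypted image file
MAIL_VOLUME="${MAIL_VOLUME:-/Volumes/MailStore}"           # mount point once attached
MAIL_DIR="${MAIL_DIR:-$HOME/Library/Mail}"                 # the path Mail.app reads

# One-time setup: create an AES-256 encrypted sparse bundle (hdiutil prompts for
# the passphrase), mount it, move the existing mail store into it and leave a
# symlink behind where Mail.app expects the folder.
setup_encrypted_mail_store() {
    hdiutil create -size 20g -type SPARSEBUNDLE -fs HFS+J -encryption AES-256 \
        -volname "$(basename "$MAIL_VOLUME")" "$MAIL_IMAGE"
    hdiutil attach "$MAIL_IMAGE"
    mv "$MAIL_DIR" "$MAIL_VOLUME/Mail"
    ln -s "$MAIL_VOLUME/Mail" "$MAIL_DIR"
}

# Guard: is the mail store path still a symlink to the expected target, and is
# that target a mounted, non-empty directory?
#   $1 = path Mail.app reads (should be the symlink)
#   $2 = expected symlink target inside the mounted image
# Returns 0 when it is safe to launch Mail, 1 otherwise (reason on stderr).
mail_store_is_safe() {
    link="$1"; expected="$2"
    # A plain directory here means the symlink was replaced (the case the
    # comment warns about): Mail would treat it as a fresh install.
    [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
    actual=$(readlink "$link")
    [ "$actual" = "$expected" ] || {
        echo "symlink points to '$actual', expected '$expected'" >&2; return 1; }
    # Target missing means the image is not mounted.
    [ -d "$expected" ] || { echo "image not mounted: $expected" >&2; return 1; }
    # An empty target is not the store holding your messages either.
    [ -n "$(ls -A "$expected" 2>/dev/null)" ] || {
        echo "target is empty: $expected" >&2; return 1; }
    return 0
}

# Start Mail.app only when the guard passes.
launch_mail_safely() {
    mail_store_is_safe "$MAIL_DIR" "$MAIL_VOLUME/Mail" || return 1
    open -a Mail
}
```

Run `setup_encrypted_mail_store` once, then use `launch_mail_safely` instead of clicking the Mail icon; it refuses to start Mail when the image is not mounted, when the symlink has been swapped for a real folder, or when the target is empty, which are exactly the states in which Mail.app would pull a fresh unencrypted copy of every message from the server.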