[Security] Protecting Mail On Recent Versions Of OS X

It has been brought to our attention that recent versions of Mail on OS X (perhaps starting with 10.10, but definitely since 10.11) will re-download all of your email from your email server whenever Mail’s local data folder is missing or empty. And since your server stores your email unencrypted, that is a serious concern.

This means that the following attack bypasses Espionage’s protection of your email:

  1. While Mail’s folder(s) are locked and empty, open Mail.
  2. Follow the dialogs and allow Mail to import your messages.
  3. Wait a while as your email is re-downloaded into a fresh, unencrypted Mail folder.

We do not believe this behavior existed in older versions of OS X, but we still should have noticed it earlier. Our sincere apologies for not having done so ourselves, and our sincere thanks to the customer who reported this issue!

During our investigation we were not able to find any folder that could be encrypted to prevent this from happening. This has led us to conclude that Mail must be fetching account information directly from OS X’s Keychain.

Mitigation

Unless Apple changes their code for Mail.app, there doesn’t appear to be a way to prevent it from using the credentials in OS X’s Keychain to re-download every message from the server (where, we should emphasize, they are stored unencrypted) into a fresh, unencrypted Mail folder.

There are at least three mitigations:

Option #1: Move messages to the “On My Mac” section

In the sidebar on the left that shows all of your accounts and mailboxes, there should be a section labelled “On My Mac”:

[Image: the “On My Mac” section in Mail’s sidebar]

If this section is missing, you can make it appear by creating a new local mailbox via the Mailbox menu: Mailbox > New Mailbox…, then set Location to “On My Mac”.

All mailboxes in this section exist only on your Mac, not on the server. Therefore, any messages moved into them are removed from the server and won’t be re-downloaded by Mail. Confirm this in your provider’s webmail after moving a few messages: some providers keep a copy of messages deleted over IMAP (Gmail’s “All Mail” archive is the usual example), and a copy that remains on the server is a copy Mail can download again.

You can use Mail’s rules (Preferences > Rules) to move incoming messages to one of these local mailboxes automatically. The downsides are that these messages will not be synced to your other devices, and that a message is only moved once Mail has fetched it, so mail that arrives while Mail is closed sits on the server until then.

Option #2: Use GPGTools to encrypt messages

You can use the wonderful GPGTools software to store, send, and receive messages that are encrypted even on the server. However, this approach isn’t for everyone: it is somewhat less user-friendly, it requires that your correspondents also use GPG, and it protects only message bodies and attachments; the subject, sender, recipients and other headers remain readable on the server.

Option #3: Don’t use Mail.app

Use an email app that either does not store its credentials in the Keychain, or (if it does) does not re-download everything when its primary data folder is missing.

You can verify this yourself by encrypting the data folder of an app like Thunderbird and then opening the app while its folder is locked. If it does not re-download everything, then at least the messages on your computer should be safe. The messages on your email server or on your friends’ computers… are a different story.
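A check to go with the mitigations above, added here as an example rather than anything from the original post or from Espionage: a small POSIX shell guard that classifies the state of Mail’s data folder and refuses to launch Mail unless the folder is the real, unlocked one. It assumes the folder lives at ~/Library/Mail (override with MAIL_DIR) and that you create a marker file, named .mail-unlocked here, inside the decrypted folder once; both are assumptions, not something the post prescribes. It also covers the symlink-into-a-disk-image arrangement discussed in the comments below, where the symlink target disappears while the image is unmounted. The Keychain check uses the macOS security(1) command and is only meaningful on a Mac.

```shell
#!/bin/sh
# Added example (not from the original post or from Espionage): refuse to launch
# Mail.app while its data folder is locked, missing, or replaced by an empty
# directory, which is the state in which Mail offers to "import" and then
# re-downloads everything from the server.
#
# Assumptions (not from the post): the folder is ~/Library/Mail, and you have
# dropped a marker file named .mail-unlocked into the real (decrypted) folder.

MAIL_DIR="${MAIL_DIR:-$HOME/Library/Mail}"
SENTINEL=".mail-unlocked"   # hypothetical marker name

# mail_folder_state DIR
# Prints exactly one word describing DIR:
#   dangling     DIR is a symlink whose target is absent (disk image not mounted)
#   missing      DIR does not exist (the folder is locked away)
#   empty        DIR exists but has no entries (a fresh folder: Mail would re-download)
#   no-sentinel  DIR has content but not our marker (not the folder we encrypted)
#   ok           DIR contains the marker file
mail_folder_state() {
  _dir=$1
  if [ -L "$_dir" ] && [ ! -e "$_dir" ]; then
    echo dangling
  elif [ ! -d "$_dir" ]; then
    echo missing
  elif [ -z "$(ls -A "$_dir")" ]; then
    echo empty
  elif [ ! -f "$_dir/$SENTINEL" ]; then
    echo no-sentinel
  else
    echo ok
  fi
}

# keychain_has_imap_password SERVER
# macOS-only check behind the post's observation that Mail pulls its credentials
# from the Keychain: a match means Mail can log in to SERVER with nothing on
# disk but the Keychain entry. Uses the real `security find-internet-password`.
keychain_has_imap_password() {
  security find-internet-password -s "$1" -r imap >/dev/null 2>&1
}

# launch_mail
# The guard: returns 0 only if the folder is "ok" and Mail was started.
launch_mail() {
  state=$(mail_folder_state "$MAIL_DIR")
  if [ "$state" != ok ]; then
    echo "refusing to open Mail: $MAIL_DIR is $state" >&2
    return 1
  fi
  open -a Mail
}

# Usage: MAIL_DIR=... sh mail-guard.sh --launch
if [ "${1:-}" = "--launch" ]; then
  launch_mail
fi
```

Run it as `sh mail-guard.sh --launch` instead of clicking Mail in the Dock. The guard only helps for launches that go through it: a mailto: link, Spotlight or the Dock still opens Mail directly, and it does nothing against someone who can already write to your home folder and plant the marker themselves. Its value is in catching the accidental case the post describes, opening Mail while the folder is locked, before Mail gets as far as the import dialog.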

Conclusion: Email Must Die

I have spent a good portion of my life attempting to fix email and on the general problem of secure messaging. You’d think this would be easy, right? Wrong!

Here’s what my quest has involved so far:

Yet here I am, eight years later, and email is still an unsolved problem; it is only getting worse. The complexity of self-hosting means more people rely on companies like Google and Microsoft, and this has led to a centralization of the entire system. These entities are now using their position to further discourage self-hosting by (possibly illegally) dropping or junking email from correctly set-up email servers, using spam as the excuse to secure their monopoly.

It’s because of this that I’ve come to the conclusion that email must die.

I’ll leave you with a few email-related tweets:

13 thoughts on “[Security] Protecting Mail On Recent Versions Of OS X”

  1. Brian

    Use Airmail instead. Mail on OS X has always been a pain to use.

  2. Samuel Herschbein

    I agree that email is a morass of problems. But I don’t think it should die.

    IMHO it’s still the best messaging tool for work and academic environments where people need to be able to manually prioritize and document.

    I hope we’re not limited to browser based email in the future. I read 17 accounts and need a client to let me know when new mail arrives. 17 tabs in a browser is not efficient.

    1. Greg Slepak (post author)

      By “die” I mean be replaced with a better system that doesn’t have all of its problems. You know, the “platonic ideal” of what email should be. 🙂

      1. Samuel Herschbein

        Agreed.

        Years ago Microsoft had a proposal for spam free email. IIRC they would make the protocols and techniques free or public domain. Because it was Microsoft the industry laughed.

        Microsoft’s research group has many top-notch computer scientists. Sadly, very little of what they come up with ends up in Microsoft’s products. Maybe if they used Macs… 😉

        My production Mac runs Snow Leopard and it’s Mail.app. IMHO the best Mail.app ever.

  3. encrypt

    Hi Greg, I just came across the Empress project via this post; can I ask, are you still moving forward with that project at all? Thank you!

    1. Greg Slepak (post author)

      Hi encrypt, I would say that Empress is “on hold”, but not that I’ve abandoned it. It’s just that at the moment there are much higher priorities that I must focus on.

  4. William Lane

    Proton Mail

    https://protonmail.com

    Familiar with it?

    Comments about it?

    1. Greg Slepak (post author)

      Yes, very familiar. These belong to a genre of centralized email services that have fundamental problems due to their centralization, and it’s why I did not list them in this post as alternatives.

  5. Mark

    If the email addresses used are provided by Apple (i.e. iCloud), I’m fairly certain they are covered by Apple’s two factor authentication (if enabled). I recently updated to OS 10.11, and had to authenticate my iCloud addresses with a pin sent to a trusted device. Likewise, I had to do the same for a gmail address while setting up Mail.

  6. Larry Bankester

    I agree with your assessment about centralized email services such as Google. I stopped using anything “Google” when I learned they scanned my email messages.
    I have been satisfied with a service called “Fastmail” because of their reliability and believed security of my information.
    Do you have an opinion about Fastmail?

    1. Greg Slepak (post author)

      > Do you have an opinion about Fastmail?

      I haven’t used it, so no, however like basically all email services there will be various security-related issues with it, which can be perfectly OK if your goal isn’t to have a private conversation with someone.

  7. Mark

    Resurrect Eudora – email’s been a depressing experience since it died the death. I used to keep all mail and settings in a PGP disk; if it wasn’t mounted, Eudora did nothing as it had no access to settings, so completely fail safe.

    Agreed though, the whole mess needs looking at from the ground up. Not holding my breath!

  8. Andrew

    A partial solution is to place the Mail folder in an encrypted disk image and use a corresponding symlink from the Library (user) folder. Mail will not launch without the disk image being unlocked.

    I say partial, because theoretically someone could overwrite the symlink with an empty Mail folder and messages would be re-downloaded, but in practice someone would have had to overcome the other security measures in place so the security of Mail would probably be the least of your worries.
