• Doods@infosec.pub
    8 months ago

    So what should we do then? Switch to something else? Host our own email service?

    I really don’t know.

    • firefly@neon.nightbulb.net
      8 months ago

      It depends upon your security needs and risk assessment.

      Are you a whistleblower?

      Are you handling confidential business, financial or legal communication?

      Are you being monitored by state agents?

      Are you sharing love letters with someone?

      Are you discussing or transferring confidential records?

      You have to look at and assess your use case before you can decide on a solution.

      No matter what your risks are, every solution should ALWAYS include end-to-end encryption in which the parties own and control their own encryption keys and identity on their own devices, not in the cloud.

      That is the baseline. Then depending on your situation there are other factors and solutions to consider on top of the baseline.

      When you own and control your encryption keys on your own device, then no third party can turn over your keys to a hostile entity. If your encryption is dependent upon a third party, they own your encryption and you have zero security, no matter how much they promise you.

      Here are a few secure communication software examples for consideration:

      Onionshare: https://onionshare.org/
      Retroshare: https://retroshare.cc/
      Bitmessage: https://bitmessage.org