As someone who has read plenty of discussions about email security (some of them in this very community), including all kind of stuff (from the company groupie to tinfoil-hat conspiracy theories), I have decided to put too many hours some time to discuss the different threat models for email setups, including the basic most people have, the “secure email provider” one (e.g., Protonmail) and the “I use arch PGP manually BTW”.

Jokes aside, I hope that it provides an overview comprehensive and - I don’t want to say objective, but at least rational - enough so that everyone can draw their own conclusion, while also showing how certain “radical” arguments that I have seen in the past are relatively shortsighted.

The tl;dr is that email is generally not a great solution when talking about security. Depending on your risk profile, using a secure email provider may be the best compromise between realistic security and usability, while if you really have serious security needs, you probably shouldn’t use emails, but if you do then a custom setup is your best choice.

Cheers

  • @wazoobonkerbrain
    link
    English
    13 months ago

    An attempt to a comprehensive threat model for emails

    That’s the subtitle, is it missing a word?

      • @[email protected]
        link
        fedilink
        English
        2
        edit-2
        3 months ago

        It would sound better as one of the following:

        • An attempt at a comprehensive…
        • An attempt to create a comprehensive…

        I don’t think it’s grammatically incorrect (native speaker, but not a grammar expert), it just sounds odd.

        • @wazoobonkerbrain
          link
          English
          23 months ago

          I considered recommending “attempt at” but “an attempt at a model” still sounds weird. OP went with “to create” which sounds better 🙂

      • @wazoobonkerbrain
        link
        English
        13 months ago

        It does. How about

        An attempt to summarize a comprehensive threat model for emails

        Or, in place of summarize - define, or outline?