I think a lot about digital privacy and security. It is a subject I care quite a lot about, and I am continually trying to optimize my posture in the ever-changing landscape. A recent batch of phishing probes sent by IT security at $DAY_JOB got me thinking about the role of e-mail accounts in a person's overall digital security posture. Even though e-mail is being used less and less for personal correspondence, it is still the backbone of most online identity, either as the authentication identity itself or as the primary method (perhaps alongside SMS or TOTP) for account recovery and password reset. This makes it a particularly important vector, and lots of account compromise and takeover attacks start with e-mail. It is also the primary way people get tricked into giving away their credentials in phishing attacks, which keeps it a popular attack vector.
The sections below describe what I think could be an optimal way to manage e-mail to protect your online privacy and limit exposure when your data turns up in the next data breach. This is balanced against what is practical in reality: a security plan that is too complex is ultimately not adhered to, and is therefore worse than not having one at all, because having a plan gives a false sense of security. It also assumes that best practices are followed elsewhere: using good, unique passwords for each account, leveraging a good password manager so you don't need to remember them, enabling 2FA wherever possible, making sure you have number port protection turned on for your mobile devices, etc. There are lots of good resources on general security posture out there and this in no way replaces any of that advice; this is just a look at one facet that may help protect you in this dystopian hellscape we are creating for ourselves.
Finally, always remember that you can't lose what you don't share and there is no substitute for good backups.
Work / Life Balance
Initially it seemed like this didn't need to be said, but with the way people are using the Internet these days it probably does. Keep your work and personal e-mail separate. Do not sign up for anything at your work address that isn't for work. Always be prepared to walk away from any of those accounts upon termination of employment. Remember that any correspondence through your work e-mail is visible to the IT department and to the vendors providing your work e-mail address. In some cases it remains the property of your employer beyond your employment with them, and there are lots of features in enterprise e-mail systems that retain messages even after they have been deleted. Keeping accounts separate is just good practice from a work/life balance perspective as well; I find that it helps to truly unplug at the end of the work day. From a security standpoint it also limits the scope of a compromise if your work account is attacked or taken over. Your employer likely has a team of people who will work to clean up a breach, but if your private accounts get compromised via your work e-mail they are unlikely to help you recover those. Furthermore, the recent round of fake phishing sent out by $DAY_JOB included really realistic-looking e-mails from various services like Dropbox, mirroring the increased sophistication of the automated attacks that are floating around, but they were super easy for me to identify because not only do I not have an account with the spoofed services, I wouldn't have signed up for them using my work e-mail.
Separation of Roles
I think in the ideal case you will want 3 different addresses. The first is for general correspondence. This goes on your resume and your website, and you give it to your friends. It is used as the account recovery e-mail for the other two accounts. That is it though; don't sign up for any other services with it. This way, when it gets out onto one of the widely-circulated 'credential stuffing' lists that are out there it is useless. They may spam you or send you phishing mails, but they won't get into any of your accounts with it. The second e-mail is for high-priority accounts only. Think anything that touches your money. Use this for online banking accounts, credit cards, investments, etc. This is where I was tempted to suggest having a separate address for each account in this category, but that's a lot of work and I think it crosses the line into too much complexity to manage for most people. The third account is for everything else. Use it for social media accounts, forums, loyalty programs, streaming services, etc.
Many e-mail providers support sub-addresses which all deliver to the same mailbox. Using this will thwart credential stuffing attacks but will not protect you in the case of e-mail account compromise. That being said, it is better than nothing. In my case, my e-mail supports the use of the separator, so given my e-mail address of email@example.com I could use firstname.lastname@example.org for my bank.
Suggesting everyone go out and get 3 personal e-mail accounts might seem a bit daunting, and the knee-jerk reaction is probably to sign up for a bunch of free accounts from Google or Microsoft, but I suggest that you avoid this route for a few reasons. Google and Microsoft are the two largest e-mail providers and it is almost certain that your employer is using one or the other to provide your e-mail. This means that a compromise could affect both your work and personal accounts, rendering moot what we are trying to do here. Back in the old days when the Internet was young, you would get an e-mail address from your ISP and use that. Many of the grey-beards on USENET (Internet forums before the web) still use these, and prior to running my own e-mail server all my e-mail addresses were provided by my ISP; however, like many users I have experienced the absolute nightmare of changing e-mail addresses when switching ISPs (or when said ISP went out of business).
Bring Your Own Domain Name
The most reliable option is to buy a domain name and use that. I've been using Gandi as a registrar for over a decade now and am a happy customer. While I don't use it they have extremely reasonable rates for e-mail hosting and if they ever do go away you can transfer your domain to another registrar and move your mailbox and not have to go change your e-mail address with every service you've ever signed up for.
If buying a domain name isn't in your wheelhouse (and it probably isn't for most) the other option is to look at dedicated e-mail providers. There is a list that can get you started on Wikipedia. I use Protonmail for some test accounts but be aware that the free accounts are a bit limited. I'd personally avoid Yahoo! mail because they are fairly invasive from a privacy perspective, and are large enough that they are constantly under attack.
Train Your Brain
The reason I put correspondence between real people in a separate bucket from your catch-all address is several-fold. Most importantly, it gives you an account to use as a recovery mechanism for the other two. It also lets you unplug from the deluge of notifications that sites send you. This way people you may actually correspond with can reach you, but those incessant (and insipid) pleas for your attention from social media can languish unopened somewhere safe. Imagine being able to have new e-mail notifications turned on again? Wouldn't that be something. Similarly, having high-value accounts go to a dedicated address means that receiving e-mail at that address should be seen as a critical event to be investigated.
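To make the two ideas above concrete, here is a small mail triage script I have added to this post as an illustration; it is not code from the original post. It assumes three constructed role mailboxes on a made-up domain (example.org), assumes "+" as the sub-address separator (the post does not name which separator its provider uses), and uses a constructed table of which sender domains are expected behind each sub-address tag. It flags two things the post calls out: any mail arriving at the high-value address is raised as an event to look at, and a sub-address tag turning up from a sender other than the service it was handed to is raised as a possible address leak or phishing attempt.

```python
"""Triage incoming mail against the three-mailbox scheme (added example)."""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Constructed role mailboxes; the real domain and names are not on the page.
ROLE_MAILBOXES: Dict[str, str] = {
    "contact@example.org": "correspondence",   # given to humans; recovery address for the others
    "money@example.org": "high-value",         # banks, cards, investments only
    "signups@example.org": "everything-else",  # social media, forums, loyalty, streaming
}

# Constructed: the sender domain each sub-address tag was handed out to.
EXPECTED_SENDER_DOMAINS: Dict[str, set] = {
    "bank": {"bank.example"},
    "shop": {"shop.example"},
}

# Assumption: "+" separates the mailbox name from the tag (plus-addressing).
SUBADDRESS_RE = re.compile(r"^(?P<local>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>.+)$")


@dataclass
class Verdict:
    mailbox_role: str
    tag: Optional[str]
    sender_domain: str
    alerts: List[str] = field(default_factory=list)


def split_subaddress(addr: str) -> Tuple[str, Optional[str], str]:
    """Return (local part, tag or None, domain), normalised to lower case."""
    m = SUBADDRESS_RE.match(addr.strip().lower())
    if not m:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return m.group("local"), m.group("tag"), m.group("domain")


def triage(headers: Dict[str, str]) -> Verdict:
    """Classify one message from its From/To headers and collect alerts."""
    _, sender = parseaddr(headers.get("From", ""))
    _, rcpt = parseaddr(headers.get("To", ""))
    local, tag, domain = split_subaddress(rcpt)
    role = ROLE_MAILBOXES.get(f"{local}@{domain}", "unknown")
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    verdict = Verdict(role, tag, sender_domain)

    # Anything hitting the money mailbox is worth a look, legitimate or not.
    if role == "high-value":
        verdict.alerts.append("mail at high-value address: treat as an event to investigate")

    # A tag only ever given to one service should only ever be used by that service.
    if tag is not None:
        expected = EXPECTED_SENDER_DOMAINS.get(tag)
        if expected is None:
            verdict.alerts.append(f"unknown tag {tag!r}: address may have been scraped or guessed")
        elif sender_domain not in expected:
            verdict.alerts.append(
                f"tag {tag!r} used by {sender_domain or 'unknown sender'}: "
                "possible address leak or phishing"
            )
    return verdict


# Constructed sample messages; only the headers the triage needs.
SAMPLE_MESSAGES = [
    {"From": "Alice <alice@friend.example>", "To": "contact@example.org"},
    {"From": "Bank <alerts@bank.example>", "To": "money+bank@example.org"},
    {"From": "Promo <news@marketing.example>", "To": "money+bank@example.org"},
    {"From": "Shop <orders@shop.example>", "To": "signups+shop@example.org"},
    {"From": "noreply@spam.example", "To": "signups+lottery@example.org"},
]


def run_samples() -> List[Verdict]:
    """Triage every constructed sample and return the verdicts in order."""
    return [triage(h) for h in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for headers, v in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{headers['To']:32} {v.mailbox_role:16} {v.alerts or 'ok'}")
```

The third sample is the interesting one: the bank tag arriving from a marketing domain is exactly the signal sub-addressing gives you that the post describes, the address has got out, and because it landed in the high-value mailbox it gets two alerts rather than one. Dropping the tag and rotating it with the bank is then a five-minute job instead of changing an address everywhere.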
It may seem like a little extra effort, but compartmentalization has long been used across many different disciplines as a way to increase security and reduce the 'blast radius' of failures. It really is no different with your digital life. Start by sharing only what you need to, because you can't lose what you don't share, then compartmentalize what you do share. All things for your job (even if you freelance and you are your own employer) in one bucket, anything that touches your money in another, anything that involves signing up for any other type of online service in a third, and then correspondence in a fourth.
I'd be interested in knowing what you might think of this. It's by no means perfect, but I tried to strike a balance that would actually make it a practical, usable system. Having several domains and running my own e-mail server, I used to have a dedicated e-mail address per account, but found it eventually quite tiresome to manage even with a good password manager and a bunch of bespoke tooling and filtering. I have been able to keep e-mail alerts turned on for both my phone and laptop though, so I suppose that part was a success.