SCRYPTMail is a brand new encrypted email provider, at the moment still in beta testing. Signing up is straightforward and only takes seconds; there were 500 accounts available when I did. All you need is to pick a username and a password; during sign up you will also be asked to create an account password and a passphrase that is used to decrypt your email inbox. Email messages are encrypted on your computer from the beginning and the passphrase never leaves it, so SCRYPTMail is unable to decrypt or facilitate decryption of your data.
The messages and attachments you send are secured with open source encryption libraries (collections of code and subroutines used by programmers) implementing AES-256 encryption; the sender keeps a private key that nobody knows and the receiver gets to read the message with a public encryption key. There is no IMAP or SMTP; encryption is done with JavaScript, and a web browser is needed for it to work.
SCRYPTMail can be used to securely communicate with users of insecure email services like Yahoo and Gmail. When you compose a message you will see a checkbox at the bottom of the page asking if you would like to “Encrypt email sent to outside users”; ticking the box will generate a 5-digit PIN that has to be entered before the message can be read. SCRYPTMail will then send a link instead of the full message, and the receiver has to click on the URL, which takes them to a secure server where they can retrieve the message.
Unfortunately I see two downsides with the automatically generated PIN. The first is that a numeric password of 5 digits is not very strong, especially as the length of the password is already known to anyone launching a brute force attack. The second is that, since you have to transmit this PIN securely to the other end, it is not practical to do this with every single email you send; it would be much more convenient if SCRYPTMail allowed you to choose your own secret alphanumeric password that could be kept for more than one message. You also have the choice of sending the email unencrypted if using a PIN is too much trouble, but in that case you don't really need SCRYPTMail.
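To put numbers on the point above, here is an added example (not SCRYPTMail's code) that compares the search space of a fixed-length 5-digit PIN with a longer PIN and a user-chosen alphanumeric password, and shows how much a server-side lockout policy changes the picture; the guess rate (10/s) and the lockout policy (5 attempts per 15 minutes) are assumed values, not anything the service documents.

```python
import math

DIGITS = 10        # alphabet size of a numeric PIN
ALPHANUMERIC = 62  # a-z, A-Z, 0-9 for a user-chosen password

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must try when the length is already known."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case time to try every candidate at a sustained online guess rate."""
    return space / guesses_per_second

def seconds_to_exhaust_with_lockout(space: int, attempts_per_window: int,
                                    window_seconds: float) -> float:
    """The same search when the server allows only `attempts_per_window`
    PIN entries per `window_seconds` before locking the link (assumed policy)."""
    windows = math.ceil(space / attempts_per_window)
    return windows * window_seconds

def compare(guesses_per_second: float = 10.0, attempts_per_window: int = 5,
            window_seconds: float = 900.0) -> dict:
    """Keyspace, entropy and time-to-exhaust in days for the PIN the review
    describes against two stronger alternatives."""
    cases = {
        "5-digit PIN": (DIGITS, 5),
        "6-digit PIN": (DIGITS, 6),
        "8-char alphanumeric": (ALPHANUMERIC, 8),
    }
    rows = {}
    for name, (n, length) in cases.items():
        space = keyspace(n, length)
        rows[name] = {
            "keyspace": space,
            "bits": round(entropy_bits(n, length), 1),
            "days_unthrottled": seconds_to_exhaust(space, guesses_per_second) / 86400,
            "days_with_lockout": seconds_to_exhaust_with_lockout(
                space, attempts_per_window, window_seconds) / 86400,
        }
    return rows

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:20} keyspace={r['keyspace']:<18,} bits={r['bits']:<5} "
              f"unthrottled={r['days_unthrottled']:.3g} d  with lockout={r['days_with_lockout']:.3g} d")
```

The 5-digit PIN falls to an unthrottled online search in under three hours, so a lockout on the retrieval link, not the PIN length alone, is what would make the scheme hold up.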
To protect your account from hijacking if your laptop is lost, an automatic session timeout logs you off after 15 minutes of inactivity. You can see a countdown timer while you are logged in; it resets to 900 seconds when you click on a tab or do some other action. The user can't change the preset timeout to a lower or higher number. Another security feature ensures that only one active connection is possible at a time. I tested this by opening SCRYPTMail in two browsers, Firefox and Chrome (by the way, the SCRYPTMail blog claims that it only works in Chrome, but I had no trouble using it in Firefox). I logged in with both at the same time to see what would happen, and the first connection was logged out when I logged in with the other browser. There was no warning of why I was being logged out; I expected the second login to be blocked, but that never happened. I could not understand how this feature protects me from anything if an intruder who gets in kicks me out of my account without even a notice saying why this is happening.
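As an added illustration of how the two session rules described above (a 900 second idle countdown and one active connection per user) can be enforced while still telling the displaced user why they were logged out, here is example code that is not SCRYPTMail's own; the injectable clock and the reason strings are assumptions made for this example.

```python
import secrets
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 900  # the 15 minute inactivity limit described above

class Session:
    def __init__(self, user: str, now: float):
        self.user = user
        self.last_activity = now
        self.ended_reason: Optional[str] = None  # why it ended, so the user can be told

class SessionStore:
    """One active session per user plus an idle timeout. A displaced or expired
    session keeps the reason it ended so the next request can show it to the user."""
    def __init__(self, clock):
        self.clock = clock  # injectable time source (assumed, for deterministic tests)
        self.sessions: Dict[str, Session] = {}
        self.active_by_user: Dict[str, str] = {}

    def login(self, user: str) -> str:
        old = self.active_by_user.get(user)
        if old in self.sessions and self.sessions[old].ended_reason is None:
            # Enforce a single active connection, but record why the old one ended.
            self.sessions[old].ended_reason = "logged in from another browser"
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.clock())
        self.active_by_user[user] = token
        return token

    def touch(self, token: str) -> Tuple[bool, Optional[str]]:
        """Call on every request. Returns (still_valid, reason_if_ended)."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown session"
        if s.ended_reason is not None:
            return False, s.ended_reason
        now = self.clock()
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            s.ended_reason = "idle for more than 15 minutes"
            return False, s.ended_reason
        s.last_activity = now  # any action resets the countdown to 900 seconds
        return True, None

    def seconds_remaining(self, token: str) -> float:
        """What the countdown timer in the web UI would display."""
        s = self.sessions[token]
        return max(0.0, IDLE_TIMEOUT_SECONDS - (self.clock() - s.last_activity))
```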
Private and public encryption keys can be regenerated in settings without having to redistribute them to others, as encryption and decryption take place on your computer with JavaScript. The encryption key strength can be chosen by the user in settings; the default is RSA keys of 512/1024 bits. Theoretically it can be changed to up to 2048/4096 bits, and the options are listed, although they are greyed out and I could not select them. What I did manage to do was to export the RSA encryption keys after entering my passphrase and store them offline.
I sent myself a couple of test messages to make sure that SCRYPTMail hides the sender's IP in the email headers. It did, and the headers also revealed that their mail server is in the USA, hosted with a company called Linode; SCRYPTMail headquarters are also in the USA. This can be a deal breaker for some, but unlike Hushmail, SCRYPTMail is not able to read your data and they never have access to your encryption keys. I am much more worried about their PIN number being short than about the email service being hosted in the USA.
This email service intends to roll out as a paid service once it is ready, with a planned time-delay option for sending messages and a bigger email inbox for paying users. I don't think it is too bad for a beta version, but having reviewed the Tutanota email service recently, I noticed that SCRYPTMail and Tutanota both have the same clean, simple webmail interface; perhaps they are both using the same open source framework. I don't really know, but it looks like it.
My conclusion is that if I had to choose I would rather go with Tutanota: they appear to be more polished and their services are free, and they also have a full team behind them, as opposed to SCRYPTMail being a one-man operation at the moment. But it is good to have alternatives to Hushmail, and if the choice were between Hushmail or SCRYPTMail, I would go with SCRYPTMail because the company does not have access to your private encryption keys.
Sergei
Great article and good observations. I will include your recommendations in the feature/bug list.
As for comparing with Tutanota, which is a great service: we opened our doors this week, whereas Tutanota has been operating for more than a year. That is no excuse for any bugs, of course.
hacker10
Hello Sergei,
I am glad the post can be useful to improve the service. The SCRYPTMail beta was launched two or three days ago, so it was to be expected that something could have been overlooked, but the security model foundation looks sound to me. The company is making it impossible for their own staff to read the data; this is a good protection system for the customer and company alike.
It is not easy to trust your privacy to a USA or UK company when you know that their government security agencies are serving communications providers with abusive surveillance orders; it seems that the only way to go in this age is a zero knowledge, zero access policy.
Best of luck,
hacker10
Pat
I emailed my gmail account from Scryptmail and it went directly to spam. Others are reporting the same experience.
hacker10
Hello Pat,
Thank you for reporting your experience with SCRYPTMail. I can only write about what I see, and during my testing I emailed two test messages to my Fastmail account using SCRYPTMail and had no problem at all.
hacker10
chris
Hi,
For me https://tutanota.de/ is better than Scryptmail!
I mailed my GMX account with Scryptmail and I found the mail in the spam folder, but with Tutanota I did not.
Lucy
We cannot trust traditional email anymore. B******* on the other hand bypasses cloud storage servers making it very safe to send secure email. Check it out: **************
hacker10
Listen Lucy, Yusuf, Ingrid, or whatever fake nick you are using now.
I run a very small blog, which allows me to remember most of the comments, especially those posting about a product. This is your third comment (in different months) recommending the same company while passing yourself off as a different person. I know it is you because your IP never changes; it remains 71.194.2.92, a Comcast address.
I think that, on top of being retarded for not educating yourself about using a VPN to change your IP, you need to have big balls to try and spam my blog with a service that I HAVE ALREADY REVIEWED here.
I am now going to delete all of your fake comments and modify the review to reflect that I have been spammed by that company.
Think about this before posting fake comments again. Next time come clean and say that you are the same person, I would not have a problem with that, I only have a problem with lies and cheaters.
hacker10
Sergei
@pat, this is a well known issue with new services: regardless of correct headers and the use of a DKIM signature, emails from unrecognized companies may go to spam. As it happened with Scryptmail,
if you mark such emails as not spam, they will never go to spam again. Tutanota has already been on the market for more than a year and has proved to be a legitimate company.
In fact, Scryptmail provides SPF and a DKIM signature for the service, while Tutanota provides only SPF.
Another feature I noticed Tutanota is missing is the ability to reset your password or secret phrase; Scryptmail will provide you with such an option starting from Nov 25, 2014.
JESSY
@Sergei, how does Scryptmail encrypt the metadata??
Sergei
@JESSY it's a complex question.
If you send to Gmail or other services, the short answer would be: you can't. The server needs to know who to send the message to and which server to connect to.
If within the Scryptmail domain, the message is encrypted with the public key and every recipient tries to decrypt it; only the intended recipient will be able to decrypt the message.
I hope that answers your question.
JESSY
Does that mean the metadata is not encrypted?
Or only if the mail is sent between two Scryptmail users??
Sergei
@JESSY yes. Metadata is not protected if it goes to an outside network.
Raymond Popowich
@Pat Has your experience sending email from SCRYPTmail improved over time? I tested sending to several email services, and now that their initial set of IP addresses has had time to burn in and earn a perfect 100 sender score, I don't have any problems sending to Gmail or other large email providers.
Raul
GUYS we are talking about secure email providers, right? NOW the question is: would you really trust email providers based in the U.S.?? Scryptmail is based in Texas, U.S. No, really?????? Does nobody know what the NSA and PRISM are? GOOD YEAHHHHH
John Lindley
This “secure email” service is not to be trusted. They are based in the US, meaning the US g*******t can shut SCRYPTMail down whenever they feel like it or monitor users’ activity.