gf4
/
personal-security-checklist
mirror of https://git.hackliberty.org/Awesome-Mirrors/personal-security-checklist
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Re-writes the Email Section

pull/25/head
Alicia Sykes 2020-05-17 15:17:05 +01:00 committed by GitHub
parent 7bff8fcc3a
commit 000a9b5377
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 24 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
README.md
View File

@ -121,7 +121,7 @@ This section outlines the steps you can take, to be better protected from threat
## Emails
Nearly 50 years since the first email was sent, theyre still very much a big part of our day-to-day life, and will probably continue to be for the near future. So considering how much trust we put in them, its surprising how fundamentally insecure this infrastructure is. Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk.
Nearly 50 years since the first email was sent, it's still very much a big part of our day-to-day life, and will continue to be for the near future. So considering how much trust we put in them, its surprising how fundamentally insecure this infrastructure is. Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk.
If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised (through password resets), therefore email security is paramount for your digital safety.
@ -130,21 +130,30 @@ The big companies providing "free" email service, don't have a good reputation f
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Have more than one email address** | Recommended | Keeping your important and safety-critical messages separate from trivial subscriptions such as newsletters is a very good idea. Be sure to use different passwords. This will also make it easier to recover a compromised account, in the case of a breach
**Keep security in mind when logging into emails** | Recommended | Your email account should be top of your priorities in terms of security. Use a strong password and enable 2-Factor authentication. Only sync your emails with your phone, if it is secured (encrypted with password). Follow [browser](#browser-and-search) and [networking](#networking) best practices when logging in to your account
**Always be wary of phishing and scams** | Recommended | If you get an email from someone you dont recognize, dont reply, dont click on any links, and absolutely dont download an attachment. Keep an eye out for senders pretending to be someone else, such as your bank, email provider or utility company. Check the domain, read it, ensure its addressed directly to you, and still dont give them any personal details. Check out [this guide, on how to spot phishing emails](https://heimdalsecurity.com/blog/abcs-detecting-preventing-phishing/)
**Control who has your email address** | Recommended | Control who has your email address - To avoid receiving unwanted spam mail, or being susceptible to a phishing attack, be conscious about who you share your email with. Don't publish it in plaintext online (e.g. in a comment), since bots often scan the internet for any personal details like these
**Disable Automatic Loading of Remote Content** | Recommended | Email messages can contain remote content such as images or stylesheets. These are often automatically loaded from the server. But to protect your privacy, you should disable this, because when your mail client or browser requests this content, your IP address and device information is revealed to the server. For more info, see [this article](https://www.theverge.com/2019/7/3/20680903/email-pixel-trackers-how-to-stop-images-automatic-download)
**Don't Share Sensitive Data via Email** | Optional | Emails are very easily intercepted. Further to this you cant be sure of how secure your recipient's environment is. Therefore emails cannot be considered safe for exchanging confidential or personal information, unless it is encrypted
**Dont connect third-party apps to your email account** | Optional | If you give a third-party app or plug-in (such as Unroll.me, Boomerang, SaneBox etc) full access to your inbox, this makes you vulnerable to cyber attacks. Once installed, these apps have unhindered access to all your emails and their contents
**Consider switching to a secure email provider** | Optional | Secure and reputable email providers such as [ProtonMail](https://protonmail.com) and [Tutanota](https://tutanota.com) allow for end-to-end encryption, full privacy as well as more security-focused features. Unlike typical email providers, nobody but you can see your mailbox, since all messages are encrypted. See [this guide](https://github.com/OpenTechFund/secure-email) for details of the inner workings of these services. Other encrypted mail providers include: [CounterMail](https://countermail.com), [HushMail](https://www.hushmail.com/tapfiliate/?tap_a=44784-d2adc0&tap_s=724845-260ce4&program=hushmail-for-small-business) (for business users), [MailFence](https://mailfence.com?src=digitald), [see more](/5_Privacy_Respecting_Software.md#encrypted-email). For a comparison between services, see [this article](https://restoreprivacy.com/private-secure-email)
**Subaddressing** | Optional | To keep track of who shared/ leaked your email address, consider using [subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing). This is where anything after the `+` symbol is omitted during mail delivery, for example you the address yourname+tag@example.com denotes the same delivery address as yourname@example.com. This was defined in [RCF-5233](https://tools.ietf.org/html/rfc5233), and supported by most major mail providers (inc Gmail, YahooMail, Outlook, FastMail and ProtonMail). Better still use aliasing / anonymous forwarding
**Use Aliasing / Anonymous Forwarding** | Advanced | Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. Effectively allowing you to use a different, unique email address for each service you sign up for. This means if you start receiving spam, you can block that alias and determine which company leaked your email address. <br>[Anonaddy](https://anonaddy.com) and [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso) are open source anonymous email forwarding service allowing you to create unlimited email aliases, with a free plan. More options include: [33Mail](http://33mail.com/Dg0gkEA), [ForwardEmail](https://forwardemail.net) (self-hosted), [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso), and this feature is also included with [ProtonMail](https://protonmail.com/pricing)'s Visionary package.
**Use a Custom Domain** | Advanced | When you don't own your email domain name, the organisation providing it may not be around for ever, and you could loose access to all accounts that were registered with that email. However with a custom domain, even if your mail provider ceases to exist, or you are locked out, you can take your domain elsewhere and continue to have access to your email address.
**Sync with a client for backup** | Advanced | Further to the above, to avoid loosing temporary or permeant access to your emails during an unplanned event (such as an outage). Consider syncing your emails to a secure device, like your primary laptop, via IMAP. This will not remove any messages from the server, but will ensure you have always got a full offline backup of all important communications
**Have more than one email address** | Recommended | Consider using a different email address for security-critical communications from trivial mail such as newsletters. This compartmentalization could reduce amount of damage caused by a data breach, and also make it easier to recover a compromised account
**Keep Email Address Private** | Recommended | Do not share your primary email publicly, as mail addresses are often the starting point for most phishing attacks
**Keep your Account Secure** | Recommended | Use a long and unique password, enable 2FA and be careful while logging in. Your email account provides an easy entry point to all your other online accounts for an attacker
**Disable Automatic Loading of Remote Content** | Recommended | Email messages can contain remote content such as images or stylesheets, often automatically loaded from the server. You should disable this, as it exposes your IP address and device information, and is often used for tracking. For more info, see [this article](https://www.theverge.com/2019/7/3/20680903/email-pixel-trackers-how-to-stop-images-automatic-download)
**Dont connect third-party apps to your email account** | Optional | If you give a third-party app or plug-in (such as Unroll.me, Boomerang, SaneBox etc) full access to your inbox, they effectively have full unhindered access to all your emails and their contents, which poses [significant security and privacy risks](https://zeltser.com/risks-of-email-search-services/)
**Don't Share Sensitive Data via Email** | Optional | Emails are very easily intercepted. Further to this you cant be sure of how secure your recipient's environment is. Therefore emails cannot be considered safe for exchanging confidential or personal information, unless it is encrypted/ or both parties are using a secure mail provider
**Consider Switching to a Secure Mail Provider** | Optional | Secure and reputable email providers such as [ProtonMail](https://protonmail.com) and [Tutanota](https://tutanota.com) allow for end-to-end encryption, full privacy as well as more security-focused features. Unlike typical email providers, your mailbox cannot be read by anyone but you, since all messages are encrypted. Providers such as Google, Microsoft and Yahoo scan messages for advertising, analytics and law enforcement purposes, but this poses a serious security threat
**Use Aliasing / Anonymous Forwarding** | Advanced | Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. Effectively allowing you to use a different, unique email address for each service you sign up for. This means if you start receiving spam, you can block that alias and determine which company leaked your email address. More importantly, you do not need to reveal your real email address to any company. <br>[Anonaddy](https://anonaddy.com) and [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso) are open source anonymous email forwarding service allowing you to create unlimited email aliases, with a free plan
**Subaddressing** | Optional | An alternative to aliasing is [subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing), where anything after the `+` symbol is omitted during mail delivery, for example you the address yourname+tag@example.com denotes the same delivery address as yourname@example.com. This was defined in [RCF-5233](https://tools.ietf.org/html/rfc5233), and supported by most major mail providers (inc Gmail, YahooMail, Outlook, FastMail and ProtonMail). It enables you to keep track of who shared/ leaked your email address, but unlike aliasing it will not protect against your real address being revealed
**Use a Custom Domain** | Advanced | Using a custom domain, means that even you are not dependent on the address assigned my your mail provider. So you can easily switch providers in the future and do not need to worry about a service being discontinued
**Sync with a client for backup** | Advanced | Further to the above, to avoid loosing temporary or permanent access to your emails during an unplanned event (such as an outage or account lock). Thunderbird can sync/ backup messages from multiple accounts via IMAP and store locally on your primary device
**Be Careful with Mail Signatures** | Advanced | You do not know how secure of an email environment the recipient of your message may have. There are several extensions that automatically crawl messages, and create a detailed database of contact information based upon email signitures. If you send an email to someone who has something like this enabled, then you are unknowingly entering your details into this database
**Be Careful with Auto-Replies** | Advanced | Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all too often people reveal too much information- which can be used in social engineering and targeted attacks
**Choose the Right Mail Protocol** | Advanced | Do not use outdated protocols (below IMAPv4 or POPv3), both have known vulnerabilities and out-dated security.
**Self-Hosting** | Advanced | Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is critical yet requires strong networking knowledge - [read more](https://www.reddit.com/r/selfhosted/comments/6h88qf/on_selfhosted_mail_servers/). That being said, if you run your own mail server, you will have full control over your emails. [Mail-in-a-box](https://github.com/mail-in-a-box/mailinabox) and [docker-mailserver](https://github.com/tomav/docker-mailserver) are ready-to-deploy correctly-configured mail servers that provide a good starting point
**Always use TLS Ports** | Advanced | There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use, and widely supported so should always be used instead of plaintext email ports. By default, the ports are: POP3= 995, IMAP=993 and SMTP= 465
**DNS Availability** | Advanced | For self-hosted mail servers, to prevent DNS problems impacting availability- use at least 2 MX records, with secondary and tertiary MX records for redundancy when the primary MX record fails
**Prevent DDoS and Brute Force Attacks** | Advanced | For self-hosted mail servers (specifically STMP), limit your total number of simultaneous connections, and maximum connection rate to reduce the impact of attempted bot attacks
**Maintain IP Blacklist** | Advanced | For self-hosted mail servers, you can improve spam filters and harden security, through maintaining an up-to-date local IP blacklist and a spam URI realtime block lists to filter out malicious hyperlinks. You may also want to activate a [reverse DNS lookup](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) system
**See also** [Recommended Encrypted Email Providers](/5_Privacy_Respecting_Software.md#encrypted-email)
**Recommended Software:**
- [Encrypted Email Providers](/5_Privacy_Respecting_Software.md#encrypted-email)
- [Anonymous Mail Forwarding](/5_Privacy_Respecting_Software.md#anonymous-mail-forwarding)
- [Pre-Configured Mail Servers](/5_Privacy_Respecting_Software.md#pre-configured-mail-servers)
## Social Media