PRISM Proof Cloud Email Services

IntroductionCloud email services use SSL certificates to encrypt the conversation between your browser and the HTTP server, this encrypted traffic is called HTTPS. Most HTTPS certificates allow for a master key to decrypt the encrypted traffic, however this is not true for certificates which use a temporary session key which is individual for each user. This is known as SSL ephemeral mode.

This article is a survey of free cloud email services. It lists services by their affiliation with the NSA, their support for HTTPS, their support for SSL ephemeral mode, and the physical location of their servers. By carefully choosing a cloud email service, users can be confident that their traffic is not entering the network of the United States. Additionally if their traffic did enter the United States, the SSL certificate of the cloud service they select supports ephemeral mode which prevents the NSA from gaining a master key to decrypt network traffic.

Lists of free cloud email serviceshttp://ubuntuforums.org/showthread.php?t=2125732http://email.about.com/od/freeemailreviews/tp/free_email.htmhttp://capturedbloggingtips.com/2013/03/6­best­alternatives­to­gmail/

https://en.wikipedia.org/wiki/Comparison_of_webmail_providershttp://prism­break.org/#email­services

Individual cloud email services that support HTTPShttps://www.gmx.comhttps://www.hushmail.com/https://mail.google.com/https://www.zoho.com/mail/https://mail.aol.comhttps://www.icloud.com/https://www.outlook.com/owahttps://mail.live.comhttps://mail.yahoo.com/https://www.mail.com/int/https://shortmail.com/https://www.inbox.com/https://lavabit.com/https://www.fastmail.fm/https://mail.yandex.com/https://www.mail.lycos.com/https://www.nokiamail.com/https://www.rediff.com/https://mail.riseup.net/https://www.contactoffice.com/https://webmail.xmission.comhttps://ojooo.com/https://mail.opera.com/

Private key disclosed to law enforcement (PRISM/FBI etc)https://mail.google.com/https://mail.aol.comhttps://www.icloud.com/https://www.outlook.com/owahttps://mail.live.comhttps://mail.yahoo.com/https://www.hushmail.com/

Private key not disclosed to USA law enforcement (this list is used for the remainingtests)https://www.gmx.comhttps://www.zoho.com/mail/https://www.mail.com/int/https://shortmail.com/

https://lavabit.com/https://www.inbox.com/https://www.fastmail.fm/https://mail.yandex.com/https://www.mail.lycos.com/https://www.nokiamail.com/https://www.rediff.com/https://mail.riseup.net/https://www.contactoffice.com/https://webmail.xmission.comhttps://ojooo.com/https://mail.opera.com/

Domains that use Ephemeral Diffie­Hellman key exchange on HTTPSwww.gmx.com ­ DHE_RSAwww.mail.com ­ DHE_RSAshortmail.com ­ DHE_RSAlavabit.com ­ DHE_RSAwww.mail.lycos.com ­ DHE_RSAmail.riseup.net ­ DHE_RSAwww.contactoffice.com ­ DHE_RSAwebmail.xmission.com ­ DHE_RSAojooo.com ­ DHE_RSA

Domains that use Ephemeral Diffie­Hellman key exchange on POP3:995pop3.inbox.com ­ DHE­RSA­AES256­SHApop3.ojooo.com ­ DHE­RSA­AES256­SHApop.contactoffice.com ­ EDH­RSA­DES­CBC3­SHA

Domains that use Ephemeral Diffie­Hellman key exchange on IMAP:993imap.inbox.com ­ DHE­RSA­AES256­SHAimap.ojooo.com ­ DHE­RSA­AES256­SHAimap.opera.com ­ DHE­RSA­AES256­SHAimap.contactoffice.com ­ EDH­RSA­DES­CBC3­SHA

Domains that use Ephemeral Diffie­Hellman key exchange on SMTP:465smtp.inbox.com ­ DHE­RSA­AES256­SHAsmtp.riseup.net ­ DHE­RSA­AES256­SHAsmtp.xmission.com ­ DHE­RSA­AES256­SHAsmtp.ojooo.com ­ DHE­RSA­AES256­SHAsmtp.opera.com ­ DHE­RSA­AES256­SHA

Domains with POP3 but no POP3 encryptionpop.rediffmail.com:110

Domains with IMAP but no IMAP encryptionimap.rediffmail.com:143

Domains with SMTP but no SMTP encryptionsmtp.rediffmail.com:587

Company geographic locationwww.gmx.com ­ Germanywww.mail.com ­ Germanyshortmail.com ­ United Stateslavabit.com ­ United Stateswww.mail.lycos.com ­ United Statesmail.riseup.net ­ United Stateswww.contactoffice.com ­ Franceinbox.com ­ United Stateswebmail.xmission.com ­ United Statesojooo.com ­ Germanymail.opera.com ­ Norway

Server geographic locationDNS domain to ip address resolution and round robin:This is where things start to get a bit more complicated. By looking up the DNS records for a domain you will find that some organisations have servers located across several countries to get better speeds. By looking up the DNS records for gmx.com you will see that gmx have domains registered for different geographies such as gmx.net, gmx.at, gmx.ch, gmx.co.uk, gmx.es, gmx.fr and gmx.com all of which can resolve to multiple ip addresses for requests to the same domain. By visiting the following web page you can do a quick lookup to list the ip addresses for the domain but beware as the addresses listed are not always the ones accesses by your browser. http://who.is/dns/gmx.com

Try running the following command to download the dns records:dig +nocmd gmx.com any +multiline +noall +answerYou may also notice that by pinging mail.gmx.com several times you will get a different ip address in the response every time. This is due to the DNS server responding with a single ip from a list of ip addresses using the round robin algorithm for load balancing.ping mail.gmx.com ­> 212.227.17.184ping mail.gmx.com ­> 212.227.17.174ping mail.gmx.com ­> 212.227.17.184

URL redirects and Cross­Domain­Single­Sign­On (CDSSO):In some cases you may log into a domain such as gmx.co.uk by entering your credendials but you will be redirected to gmx.fr. If the cookie is sent to your browser from the co.uk domain and the fr domain requests the cookie from the first domain then your browser will block the second domain from reading the cookies as it violates the cross­domain policy. By using Cross­Domain­Single­Sign­On web applications are able to authenticate across several domains allowing the user to log in only once. For the purposes of knowing where your data is being stored in the cloud, the best guess you can make is to assume it is coming from the final domain you have been redirected to.

Email portsThe POP3 port for inbound emails is 110 or port 995 if you want to use secured POP3. The IMAP port for inbound emails is 143 or port 993 if you want to use secured IMAP. The SMTP port for outbound emails is 25/2525/587 or 465 if you want to use secured SMTP. If your cloud mail server allows connections over non­secure ports and your traffic is crossing american cyberspace then emails received on ports 110, 143, 24 and 2525 can be captured by the NSA as the traffic is not encrypted between one mailserver and other (Alice ­> [https] ­> gmail.com ­> [plaintext] ­> gmx.co.uk ­> [https] ­> Bob). An interesting project would be to survey how different mail servers interact when exchanging mail documents, do they always attempt to use SSL and downgrade if it is not available or do they have to be forced to use it? If mail servers use SSL by default when available then the communication would be secure between the web interfaces and also between the mail servers (Alice ­> [https] ­> gmail.com ­> [ciphertext] ­> gmx.co.uk ­> [https] ­> Bob).

Compare the certificate types of https/pop3/imap/smtp using the following bash shell script:#!/bin/bash

list="www.gmx.co.uk:443pop.gmx.co.uk:995imap.gmx.co.uk:993smtp.gmx.co.uk:465www.zoho.com:443pop.zoho.com:995imap.zoho.com:993smtp.zoho.com:465www.mail.com:443pop.mail.com:995imap.mail.com:993smtp.mail.com:465www.shortmail.com:443imap.shortmail.com:993smtp.shortmail.com:465www.lavabit.com:443

pop.lavabit.com:995imap.lavabit.com:993smtp.lavabit.com:465www.inbox.com:443pop3.inbox.com:995imap.inbox.com:993smtp.inbox.com:465fastmail.fm:443mail.messagingengine.com:587mail.yandex.com:443pop.yandex.com:995imap.yandex.com:993smtp.yandex.com:465www.lycos.com:443pop.lycos.com:995imap.lycos.com:993smtp.lycos.com:465www.nokiamail.com:443nokia.pop.mail.yahoo.com:995nokia.imap.mail.yahoo.com:993nokia.smtp.mail.yahoo.com:465www.rediff.com:443www.riseup.net:443pop.riseup.net:995imap.riseup.net:993smtp.riseup.net:465www.contactoffice.com:443pop.contactoffice.com:995imap.contactoffice.com:993webmail.xmission.com:443pop3.xmission.com:995imap.xmission.com:993smtp.xmission.com:465ojooo.com:443pop3.ojooo.com:995imap.ojooo.com:993smtp.ojooo.com:465mail.opera.com:443pop3.operamail.com:995imap.opera.com:993smtp.opera.com:465"

for i in $list;

doecho ­ne "$i:\t"echo "EOF" | openssl s_client ­crlf ­connect $i 2>1 | grep ­o "Cipher is[^>]*"done

Additionally to check if a port is open try the following commands (type “quit[enter]” to exit telnet):telnet pop.gmx.co.uk 110nmap ­T5 ­p 110 pop.gmx.co.uk

By determining if the ports are open you can assume the service is running on the port, however this is not always the case. Also be aware that some servers block port scanning. Try the following bash shell script to use nmap to test if ports are open on the cloud servers:

#!/bin/bash

http="www.zoho.comwww.mail.comwww.shortmail.comwww.lavabit.comwww.inbox.comfastmail.fmmail.yandex.comwww.lycos.comwww.nokiamail.comwww.rediff.comwww.riseup.netwww.contactoffice.comwebmail.xmission.comojooo.commail.opera.com"

pop="pop.gmx.co.ukpop.zoho.compop.mail.compop.lavabit.compop3.inbox.compop.yandex.compop.lycos.comnokia.pop.mail.yahoo.compop.riseup.netpop.contactoffice.compop3.xmission.compop3.ojooo.compop3.operamail.com"

imap="imap.gmx.co.ukimap.zoho.comimap.mail.comimap.shortmail.comimap.lavabit.comimap.inbox.comimap.yandex.comimap.lycos.comnokia.imap.mail.yahoo.comimap.riseup.netimap.contactoffice.comimap.xmission.comimap.ojooo.comimap.opera.com"

smtp="smtp.gmx.co.uksmtp.zoho.comsmtp.mail.comsmtp.shortmail.comsmtp.lavabit.comsmtp.inbox.comsmtp.yandex.comsmtp.lycos.comnokia.smtp.mail.yahoo.comsmtp.riseup.netimap.xmission.comsmtp.ojooo.comsmtp.opera.com"

#http pop imap smtpfor i in $http;doecho ­e "\n$i:"nmap ­T5 ­p 80,443 $i | egrep "http$|https$"done

for i in $pop;doecho ­e "\n$i:"nmap ­T5 ­p 110,995 $i | egrep "pop$|pops$|pop3$|pop3s$"done

for i in $imap;doecho ­e "\n$i:"nmap ­T5 ­p 143,993 $i | egrep "imap$|imaps$"done

for i in $smtp;doecho ­e "\n$i:"nmap ­T5 ­p 25,2525,587,465 $i | egrep "smtp$|smtp$"done

Final noteEnsure your browser is using the “HTTPS everywhere” extension when browsing these domains. If you bookmark a cloud email service, be sure that you are using the absolute ip address of the server to lock its geographic location. So for example, bookmarking www.gmx.com which could bring you to the servers in the USA or Germany, instead bookmark https://213.165.64.202/ which is the German ip address as opposed to bookmarking https://74.208.5.85 which is the ip address for the US server. A useful extension for geolocation of servers is “Flagfox” which attempts to perform geolocation of the server currently delivering the content for the web page.

ConclusionIt should be noted that no single cloud service provides SSL certificates in Ephemeral mode for all their services (HTTPS/POP/IMAP). Additionally out of the 20 service surveyed that provide HTTPS there are only 3 that are not based in the United States. It was possible to shortlist the top 3 services to bronze, silver and gold based on the results of this brief survey.

Winners:#1 ­ ojooo.com (DHE_RSA on https/pop3/imap/smtp, and they’re base in Germany)#2 ­ contactoffice.com (DHE_RSA on https/pop3/imap, and theyre based in France)#3 ­ inbox.com (DHE_RSA on pop3/imap/smtp)

Worst security award:#1 ­ rediffmail.com (no security implemented on any protocol)

Normally if the traffic happens to pass through american telecommunications networks the NSA will tap into the fibreoptic systems in the network backbone of the country and record all the traffic in their Utah data centre and will keep it for up to 5 years in cold storage on hard drives before discarding it. An famous case of the NSA tapping major network backbone is the fibreoptic tap in “Room 641A” when the NSA split the fibre optic communications cable in AT&T’s communications station.

By choosing a mail service that uses a different encryption key for every network

communication, your traffic will be secured against the NSA from taking your traffic out of cold­storage and decrypting it using the compromised master keys used to generate the SSL certificates. These master keys are normally compromised by the NSA simply walking into a corporation and demanding the keys from the owners. However this is not possible with SSL certificates that are operating in Ephemeral mode as a different key is used for every connection and is then discarded immediately. However this technique will not prevent the NSA or other surveillance organization from demanding physical access to the companies servers and simply copying the data off their hard drives.

Future workAn interesting project would be to survey how mail servers interact to exchange messages when a secure communications channel is available. Does Postfix mailserver attempt to use SSL before downgrading to a plaintext alternative. Does Microsoft Exchange server attempt to use SSL before downgrading to a plaintext alternative?

Sources:1. PRISM Accomplices ­

https://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_slide_5.jpg2. PRISM Network Graph ­

https://upload.wikimedia.org/wikipedia/commons/0/01/Prism_slide_2.jpg3. Explanation of Ephemeral Diffie­Hellman key exchange ­

http://blogs.computerworld.com/encryption/22366/can­nsa­see­through­encrypted­web­pages­maybe­so

4. DH vs. DHE and ECDHE and perfect forward secrecy ­http://stackoverflow.com/questions/14034508/dh­vs­dhe­and­ecdhe­and­perfect­forward­secrecy

5. Geographic ip mapping tool ­ http://www.geoiptool.com/en/6. HTTPS Everywhere ­ https://www.eff.org/https­everywhere7. Flagfox ­ https://addons.mozilla.org/en­us/firefox/addon/flagfox/8. NSA Utah Data Centre Yottabyte Storage Capacity ­

http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1

Last edited: Tuesday, July 16, 2013 at 1:35:15 PM ISTContact hughpearse@gmx.co.uk