email_alternatives

Differences

This shows you the differences between two versions of the page.

email_alternatives [2019/08/06 18:40] – neil
email_alternatives [2021/07/29 14:29] (current) – neil
Line 3: Line 3:
 ====Key points: ==== ====Key points: ====
   * [[#Email is probably not the most secure choice, so consider alternatives|Email is probably not the most secure choice, so consider alternatives]]   * [[#Email is probably not the most secure choice, so consider alternatives|Email is probably not the most secure choice, so consider alternatives]]
 +  * [[#Consider a client portal|Consider a client portal]]
 +  * [[#End-to-end encryption may not protect you from a compromised device|End-to-end encryption may not protect you from a compromised device]]
   * [[#Instant message or SMS-like apps|Instant message or SMS-like apps]]   * [[#Instant message or SMS-like apps|Instant message or SMS-like apps]]
 +    * [[#Matrix / Element (used to be called Riot.im)|Matrix / Element (used to be called Riot.im)]]
     * [[#Signal|Signal]]     * [[#Signal|Signal]]
     * [[#WhatsApp|WhatsApp]]     * [[#WhatsApp|WhatsApp]]
 +    * [[#Threema|Threema]]
 +  * [[#Real-time chat (i.e. alternatives to Slack)|Real-time chat (i.e. alternatives to Slack)]]
 +    * [[#rocket.chat|rocket.chat]] 
   * [[#Ways of sharing large or sensitive files|Ways of sharing large or sensitive files]]   * [[#Ways of sharing large or sensitive files|Ways of sharing large or sensitive files]]
     * [[#zend.to|zend.to]]     * [[#zend.to|zend.to]]
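
Review bot: The new TOC entry for Matrix / Element is indented as a child of "Instant message or SMS-like apps", alongside Signal, WhatsApp and Threema, but the heading this revision adds for it is written `====Matrix / Element (used to be called Riot.im) ====`, the same level as its parent section, while the Threema and WhatsApp headings use `===`. Either drop the Matrix heading to `===` or outdent the TOC entry, so the outline and the body agree. The rocket.chat entry also carries a trailing space after `]]`.
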
Line 20: Line 26:
 Chances are email is not the best tool for the job, but it is so engrained in the corporate world that moving away from it completely is unlikely to be viable. Chances are email is not the best tool for the job, but it is so engrained in the corporate world that moving away from it completely is unlikely to be viable.
  
-Even with [[email#consider_pgp_gpg_for_email_encryption|PGP/GPG]], email is not particularly secure. If you can fit it into your operating model, alternatives to email are likely to offer better security.+Even with [[email#consider_pgp_gpg_for_email_encryption|PGP/GPG]], email is not particularly secure. If you can fit them into your operating model, alternatives to email are likely to offer better security.
  
 While the solutions here offer strong security, they lack (by design) some of the features which make email so popular and useful. For example, the ability to forward a message chain to someone, or to create "matters" and file correspondence against them. While the solutions here offer strong security, they lack (by design) some of the features which make email so popular and useful. For example, the ability to forward a message chain to someone, or to create "matters" and file correspondence against them.
 +
 +====Consider a client portal====
 +
 +Some practice management systems include a client portal: an online system where you can send and receive messages, and drop off (and perhaps receive) documents for clients.
 +
 +Some [[#Ways of sharing large or sensitive files|file transfer tools]] offer similar functionality, but are not integrated into a practice management system.
 +
 +Before relying on this, you'll want to make sure it offers appropriate security for your needs, especially if it is hosted by a third party, who might have access to your privileged messages and documents.
 +
 +As with any software, if you do make use of a practice management system and a client portal, make sure you, and your clients, [[cloud#ensure_you_cannot_be_locked_in|have a convenient way of getting your and their data out of the portal]] and onto some other system, in case you want to move away from it. 
 +
 +====End-to-end encryption may not protect you from a compromised device====
 +
 +End-to-end encryption is a method of securing communications, designed to mean that other the sender and recipient of the communication are capable of seeing the content of what has been sent. Someone in control of a network element carrying the communication may still see the existence of the communication, and the parties to it (i.e. the sender and the recipients) but, because they do not have the ability to decrypt the communication, they cannot see the content of what is being exchanged.
 +
 +This can be contrasted with the [[email#secure_the_connection_between_your_mail_server_and_the_mail_server_of_your_recipient|server-to-server]] encryption you're encouraged to set up on your mail server. This should prevent someone spying on network traffic from seeing the communications between your server and the sender's, but it does not protect you if someone has lawful access to, or has compromised, the sender's mailserver or your own mailserver.
 +
 +While end-to-end encryption protects against some infrastructure access or compromises, it does not necessarily guarantee protection in all situations. In particular, if the device on which you receive and decrypt the encrypted communication (e.g. your phone, or your computer) is compromised, the attacker may have access to the plain text (decrypted) communications content, because they are attacking it once the encryption has been removed. 
 +
 +> The implant also has access to the user's keychain, which contains passwords, as well as the databases of various end-to-end encrypted messaging apps, such as Telegram, WhatsApp, and iMessage, Beer's post continues. ([[https://www.vice.com/en_us/article/bjwne5/malicious-websites-hacked-iphones-for-years|Vice report on iOS vulnerability]].)
 +
 +End-to-end encryption remains valuable, but you need to [[securing_your_computer|protect the device you are using]] for those communications. For example, [[securing_your_computer#turn_on_disk_encryption|encrypting your computer's disk]] [[securing_your_computer#don_t_use_an_administrator_account|not using an account with administrative rights for your day-to-day activities]], and [[securing_your_devices#only_install_software_apps_from_trusted_sources|only installing software from trusted sources]].
  
 ====Instant message or SMS-like apps ==== ====Instant message or SMS-like apps ====
  
 If you want a secure alternative to instant messaging or SMS, consider these. If you want a secure alternative to instant messaging or SMS, consider these.
 +
 +Unlike email, none of these are interoperable, meaning that, if you want to use one of them, the people you want to talk with need to use that service too. Conversely, if the people you speak with each prefer a different service, you may have to sign up to multiple services, so you can chat with each of them.
 +
 +====Matrix / Element (used to be called Riot.im) ====
 +
 +[[https://www.matrix.org|Matrix]] offers a [[https://element.io|web interface]], as well as [[https://element.io/get-started|native applications (e.g. for macOS, iOS, and Android)]].
 +
 +It offers text-based chats between individuals and groups, as well as file transfer, and voice and video calls.
 +
 +It offers end-to-end encryption across devices, mobile phones and web interface, allowing for easy synchronisation of the encryption keys through QR codes or emoji. 
 +
 +You can run your own server, if you wish (a bit like email), or else you can sign up to someone else's server, such as the project's own matrix.org server.
 +
 +You do not need a phone number to sign up.
 +
  
 ====Signal=== ====Signal===
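
Review bot: In the added definition of end-to-end encryption, "designed to mean that other the sender and recipient of the communication are capable of seeing the content" reads as a typo for "only the sender and recipient", and as written the sentence loses the one property it is defining. In the last added paragraph of the same section, the list of device protections is missing a comma between the disk-encryption link and the "not using an account with administrative rights" link. The server-to-server paragraph speaks of "your server and the sender's" and then "the sender's mailserver or your own mailserver"; "the other party's" would cover mail you send as well as mail you receive.
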
Line 32: Line 75:
 Signal is mainly a mobile app, but it has desktop counterparts. Signal is mainly a mobile app, but it has desktop counterparts.
  
-It offers end-to-end encryption, without you needing to do anything.+It offers end-to-end encryption, without you needing to do anything (although it may not protect you if your device itself has been compromised).
  
 It requires the other person (or people, as it has group messaging) to also have Signal. It requires the other person (or people, as it has group messaging) to also have Signal.
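
Review bot: The parenthetical added to the Signal paragraph, "(although it may not protect you if your device itself has been compromised)", applies equally to every end-to-end encrypted app listed on this page, yet only Signal gets it, which can read as a Signal-specific weakness. Suggest stating it once in the introduction to "Instant message or SMS-like apps", with a link to the new "End-to-end encryption may not protect you from a compromised device" section, instead of attaching it to one app.
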
Line 44: Line 87:
 === WhatsApp === === WhatsApp ===
  
-If you don't mind giving data to Facebook, WhatsApp offers simple end-to-end encryption.+If you don't mind telling Facebook who you talk with and when, WhatsApp offers simple end-to-end encryption.
  
 Like Signal, it offers group messaging. Like Signal, it offers group messaging.
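
Review bot: The reworded WhatsApp sentence should link to the new end-to-end encryption section, because "who you talk with and when" is the same information that section says an intermediary can still see ("the existence of the communication, and the parties to it"). As it stands the reader has to connect the two passages themselves, and a lawyer weighing confidentiality needs to know that the existence of a client relationship is what is exposed here, not message content.
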
Line 53: Line 96:
  
 You can download it [[https://www.whatsapp.com|here]]. You can download it [[https://www.whatsapp.com|here]].
 +
 +===Threema ===
 +Unlike Signal and WhatsApp, Threema does not require a phone number to set it up. If you don't have a phone number, or just don't want to link a phone number to an app, this might be worth a look.
 +
 +
 +====Real-time chat (i.e. alternatives to Slack) ====
 +
 +===rocket.chat ===
 +
 +[[https://rocket.chat|rocket.chat]] is a self-hosted alternative to Slack. You can have real-time chat between other lawyers in your firm, and it also integrates with Jitsi for audio and video conferencing.
 +
 +You can also configure permissions to enable secure chat channels with clients, separating them from each other.
  
 ==== Ways of sharing large or sensitive files ==== ==== Ways of sharing large or sensitive files ====
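
Review bot: Neither added section states the security property the rest of the page compares on. The Threema paragraph says only that no phone number is needed, with no statement about end-to-end encryption and no link to the project, unlike the neighbouring WhatsApp and Matrix entries. The rocket.chat paragraph describes it as "a self-hosted alternative to Slack" but does not say whether messages are end-to-end encrypted or readable by whoever administers the server, which matters for the "secure chat channels with clients" it recommends. Suggest adding one sentence to each on what is encrypted and who can read it. Minor: "real-time chat between other lawyers in your firm" reads better as "with other lawyers in your firm".
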
Line 75: Line 130:
  
 Make sure you delete the file from the platform when it has been transferred. Make sure you delete the file from the platform when it has been transferred.
 +
 +As Dropbox is very popular, it may be used as a vector for [[email#Be aware of phishing email|phishing campaigns]], where someone is sent an email purportedly linking to an attachment on Dropbox, but actually serving up malware.
  
 ===Nextcloud === ===Nextcloud ===
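
Review bot: The link in the added Dropbox sentence, `[[email#Be aware of phishing email|phishing campaigns]]`, uses the heading text with spaces and capitals as its anchor, whereas the other cross-page links in this revision use the lowercase underscore form (for example `email#consider_pgp_gpg_for_email_encryption`); check that it resolves, or change it to the same form. The sentence also names the risk without telling the reader what to do about it. A short follow-on, such as agreeing with the client in advance how files will be shared and treating unexpected share links with suspicion, would match the advisory tone of the line above it ("Make sure you delete the file from the platform when it has been transferred").
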
email_alternatives.1565116818.txt.gz · Last modified: 2021/07/06 09:26 (external edit)