Encrypted email service SCRYPTMail

SCRYPTMail is a brand new encrypted email provider, at the moment still in beta testing, signing up is straight forward and it only takes seconds, there were 500 accounts available when I did. All you  need is to pick an username and a password, during sign up you will also be asked to create an account password and a passphrase that is used to decrypt your email inbox. Email messages are encrypted in your computer from the beginning and the passphrase never leaves it, SCRYPTMail is unable to decrypt or facilitate decryption of your data.

The messages and attachments you send are secured with open source encryption libraries, a collection of written code and subroutines used by programmers, implementing AES-256 encryption, the sender keeps a private key that nobody knows and the receiver gets to read the message with a public encryption key. There is no IMAP or SMTP, encryption is done with Javascript and a web browser is needed for it to work.

SCRYPTMail encrypted email provider

SCRYPTMail encrypted email provider

SCRYPTMail can be used to securely communicate with users of insecure email services like Yahoo and Gmail, when you compose a message you will see a checkbox at the bottom of the page asking if you would like to “Encrypt email sent to outside users“, ticking the box will generate a 5 PIN password that has to be entered before the message can be read. SCRYPTMail will then send a link instead of the full message and the receiver has to click on the URL taking him to a secure server where he can retrieve the message.

Unfortunately I see a downside with the automatically generated PIN, the first one is that a numeric password of 5 numbers is not very strong, specially, as the length of the password is already known when launching a brute force attack, the second problem is that, since you have to transmit this PIN securely to the other end, it is not practical to do this with every single email you send, it would be much more convenient if SCRYPTMail allowed you to choose your own secret alphanumeric password and this could be kept for more than one message. You also have the choice of sending the email unencrypted if using a PIN is too much trouble but in that case you don’t really need SCRYPTMail for this.

To protect your account from hijacking if your laptop is lost an automatic session time out logs you off after 15 minutes of inactivity, you can see a count down timer while you are logged in, it resets to 900 seconds when you click on a tab or do some other action. The user can’t change the preset time out to a lower or higher number. Another security feature monitors that only one active connection is possible at a time, I tested this opening SCRYPTMail in two browsers, Firefox and Chrome, by the way, SCRYPTMail blog claims that it only works in Chrome but I had no trouble using it in Firefox, I logged in at the same time to see what happens and the first connection logged me out when I simultaneously logged in with the other browser. There was no warning of why I was being logged out, I expected blocking of the second login but it never happened, I could not understand how this feature protects me of anything if the intruder that gets in kicks me out of my account without even a notice saying why this is happening.

Private and public encryption keys can be regenerated again in settings without having to redistribute them to others as encryption and decryption take place in your computer with Javascript. Encryption keys strength can be chose by the user in settings, the default is RSA keys of 512/1024 bits, theoretically it can be changed to up to 2048/4096 bits, the options are listed although greyed out and I could not select them, what managed to do is to  export the RSA encryption keys after entering my passphrase and store them offline.

I sent myself a couple of test messages to make sure that SCRYPTMail hides the sender’s IP in the email headers, it did and it also revealed that their mail server is in the USA hosted with a company called Linode, SCRYPTMail headquarters are also in the USA, this can be a deal breaker for some but unlike Hushmail, SCRYPTMail is not able to read your data and they never have access to your encryption keys. I am much more worried about their PIN number being short than the email service not being hosted in a USA.

This email service intends to roll out as a paid service once it is ready, with planned time delay to send messages and a bigger email inbox for paying users. I don’t think it is too bad for a beta version, but having reviewed Tutanota email service recently, I noticed that SCRYPTMail and Tutanota both have the same clean simple webmail interface, perhaps they are both using the same open source framework, I don’t really know, it looks like it.

My conclusion is that if I had to choose I rather go with Tutanota, they appear to be more polished and their services are free, they also have a full team behind them as opposed to SCRYPTMail being a one man operation at the moment, but is good having alternatives to Hushmail and if the choice was in between Hushmail or SCRYPTMail, I would go with SCRYPTMail because the company does not have access to your private encryption keys.

Visit SCRYPTMail homepage

Comments (15)

  1. Sergei 18 November, 2014
  2. hacker10 18 November, 2014
  3. Pat 20 November, 2014
  4. hacker10 20 November, 2014
  5. chris 20 November, 2014
  6. Lucy 20 November, 2014
  7. hacker10 20 November, 2014
  8. Sergei 24 November, 2014
  9. JESSY 24 November, 2014
  10. Sergei 24 November, 2014
  11. JESSY 25 November, 2014
  12. Sergei 25 November, 2014
  13. Raymond Popowich 28 May, 2015
  14. Raul 16 September, 2015
  15. John Lindley 29 December, 2015

Leave a Reply