Browsers, E-mail, & Web Apps forum

General discussion

E-mail Security: Gmail vs. Neomailbox, Hushmail, etc.

by Traulinger / January 3, 2011 5:25 AM PST


My apologies if this question has been covered. I searched the forum, but unfortunately, didn't come up with the answers I was looking for.

What makes a secure email services such as Neomailbox or Hushmail any more secure than Gmail? Gmail already defaults to HTTPS during the login, so my entire session is as secure as any other website I might transact important information with (bank, Ebay, etc.)

I'm assuming that once my sent mail leaves the Gmail server, it is sent in plain text to its recipient. Wouldn't this be the same for any paid provider? They aren't encrypting their sent bound mail as they have no way for it to be un-encrypted by the recipient.

From my research, the only truly secure end-to-end method would be public\private key encryption, but this is impractical for me given the number of contacts that I need to connect with on a month to month basis (not to mention how non-technical many of them are).

Perhaps I'm missing the true benefit of a paid secure e-mail provider. Could someone shed some light on this issue?

Discussion is locked
You are posting a reply to: E-mail Security: Gmail vs. Neomailbox, Hushmail, etc.
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: E-mail Security: Gmail vs. Neomailbox, Hushmail, etc.
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
I think you know the answer.
by R. Proffitt Forum moderator / January 3, 2011 9:46 AM PST

If plain text email ever leaves that garden (server) then it's game over.

But there is a simple reason why there is no such service today. Do we really need to cover that?

Collapse -
I may not know, however.
by Robert_B2 / January 3, 2011 6:47 PM PST

Well, in my case, yes, we do need to cover that Happy
Can you elaborate on why such services do not exist?
Another Bob.

Collapse -
To understand this.
by R. Proffitt Forum moderator / January 4, 2011 4:17 AM PST

It will take a book to cover it entirely so let's use the case of PGP and what happened to its author over the years. Also look at the export controls on encryption that is too good.

Here in the US you know there is a limit on encryption so I hope the summary of PGP and export controls is a quick way to cover why this is the way it is.

Now about the email that leaves some secure email server. Since you don't want to use end to end security any email that goes out will be in plain text. That's how emails work today. And since any encryption system must be one our governments can crack, that in short form means it is not entirely secure.

Does that help?

Collapse -
by Traulinger / January 4, 2011 5:50 AM PST
In reply to: To understand this.

It does help, Bob. I'm still confused, however, as to why anyone would pay a "secure" email provider, if the end result is the same as a free provider.

Perhaps someone else can chime in on that.

Collapse -
Please Elaborate
by Traulinger / January 4, 2011 3:53 AM PST

I'm with Bob. Would you mind elaborating a bit.

Also, I'm inferring from your response that my assumption about paid providers and free providers is correct: They both only offer protection up to the point that mail is sent from their service to another.

If that's the case, why would anyone pay for such a service?

Collapse -
A few differences...
by John.Wilkinson / January 5, 2011 10:13 PM PST

For most users, Gmail, Yahoo Mail, and Hotmail are the obvious choices given their prevalence, integration with other services from the companies, sleek user interfaces, ever-increasing feature lists, etc. It's hard for a small provider to compete with the market dominance of those stalwarts. However, there are some differences that give other providers a leg up, including:

1.) Encryption of the emails. SSL provides a secure channel between you and the provider, but does nothing to protect the email on the provider's servers or after the email is sent to the recipient. You can encrypt the emails yourself, a feature that an increasing number of email clients support, but some providers provide that functionality via their webmail interfaces and may even encrypt/decrypt them automatically. (The latter means your email provider must be given a copy of your passwords/keys, which is often undesirable.)

2.) Access restrictions. Instead of sending your email to the recipient outright, the provider may send him/her a link to the provider's website where the recipient must enter a password you chose in order to access the email. This means you may be able to set a limit to the number of times the email is accessed, prevent it from being forwarded, restrict viewing to a certain time/date span, etc. And if the recipient has the same provider, or the recipient's provider has a partnership with your provider, the recipient may never need to leave his/her inbox to access the content, a more convenient alternative to following a web link.

3.) Country of business. Much like many people choose to store their earnings in Swiss bank accounts due to the strict banking privacy laws in Switzerland, some like to have an email provider with no ties to the US or another country. That makes it harder for a company or government to obtain a search warrant to obtain your emails, access logs, etc. from the provider.

4.) Anonymity. When you send an email, it typically includes your IP address, which tells the recipient your internet service provider and an approximation of where you live. In addition, once the recipient has your email address, he/she can use it to spam your account. However, some providers display their company IP address instead of yours to protect your identity and also offer disposable email aliases to protect you from spammers.

Of course, there are many other ways a provider can differentiate itself, but those are four of the top security-related aspects to consider.

Hope this helps,

Collapse -
by Traulinger / January 6, 2011 2:34 AM PST
In reply to: A few differences...


Thanks so much for your thorough reply. It definitely helps with some of the questions\issues I was wondering about.

My wife and I are in the process of transitioning from a stateside role, to a foreign position with a non-profit that we work for. They have requested that we migrate to a secure email provider, but I've yet to take the plunge, as I have so much energy invested in my Gmail (contacts, labels, filters, etc.), and was hoping that I might be able to offer a plausible explanation as to why a paid provider isn't any better than my current solution.

I'm not sure if I'll be able to convince them of that. In the end, however, (and I know I sound like a broken record), I still see both as suffering from the same dilemma: sent mail leaves each service provider unencrypted.

Regardless, I appreciate your thoughts. They were very helpful.


Collapse -
May I?
by MarkFlax Forum moderator / January 6, 2011 2:44 AM PST
In reply to: Thanks

Intruding into this conversation here, but I noticed your post above. While I don't know the full details, isn't there an easy way?

Simply, retain your Gmail account for personal use and sign up to your new employer's own email system for work use. I dont' see why any prospective employer would insist that someone's existing emails, contacts, etc be migrated to their own service. Just start afresh with them.

Or is that too simple?


Collapse -
Good Though, But...
by Traulinger / January 6, 2011 6:00 AM PST
In reply to: May I?


I suppose I didn't provide enough details earlier. This may seem odd, but our home office doesn't provide email (with the exception of those working at headquarters). We can expense any service that we purchase, but we're on our own in finding it. Their preference just happens to be that we use a secure provider.

As it is, the vast majority of contacts I have in Gmail are work related (since in my current position, I was already using Gmail for work - I don't work out of headquarters). I know this seems somewhat "rag-tag" and perhaps a bit unprofessional. This is just the way that it is. While I am stateside, using Gmail isn't an issue. But being abroad, their criteria for service providers changes to some extent.

I'm planning on contacting the director of IT for our organization and running these questions by him. He may be able to shed some light on their policies and whether I might get an exemption from the current standards. He's a great guy who I have met on a number of occasions, so I don't think he'll mind me discussing this with him.

I appreciate everyone's thoughts. I'd still be interested in hearing any other thoughts should you have any. Thanks!


Collapse -
When speaking with the IT director...
by John.Wilkinson / January 6, 2011 11:30 AM PST
In reply to: Good Though, But...

Be sure to have him define "secure provider." Most are satisfied with a provider that uses SSL to encrypt data transfers between you and the provider, in which case Gmail would qualify. In fact, Gmail offers corporate and university services, with some of the leading employers and universities abandoning their Microsoft Exchange servers in favor of Google's cost-cutting alternatives. At the same time, however, many companies and universities take the position that no email account is secure enough for sensitive communications, reserving them for traditional mail, phone calls, and in-person communication. It may be that GMail meets his qualifications after all.


Collapse -
Great Point
by Traulinger / January 6, 2011 1:04 PM PST

Great point, John. I'll be sure to ask him to define "secure provider" and make mention of the number of entities dropping Exchange for Google's services. I have plans to touch base with him tomorrow and will be sure to let you all know what I hear.


Collapse -
Gmail good but not that good
by richteral / January 22, 2011 3:37 AM PST
In reply to: Great Point

I believe it was last year that a number of Gmail accounts got compromised; in my case it was demonstrated by suddenly having to go through a security procedure to get a new password, and not because I had forgotten the original one.
It might be worth investigating Fastmail (now part of Opera, paid-up); not sure what happens to mail that leaves their servers, but over many years it has proved extremely reliable and secure. Where it definitely beats Gmail is in keeping the track of logins over two weeks, which is a useful facility for checking on when and by whom the account has been accessed.
Another option is using Comodo SecureEmail, which disposes of PGP keys et al.

Collapse -
Why pay? Because it's not the same as free...
by porsche10x / January 22, 2011 5:45 AM PST

Ok, so the email is no longer secure after it leaves the service, but that's not the whole story. Plenty of people will pay for secure e-mail WITHIN the service, maybe a small company with no IT manager looking for a simple, turnkey solution. Maybe this company has employees at remote locations. Maybe they need to exchange documents securely with a few suppiers or customers. It might be easier to just get them to use the same service.

Also, a critical-mass thing might occur. If the service is useful and well-marketed, then enough people might use it for "everyone" to be on the system. You use it, tell a friend, and so on...

Collapse -
Security in email world
by claudestephane / January 23, 2011 1:25 AM PST

Great discussion. Clearly the problem adds inconvenience for security's sake, which are willing to incur. The store & forward approach has been around for quite a while, requiring opening another app & logging in. Webmail like gmail works well, as long as you can convince ALL your secure co-workers to use same ssl provider. As for them being hackable or rather crackable, anything build by man can be defeated by woman. }:-}}

Collapse -
Neomailbox appears to be a fraud
by Fog_Bev / February 6, 2015 2:10 AM PST

After doing considerable research, I chose Neomailbox as a mail service for my domain. As it turns out, their mail service is incredibly unreliable. Plus, technical support is slow, if not flat-out non-existent. There is no phone number or physical address that anyone responds to.

In December 2013 my service stopped working, again; and by January 2014, Neomailbox flat-out ceased to respond to my pleas for help. After struggling to accept the reality that I had forwarded all my domain's e-mails to such an unresponsive vendor, I eventually moved all my mail service to another provider. In the meantime, I also completely lost many, many months of e-mails.

All this experience, of course, did not prevent their automated system from alerting me that my account expired. They want me to pay them for service I never received; and renew!

At this stage, I seriously doubt that they deploy the level of security they allege to. This is a very disorganized entity, and/or fraudulent.

Collapse -
Just checked. 10/13/04
by R. Proffitt Forum moderator / February 6, 2015 2:17 AM PST

I went to my Gmail and looked up my oldest email and found 10/13/04. That's over a decade I've had that email and given it's worked for that long and shows no sign of going away, why not try them today?

PS. This thread is more than 1494 days old so it's unlikely that many will respond here. Let's try making a new discussion next.

Popular Forums
Computer Newbies 10,686 discussions
Computer Help 54,365 discussions
Laptops 21,181 discussions
Networking & Wireless 16,313 discussions
Phones 17,137 discussions
Security 31,287 discussions
TVs & Home Theaters 22,101 discussions
Windows 7 8,164 discussions
Windows 10 2,657 discussions

The Samsung RF23M8090SG

One of the best French door fridges we've tested

A good-looking fridge with useful features like an auto-filling water pitcher and a temperature-adjustable "FlexZone" drawer. It was a near-flawless performer in our cooling tests.