Criptext: encrypted email service review
Try signing up for an online account, service, or subscription without an email address. You can’t. Most of our digital interactions with third-party services require an email.
The first email service I ever used was Hotmail. Then, after years of dealing with poor spam management, I migrated completely to Gmail: a clean slate, slightly better spam protection, and undeniably better UX, one key (email) to rule them all (accesses/logins/signups).
Then I found Bitcoin and cryptocurrencies, and compulsively migrated to ProtonMail, for the sake of my privacy, the underlying technology, “legal protection”, and their position on privacy rights. We all know any government, with a swift use of the pen, can sweep under the carpet any privacy Gmail might have.
Although I still use ProtonMail at the moment and it is one of the safest email services out there, I am now migrating fully to Criptext. Why settle for a service that might have holes in its architecture?
- Back in July I co-wrote a piece about how ProtonMail appeals to jurisdiction, trust and “not bullet-proof” key management tackling.
- Nadim Kobeissi, a computer science researcher specialized in applied cryptography and a professor at New York University’s Paris campus, published in November “An Analysis of the ProtonMail Cryptographic Architecture”.
- Important data breaches have been taking place lately, i.e. Marriott, Under Armour, and Quora. These occurrences joined the biggest data breaches of all time, ranking #2, #6, and #11 respectively.
It’s important to point out that since Criptext doesn’t store your data, you’re not at risk should any breach take place.
The beauty of Criptext is its simplicity:
All your emails are locked with a unique key that’s stored on your device alone, which means only you and your intended recipient can read the emails you send.
Criptext’s source code is open to the entire privacy community to see. We actively work with our open source community to improve on the software in order to provide the best email experience.
The Criptext email service utilizes the open source Signal Protocol library, which protects your privacy and security throughout your entire Criptext experience.
No Cloud Storage
Criptext doesn’t store any emails on its servers. All your emails are stored on your device alone, which means you’re in control of your data at all times.
ProtonMail, by contrast, stores your encrypted keys and all emails on its servers, which allows ProtonMail users to access their emails through any browser: better accessibility, but inherently flawed.
Side by side, let’s say everything on both email services works as expected architecture-wise… In the worst-case scenario for both, we throw away the jurisdiction, which happens frequently:
- On ProtonMail: “they” could have access to your encrypted keys and emails on ProtonMail’s servers, “they” would have to decrypt.
- On Criptext: “they” would need to have physical access to a device where you are logged in, save that you don’t log off.
I’d rather have physical ownership of my emails and encryption keys than trust a jurisdiction and hope that encryption can keep nosy entities at bay.
In my opinion, I would say the safest way to email is with Criptext.
“If you don’t own your private keys, you don’t own your email”.
This said, let’s talk about UX and functionalities. Let’s walk it through…
1. Install Criptext: go to criptext.com, download from the device you will be using Criptext from.
2. Registration: find a username available, enter your First and Last name, and enter a strong password. Easy peasy.
3. Adding a second or third device: same procedure as step #1, enter your chosen username from step #2.
In this case I installed it first on my laptop, then on my iPhone; the obligatory 2FA is then given from any device where you are already logged in.
You grant access, and in my case it took less than 10 seconds to sync the mailbox from my laptop. Flawless!
4. Emailing Criptext users: same as ProtonMail, every email to a user of the same email service is encrypted by default, no opt-out.
5. Emailing non-Criptext users, encrypted: unlike ProtonMail, Criptext prompts you to use the encryption feature, just enter a passphrase and send through a secure channel.
Encrypted emails for non-Criptext users are hosted on Criptext servers for up to 10 days.
6. Emailing non-Criptext users, unencrypted: you can opt out by simply disabling the feature on the prompt directly.
7. Reading an encrypted email: a user who receives an encrypted email from Criptext at their non-Criptext address will have to enter the passphrase in order to access the email on Criptext servers. As mentioned on point #4, they will have 10 days to retrieve it.
8. Pin/Touch ID/Face Recognition Lock: last but not least, the account can be auto-locked, or you can specify the time frame after which it locks itself.
If for some reason you forget your Pin, or someone attempts 10 times and fails, all email data on Criptext will be erased from the device, sorta self-destructing messages a la Mission Impossible. Sweet feature!
Features that are still pending to be implemented by Criptext
- Delete account
- Manual Mailbox Sync from Settings
- Backup and Restore data to an existing Cloud Platform
- Multiple accounts
- Self-destruct emails
- Detailed email headers
- Contacts list
- Gifs display
- Send contact
- Send location
- More languages
I really dig how Criptext’s architecture was built with no bullshit compromises around privacy; I feel as confident about my email privacy as having my Bitcoin on a hardware wallet.
There are a few features and functionalities still pending deployment, for example multiple accounts and self-destruct emails, before I can fully dump ProtonMail.
I currently pay $183/year for 20 GB of storage, 5 addresses, 1 custom domain. All of us ProtonMail users are paying a hefty premium on unnecessary and flawed storage hosting. Once Criptext starts charging a fee for premium features, which is inevitable, I expect them to charge at least half of what ProtonMail charges me currently; my assumption is based solely on the storage hosting cost.
No-brainer for me: Criptext has a superior architecture to ProtonMail, and Criptext could easily overtake ProtonMail as the de facto encrypted email service for privacy enthusiasts and the crypto community alike.