FastMail Security

Overview

FastMail takes care to ensure that your information is safe and secure.

TLS/SSL Access

We support TLS/SSL with all of our protocols. TLS/SSL is designed to encrypt all traffic and prevent eavesdropping, tampering, and message forgery on any communication between your computer and our servers.

In most cases, enabling TLS/SSL involves only changing a few settings in your email client or how you use our website.

  • Web

    When you log in via our homepage, just use the Secure Login button. This switches to https mode, which is the secure (SSL) web access protocol. After using the Secure Login button, all traffic in both directions for the remainder of your session will be secure and encrypted.

    Note also that when you do this, we'll put a cookie on your computer letting us know that you prefer Secure Logins. The next time you go to our homepage, Secure Login will be the first and default login button on the page. The cookie doesn't contain any private information; it just lets us know that you'd prefer a secure session by default in future.

  • IMAP/POP/SMTP

    The standard email protocols support two ways of using SSL: either pure TLS/SSL over a different port number, or a mechanism called STARTTLS that takes a regular connection and upgrades it to a secure one after connecting.

    We recommend using the secure port numbers where possible, because the entire connection is then always encrypted and won't even work if the encryption can't be started. The STARTTLS mechanism requires both sides to negotiate a secure connection, and if there's a problem or a software bug, they might silently fall back to a non-secure connection.

    Most email clients will let you specify that you want to use a "Secure connection" for each of the IMAP/POP/SMTP protocols, and ask you what port to use. The secure ports are respectively: IMAP=993, POP=995, SMTP=465.

  • DAV

    DAV is built on top of HTTP, the same protocol websites use, so to enable TLS/SSL for DAV, you just have to ensure that everywhere you specify the access URL, you use https://dav.messagingengine.com instead of http://dav.messagingengine.com.

  • FTP

    FTP is a rather old and well-established protocol that by itself includes no encryption. Unfortunately there are now two completely different protocols with similar names that support encryption.

    FTPS - this is an update to the classic FTP protocol that adds support for SSL connections. We DO support this protocol.

    SFTP - this is an entirely new protocol that works over another protocol called SSH. It bears no resemblance to FTP except in its name. We currently do NOT support this protocol.

Servers/Software

Maintaining secure servers requires putting in place a careful security policy.

  • Only allow necessary communications

    Many unexpected forms of attack come from failing to close potential vulnerabilities, including database port access, SSH port access, etc. We use kernel-level firewalling to only allow connections to the services provided by each machine.

  • Keep track of software updates

    Software contains bugs, so we keep track of the software we use and any security vulnerabilities in it, so that we can upgrade as soon as an issue is reported.

  • Use software systems that take security seriously

    We use Debian as our operating system base because they take their security responsibilities and updates seriously. In most cases an update for a security problem will be available within hours of the reported problem.

Physical

All our servers are hosted at a secure facility at New York Internet. As their website notes:

"Data Center security is a top priority for NYI. We have taken extreme care to install the utmost security so that our customers know that their data is safe. Our Data Centers are located at heavily protected buildings where the security personnel are on guard 24x7. Other security features include biometric fingerprint readers on door locks, strategically placed cameras and motion detection, doors equipped with alarm system."

Limitations

Note that while communication between your computer and our servers is encrypted, any email that you send that has to go to another server has to pass over the internet in an unencrypted form.

The only way to ensure end-to-end security with email is to use email encryption software such as PGP or S/MIME. Both of these systems require the creation of certificates, run on your computer, and are attached to your email client to encrypt and decrypt the email.

Providing secure end-to-end encryption via webmail is impossible. There are basically two options, both flawed.

  • Keep private key on server and encrypt email on server

    Although all traffic between the server and client may be encrypted via SSL, and then the email itself is encrypted on the server before being sent to the world, the unencrypted email is still available on the server between the SSL and encryption stages.

  • Use JavaScript/Java to encrypt email in the user's browser

    In theory, because the JavaScript/Java has to run in the user's browser, the user could inspect the code to see that it's secure. In reality no one would ever do that, and there's nothing stopping someone from sending a JavaScript/Java program that sends the encrypted email back to the server along with the encryption key, so the server can decrypt it.

Famously, Hushmail, which allows you to use both of these options, recently admitted that the US government compelled them to turn over the unencrypted emails of a number of users.

Their claim of security then comes down to what is required to obtain a court order. From the Wired article, Hushmail states:

"That's also backed up by the fact that all Hushmail users agree to our terms of service, which state that Hushmail is not to be used for illegal activity. However, when using Hushmail, users can be assured that no access to data, including server logs, etc., will be granted without a specific court order. Smith also says that it only accepts court orders issued by the British Columbia Supreme Court and that non-Canadian cops have to make a formal request to the Canadian government whose Justice Department then applies, with sworn affidavits, for a court order."

A similar requirement applies to FastMail, and as our terms of service state, we won't release any data without the required legal authorisation.

Again, to summarise: to get secure end-to-end encrypted email, you must use an email client together with a security system like PGP or S/MIME.