The Curious Case of secMail

Email services on Tor have always been a topic of discussion for activist types and a target for hackers of all varieties. On the clearnet, your email is your de facto internet ID; forget Facebook, LinkedIn or anything like that, your email address is your identity. If you need to reset a password, you get a confirmation sent to your email address. If your email address is compromised or you lose access to it somehow, then depending on your provider you may be fucked. It isn't that much different on the darknet: email addresses are commonplace on marketplaces and other services so that pseudonymous individuals can contact each other, and they are typically those Tor-only email services, as they are easily accessible and anonymous out of the box.

But let's take a look at what this particular website says. On the front page (pictured above) we can see their logo, followed by four tabs: the login page, signup page, FAQ and an about page. Let's look at the login page first (since it is pictured). We can see it supports advertising, so we can at least deduce that they have some way of generating income aside from whatever they are using already, which is a good sign. The ads themselves appear to be randomized, and things like stolen CCs etc. seem to be permitted from what I've seen.

Now let's look at the bottom part of the page. They claim to be your number 1 email service; typical advertising, nothing to see here. Then it says "an email that protects your privacy". It's important to note something here: we have no idea who the people running this service are, and even onymous providers on the clearnet don't take much accountability for their actions, so what incentive is there for an anonymous provider like secMail? Next we have a bold claim: "used by hundreds of activists". This is likely just more advertising schtick, as there is no possible way to prove it one way or another without compromising the security of their users.

Now let's get into the next portion on the right side. Most of it just repeats what's already been said or what should go without saying, but one part caught my eye: "We are using the safest security protocols, so you don't have to worry about nothing". This is extremely vague wording and I honestly don't know what to make of it; it reminds me of those ads for generic VPN services that overemphasize terms like "military grade encryption". The fact that they don't elaborate is sort of sketchy.

We can skip the signup page as it looks nearly identical to the login page albeit sans the posturing and advertising.

Time to look at the FAQ.

Okay, a basic explanation, nothing of importance. Except maybe that ",for sure" at the end, that's kind of odd.

The way they word this is important: it showcases their lack of a real privacy policy, not that it would matter much anyway, as they cannot be held accountable for any wrongdoing since this is an onion service. To be fair, they are correct, you shouldn't trust anything like this on the darknet. However, that does not excuse the lack of information given. Email is not exactly the most secure method of communication overall; a lot of metadata is leaked when sending an email (sender, recipient, subject, timestamps, the servers it passed through) and unfortunately PGP does not encrypt any of that, only the message body.

Okay, they'll bring it in the future, that's cool.

This one really irks me. This is clearly a question that would be asked by more knowledgeable people in computer security, privacy activism and so on, but they barely provide an adequate answer to it. They say they built it with a focus on security; yeah, no fucking shit, as if it weren't clear already. Then they just say "hidden and untraceable". That tells us nothing about the security they've supposedly implemented. Then they elaborate on the clearnet proxy, followed by more vague wording. An anti-spam filter? Wow, it's not like every other major service has that too. Patches to your webmail client? The least they could've done is elaborate on what those patches are, or even just provide an external link to another site that explains them.

Once again, they don't elaborate at all. And what does "in the next weeks" even mean anyway? We have no way of knowing when this page was last modified, so this same FAQ could be nearly two years old for all we know (unless someone can confirm dates for us).

The last three FAQs I didn't bother to list are just links to their BTC donation address, their PGP key and their contact page for setting up ads on their site.

Now, to the about page.

So they begin by proclaiming to be a group of researchers and amateurs. Wait, WHAT?! Amateurs?! I wouldn't want to use a service administered by a group of amateurs, and certainly not a service like this, which according to them is used by political activists! You'd think they would be professionals to be advertising and running a service like this. I don't care that they say "don't trust us" and tell you to use PGP; both clients and servers need to be 100% serious about security. It's clear from looking at their own site that they aren't fully on board with that. I'm willing to bet that if their servers eventually get broken into, they'll just brush it off by saying you should've used PGP, without any regard for affected users and the potential danger they may be exposed to as a result.

Something else seems to be overlooked, and in fact this particular trait is what caused me to delve into and research this service in the first place: their clearnet proxy. Their service is a lot like an older service that died years ago, SIGAINT, another onion service providing email and a clearnet proxy. In 2015, a large number of SIGAINT user accounts were compromised. Mind you, this wasn't a result of SIGAINT itself being hacked; rather, it was precisely because their clearnet proxy webpage was configured the way secMail's proxy page is right now: it provides a direct link to their onion service and lacks an HTTPS certificate. Meddling with connections these days is usually not that easy, since almost every major web service uses HTTPS; without it, however, interfering with a connection is extremely easy. Lacking an HTTPS certificate on its own isn't the worst thing in the world, but the fact that their clearnet proxy is known to officially link to their onion service makes this issue extremely problematic. Changing the link is trivial since there is no security in place whatsoever, and this is exactly how SIGAINT users got hacked. If you read this article, you will learn that the budget required to pull off this kind of attack on users is minuscule: a mere $400 a day is all it took, for crying out loud! That's within the budget of a variety of non-state actors, and if a state actor wanted to pull this off, they would likely do far worse damage.
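Since the whole problem above comes down to "the onion link on an unauthenticated page is only as trustworthy as the channel it arrived over", here is the check a careful user can run on their side. This is an added example, not code from the original post or from secMail: it pins an onion address learned out of band (a PGP-signed announcement, a trusted directory), then flags a proxy page that was fetched over plain HTTP, that still advertises a legacy v2 address, or whose onion link disagrees with the pin. Every address, URL and sample page in it is a constructed placeholder.

```python
"""Added example, not from the original post or from secMail: a user-side check
for a clearnet "proxy" page that advertises an onion address.

A page served over plain HTTP can be rewritten on the way to you, so the
.onion link it carries is only as trustworthy as the channel it arrived over.
The defensive habit is to learn the address once, out of band, pin it, and
treat any page that disagrees as tampered. All values below are constructed.
"""
import re
import urllib.request
from urllib.parse import urlparse

# v2 addresses are 16 base32 characters, v3 addresses are 56; both end in .onion
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b|\b[a-z2-7]{16}\.onion\b")
V2_LEN = len("x" * 16 + ".onion")

# Address learned out of band and pinned by the user (constructed placeholder).
PINNED_ONION = "pinned" + "a" * 50 + ".onion"

# Constructed sample pages: what the proxy should serve, a rewritten copy with a
# different v3 address swapped in, and a page that still advertises a v2 address.
GOOD_HTML = f'<p>Tor users: <a href="http://{PINNED_ONION}/">use our onion service</a></p>'
TAMPERED_HTML = GOOD_HTML.replace(PINNED_ONION, "rogue" + "b" * 51 + ".onion")
LEGACY_HTML = '<p><a href="http://legacyaddress222.onion/">onion</a></p>'


def extract_onion_addresses(html):
    """Return the distinct .onion hostnames mentioned anywhere in the page."""
    return sorted(set(ONION_RE.findall(html)))


def assess_proxy_page(page_url, html, pinned_onion):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    scheme = urlparse(page_url).scheme.lower()
    if scheme != "https":
        findings.append(
            f"transport: page fetched over {scheme or 'unknown'}, "
            "its contents could have been rewritten in transit"
        )
    addresses = extract_onion_addresses(html)
    if not addresses:
        findings.append("content: no .onion address found on the page")
    for addr in addresses:
        if len(addr) == V2_LEN:
            findings.append(f"{addr}: v2 onion address, deprecated and weaker than v3")
        if addr != pinned_onion:
            findings.append(
                f"{addr}: does not match the pinned address, treat the page as tampered"
            )
    return findings


def fetch_and_assess(page_url, pinned_onion, timeout=15):
    """Live variant: fetch the page and run the same checks (not exercised offline)."""
    with urllib.request.urlopen(page_url, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return assess_proxy_page(page_url, html, pinned_onion)


if __name__ == "__main__":
    for label, url, html in [
        ("expected", "https://proxy.example/", GOOD_HTML),
        ("rewritten", "http://proxy.example/", TAMPERED_HTML),
        ("legacy", "https://proxy.example/", LEGACY_HTML),
    ]:
        print(label, assess_proxy_page(url, html, PINNED_ONION) or ["ok"])
```

The point of the pin is that the check does not depend on the page being honest: a proxy page served over HTTPS from a certificate the user's browser trusts removes the easy rewrite, and a pinned address catches the case where the page itself (or whatever is between you and it) lies. The same check is the practical answer to the later claim that exit-node monitoring makes TLS unnecessary.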

The Letter

I had initially considered not posting this to my site as I believe this could possibly cause more harm than good, but I feel like I have to do this. I had sent an email to their support address (support@secmail.pro), addressing my concerns and requesting that they do something about them. After a few days, I got a response from their support email and unfortunately, it wasn't exactly what I had hoped to receive.

I'll address the points made in their reply. To begin, we have: "We are constantly implementing new features and improving our security, most of the changes are not noticeable to our users."

What exactly is that supposed to mean? Sure, they aren't noticeable, but why can't you document them for those who do care and do want to know how you administer things? If most of the changes aren't noticeable and you don't at least document them like many other services do, how are we supposed to even know that you're doing anything at all? You say things like "don't trust us" but simultaneously say things like "we protect your privacy" (mind you, without even having an official privacy policy at all). If you yourselves explicitly say you can't be trusted, how can we trust you when you give meaningless crap responses like this?

Now the next point they make: "The thing happened with sigaint.org was that some exit nodes changed the clearnet url content (sigaint.org), to modify the deep web URL contained there and manipulate its users by establishing a honeypot on the deepweb."

Yes, I am well aware! I explained it and linked you a news article about it in my email; I don't need you to reiterate it in a shittier fashion. The thing is, your clearnet proxy is still configured like that to this very day! It has no HTTPS at all and a direct link to the onion URL of your service; this is precisely the insecure setup that let the SIGAINT user compromise happen in the first place, yet here you are acknowledging it and still doing nothing about it, despite running your service for over two years now!

Moving on, this is where they try to excuse their incompetence: "Nowadays, most of the exit nodes are monitored and kicked out if they modify pages intentionally."

Now this is just pure bullshit. While it is true that bad exit nodes can be booted off the network, they are not caught instantly, and the network is not monitored intensively enough to detect MITM attacks in real time; this is why HTTPS is important. Just take a look at this article for further details: the exit nodes cannot pragmatically be monitored and regulated in the fashion that secMail is suggesting in their email. If anything, this is likely just an excuse to be lazy, or perhaps a result of sheer incompetence.

Onto the final point: "It is not one of our priorities right now to establish TLS security, but we will do it in the future (Lack of time?)."

I want you to look at this Reddit post. This is secMail's initial advertisement of their service on /r/Onions, a subreddit dedicated to the topic of onion services. Their original post was made on February 14th of 2017, around two and a half years ago. All this time, the most obvious and noticeable flaw in their security has been their clearnet proxy's configuration, since everybody already knew about the SIGAINT fiasco at that time. They have had over two years now to implement TLS, or at the very least to take the direct link to their onion service off the clearnet proxy page so that there is a much smaller chance of compromise.

If you scroll through the comments, you'll find some interesting things. Most notably, they claim that they had been running their service for over six months prior to the initial posting, so that would mean they have been running for a total of nearly three whole years. Not only that, but they also had their webserver incorrectly configured, and one of the commenters in that thread had to point it out to them. It also turns out that someone pointed out their lack of HTTPS to them already, yet here we are.

I should also point out that they never directly addressed the v3 onion protocol concern at all. It doesn't take much to configure; it actually requires the addition of a single line in the torrc file. To be absolutely fair, v3 onions were not a thing when they started out and weren't until some time in 2018; however, there isn't a reasonable excuse for why they haven't set one up by now.
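For anyone wondering what that single line looks like, here is the torrc fragment for a v3 onion service. This is an added example, not a configuration from the post or from secMail; the directory path and the backend port are placeholders.

```ini
# Added example torrc fragment for a v3 onion service (placeholder paths and ports).
# Recent Tor releases already default HiddenServiceVersion to 3, so on a current
# release the version line is the one addition that differs from an old v2 setup.
# Point HiddenServiceDir at a fresh, empty directory: Tor creates it, generates
# the v3 keys, and writes the 56-character address to <HiddenServiceDir>/hostname.
HiddenServiceDir /var/lib/tor/onion_v3/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080
```

A directory that already holds v2 keys cannot simply be switched to version 3, so the v3 service gets its own HiddenServiceDir; if the old v2 address needs to stay reachable during a transition, the existing v2 block can be left in torrc alongside this one, since Tor serves multiple onion services from one instance. The address in the new hostname file is what should then be published, ideally in a PGP-signed announcement rather than only on an unauthenticated clearnet page.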

The Takeaway

There's one thing to take away from this, and that is to choose your providers carefully. Services like Riseup, Disroot and others are fine choices for activists and the like who absolutely need a good provider for their various needs; shady services like this are not. You could choose to use secMail if you want, but judging from what we have seen, they do not appear to be the most competent individual(s). If you do decide to use them, please be sure to use PGP at the very least and practice good OPSEC above all else. A lot of the criticisms toward secMail could easily be applied to just about any other email provider that operates exclusively on the darknet.