CTemplar’s 4 Wall Protection
4 Wall Protection was defined by the CTemplar team with the goal of helping people review their privacy needs. Imagine that your privacy is a four-walled fortress. If a wall is missing, then an enemy can quickly get into your fortress. Therefore it’s vital that you make sure you receive adequate protection in the places that are important.
We feel CTemplar is the most secure email service because it has the strongest features. Here are the “4 Walls” we do best.
- Wall 1: Metadata Protection:
  - We are the only secure email service that encrypts metadata.
  - Icelandic law protects us from deleting all logs of your metadata.
- Wall 2: The Only “Zero Access” End-to-End Encryption: We offer 4096-bit end-to-end encryption.
- Wall 3: Strongest Legal Protection: Iceland has no data retention laws that apply to webmail. When you press “delete” it’s instantly deleted.
  - Iceland legally allows us to offer total anonymity.
  - Iceland is outside the “14 Eyes” and has no US MLAT Treaties.
  - We require an Icelandic court order to turn over your data. If we turn over your data, it will only be encrypted information.
- Wall 4: Company: We formed the company in Seychelles because it gives the maximum protection for company records in the world.
  - We do not record or list any of our users’ data for corporate reasons, and our Seychelles corporation legally allows this.
  - We are owned by those that built the site. No global corporations. No secret government sponsors.
A service that offers end-to-end encryption is worthless if they can decrypt your emails and give them to anyone who asks. The strongest fortress in the world is not secure if a wall is missing or gate wide open. People desiring the highest level of protection should not buy discount services. Conversely, people that only require minimum security protection may not need the strongest protection.
Your privacy is your fortress; be sure you get the privacy protection that meets your needs.
The CTemplar Team
Protonmail strengths not mentioned above: Protonmail launched May 16, 2014 and CTemplar launched September 5th 2018. Protonmail’s added experience in this industry has created a more polished service than CTemplar. Protonmail also maintains the OpenPGPjs library that we use. We are grateful for their contributions and wrote a post about it.
Tutanota’s strengths not mentioned above: Tutanota was the first secure email service to go open source for F-Droid.
- Brute force attacks are only successful when thousands of combinations can be rapidly attempted. CTemplar, Tutanota & Protonmail all disable login attempts when multiple failed password attempts are detected.
- The “Zero-Knowledge Password Proof” involves hashing and salting users’ passwords. You can read a simplified version or the version published by Stanford’s cryptography department. When this technology is utilized, no one is able to know the user’s password except the user. The webmail service only has the user’s hashed password and cannot reverse the hash. Only the user can log into their account.
- Subresource Integrity (SRI) makes it impossible for an attacker to hack you (serving malicious code) during your website visit. CTemplar was the very first secure email service to enable this functionality. You can read more about it here, or here.
- CTemplar developed a combination of SRI & checksums that has never been used before. This makes it impossible for CTemplar to hack you (serve you malicious code). You can read more about this on our blog post about it. This makes CTemplar the very first “Zero Access” end-to-end encrypted webmail service provider. We are the first webmail service that can’t access users’ data even if we wanted to.
- The “14 Eyes” are a group of 14 countries that have agreements to share information with each other. Edward Snowden revealed that this agreement results in extensive privacy violations. The majority of privacy experts strongly recommend that you should avoid using a service within the 14 eyes.
- MLAT treaties require broad and all-encompassing cooperation. If the US asks for data from a country with an MLAT treaty then the country must do everything within its power to provide what is requested. The treaty can be utilized to turn your mobile device into a tracking device recording your location. An example of this is the Swiss MLAT treaty which can require a Swiss company to “make every effort to ascertain the whereabouts and addresses” of their users. Countries with MLAT treaties include Belgium, Switzerland, and Canada.
- Users use 2 Factor Authentication (2FA) to provide greater security for their accounts. Some email services, like Protonmail, maintain backdoor access to all users’ 2FA. They provide this as a service so they can restore access to users’ accounts if a user loses 2FA.
- Users who log into their account will be shown an “Anti-Phishing Phrase”. If you log into your account and you do not see that phrase, then you know that you have logged into a fake website that is trying to steal your account. When a user notices the absence of this phrase they should visit www.ctemplar.com and change their account’s password immediately. CTemplar is the first to offer Phishing Protection.
- Protonmail and CTemplar both accept Bitcoin. Tutanota does not. Bitcoin is NOT anonymous. CTemplar is the only email service that accepts payment using the most anonymous currency, Monero (XMR). Currently, we are only accepting Monero (XMR) payment via email. After the user sends the Monero, the user’s account will be credited & upgraded. Some services allow paying with cash through the mail. However, this can be problematic with recent developments in tracking physical mail.
Does having open-source code eliminate this risk? No, because open-source code is just an act to encourage users’ trust. The audited code in GitHub might not be the same code that is sent to you from a company’s private server. There is no assurance or promise that the code hosted is the same as the one that is served.
Currently, all end-to-end encrypted email services can hack their users and decrypt all of their data except us. We can provide this level of protection using an implementation of checksums that hasn’t been used before. We are proudly the first “Zero Access” end-to-end encrypted email service that is not able to decrypt our own users’ emails.
How Did We Solve This With Checksums?
Our checksum implementation allows our users to compare the code served to their browser with the code in GitHub within 15-30 seconds. Usually, comparing code can take hours or days. With checksums, you can do it in seconds.
First, the file index.html starts the platform loading process and determines what is loaded, but when doing so, could pose a couple of risks:
In any case, if anyone wants to manually verify if our “index.html” hasn’t been tampered and is the same as the one being served, we have a guide in GitHub.
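The two layers described above (SRI on the scripts that index.html loads, and a published SHA-256 checksum for index.html itself, which SRI cannot cover because it is the root document) can be exercised together with this added example. It is not CTemplar’s code or its verification guide; the file names, file contents and the “published” checksum are constructed here for illustration.

```python
import base64
import hashlib
import re

# Constructed sample subresources standing in for a served web app (not real files).
SERVED_FILES = {
    "app.js": b"console.log('app loaded');\n",
    "vendor.js": b"window.vendor = {};\n",
}


def sri_hash(data: bytes) -> str:
    """SRI integrity value for a resource: 'sha256-' + base64 of the raw digest."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the form a published 'checksum of index.html' is usually given in."""
    return hashlib.sha256(data).hexdigest()


# Constructed root document; its integrity attributes are derived from SERVED_FILES.
INDEX_HTML = (
    "<!doctype html><html><head>"
    f'<script src="app.js" integrity="{sri_hash(SERVED_FILES["app.js"])}" crossorigin="anonymous"></script>'
    f'<script src="vendor.js" integrity="{sri_hash(SERVED_FILES["vendor.js"])}" crossorigin="anonymous"></script>'
    "</head><body></body></html>"
).encode()

SCRIPT_TAG = re.compile(r'<script\s+src="([^"]+)"\s+integrity="([^"]+)"')


def check_subresources(index_html: bytes, files: dict) -> dict:
    """Emulate the browser's SRI check: each script's digest must equal its integrity attribute.
    A modified app.js fails here even though index.html itself is unchanged."""
    results = {}
    for src, integrity in SCRIPT_TAG.findall(index_html.decode()):
        results[src] = sri_hash(files[src]) == integrity
    return results


def check_root_document(index_html: bytes, published_sha256: str) -> bool:
    """The manual step from the guide: the browser cannot verify index.html against
    anything, so the user compares its SHA-256 with the checksum published in GitHub.
    Any change to index.html (e.g. a swapped integrity attribute) changes this digest."""
    return sha256_hex(index_html) == published_sha256


if __name__ == "__main__":
    print(check_subresources(INDEX_HTML, SERVED_FILES))
    print(check_root_document(INDEX_HTML, sha256_hex(INDEX_HTML)))
```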
At the time of writing, our current checksum is:
SHA-256 checksum of “index.html”:
The CTemplar Team:
Disclaimer: Checksums do not protect you from hacks from your browser, OS’s, plugins, mobile ISP providers, running process software, or the Intel Microprocessor hardware backdoor. We do not protect against keyloggers that may be installed on your computer.