Review of the biggest web-based email providers

We decided to review some of the biggest email providers out there. We tested integrity and security, but also the functionality of the email service. Please note that this research is based on tests carried out between 1 January and 10 February 2016. Our final results are below, so enjoy!

Results


Security and Privacy features

https://docs.google.com/spreadsheets/d/1W29NiRuCNoYQqfX3nWdftciyrUwaUC2ARRcva7G9qTA/edit?usp=sharing


Functionality

https://docs.google.com/spreadsheets/d/1yIFOFHPVlQy9VYNQiNYPukPG89LBBHJ7YgxyYPt5IqE/edit?usp=sharing


What we tested



Bitcoin, *coin ability - Does the email provider offer a way to pay with Bitcoin or another digital currency?

Countries - Which countries is traffic sent through? Data taken from dnsdumpster.com.

CSP - Does the web-based email client have an enforced CSP ruleset active? Note that this was checked after the user logs in and views emails, not on the front page.

DNSSEC - Is the domain (where the user logs in) protected with DNSSEC? Data taken from dnssec-debugger.verisignlabs.com.

HPKP - Is the domain (where the user sees their emails) protected with HTTP certificate pinning? Both Enforced and Report-Only results count.

HTTP-header grade - What result does the website get on securityheaders.io? Please note that although securityheaders.io does not verify the results, we verified them by hand afterwards.

IP-leak - Are IP addresses leaked when viewing an HTML-formatted email? Example: YES/YES means that the IP leaks automatically without the user allowing it (first YES) and that it also leaks after the user allows it (second YES). This has been tested with both emailprivacytester.com and HTTPLeaks.

SSL Labs grade - What result does the front page get on SSL Labs?

Tor support - Does the email provider offer an official .onion address for users to use?

Third-party services - Is the provider using third-party services such as Google Analytics, Google Fonts, Cloudflare and so on?
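
The CSP and HPKP checks above can be read off the response headers of the logged-in mail view. The following is an added example, not code from the original review: it classifies the headers the way the list counts them (CSP must be enforced, HPKP counts as Enforced or Report-Only). The function names and the sample response are constructed for illustration, and the HPKP validity rule (max-age plus a backup pin) follows RFC 7469.

```python
import re

PIN_A, PIN_B = "A" * 43 + "=", "B" * 43 + "="   # constructed placeholder pins, not real key hashes
SAMPLE = (                                       # constructed response head for the example
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy-Report-Only: default-src 'self'\r\n"
    f'Public-Key-Pins: pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; max-age=5184000\r\n'
    "\r\n<html>"
)

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercase-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:    # skip the status line
        if not line.strip():
            break                                 # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def csp_status(headers):
    """'enforced', 'report-only' or 'none'; only 'enforced' meets the CSP criterion."""
    if any(headers.get("content-security-policy", [])):
        return "enforced"
    if any(headers.get("content-security-policy-report-only", [])):
        return "report-only"
    return "none"

def hpkp_status(headers):
    """'enforced', 'report-only', 'invalid' or 'none'; the first two both count."""
    def pins(value):
        return set(re.findall(r'pin-sha256\s*=\s*"([A-Za-z0-9+/]{43}=)"', value, re.I))
    for value in headers.get("public-key-pins", []):
        # RFC 7469: an enforced header needs max-age and a backup pin (at least two pins).
        if re.search(r'(?:^|;)\s*max-age\s*=\s*"?\d+', value, re.I) and len(pins(value)) >= 2:
            return "enforced"
    for value in headers.get("public-key-pins-report-only", []):
        if pins(value):                           # max-age is ignored in report-only mode
            return "report-only"
    if "public-key-pins" in headers or "public-key-pins-report-only" in headers:
        return "invalid"
    return "none"
```

For the constructed SAMPLE response, the CSP result is report-only (which does not satisfy the CSP check) while the HPKP result is enforced.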


Why we tested these things



We tested the things that could directly impact the privacy and security of the user whilst using the service.

We focused on the security of the domain, the software and also the privacy. We checked whether there was any protection when reading an email: is your IP leaked, and what does the protection look like?

The functionality was also tested: whether the provider lets users change, revoke or remove their keys from the server, and whether a user can use the service with a third-party client such as Thunderbird, mutt and/or Outlook.

Based on our experience and these tests we do not recommend Hushmail and safe-mail.


Who's the best provider?


Best web security - Ghostmail.com

Most simplistic service - Scramble.io

Most functions - Posteo.de

Most affordable service - Protonmail.ch