In addition, while the code for the service has been placed on Github it lacks documentation and includes no license file. Thus, it is not truthfully completely open source. Despite this, putting the code on Github is better than keeping it hidden away under lock and key. On the other hand, it does not appear to have undergone any third-party audits.
On the surface, ScryptMail email provider appears to have a lot of strong features. In our scryptmail review we take a detailed look at some of its claims - to see if it is worth spending your time and money.
How much does ScryptMail cost?
ScryptMail is a low-cost email service, which can be used for free. For free, users gain access to 300 Mb of email storage. Users can opt to “refill” their account with balance with either PayPal or Bitcoin.
Once money has been added to the balance of their account, the user can opt for individual upgrades such as custom domains, aliases, stronger PGP key encryption, and various other features.
These are charged individually and are fairly reasonably priced. However, considering it is possible to get fully-featured secure email providers for just 1 Euro per month (Tutanota or Posteo, for example) paying for this service is going to work out a touch expensive if you start to bolt on numerous features.
ScryptMail Features
- Free email account available
- Baked in PGP encryption
- PIN encrypted emails
- Encryption at rest
- Spam folder
- Contacts
- Aliases (paid only)
- Custom domains (paid only)
- Two-factor authentication
- Email filtering
- Blacklist feature
Privacy
Being based in the US is always considered a problem when it comes to privacy. US-based firms can be served warrants and gag orders that force them to begin snooping on their users on behalf of the government. If the firm breaks a gag order (which forces it to keep that surveillance a secret) employees at the firm could be prosecuted and face jail time.
A mirror of ScryptMail’s webmail service is available on the deep web via Tor; which is great for people who want to sign up and access their emails anonymously. For people not ready to jump into the internet’s underbelly, a webmail client much like those provided by many other email clients is available in your browser via the internet.
The privacy policy reveals that the firm stores some connection logs: Last login time, IP address, User-agent, and API call. Confusingly, however, the policy then reads: “We have no ability to match an IP to a specific user account.” These appear to be a direct contradiction.
In addition to this problem, ScryptMail has a warrant canary and transparency report that has not been updated in some time. An out of date Warrant Canary - that has been sitting untouched since 2016 - appears to reveal that the company has been served a warrant. This alone is enough reason to stay away from the service. The transparency report reads:
- We had 8 requests from law enforcement agencies to access log file for the specific time for certain users
- 8 requests for access time and IP were granted
The good news (if you can call it that) is that the transparency report reveals that the firm does indeed collect connection logs including user IP addresses. Thus we are left with no option but to severely dissuade consumers from using this VPN.
Security
All communication with ScryptMail’s servers happens via TLS/SSL (HTTPS), and the firm says it implements HSTS to mitigate against Man in the Middle attacks, as well as certificate pinning (to resist impersonation by attackers). However, tests run by Qualys SSL Labs reveal that the firm only scores a B for the strength of its SSL implementation (because the server's certificate chain is incomplete). This is a poor score, that suggests the firm does not actually implement HSTS.
Where storage is concerned, the firm claims that all email data is encrypted at rest using strong AES 256 encryption and the firm claims Forward Secrecy is implemented for added security. All in all, this means that the firm appears to handle emails in a secure manner. However, there are some caveats...
ScryptMail was coded by a single developer, and, since it was released in 2014 the developer has only updated it once in January of 2015. This definitely rings some alarm bells, and like other people have pointed out on Reddit and elsewhere; it is hard to believe that a service developed by just one person - and that never gets updated - is actually secure against hackers or government intrusion.
As to the firm’s claim that it encrypts all metadata, it is worth noting that although encrypting all metadata while it is at rest is possible (so that at least ScryptMail can’t access that information) - it is not possible to conceal who sent an email (and when) from other email providers. Metadata must be included in the header of an email for it to be delivered, and this data is exposed when the email is sent across the net. Thus, metadata could be collected en masse (by intelligence agencies or a MitM attack) while in transit.
For those who prefer to add two-factor authentication to their account, the feature is available from within settings and can be set up to work either with a physical Yubikey or using Google Authenticator.
Ease of Use
Starting a ScryptMail account is easy and you do not need to hand over any personal data if you prefer not to. This is great, because we prefer email providers that do not ask for a phone number or a previous email address for verification.
With your account created, you are prompted to download the secret token for your account. The secret token is described by ScryptMail as the “ultimate tool to your account” because it can be used to reset the password or secret phrase that is used for logging in. However, it is worth noting that in addition to the token it is necessary to have the password or secret phrase as well (so be sure not to store these together!)
With access to webmail granted, we decided to check how easy it is to import contacts. Sadly, we could find no way to import contacts using a CSV file, which means that you will need to add contacts manually - one by one.
Next we decided to email with encryption. We could easily find the PIN encryption method (which requires you to share the password outside of ScryptMail with the sender in some private way).
However, setting up the webmail to send PGP encrypted emails is not at all obvious. Eventually, we were able to ascertain that to send PGP encrypted emails you must create a contact for the recipient and add their public key from within contacts.
Following that, you can create an email and a green padlock will appear by default which reveals that the email is protected with PGP. Your PGP keys are available by navigating to Menu > Settings > PGP Key. Here you can access your PGP key and ask to refresh it, you can also copy in pre-existing keys if you already have them.
Aliases are available only if you pay for the service, the same is true of custom domains. However, having the option to upgrade to these features is handy for anybody that particularly likes using ScryptMail. Overall we found this an easy email client to use, as long as you are pretty tech-savvy and don’t mind digging around in the client figuring out for yourself.
Customer Support
Anybody who wants help has the option of reading through the Blog and FAQ section of its website. However, while the guides are informative, it is hard to find any helpful tutorials about setting up PGP encryption or sending PGP encrypted emails, for example. In addition, the content does suffer from not having been written by a native English speaker.
We emailed support for some information on this and a few other things. However, we received no ticket to let us know that the email had been received. What’s more, no reply ever came (we had waited three days at the time of writing).
For this reason, anybody who is a beginner to using secure email clients are advised to look elsewhere if they are going to need any help in setting up or using the service. It would appear that SyncMail is completely unmanned.
ScryptMail Conclusion
Overall we found this email account fairly easy to use, particularly for anybody who has experience using PGP and encrypted email providers. The lack of IMAP and POP is definitely a drawback that will put many consumers off, and the inability to import contacts via CSV is extremely annoying.
For free this email account would probably be recommended if it weren’t for the out-of-date warrant canary and concerns surrounding the fact that it appears to have been abandoned by its developer. The transparency report and privacy policy also raise concerns as do its base in the US (which we fear has been compromised by the authorities).
Overall, we don’t feel comfortable recommending this service due to its privacy issues, and for this reason, we generally recommend looking elsewhere.