
Mailfence Security Analysis: An Overview

This guide provides you with an overview of the Mailfence security analysis.

No email provider can guarantee to be 100% secure and private. Every service has tradeoffs, and it is important to be aware of them before choosing one.

The following table gives a high-level security analysis of our email service: for each type of information, it states the level of protection that information receives.

| Type of Information | Level of Protection |
|---|---|
| Source of random data when creating new PGP keys | Entropy collected via the client device |
| Password encrypted in transmission from browser to web server | SSL/TLS |
| Password securely stored on web server | SHA256 (iterated and hashed) |
| Private key passphrase exposure | The passphrase check for all crypto activity always occurs on the client side and is never exposed to the server |
| Encrypted private key in transmission between browser and web server | Two layers of encryption: (1) with the user passphrase (via AES); (2) TLS/SSL |
| Encrypted private key in storage | With the user passphrase (via AES) |
| Private key decrypted on web server | Does not apply to Mailfence: all private key encryption and decryption occurs on the client side with the user passphrase |
| End-to-end encrypted messages during transmission from client browser to Mailfence servers | Two layers of encryption: (1) OpenPGP; (2) SSL/TLS |
| End-to-end encrypted message body and attachments during transmission between web server and recipient email account | (1) OpenPGP; (2) STARTTLS (if supported by the recipient) |
| End-to-end encrypted message body and attachments in storage on web server | OpenPGP |
| End-to-end encrypted message body and attachments known to web server | No (except sent and draft items); crypto operations for end-to-end encryption occur on the client side |
| Message headers encrypted during transmission from browser to web server | SSL/TLS |
| Message headers encrypted during transmission between web server and recipient email account | STARTTLS (if supported by the recipient) |
| Message headers in storage on web server | Not encrypted |

Vulnerability analysis

The following points apply to emails sent using end-to-end encryption:

| Attack | Level of Protection |
|---|---|
| Attacker is listening to your Internet connection | Protected |
| Attacker gets access to email stored on the server | Protected |
| Attacker gets access to the server's databases | Protected |
| Attacker compromises the web server after you have accessed your email | Protected |
| High-level MITM attack, where an adversary serves you false (altered) client code for the crypto-related operations | Not protected |
| Attacker has access to your account | Protected (but the sent end-to-end encrypted messages will be viewable in clear text) |
| Attacker has access to your computer before you access your email (and can install programs such as a key logger or malware) | Not protected |

In case of any doubt or question, feel free to reach out to us via support@mailfence.com.
