Data privacy & cybersecurity for normal people
TheNewOil.org

2022 Review: CTemplar

Disclaimer/Disclosure of Interest: The New Oil has a CTemplar referral code. If you sign up using this code, we get one free month of Prime membership.

What is Zero-Knowledge/End-to-End Encrypted Email & Why Do You Need It?

CTemplar is a new up-and-comer in the encrypted email space, founded in 2018 as far as my research can tell. Encrypted email is a bit of a misnomer. Technically all emails are “encrypted,” but in this context we mean specifically “end to end” encrypted, also known as “zero-knowledge.” This means that the provider can’t read your inbox, which is – in my opinion – a must-have for any person who values their privacy and security. Many people argue that zero-knowledge email providers are overhyped – or worse – because you’re only securing half of the chain. If I email someone at a Gmail address, the contents are still exposed on Google’s servers. However, in my opinion, that’s still cutting your attack surface in half. If we’re both using Gmail – or if one of us is using another provider like Yahoo – that’s just twice the opportunity for a data breach, warrants, or an insider threat. Sure, you may not get the full benefit without both parties using encryption, but it still counts for something.

The Good

CTemplar starts out the gate strong with some impressive claims. First off, they offer an onion address for Tor users. As veteran readers may know, this is one of the first steps toward making a service truly anonymous. The next step is that they offer payment via Monero, which unlike Bitcoin is truly private by design. If your threat model isn’t quite that hardcore, they also offer Bitcoin and fiat currencies via Stripe. So far so good.

On their about page, they claim to be independently owned and funded without any grants or investments due to the invasive nature of such arrangements. They base their encryption on PGP – a win in my book as it allows non-users to initiate a secure conversation with you if they have your public key (which you can freely post/share anywhere) and allows you to add the keys of other non-users so you can securely email them without the additional step of an external password (a la Tutanota and ProtonMail). They have also open sourced all their clients (Android, iOS, and desktop) as well as their web client and several other libraries, but that should be expected if I’m writing about them given that open source is a requirement for us to consider listing a service. They also offer a free tier, though you do have to request an invite from a user you know or from CTemplar directly. This is a bummer, but it’s primarily aimed at fighting spam, which I completely understand. Abuse like that can sink a new company.

Finally, jurisdiction: CTemplar as a company (Templar Software Systems Ltd, to be exact) is based in the Seychelles, an independent island nation off the east coast of Africa. Data – according to their website – is stored in Iceland. This does provide two considerable layers of protection against Eyes surveillance.

The Bad

For all of CTemplar’s strong points, there are a few objective concerns. First and foremost, let’s tackle that anonymous signup thing: CTemplar’s onion link redirects to clearnet (aka the regular “ctemplar.com” address) when attempting to sign up or log in. While this doesn’t make anonymous signup impossible – as they still do not require any kind of phone number or email address – it does make it incredibly difficult for those with very high threat models. This is compounded further by their Monero payment system: you have to email them. But wait, there’s a catch here: as I said before, you have to request an invite. This automatically obliterates any chance of truly hardcore anonymous sign-up. You have to contact them from some sort of existing account, which may or may not be anonymous depending on which account and how you set it up. You could probably be reasonably safe by asking someone that you trust in person – assuming you know anyone in person who uses CTemplar – but such an exchange would still have to be done intentionally and carefully. Again, this only affects people with particularly high threat models – and the onion/clearnet issue does appear to be a legitimate bug outside of their control – but it still feels kind of misleading and puts users who want or need maximum anonymity in a very tough spot where they have to tread with immensely more care than usual.

My next complaint is more personal than objective: I find the company to be remarkably opaque. A while back, I wrote about their catastrophic data loss incident (note: they have since changed their practices to ensure this doesn’t happen again) which I also listed on the website as a “con” because – in my opinion – they never formally addressed it. During an unrelated correspondence with the company, they informed me that they did officially address it here. As such, I removed that “con,” but personally I think Reddit is a pretty poor replacement for an official company bulletin board of some kind, especially when you have an official blog on your official website. I get that a blog is a useful marketing tool (which is why I don't mind, and actually really enjoy, all the articles they post), but it’s also a good way to communicate important news with your audience in an official, trusted capacity. Like I said, this is all subjective. CTemplar is not my company, and I can’t tell them how to run it or what they should and shouldn’t do; I can only offer my perspective. I don’t want to have to follow their subreddit – no matter how official – just to get official important updates that aren’t marketing pieces. The point of a blog is that I get the official, important news. I don’t want to subscribe to their subreddit where I’m now getting all the user posts – which range from “casual discussion” to “help tickets.” I just want the official, noteworthy updates.

Furthermore, perusing their subreddit reveals some noteworthy but troubling things. Take this post, for example, where a user asked for some clarification on the company’s latest transparency report. Notice a lack of response from the company? What about that onion bug I mentioned earlier? No official company response, only responses from other readers. Even a post as simple as where the blog’s RSS feed can be found was answered by a reader. You could make the argument that since the questions were answered there’s no need for the company to officially weigh in, but in at least the first two cases I personally would feel a lot better with official input. That said, I have spoken with the company on two separate occasions and in both cases I found their support to be responsive, helpful, and professional, so maybe I’m just nitpicking with the Reddit thing. Like I said, this is subjective and has no real bearing on the quality or security of the service itself, so feel free to disregard all of that if you don't care.

Moving away from my personal opinions, there are a couple of other smaller, objective drawbacks to the service. First, both cryptocurrency payment methods require annual plans and cannot be done monthly (I guess that particularly makes sense with Monero since it must be processed manually by the company). While I’m a fan of paying annually as it almost always means a cheaper price, not everyone has that kind of financial stability. Second, the Seychelles have no data privacy laws at all as far as my research could tell. Being located out of any kind of Eyes country does still provide a layer of protection, but it would also be a nice plus if the company’s country of origin provided some additional legal protection. And, just to touch on the criteria we list: the service is centralized and not audited. Personally I don’t really consider either of those dealbreakers: the company is new enough that they may not be able to afford a full audit yet, and as far as decentralized email goes, while I do see the value of such a thing (mainly being harder to take down or seize the data), email is already interoperable and CTemplar relies on PGP, so I don’t see this as tremendously important.

Conclusion

Email is not secure. I think that’s always worth pointing out. Email was never designed to be 100% secure. You never know who might print it or forward it, and there’s also a bunch of super-technical issues with both email itself and PGP that literally cannot be fixed. You should never trust your life to email (which is one reason why Snowden didn’t just email his documents to people). Yet email is still a widely-used tool that permeates almost every service we use in some way, shape, or form. For that reason alone, it’s worth trying to get a secure email provider to mitigate the risks as much as possible. CTemplar is a solid choice of email provider with multiple layers of data protection (both legal and technical), PGP-based encryption for interoperability, a free tier that should work for most users, and some great bonuses like green energy, Monero, and a number of other features that show that they really are trying to take user security and privacy seriously. While they are a young company, they are coming up fast. They’ve still got plenty of room to grow in terms of features (for example, I would love to see an email export feature for personal backup reasons) but they’ve already got enough to make them worth considering if you still need an encrypted email provider, or if other options haven’t convinced you. I strongly encourage you to check them out, maybe sign up for a free tier, and see how you like it.

You can learn more and sign up for CTemplar here. If you do, consider using our referral code (OjgEXLVR). It gives us one free month of Prime membership.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.