the_simple_computer

Tough Love: A Review of CryptoHeaven Secure Email

October 2, 2012

This site is no longer being maintained so anything below could still be accurate, or very outdated.


Recently I was asked by CryptoHeaven to take a look at their secure email service and write up a review. I was flattered. The only thing anyone asks me for these days is free furniture. I did not include CryptoHeaven in tSc’s webmail for better privacy writeup because it only has a limited-time free trial but since a polite request beckons, I will give CryptoHeaven the full attention of my waking hours. Possibly more.



What is CryptoHeaven?

CryptoHeaven provides a handful of services intended to be exactly what its name implies, a cryptographic heaven for your online communication. Their open source desktop client manages your CryptoHeaven account which includes email, chat and cloud storage while they also provide webmail access and secure form inserts for website submissions. The best part? CryptoHeaven uses true end-to-end encryption, not just SSL. Even CryptoHeaven states they have absolutely no way of accessing your messages.

This is basically how it works: When you first run the CryptoHeaven client software, you create an RSA key pair and set the key length & prime certainty. The private RSA key is then encrypted with what CryptoHeaven calls your passcode, a hashed and salted output of your username & password. This passcode is then the input for creating what CryptoHeaven refers to as your private key (not to be confused with the private RSA key). This new AES-256 encrypted private key is used by the client program to encrypt/decrypt all of your communication to/from their servers. In addition, all this takes place inside a TLS 1.0 connection.

When creating your private AES key, you can choose to keep a copy stored on CryptoHeaven’s servers which allows you to access your account without the software installed. If you do this, your private key is then encrypted again with a hash of your public RSA key, which CryptoHeaven does store locally. CryptoHeaven cautions against storing your private key on anything but your own restricted property. Incoming mail from non-CryptoHeaven addresses is encrypted with your public RSA key before being stored on their servers.

CryptoHeaven has a free demo account for 100 MB lasting 3 months with a choice of 5 mail domains. Then there are paid personal and business accounts which increase the amount of storage and the number of aliases. CryptoHeaven’s root business account also allows unlimited user accounts, mail hosting for any domain you may already have, and HIPAA and GLBA compliance for storage of medical and financial data. CryptoHeaven is registered in the Commonwealth of Dominica (Caribbean) but their mail servers and other offices are in Toronto and Mississauga, Canada.

All that sounds like quite a lot of win we’re dealing with, I can’t wait to soak it up. The versions of CryptoHeaven used for this article were 3.6.3, 3.7 and 3.7.3 in Linux Mint Maya, Xubuntu 12.04 and Windows 7, all 64-bit.


Start From the Beginning...

Installing in Windows

CryptoHeaven’s client software is written in Java and thus, requires some Java libraries on the computer. CryptoHeaven maintains their own Java 6 environment for the Windows client application which is downloaded during installation. Why not just direct people to Oracle’s website? Security and user experience is the answer.

CryptoHeaven's Java VM is not a full Java SE installation, it only includes the libraries needed by their client application. Thankfully, this means there are no bundled web browser plugins and indeed, if you were to look anywhere outside of C:/Program Files/Cryptoheaven, you would find no trace of Java. There's not even anything registered in Programs and Features besides the CryptoHeaven client.

CryptoHeaven also knows that nobody likes the constant nagging of Java SE updates, with their frequent popups and requirement for administrative privileges. With the CryptoHeaven maintained Java, there isn’t any of this and the JRE libraries update with the client software.

CryptoHeaven’s Java build is only intended for the desktop client because obviously without Java browser plugins, you can't access your account with a browser through CryptoHeaven’s website. For that, you will need a full Java install on the computer you’re using. Oracle Java or OpenJDK, version 6 or 7—they all qualify.

If the CryptoHeaven client's installer detects JRE already on the computer, then the CH-supplied Java isn't installed. An interesting note: If you already have Java, CryptoHeaven’s installer will choose the client application's architecture based on that preinstalled Java. So if you have Windows 7 x64 but you downloaded Java with, say...Firefox (Firefox in Windows is only x86), CryptoHeaven will install as 32-bit unless you install JRE x64 separately. With no pre-installation Java presence, you’ll wind up with 64-bit versions of both CryptoHeaven’s Java and the client software.

Since a full Java Runtime Environment does give you Java’s full attack potential, put some time into setting up Microsoft's EMET or AppArmor to restrict Java’s capabilities. Sandboxing is another option, as is click-to-play plugins in your browser.

Installing in Mint

CryptoHeaven for Linux comes in .deb, .rpm or shell script forms and there’s no privately packaged Java. Java updates are still handled through the repositories and while this does give you a full JRE installation with browser plugins, you still can set Click-to-Play plugins and confine them to Java's default AppArmor profile. I installed the Java 6 IcedTea plugin from Mint’s repo which pulled in all the proper JRE stuff to get CryptoHeaven working.

Aside from Cinnamon or XFCE versus Aero, the clients look and behave (almost) exactly the same. Yes, almost. I did have two early problems and I’m ashamed to say they were both in Linux. CryptoHeaven installed, but placed the .desktop configuration file into /opt with the rest of the program. The result was no way to launch CryptoHeaven outside of the terminal. Once I added a Categories entry to the desktop file and moved it to /usr/share/applications, CryptoHeaven was 'officially' installed. This persisted with each CryptoHeaven version I tried.

CryptoHeaven and Cinnamon (Mint’s flagship desktop environment) did not play well together. The Address Book, Instant Messenger and My Local Files selections in the folder tree didn’t open in the main window. All the other folders displayed when selected, but then I went over to Xubuntu (which uses the same Java packages as Mint Maya) and CryptoHeaven worked fine. This is not a problem with CryptoHeaven’s client; the issue is the still-fresh state of Cinnamon’s development and specifically, the desktop effects. Maybe the backported version 1.6 doesn’t have this problem, but I only tested in default Maya using Cinnamon 1.4.


On the Desktop

On first appearance, CryptoHeaven’s client comes off as pleasant and familiar, well-organized and easy to use. Mail, file storage and chats are what you handle directly in the application, but a tip: the client is also the only way to sign up for a free demo account. You can’t do that on CryptoHeaven’s website and it took me a while to figure that out.

For version 3.7, the client application's icon theme got a Humanity-esque facelift to replace the older Windows XP look. As with most mail clients, first there are a lot of icons, windows and indicators to take in but you can change most of this to however you prefer and any toolbar or menu can be reduced to its bare minimum. I found CryptoHeaven's client interface actually allows more customization than Claws Mail or Thunderbird.

In the message composition window is a mini office applet which gives you tables and graphs, scientific symbols and even language diacritics. There’s highlighting, text alignment, numbering and bullet points too—all without the encryption generator complaining about HTML text. I liked how the client shows the number of open network connections it’s using. An extremely minor detail practically useful to few, but fun nonetheless. The client doesn’t allow for proxy configuration though, it must use the system's network settings.

Within the CryptoHeaven virtual campus I had omnipotent control and oversight of my mail messages. I could revoke sent emails or set expiration dates and view message received & read times. Attachment sizes are unlimited and when sending a message, there is the option of plaintext or AES so communicating with non-CryptoHeaven accounts is easy. A message’s properties showed me all kinds of things which almost nobody will know what they are (see the screenshot to the right). Through the client you can also make voicemail prompts for when someone contacts you while you're away.

With a CryptoHeaven business account, the account manager has complete administrative control over users. Password recovery can be denied, private keys can be designated for online storage or off, users can be barred from communication with non-CryptoHeaven mail accounts. The mighty admin can even cap a user’s storage capacity and bandwidth.

My admin influence faded as I stepped out of the CryptoHeaven kingdom to mingle with non-CH users. While all mail sent to CryptoHeaven accounts from non-CH addresses is received in plaintext, messages are encrypted (unfortunately on disk, not in RAM) before being stored. Attachments for external emails are limited to 30MB and of course the revoke feature & read receipts won’t work with Gmail or others. There is the option to set up a question/answer decryption policy for non-CryptoHeaven recipients of your mail, similar to Hushmail or Cyber-Rights. But beware, if your recipient does not have Java installed or the privileges to install it, they cannot read your message.



On the Web

CryptoHeaven has two ways you can access your account when away from the desktop client. Both are through their website and both require Java browser extensions. Your first option is the Web Start applet, which uses Java Web Start to download and launch a .jnlp contained version of CryptoHeaven’s client. The applet is essentially equivalent to the Desktop version with all the same features and capabilities. Performance suffers though, as the startup time increases compared to the locally installed client.

The Web Start applet downloads to Java’s cache directories and is intended to stay there for quicker succeeding launches. It even makes a desktop icon for you though the newest release, 3.7.2, didn’t do this so there was no way to restart it without going through CryptoHeaven’s site.

Your second option to access CryptoHeaven without the desktop software is the Web Edition. This uses a Java plugin to open an online version of CryptoHeaven’s client through your internet browser. It’s mainly offered as an alternative for users who have problems with the Web Start version. Other than the Web Start desktop icon, I found them both reliable. After searching the most obvious places, I also was not able to locate any temporary files which would trace back to the use of CryptoHeaven’s Web Edition, so if you wanted to leave minimal traces of your CryptoHeaven session on a potentially untrusted computer, Web Edition would be the way to go.


CryptoChat and CryptoVault

CryptoChat is the name given to CryptoHeaven’s secure instant messaging system. Like emails, chats are sent only after being AES encrypted on your computer. System tray popups and sound indicators for chat events are a nice touch and each window in the client allows you to separate it from the rest of the program, so you can open a small chat window in the corner of the screen and minimize the rest of the CryptoHeaven client. CryptoHeaven doesn’t have video chat but when using the Web Start version, Java gives a notification saying it has access to your camera. CryptoHeaven told me that the client doesn’t have direct access to the webcam.

File uploads and downloads worked as expected and I was pleased to see a progress readout for uploads. Some big name cloud hosting services don’t even have such a nicety and you also get file versioning from the past 30 days. Do not plan on backing up your music collection though. A starter personal account begins at only 200 MB and that’s storage for the entire account. Emails, chats, attachments and uploaded files; CryptoHeaven isn’t intended for bulk personal storage.

You can open files directly from within the client to view or edit, but I found this didn’t work in Linux (both Mint and Xubuntu); all files downloaded to /tmp but their corresponding programs were never launched. Any files you save to disk from your CryptoHeaven account can either be simply deleted or you can perform a 2 pass randomization wipe from within the client.

Group collaboration and sharing takes a few quick clicks to set up and you can organize any assortment of shared folders you wish, even share your entire inbox. You can specify read and/or write access for each person but you can only share with CryptoHeaven users. You can email a file as an attachment to non-CryptoHeaven addresses, but there’s no public folder or file links like with Dropbox and such services.

Just How "Anonymous"?

Before going further, let's first clear something up. CryptoHeaven has a page on their site outlining their anonymous email service. Yet like many areas of CryptoHeaven’s website, this can be confusing. CryptoHeaven has one email service. There’s no feature or account level distinction between their "anonymous" email or their "secure" email because they are the same thing.

CryptoHeaven’s mail headers do not contain IP addresses of their origin and this includes messages to non-CH email accounts. CryptoHeaven's FAQ says that IP addresses are not logged, nor associated with accounts and their privacy policy states that connections made to their webserver, for things like downloading the client or upgrading an account, are removed after 30 days.

User IDs

Each CryptoHeaven account has a unique identifier. It’s used on the backend of the service to resolve email addresses and load the correct mailboxes, contact lists, encryption keys, etc. You can change your CryptoHeaven email address(es) as many times as you like and can set up multiple aliases for a single account but the unique ID remains the same. As CryptoHeaven themselves put it, "This is the glue that holds the account together." Each user account generated under a business root account will have its own user ID too. Though it was not directly answered, this identifier is likely tied to personally identifiable information of paid account holders.

It was explained to me that CryptoHeaven’s priority is secure communication, not hiding a user’s identity. That's fine, but I was still surprised at how prominent the CryptoHeaven user IDs are displayed in the client software. They’re everywhere—the window title bar, inbox, mail headers. Yes, your CryptoHeaven user ID is included in every email’s header, including messages to non-CryptoHeaven email addresses. Here is a text file for your viewing pleasure.

If you have a paid account, this puts claims of anonymity into serious question because you’re simply hiding behind a user number instead of an IP address. Remember, you can change your CryptoHeaven email address as many times as you like and have several different aliases but they all tie back to your user ID, even if you delete those addresses later. Anyone can make a CryptoHeaven account, install the software and search the user database (just as, for example, you can search for people in Skype). This will match even a partial user ID to any and all CryptoHeaven email addresses tied to that user ID.



From within the CryptoHeaven environment, I can at least see the intention of including the user ID in mail headers. CryptoHeaven is big on verifications, checksums and such things. Also, it’s on the pretense that you’re already communicating with other CryptoHeaven users whom you trust. However, I see absolutely no reason for the user ID to be leaked out of the CryptoHeaven cloud and it should be quick work to add an SMTP filter to remove this identifier from mail to non-CH accounts.
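The SMTP filter suggested above could look like the following. This is an added example, not CryptoHeaven's code or part of the original review; the header name `X-Example-User-ID`, the domain `internal.example` and the identifier value are placeholders, since the real ones are not given here. It also covers a message addressed to both internal and external recipients, and re-scans the stripped copy for the identifier turning up in some other header.

```python
from email import message_from_bytes, policy

# Assumptions, not from the page: the header name and the provider's own
# mail domain are placeholders for whatever the real service uses.
INTERNAL_DOMAINS = {"internal.example"}
ID_HEADERS = ("X-Example-User-ID",)


def is_internal(addr):
    """True when the envelope recipient is on one of the provider's domains."""
    return addr.rpartition("@")[2].lower().rstrip(".") in INTERNAL_DOMAINS


def strip_id_headers(raw):
    """Return the message with every identifier header removed."""
    msg = message_from_bytes(raw, policy=policy.SMTP)
    for name in ID_HEADERS:
        del msg[name]  # removes all occurrences, case-insensitively
    return msg.as_bytes()


def residual_leaks(raw, user_id):
    """Names of headers whose value still contains the identifier."""
    msg = message_from_bytes(raw, policy=policy.SMTP)
    return [name for name, value in msg.items() if user_id in str(value)]


def split_outbound(raw, rcpts):
    """Split one submission into deliveries: internal recipients keep the
    original headers, external recipients get the stripped copy."""
    internal = [r for r in rcpts if is_internal(r)]
    external = [r for r in rcpts if not is_internal(r)]
    deliveries = []
    if internal:
        deliveries.append((internal, raw))
    if external:
        deliveries.append((external, strip_id_headers(raw)))
    return deliveries


# Constructed sample message; the identifier value is made up.
SAMPLE = (
    b"From: alice@internal.example\r\n"
    b"To: bob@internal.example, carol@elsewhere.example\r\n"
    b"Subject: quarterly numbers\r\n"
    b"Message-ID: <20121002.0001@internal.example>\r\n"
    b"X-Example-User-ID: 1234567\r\n"
    b"\r\n"
    b"See attached.\r\n"
)

if __name__ == "__main__":
    rcpts = ["bob@internal.example", "carol@elsewhere.example"]
    for group, data in split_outbound(SAMPLE, rcpts):
        print(group, "leaking headers:", residual_leaks(data, "1234567"))
```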

The flip side of all this, is that a CryptoHeaven free trial account requires no personal information, not even an activation email. CryptoHeaven also informed me that they do accept Visa gift cards and billing information is kept only for active accounts. This info is stored on offline servers separate from those of their main systems. As a possible final assurance, here is a quote from one of my email conversations with CryptoHeaven:


We do not respond and have never provided information to any court orders originating from outside of Canada as they are invalid.


Sweat the Small Stuff

Over time, there emerged some things that I really liked about CryptoHeaven and some which sent my obsessive-compulsive brain dangerously close to Core Exit Temperature.

I noticed that the program icon for the desktop client is strikingly similar to the Log Off icon from Windows XP’s start menu. This disturbed me on a visceral level I was unprepared for.

CryptoHeaven’s account structure makes no sense but this works to the customer’s advantage. Let’s say you want a subscription for 1 year, just for yourself. You can either go with a personal account giving you a 200 MB inbox for $66, or a business account with a 5 GB inbox for $59.90. There are other options too, and a 2 GB business account costs only $20 a year. Make no mistake, that is spectacular value for the money but it leaves no incentive whatsoever to buy a personal account which gives less of everything but costs over three times more.

Every time I sent an email to someone not in the contacts list, I was asked if I wanted to add them. This is annoying. There should be a selection to either ask, add recipients automatically or do nothing. When the CryptoHeaven client is opened, the mail and file storage folder trees are condensed unless there is new mail in your inbox or an unread chat message. Since most of the time I had no new mail, I did not enjoy expanding the menus after each program start just to access my inbox. The client should remember a user’s tree view choice.

Interjection!

In the end, there were really only two things I strongly disliked about CryptoHeaven. The user ID in mail headers was one, but the second? Their website. For some quick context, I spent several years toiling in the fields of sports marketing. Part of what I did was design work—a lot of it—so for better or worse, scrutinizing how a company presents itself has become ingrained into my subconscious.

CryptoHeaven’s website is the primary point of exposure people will have to the company, and it needs to be completely gutted and started anew. The updated CryptoHeaven client looks good. It’s clean and crisp, intuitive and professional. In total contrast, the rest of CryptoHeaven’s branding is outdated, inefficient, unattractive and clearly neglected. I’d even go so far as to advocate for a new logo, or at least fixing what looks like a stray Photoshop layer in the C of CryptoHeaven.

The website is painfully verbose and the amount of unnecessary repetition is remarkable. Some pages just seem like an effort to cram as much stuff into the piñata as possible with no regard to anything else. Worse is that so much of it amounts to cheap feeling advert lines more appropriate for late-night television commercials than a cryptographic service provider.

So take heed CryptoHeaven, here is a free consultation. What needs to change? For starters, each product should have its own dedicated page without overlap of other content. Theming and terminology should be consistent within the entire CryptoHeaven ecosystem and the site should be intuitive to navigate, not headache-inducing. Each page destination should have a clear and single route to it. For example, move all support info to the Support page with an organized table of contents.

The repetitive content needs to go. Burn the current sidebar which contains largely the same information as the main windows. There should be no pages which repeat the rest of what the site has already said but with a different URL. Just one example? Here is the first page of the Security FAQ. It takes 4 paragraphs to get to anything concretely informative, which is then duplicated on the second page. Oh, and if you hunt enough through the website, you’ll find 5 different FAQs! [1, 2, 3 (scroll down), 4, 5]

Then there’s the ridiculous blue ribbon and Comodo SSL rollover. These pedestrian assurances are like the green checkbox in an antivirus program. If you really sleep better at night with a “You’re Protected!” popup from the taskbar then okay, whatever melts your butter, but these are still tacky sales relics of the late 1990s. The money-back guarantee displayed everywhere elicits subtle psychological tones ranging from a lack of confidence in the service to the mental association with television adverts for gimmicky products; the type of commercials people use for toilet or refrigerator breaks. It’s great to have a money-back policy, but state this in an FAQ and/or the terms of service, then be done with it. CryptoHeaven is much more serious of a product than kitchen knives which supposedly never dull.

CryptoHeaven’s online presence is almost non-existent. Searching the name mainly brings up their website; no blog references and barely any forum chatter or reviews which don’t just parrot features. There are forks of the CryptoHeaven client (HighVIP and MDEmail.net) which use their server framework and yet, CryptoHeaven’s homepage doesn’t even link to their Facebook or Twitter profiles. In late 2012, there’s also credibility to be lost in a website which, by the copyright date, hasn’t been updated since 2010.

Less is more, my friends. I realize CryptoHeaven has limited resources but in this modern economy, it would not be infeasible to pay a recent college graduate in beer and iTunes Store gift cards for a simple, organized and attractive website.


And When You Come to the End...Stop.

Though CryptoHeaven doesn’t directly say so, it’s clear that their service is intended for businesses rather than individuals. CryptoHeaven needs other people using it (and Java) for everyone to get the most out of it. To the individual or family who takes advantage of the business account pricing, you will still be satisfied. I only wish there was somehow external mail client integration. Regardless, the individual is definitely in a great position. Between services like CryptoHeaven and the GPG, OTR and SpiderOak/Wuala avenues, there are plenty of options available if your intentions don’t include coordinating a professional network of secure communication.

However, if you do need always-on encrypted channels between hordes of employees and clients, now you’ll experience CryptoHeaven in its element. It’s the high-strung, whale-tailed 911 GT3 RS which you have no reason for driving to the farmer's market, but you would kill to have for a weekend on the Nordschleife.

CryptoHeaven has a strong, stable product with over a decade of ripening. Their website's disorganization doesn't do potential customers many favors, but fortunately that shortcoming doesn't appear to have affected the software's quality. I came into this trial thinking CryptoHeaven was aiming to do for anyone what multiple other services and companies already do rather well. Sure, CryptoHeaven does that, but they take things further by doing for businesses and organizations what few other services do at all.

And now, your moment of zen:
