CTemplar Review – A New Secure Email With Pros and Cons
|Storage|1 – 50 GB|
|Free Tier|Up to 1 GB|
CTemplar is a newer secure email service that claims to be, “The most secure & private email service in the world.” But can it really stand up to these bold claims — or is this merely marketing hype in a competitive market?
In this CTemplar review I set out to answer this question by creating an account and testing out the service. Does CTemplar have what it needs to take on the big boys in this space? Let’s find out!
Pros
- Strong encryption standards (4096-bit RSA) with built-in support for end-to-end encrypted emails (using OpenPGPjs)
- 100% open source code
- Based in Iceland, with some of the strongest privacy laws in the world
- Passwords protected by “Zero Knowledge Password” technology
- Zero logs; IP address stripped from emails
- Anonymous signup options (no phone verification)
- Support for Bitcoin and Monero payments
- Self-destructing emails and Dead Man’s Timer
- Can send encrypted emails to non-CTemplar users
- 2FA and anti-phishing support
Cons
- Email Subject line only encrypted in paid plans
- Above-average prices
- Metadata not encrypted (work in progress)
- No support for IMAP/SMTP and third-party email clients (work in progress)
- Mobile apps and web interface; no desktop clients
CTemplar features overview
CTemplar uses the proven encryption algorithms of OpenPGPjs to apply 4096-bit RSA encryption to your email and contacts. All data is encrypted in transit and at rest. The only place the data is decrypted is in your browser or email client. While their encryption is based on PGP, CTemplar offers paid subscribers the ability to encrypt the subject line of messages, a privacy boost over the other leading PGP-based service, ProtonMail. Additional interesting features of CTemplar include:
- The ability to sign up for the service anonymously, paying for your account with the Bitcoin or Monero cryptocurrencies.
- Open source code, including apps.
- Android and iOS mobile apps, with Google-free access to the Android App through F-Droid.
- Premium accounts with a range of additional benefits.
- The ability to send encrypted emails to non-CTemplar users.
- Dark and Light themes.
CTemplar company history and funding sources
CTemplar is a Seychelles-based company that was founded in 2017. The Seychelles is generally regarded as a privacy-friendly location, with a constitutionally guaranteed right to privacy, no mandatory data retention requirements, and an independent legal system. CTemplar is a small organization (around a dozen employees at the time of this review) that is completely self-funded and pledges never to accept corporate or government funding. This too should reduce the risk that they can be pressured into sharing data on their customers.
CTemplar servers and data security
CTemplar stores all your data on servers in Iceland. Iceland has very strong privacy laws, perhaps among the best in the world. Beyond that, the country is not part of the 14 Eyes surveillance alliance, or the international data-sharing MLAT treaties. In other words, like the Seychelles, Iceland is a highly rated country for online privacy and a good place for your data to be stored. This all looks excellent. But what would happen if some high-priced lawyer or government bureaucrat were to pressure CTemplar to turn over your data? Here’s what the company has to say on the subject:
CTemplar will only comply with valid Icelandic court orders. When presented with a valid Icelandic court order, we will give them your content. Due to our zero access password technology, we do not know your password/passphrase so we are not able to decrypt your emails.
CTemplar technical specifications
CTemplar relies on the OpenPGPjs encryption library for the 4096-bit implementation of PGP they use to encrypt your email and contacts. They are in the process of implementing encrypted metadata as well, which will greatly increase your privacy when using their service. In addition, they use TLS to protect your data while in transit.
CTemplar hands-on testing
I used a free CTemplar account, along with the F-Droid version of the newly-released Android app, for testing in this review.
Creating a free CTemplar account
While I signed up for the account I used to test CTemplar a while ago with no issues, today you need to enter an invitation code during the signup process for a free account. Here are three ways you can get one according to their website:
- Request a code from one of your CTemplar contacts who has a paid account
- Send a message to their team: email@example.com
- Contact them on social media
Signing in to CTemplar
To sign in to your encrypted CTemplar account, just go to their homepage and enter your login credentials into the fields below:
The look and feel of CTemplar
Here’s what the CTemplar email view looks like. Nothing fancy, just clean and easy to read. On the left side of the CTemplar mailbox you’ll find a list of the predefined email folders, along with an Add Folder option for creating your own. As is common with privacy-oriented email services, CTemplar blocks remote content like images by default.
Note: If you are using the encrypted Subjects option, it can make viewing your mailbox clumsy. To get around this, you can decrypt all of the subjects of the current page by clicking on the lock icon.
Here’s the Contact view:
As you can see, the CTemplar interface is menu-based, rather than drag-and-drop. That is, you select one or more items by setting the checkboxes to the left of them, then selecting an option to act on them.
CTemplar doesn’t offer a lot of optional views for your email or contacts, but if you select the General tab in Settings you can switch between light and dark mode, as well as control how many email messages appear on a single page. Interestingly, there is also an option to write custom CSS (Cascading Style Sheets) that changes how your mailbox appears. This isn’t a capability too many of us are equipped to take advantage of, but certainly opens up possibilities.
Clicking the Settings button in the top right of the window brings you to a large range of settings and other options, including filters, rules, whitelists, and blacklists. If you go to the Security tab in Settings, you’ll be able to adjust some unusual security settings. You have the ability to enable or disable:
- Subjects encryption – Encrypt the Subject line of messages. Only available with paid CTemplar accounts. While I would prefer that the Subject line was always encrypted, the ability to enable this is good motivation to upgrade to a paid plan.
- Contacts encryption – CTemplar doesn’t encrypt contacts by default. If you enable this option, CTemplar will encrypt your contacts for better privacy and security. However, when this is enabled, CTemplar can no longer suggest contacts when you are composing messages. Also, when this is enabled, it will be impossible to search contacts.
- Attachments encryption – CTemplar doesn’t encrypt attachments by default. If you enable this option, message attachments will be encrypted for better privacy and security. However, when this is enabled, CTemplar doesn’t support attachments in the body of a message. Among other things, that means images in the body of messages will automatically be extracted from the body of the message and converted to external attachments.
- Anti Phishing – I’ll let the CTemplar folks explain this one themselves, “The Anti-Phishing phrase allows users to link a custom word or phrase of your choice to your CTemplar account. Once set, if you ever log into your webmail and your Anti-Phishing phrase is either missing or incorrect, you may be the victim of phishing.”
Composing messages
The CTemplar default is to compose messages using an HTML editor in a small pop-up window. The editor has a good range of HTML options, along with some more exotic offerings:
- Encryption for non-CTemplar users – Requires sharing a password with the recipient through an alternate channel. When you send an encrypted message to a non-CTemplar recipient, the recipient receives an email with a link to the CTemplar web client. Once there, the recipient needs to enter the shared password to decrypt and read the message.
- Self Destruct Email (paid plans only) – Configure a message to automatically delete itself on a particular date and time. This only works if both you and the recipient are using CTemplar. You can’t make a message sent to a Gmail account (for example) self destruct.
- Delayed Delivery (paid plans only) – Specify the date and time to send the message.
- Dead Man Timer (paid plans only) – Create a message that will be sent only if you do not log into CTemplar for the specified amount of time. For example, you could use this to send an email containing the login information for your Bitcoin wallet to your children if you were to die or become incapacitated.
Searching for messages in CTemplar
CTemplar offers partial support for searching messages. You can search for email addresses and words or phrases in the Subject line of messages. As of now (April 2020) you cannot search the body of messages. This is one place where CTemplar (and ProtonMail) fall behind another leading secure email service, Tutanota. Tutanota has been offering full-text search capabilities (searching the bodies of messages as well as the header information) since 2017. Tutanota creates an encrypted search index that is stored on your device. The email search only needs to decrypt and search this index, rather than each individual message. I’m not going to claim I understand the nuances of the Tutanota approach. I will say that I have been using Tutanota for years and the search works pretty darn well. (See our Tutanota review here)
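To make the encrypted-index idea above concrete, here is an added Node.js example (not Tutanota's or CTemplar's code): it builds a word index from messages already decrypted on the device, stores it only as an AES-256-GCM blob, and answers a query by decrypting just that blob. The function names, the sample mailbox and the device-held key are assumptions made for the illustration.

```javascript
const crypto = require('crypto');
// Split text into lowercase alphanumeric word tokens.
const tokenize = (text) => text.toLowerCase().match(/[a-z0-9]+/g) || [];

// Build an inverted index (word -> message ids) from messages decrypted on the device.
function buildIndex(messages) {
  const index = new Map();
  for (const { id, subject, body } of messages) {
    for (const word of new Set(tokenize(`${subject} ${body}`))) {
      if (!index.has(word)) index.set(word, []);
      index.get(word).push(id);
    }
  }
  return index;
}

// Serialize and encrypt the index with AES-256-GCM; only this blob is written to storage.
function sealIndex(index, key) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify([...index]), 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt and authenticate the blob; throws on a wrong key or a modified blob.
function openIndex(sealed, key) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  const pt = Buffer.concat([decipher.update(sealed.ct), decipher.final()]);
  return new Map(JSON.parse(pt.toString('utf8')));
}

// Search decrypts the index only and returns ids of messages containing every query word.
function search(sealed, key, query) {
  const index = openIndex(sealed, key);
  const lists = tokenize(query).map((word) => index.get(word) || []);
  if (lists.length === 0) return [];
  return lists.reduce((a, b) => a.filter((id) => b.includes(id)));
}

// Constructed sample mailbox standing in for messages already decrypted on the device.
const mailbox = [
  { id: 1, subject: 'Invoice', body: 'Payment due for the March hosting invoice.' },
  { id: 2, subject: 'Lunch', body: 'Are you free on Friday?' },
  { id: 3, subject: 'Hosting', body: 'Server migration is scheduled for March.' },
];
const deviceKey = crypto.randomBytes(32); // assumption: this key never leaves the device
const sealedIndex = sealIndex(buildIndex(mailbox), deviceKey);
console.log(search(sealedIndex, deviceKey, 'march hosting')); // [ 1, 3 ]
```

The stored blob reveals no words without the key, which is why a provider that never holds the key cannot run this search on the server side.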
The CTemplar Mobile Apps
In March of this year CTemplar rolled out their mobile apps. They have an iOS app, along with a standard Android app and an Android app on F-Droid. Here’s what the CTemplar Android app looks like:
Since the apps have only been out for a month, and only have a handful of reviews, I can’t really tell you much about how well they work. They get decent ratings in their respective app stores, but the sample size is too tiny to say more than that they look promising.
Is CTemplar really secure?
CTemplar is more secure than the typical email service. After all, services like Gmail and Outlook.com read your messages to help them send targeted ads your way. That can’t happen with a secure email service like CTemplar, since they cannot decrypt your messages. That said, there are still aspects of your email and contacts that are not encrypted as of today. Things that are not encrypted by default in CTemplar’s design are:
- Subjects of messages
- Message attachments
- Contact data
CTemplar can be compelled by law to disclose information about their users. As of April 2020, their Transparency Report listed 7 requests for user information. None of those requests were accompanied by an Icelandic Court Order, and none of the requests were granted. Realize that all email services must abide by local laws.