How FastMail provides a secure service

FastMail takes care to ensure that your information is safe and secure.

Secure access to mail

We mandate all connections to our servers, be it for webmail or via an email client, to use Transport Layer Security (TLS) and Secure Sockets Layer (SSL) encryption. TLS/SSL prevents eavesdropping, tampering, and message forgery on any communication between your computer and our servers.

We only allow necessary communications

Many unexpected forms of attack come from failing to close potential vulnerabilities, including database port access, SSH port access, and so forth. We use kernel-level firewalling to only allow connections on the services provided by each machine.

We keep track of software updates

Software contains bugs. We track the software we use and any security vulnerabilities, and upgrade as soon as an issue is reported.

We use software systems that take security seriously

We use Debian as our operating system, because they take their security responsibilities and updates seriously. In most cases an update for a security problem will be available within hours of the original report.

Physical location security

Our main servers are located at New York Internet (NYI) in New York City, USA. Their facility is a high security, video monitored location; with backup power, air conditioning, fire systems, 24x7x365 monitoring, and onsite technical support. As their website notes:

Data Center security is a top priority for NYI. We have taken extreme care to install the utmost security so that our customers know that their data is safe. Our Data Centers are located at heavily protected buildings where the security personnel are on guard 24x7. Other security features include biometric fingerprint readers on door locks, strategically placed cameras and motion detection, [and] doors equipped with alarm systems.

NYI does a whole lot more to ensure security, including their hardware, best-practices, and routines. You can read all about them on their homepage.

Limitations

While communication between your computer and our servers is encrypted, any email that you send to another server may have to pass over the internet in an unencrypted form.

The only way to ensure end-to-end security with email is to use email encryption software such as Pretty Good Privacy (PGP) or Secure/Multipurpose Internet mail Extensions (S/MIME). Both of these systems require the creation of certificates, run on your computer, and are attached to your email client to encrypt/decrypte messages.

Providing secure end-to-end encryption via webmail is impossible. There are basically two options, both flawed:

  1. Keep a private key on the server and encrypt email on the server

    Although all traffic between the server and client may be encrypted via SSL, and then the email itself is encrypted on the server before being sent to the world, the unencrypted email is still available on the server between the SSL and encryption stages.

  2. Use Java or JavaScript to encrypt email in the browser

    Because the script has to run on the user's browser, you could look at the code to see it's secure. In reality, no one would ever do that. In addition, this method can't prevent someone using malicious scripts to send encrypted messages back to the server, as well as the encryption key, for the server to decrypt.

Famously, Hushmail, which allows you to use both of these options, admitted that the U.S. government compelled them to turn over the unencrypted emails of a number of users.

Their contention on how secure they are then relates to what it requires to get a court order. In a Wired article, Hushmail stated:

All Hushmail users agree to our terms of service, which state that Hushmail is not to be used for illegal activity. However, when using Hushmail, users can be assured that no access to data, including server logs, etc., will be granted without a specific court order.

A similar requirement applies to FastMail, as our Privicy Policy states. We won't release any data without the required legal authorisation from an Australian court. As an Australian company, we do not respond to US court orders.