ProtonMail: End-to-end encrypted email
protonmail.chA secure mail startup founded by CERN and MIT scientists in 2013. > https://protonmail.ch/blog/protonmail-threat-model/ I'm always skeptical of browser/JS based crypto, but it is nice to see that they're at least upfront with the risks involved in doing such a thing. They probably downplay the risk of a MITM attack a little much, but otherwise I'm glad to see they're realistic about possible weaknesses of the platform. Yes, but they are clearly playing a bit fast-and-loose with things here. The whole point of end-to-end encryption is that it's a "trust no third parties" model (other than whoever provided your crypto software, which you can verify anyway). This is slightly better than Lavabit, but you're still trusting ProtonMail, who are providing the crypto implementation to your browser every time you use it. Depending on how it's implemented, they could potentially unilaterally revoke all your past secrecy by changing the Javascript code to capture your private keys. Plus, they're offering self-destructing e-mails, which is impossible to provide, so already there's a bit of snake oil there. If they said, "It's not possible to provide real self-destructing e-mails, but you can set it up so that (assuming you trust us), we'll delete the messages from our servers after a certain amount of time, which is the best anyone can do." Instead they say that they are "more ephemeral than SnapChat." Do you trust OpenSSL? > Do you trust OpenSSL? Good question, but one with no influence on whether I trust protonmail. The threat model is different: Openssl is so widely deployed that all is lost for me if it's broken. I'd assume protonmail uses it for it's SSL connections (the webserver pretends to be an apache). If there's an exploit, the attacker can at any time MITM my connection to protonmail and at his discretion inject javascript that captures my decryption password or message. All very fair points! Read the comments here[1] and have a guess how 'upfront' they were of the risks involved three weeks ago. Pay attention to the dates. This sounds really good. The only disappointment is that it seems there is no business model that allows email providers and services like this to provide Unlimited encrypted email (no limitations i.e. Gmail-esque) absolutely free to all users. I'd be willing to gamble that if anyone could sustain this for a couple years, people would leave Gmail in droves, no one I know likes having to use the USA/NSA/google/big brother tagteam, but they still don't value the invasion of privacy enough to pay for it. I also was confused about the free forever part until I found they actually have a tiered pricing model. Edit: here is what they say: "Forever Free We believe privacy is a fundamental human right and should be available for everyone. That's why we offer multi-tiered pricing including a free version that anyone can use. Let's bring privacy back to the people!" If Google doesn't provide a serious End to End encryption solution for Gmail, then I will probably use it, too, within a year (unless something better comes along, say like a DarkMail-enabled service). BUT, and it's a big but, I'd only use it for normal e-mails, just because I want to raise a big enough obstacle for NSA to read even my normal e-mails. However, I would not use it for anything too sensitive. I don't trust ProtonMail for that, and since it doesn't have real end to end encryption, you have to trust ProtonMail. From reading the service description, this is an encrypted messaging service that happens to have email notifications. I can't write messages with my preferred mail client, can't read messages with my preferred mail client and I can't access my (old) messages while offline. non-protonmail-users will receive a notification with a link that they received a message, not the actual message that they can keep for archiving purposes, offline use etc. I wonder if and how they handle searching mailboxes. Neat, but not mail. edit: typo. darn. If you used your preferred mail client, it wouldn't be encrypted end to end. This isn't a resolvable difference without running a local mail server decrypting the messages. Virtru integrates with your existing email client so that you can send end-to-end encrypted email from your existing email account: https://www.virtru.com/other-platforms disclaimer: I am a software engineer at Virtru. Happy to address any questions/comments! That sounds awfully like a DRM wrapper around the content. What happens if the virtru keystore goes down or is unreachable (temporarily or permanently). Do I have access to the messages I sent/received? Can the sender retroactively change access to the content? Where's your warrant canary? > If you used your preferred mail client, it wouldn't be encrypted end to end No? Both S/MIME and GPG provide E2E encryption and work with traditional mail clients. Both provide offline access. They also have their problems, but that's another story. My point is: This is a neat system. It certainly has it's own set of advantages and disadvantages, but it's a centralized system that does not work very much like mail. So don't call it mail. > If you used your preferred mail client, it wouldn't be encrypted end to end. Unless you and your recipient use something like GnuPG. And none of the employees are US citizens that can be compelled by the US government in a way that they're not allowed to talk about it (even to other employees) to compromise the security of the service? I'm not sure that having a Swiss company makes any difference in a case where people have ties to the US. Does anyone else know better than me on this topic? edit: It looks like the goal is that you don't even have to trust protonmail: "For this reason, we are also unable to do password recovery. If you forget your decryption password, we cannot recover your data." https://protonmail.ch/pages/security_details.php There are some clues to be found on the page: "ProtonMail is developed both at CERN and MIT and is headquartered in Geneva, Switzerland. We were semifinalists in 2014 MIT 100K startup launch competition and are advised by the MIT Venture Mentoring Service."
ProtonMail is developed both at CERN and MIT and is headquartered in Geneva, Switzerland. We were semifinalists in 2014 MIT 100K startup launch competition and are advised by the MIT Venture Mentoring Service. > It looks like the goal is that you don't even have to trust protonmail. Sorry to say, but that goal is unachievable with that setup. They provide you with the code that does the decryption. It's a simple thing to enable that code to send back the decryption password and store it on their servers. So every time you decrypt a message, you'd either have to evaluate all the javascript they send your browser, or put your messages at risk. There's a similar problem with GPG/SMIME implementations: I have to trust the people writing that decryption code, but that's a bit simpler - they can't easily target me directly and the churn is much lower. I don't think you need to worry too much about the US secret services (directly). But you can worry about the Swiss secret services. And probably by extension the German and French secret services. Which means you have to (by extension) worry about the US secret services anyway. Note that France and Germany probably have much more direct dealings with Switzerland than the US has -- so pressure from these governments/the EU is more likely to hold sway, than any direct pressure from the US (but, as with all things, if a nation state consider you a legitimate it's probably game over anyway). [edit: see other comment wrt MIT -- I was probably too optimistic.] It appears they silently closed a critical vulnerability recently [0] [0] https://twitter.com/StackSmashing/status/474214532114812928 My name is on https://protonmail.ch/blog/protonmail-security-contributors/ because I reported a critical XSS vulnerability to them when they were previously mentioned on here. All you needed to do was send an email which contained a From header with script embedded in the name part: The security details page[1] makes for interesting reading. Hopefully the new norm is 'E2E' encryption. It's actually starting to feel inevitable, and the hopelessness that followed in the wake of the 'Summer of Security' is perhaps evaporating bit by bit, through universal encryption, bit by bit. - > Messages are stored on ProtonMail servers in encrypted format. They are also transmitted in encrypted format between our server and users’ browsers. Messages between ProtonMail users are transmitted in encrypted form completely within our secured server network. Because they never leave our secured environment, there is no possibility to intercept the encrypted messages enroute. Emphasis mine. That doesn't sound like E2E encryption to me. End to end means it's encrypted user-to-user, not server to user, or user to server to user. It sounds more like they have something slightly more secure than an e-mail service like Gmail, but still very vulnerable to subpoenas, backdoors and so on. Read on. It goes on to advise how they allow encrypted mail being sent to external providers, as well as self-destructing messages. The blurb also discusses the limitations of the system quite openly. This part is only noting that inter-user messages never even leave their 'secured environment'. By all accounts it does seem as well secured as any other provider I've looked into. My point is that it's not end to end encryption. Everyone keeps promoting it like that when it's not, and like they finally solved the compromise between E2E and user convenience, when in fact they didn't. Basically, it's Lavabit, but perhaps a little more secure than that in terms of regular threats. But an order like the one Lavabit obtained would force them to shut down, too (unless they agree to provide the backdoor), because it;s not E2E. If it was, such an order wouldn't have any power over them. tl;dr ProtonMail is a competitor to Lavabit and Hushmail, not PGP. It's nice, but suffer from similar problems as all web apps: They have your encrypted keys, all they have to do is send you a different "client" (change the js/ui) the next time you log in, and they can snoop your encryption password. They can of course be forced to do this. I also wonder about their claim to "expire" mails -- I assume they mean only for mails internal to protonmail -- as any other expiry would have to rely on the recipient using a cooperating pgp/gpg and/or cooperating pop/imap client. Yes, plenty of trust issues. I presume/would hope that they would leave a prominent warrant canary if compelled by Swiss agencies to make any amendments. I understood 'expiring' mails to mean those accessed directly on their servers, following notification by email, subsequently deleted at the pre-agreed time. I could just have an active imagination. Don't get me wrong, I'm not fully sold on the outfit, particularly for practical reasons, but am intrigued. This made me chuckle... From the threat model article here: https://protonmail.ch/blog/protonmail-threat-model/ "NOT RECOMMENDED: Edward Snowden – If you are Edward Snowden, or the next Edward Snowden, we would not recommend that you use ProtonMail. And in case Mr. Snowden was foolish enough to try, we have already blocked the username snowden@protonmail.ch" Wonder what the cost is going to be when it goes live. Running infrastructure in those DC's can't be cheap (compared to regular co-lo facilities). Thats on top of probably having to deploy more gear (or higher perf gear than a regular email provider) since the work load is probably CPU heavy. Looks interesting, but I think if you trust non-open source encryption, you are basically a knave. Even with really smart people behind it, unless it's completely open, they could be compelled to put backdoors into it. So, if I send an ecrypted protonmail to someone else's yahoo mail, what happens? Is it only encrypted in the protonmail ecosystem? True end to end encryption would mean everything is transferred as an encypted thing, and only people with a key can open it. If any email you send out ultimately is unencrypted so that the other side can read it, we aren't much closer than where we started are we? If an email ends up in an unencrypted IMAP mailbox on a server somewhere, how is that more secure than what happens now? I think it sends them a note that says, "Someone at ProtonMail sent you a message - click this link and enter the password they gave you to open it!" Presumably they'll have some way to distribute the password in some ephemeral or slightly out-of-band way. It's probably less secure than messages within their environment, but it shouldn't ever hit another mailserver in plaintext (ideally ProtonMail wouldn't even have the plaintext anyway). What a great project with what looks like 3 really talented guys. My one gripe is the @protonmail.ch domain requirement. I wonder how they will stand up against requests from the swiss government regarding lawful intercept access. Which, for larger providers is mandatory to participate in. In true end-to-end encryption, this would probably not matter, since you can hand over all the encrypted e-mails you want and no one's going to be reading them unless they have your private keys. That said, the nature of in-browser crypto is such that they (or anyone who controls their servers) could intermittently change the JS code they are serving in such a way that it captures your private keys and decrypt all your e-mails. So it really depends on your threat model. This service is somewhat more secure than Lavabit, but incrementally and not by leaps and bounds. It also constrains the attack model (in the Lavabit model they could be coerced to give the plaintext directly, in this case they would need to be coerced to actively steal their users' private keys). There is no true E2E if you run it inside a browser. And even if it would be application based (PGP, S/MIME), it would still leak metadata like crazy. With all the threat models, I come to the conclusion, that there is no real E2E possible _at_all. All known platforms have been compromised, either by lawful interception/state trojan means or by direct hacking. This is a dupe of https://news.ycombinator.com/item?id=7757420. Lavaboom.com has similar goals but is based in Germany. It's also webmail. I'm one of the co-founders if you have any queries. > "we plan to open-source key parts of our code as well later on." Great! Why not open source all of it? I find it hard to trust a closed service especially after what happened with gmail. Curious, what happened with gmail? Because of their little suicidal robots that scan the email and then go boom (targeted advertising), i keep getting viagra ads everywhere.
Plus there's the whole NSA thing as well... EDIT: Of course there's adblock and i dont see the ads on my main browser but when logging in on another computer in a public space... BAM, penis pills >Great! Is this a unicorn or moon on a stick statement? [1] Anybody know when this is finally opening up for more sign ups?? The site uses Google Analytics. Easy to deduce the service's usefulness in a critical situation from there… TOR? EDIT: Just to expand on that a little. For as long as Snowden sports a TOR sticker on his laptop, or until I hear otherwise, I'll continue recommend its use for basic privacy needs. And as mikegioia notes, it is only used on the front page. You could also block the script, failing that! It's just their homepage, most of their other pages don't even run javascript: https://protonmail.ch/login.php
All I did to find this vulnerability was sign up for an account and then plonk the email address they gave me into https://emailprivacytester.com/ (of which I am the author) From: "<script>Do evil</script>" <address@example.com>