Vid shows how to easily hack 'anti-spy' webmail (sorry, ProtonMail) • The Register Forums

5 min read Original article ↗
  1. Gene Cash Silver badge

    "Roth had notified them about the hole via Twitter"

    I guess that's why he's a security researcher and not a security professional.

    1. Monday 7th July 2014 22:21 GMT diodesign (Written by Reg staff)

      Reply Icon

      Re: "Roth had notified them about the hole via Twitter"

      Actually, Roth contests what ProtonMail suggested - and said he emailed in the vulns.

      https://twitter.com/StackSmashing/status/468221482150404096

      C.

    2. Tuesday 8th July 2014 00:30 GMT Franklin

      Reply Icon

      Re: "Roth had notified them about the hole via Twitter"

      I'm definitely more "security researcher" than "security professional," and on several occasions have notified firms of vulnerabilities and abuse by Twitter...when emails, phone calls, and other more orthodox channels of communication have been ignored.

      Sometimes, public shaming works where reasonable discourse doesn't.

    3. Tuesday 8th July 2014 05:14 GMT Anonymous Coward

      Reply Icon

      Re: "Roth had notified them about the hole via Twitter"

      The guy does have a big ego though, he wants people to know about him.

      I mean, they didn't tell him they had patched the vulnerability did they?

      After all the work he had put in to it? Didn't he have a right to know?

      How rude.

  2. Tuesday 8th July 2014 03:34 GMT IainT

    Thomas got in touch with us to make clear he'd contacted the firm directly. Professional is the title I'd use.

  3. Tuesday 8th July 2014 04:14 GMT Christian Berger

    Well browsers are not suitable for this

    Even if there was no cross site scripting hole in there, you could still get a fake certificate and do man in the middle.

    The whole browser thing may need to be replaced by something much more simpler and based on actual security.

    1. Tuesday 8th July 2014 10:45 GMT Not That Andrew

      Reply Icon

      Re: Well browsers are not suitable for this

      Something like an email client perhaps?

      1. Tuesday 8th July 2014 18:23 GMT Christian Berger

        Reply Icon

        Re: Well browsers are not suitable for this

        Yes, or a terminal. Why don't we have "GUI Terminals" to which I can send a simple form and they render it, have the user fill it out and return it. Kinda like HTML used to be before webdesigners took over.

        1. Tuesday 8th July 2014 20:27 GMT Anonymous Coward

          Reply Icon

          Re: Well browsers are not suitable for this

          You're talking X terminals or NC stations. The catch is that you have to trust the server in these operations. The idea they're trying to pull off is to have effectively secure e-mail such that not even the server can read it, even under duress. Oh, and do it with turnkey simplicity so that even the stupid can do secure e-mail.

  4. This post has been deleted by its author

  5. Tuesday 8th July 2014 11:38 GMT The Mole

    Being too generous

    I think El Reg is being way too generous on protonmail. How and where the email is composed and encrypted is irrelevant. The web based client shouldn't be trusting what is sent to it and should have been written from the ground up to be secure against malicious input.

    1. Tuesday 8th July 2014 12:19 GMT Anonymous Coward

      Reply Icon

      Re: Being too generous

      The bootnote shows that the problem is basically intractable. There's no way to secure against malicious input since it can come from areas outside its sphere of influence, such as a device driver or tampered hardware. Basically, if SSL is not an option, then JavaScript security is not an option, either. Think of SSL like a bridge over a canyon where torrential rapids run. It's basically the only way across, and if that's not an option, then..."You Can't Get There From Here." It's related to the First Contact problem of secure communication: how can Alice and Bob prove themselves to each other if they've never met before and don't trust a third party to do it?

  6. Tuesday 8th July 2014 16:27 GMT Anonymous Coward

    How to spell snakeoil?

    P-R-O-T-O-N-M-A-I-L

    And it should have been obvious to any IT professional why that is the case.

    They claim they could not read user's encryption keys, but they provide the software that handles the keys. And can replace it without the user's knowledge. Yet, despite this obvious false claim, and having been called out on it, they *still* claim they could not obtain user's passwords.

    That is either world class incompetent, or plain disingenuous.

    Either way, nobody I would want to trust with my communications.

    Any chance for the poor sods who were stupid enough to back these people to get back their money?

  7. Monday 14th July 2014 16:17 GMT Anonymous Coward

    Protonmail is Not Secure As it may be unencrypted

    Protonmail is Not Secure As it may be unencrypted

    https://vimeo.com/100714271

  8. Saturday 8th November 2014 02:19 GMT warmbrother

    Hmmm ... is there anything at all out there that you know of that actually works and does not scan / dump one's email ? Thanks!

  9. This post has been deleted by its author

  10. Wednesday 3rd December 2014 21:04 GMT scryptmail

    I can welcome people to try scryptmail.com now in beta,

    we do email encryption and attachments, all scripts hosted on our servers, so information you leak is minimal.