
ProtonMail now offers elliptic curve cryptography - _eigenfoo
https://protonmail.com/blog/elliptic-curve-cryptography/
======
KirinDave
This announcement is an example of why I am not using ProtonMail anymore.
There are a lot of things they do that sound very good on marketing materials,
but upon examination are security theater.

For example, they claim, "We have chosen a particular elliptic curve system
known as X25519, which is fast, secure, and particularly resistant to timing
attacks. It’s simple to implement".

However, previously they've said that they use Indutny's library [0]. This
library is somewhat infamous because its leadership decided to discard any
pretense of defending against timing attacks on the grounds that it would make
the library "too slow." [1]

There are other options. They could have used something with good timing
attack resistance from WebCrypto. Those options exist. Folks with more skill
than I have recommended P-256 as an option.

[0]:
[https://protonmail.com/blog/openpgpjs-3-release/](https://protonmail.com/blog/openpgpjs-3-release/)

[1]:
[https://github.com/indutny/elliptic/issues/128#issuecomment-...](https://github.com/indutny/elliptic/issues/128#issuecomment-302593662)
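
As an added illustration that is not part of the comment above, this sketch shows the kind of WebCrypto option it mentions: ECDH on P-256 where the curve arithmetic is done by the platform's native implementation instead of JavaScript big-number code. The function names, the HKDF info label and the sample message are assumptions made for the example.

```javascript
// Added example. Function names, HKDF label and message are assumptions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const subtle = webcrypto.subtle;
const utf8 = new TextEncoder();
const P256 = { name: 'ECDH', namedCurve: 'P-256' };

// Private key is generated non-extractable: script can use it, not read it.
async function generateIdentity() {
  return subtle.generateKey(P256, false, ['deriveBits']);
}

// Public keys travel as the 65-byte uncompressed point (0x04 || X || Y).
async function exportPublic(keyPair) {
  return new Uint8Array(await subtle.exportKey('raw', keyPair.publicKey));
}
async function importPublic(rawPoint) {
  return subtle.importKey('raw', rawPoint, P256, true, []);
}

// ECDH output -> HKDF-SHA-256 -> AES-256-GCM key; the raw shared secret is
// never used directly as a cipher key.
async function deriveMessageKey(myPrivate, theirPublic, salt) {
  const shared = await subtle.deriveBits({ name: 'ECDH', public: theirPublic }, myPrivate, 256);
  const ikm = await subtle.importKey('raw', shared, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt, info: utf8.encode('example-mail-key-v1') },
    ikm, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function seal(key, text) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh nonce per message
  const ct = new Uint8Array(await subtle.encrypt({ name: 'AES-GCM', iv }, key, utf8.encode(text)));
  return { iv, ct };
}
async function unseal(key, { iv, ct }) {
  return new TextDecoder().decode(await subtle.decrypt({ name: 'AES-GCM', iv }, key, ct));
}

async function demo() {
  const [alice, bob] = [await generateIdentity(), await generateIdentity()];
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const alicePub = await exportPublic(alice);
  const aliceKey = await deriveMessageKey(alice.privateKey, await importPublic(await exportPublic(bob)), salt);
  const bobKey = await deriveMessageKey(bob.privateKey, await importPublic(alicePub), salt);
  const box = await seal(aliceKey, 'constructed sample message');
  const opened = await unseal(bobKey, box);
  box.ct[0] ^= 1; // flip one ciphertext bit: the GCM tag check must fail
  const tamperRejected = await unseal(bobKey, box).then(() => false, () => true);
  return {
    opened, tamperRejected,
    publicKeyLength: alicePub.length,
    privateExtractable: alice.privateKey.extractable,
  };
}

demo().then((result) => console.log(result));
```

WebCrypto specifies the API, not the side-channel behaviour of the implementation behind it, so what this buys is that the scalar multiplication is the browser vendor's native code and the private scalar never reaches page script.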

~~~
glaurung_
Out of curiosity, what did you switch to? I'd like to leave Gmail and Proton
Mail seems to be pretty well recommended. Is Fast Mail a better option?

~~~
qqn
I've been using Tutanota for almost a year now and it's pretty good. I'm no
expert on encryption but that part also seems pretty solid [0,1]. NordVPN
"leans towards" TN over PM, but only for convenience and not security (that's
more or less equal between the two)[2]. However, PM is based in Switzerland
(not bound by GDPR), while TN is in Germany (bound by GDPR and other privacy
laws that the EU is really progressive in pushing, compared to the rest of the
world)[2]. That said, PM is what Cambridge Analytica was using to overthrow
governments so I suppose that has to be pretty secure[3].

PM pricing is €48-288/y while TN is €12-60/y[4,5]. Both have freemium options
too; I'm paying €12/y for TN just to receive support (more to be able to
message them with feedback, really).

My only complaints w/TN is that it's a bit slow; notifications will remain
even seconds after I'd read the mail, and sometimes (especially in the
beginning) I would hit "Del" twice or more for the same email because it would
remain in my inbox, ultimately accidentally deleting the emails after it in my
inbox (something I noticed only after refreshing the tab, which -- annoyingly
but also securely -- would cause me to have to log in again).

I ultimately went with TN because of one thing, however: I can export emails.
Yes, it's a hassle, and yes, I have to generally do it by hand, bundle by
bundle, but I love being able to have all my emails archived offline. Plus,
with their new (beta) desktop client, this should be even easier[6]. I'm
staying with them for now because they're the only ones (that I know of) who
encrypt both your emails and your contacts, as well as the subjects, contents,
and attachments of all the emails you send[7]. This is HUGE for me. However,
the moment a better service comes along who does all this and who is smoother,
faster, I won't mind switching ship. Especially because the name is so
annoying to tell people, especially over the phone ("Puta? Duda? T like Dom or
like Tom?"). Yes, I get it means "secure message" in Latin, but come on now.
Just use a simple word already. Or do what PM did and enable a neat shorthand
domain (pm.me, how neat is that?[8]). Though they also do offer custom domain
names so I suppose this isn't too much of an issue, I just haven't had time to
properly look into this yet.

After reading this thread though I'm curious to find out more about FastMail.
But Australia, uhhh... Five Eyes, no thank you.

[0]: [https://tutanota.com/security](https://tutanota.com/security)

[1]: [https://tutanota.com/blog/posts/innovative-encryption](https://tutanota.com/blog/posts/innovative-encryption)

[2]: [https://nordvpn.com/blog/tutanota](https://nordvpn.com/blog/tutanota)

[3]:
[https://reddit.com/r/ProtonMail/comments/85vgca/cambridge_an...](https://reddit.com/r/ProtonMail/comments/85vgca/cambridge_analytica_ceo_alexander_nix_caught_on)

[4]: [https://protonmail.com/pricing](https://protonmail.com/pricing)

[5]: [https://tutanota.com/pricing](https://tutanota.com/pricing)

[6]: [https://tutanota.com/blog/posts/desktop-clients](https://tutanota.com/blog/posts/desktop-clients)

[7]: [https://tutanota.com/faq/#what-encrypted](https://tutanota.com/faq/#what-encrypted)

[8]: [https://pm.me](https://pm.me)

~~~
protonmail
ProtonMail actually has a dedicated export tool:
[https://protonmail.com/support/knowledge-base/export-import-...](https://protonmail.com/support/knowledge-base/export-import-emails/)

ProtonMail also encrypts emails, contacts, contents, attachments, of all
emails you send and receive, with end-to-end encryption.

However, the most important differentiator is the trust model. ProtonMail has
Address Verification, which means it is trust on first use, which is
significantly more secure than the trust on every use model Tutanota uses for
key distribution. Details here:
[https://www.reddit.com/r/ProtonMail/comments/b84kd3/why_is_p...](https://www.reddit.com/r/ProtonMail/comments/b84kd3/why_is_protonmail_better_than_tutanota/ejyu35v/)

------
lvh
X25519 is great, but it doesn’t make Protonmail (really, OpenPGPjs) a net safe
communications mechanism.

It inherits all of the flaws inherent in OpenPGP, including optional
authenticators (which lead to EFAIL), kitchen sink bulk protocols complete
with negotiation (did you know your public keys specify what algorithms you
like?), lack of forward secrecy, repudiability, et cetera.

We should stop using RSA. But RSA isn’t what was keeping OpenPGP from being a
great secure communications channel. That’s aside from the question if it’s
meaningful to say you control your keys if you use OpenPGPjs served up every
time by a third party. (I say that being extremely on the PGP apologia side of
the scale compared to some of my peers!)

~~~
Forbo
Shouldn't it be possible to have the library built in to the browser? I can't
seem to find any information on attempts to make that happen, either directly
by browser developers or as an add-on.

~~~
lvh
Sure: that’s WebCrypto. The main problem it solves is that you don’t really
want your AES implementation to be in JS, which is only a small part of the
problem. You still have the problem that the site would be telling you what to
do with all of that good crypto, and you still need to do key management.

You could do all of this well if WebCrypto was good and you had a
WebExtension, or an Electron app, or some other way where you weren’t just
going to do whatever the website tells you to do.

(That is not a blanket security recommendation in favor of Electron. XSS does
not normally get me RCE.)

~~~
Boulth
Interestingly there is such an extension: [https://github.com/tasn/webext-signed-pages](https://github.com/tasn/webext-signed-pages)

tl;dr version is one pins all resources on the page with Subresource Integrity
hashes and signs the page. The extension verifies the signature matches before
rendering anything.
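
The flow described in the comment above, as an added example that is not part of the thread and not the extension's own code or signature format: scripts are pinned by SRI hash inside the page, the page is signed, and the verifier checks the signature before trusting the pins. The detached ECDSA P-256 signature, the function names and the sample page are assumptions, and Node's crypto module stands in for the browser APIs.

```javascript
// Added example. Signature scheme, names and sample page are assumptions.
const nodeCrypto = require('node:crypto');

// SRI value as written in integrity="...": algorithm prefix + base64 digest.
function sriHash(body) {
  return 'sha384-' + nodeCrypto.createHash('sha384').update(body).digest('base64');
}

function signPage(html, privateKey) {
  return nodeCrypto.sign('sha256', Buffer.from(html), privateKey);
}

// Publisher: pin every script by hash inside the HTML, then sign the HTML.
function publish(scripts, privateKey) {
  const tags = Object.entries(scripts)
    .map(([src, body]) => `<script src="${src}" integrity="${sriHash(body)}"></script>`)
    .join('\n');
  const html = `<!doctype html>\n<title>constructed page</title>\n${tags}\n`;
  return { html, signature: signPage(html, privateKey) };
}

// Verifier: signature first, then every script tag must carry a pin, then
// every fetched body must match the hash the signed page pins for it.
function verifyPage(html, signature, publicKey, fetched) {
  if (!nodeCrypto.verify('sha256', Buffer.from(html), publicKey, signature)) {
    return { ok: false, reason: 'bad page signature' };
  }
  const pins = [...html.matchAll(/<script src="([^"]+)" integrity="([^"]+)"><\/script>/g)];
  if (pins.length !== (html.match(/<script\b/g) || []).length) {
    return { ok: false, reason: 'unpinned script tag' };
  }
  for (const [, src, pinned] of pins) {
    if (!Object.hasOwn(fetched, src) || sriHash(fetched[src]) !== pinned) {
      return { ok: false, reason: `integrity mismatch: ${src}` };
    }
  }
  return { ok: true, reason: 'signature and all pins match' };
}

function demo() {
  // prime256v1 is OpenSSL's name for P-256.
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const scripts = { '/app.js': 'console.log("constructed app bundle");' };
  const swapped = { '/app.js': 'console.log("swapped bundle");' };
  const { html, signature } = publish(scripts, privateKey);
  // Serving a different bundle also requires rewriting the pin, which breaks the signature.
  const repinned = html.replace(sriHash(scripts['/app.js']), sriHash(swapped['/app.js']));
  const loose = '<script src="/app.js"></script>';
  return {
    clean: verifyPage(html, signature, publicKey, scripts),
    swappedScript: verifyPage(html, signature, publicKey, swapped),
    swappedScriptAndPin: verifyPage(repinned, signature, publicKey, swapped),
    unpinned: verifyPage(loose, signPage(loose, privateKey), publicKey, scripts),
  };
}

console.log(demo());
```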

~~~
lvh
Neat! I haven't audited it but a quick look through the README suggests the
approach is sound.

~~~
Boulth
Too bad there is nothing like that built into browsers directly. I guess not
only security related webapps could take advantage of it.

------
brendyn
I was silly enough to sign up without looking into it because it was
recommended on HN. Then I realised they need this bridge software to connect.
I asked about it stating I'd like to build it myself and confirm it is libre
software. They just sent back a generic link to a .deb beta file. I had a look
and it's got this eula.txt with the standard you-have-no-rights. Messaged them
again asking what they intended to do license-wise and they ignored me.
Someone else has written their own bridge and put it on GitHub but it's a bit
of a joke to have to do that. Not sure what to move to now, mailbox.org was
another I saw recommended.

My email history:

- gmail.com > US spying, escape.
- lavabit.com > Shutdown due to US government legal attack.
- Ran my own server > Too much bother, gave up.
- openmailbox.org > Died for months, ran away with my money.
- protonmail.com > Sketchy, cancelling it now.
- Free mailbox.org with custom domain.

~~~
really3452
Seconded. Anyone know of a good email workflow? Rolling your own server no
longer seems practical. From what I have read most email providers now simply
blacklist the email address of an email sent from a non-major email
service.

~~~
wolco
Use your isp for emailing out and receive email on your own server.

------
ahelwer
Love ProtonMail. Over the past few years I've slowly switched more and more of
my usage onto it as my confidence in the service grows. Gmail now occupies a
similar niche as Facebook in my life, where I keep a vestigial & largely empty
account for those few organizations which still insist on proprietary apps
(Google groups/docs, Facebook groups/chats) for organization.

------
Abishek_Muthian
Off topic

I had a proton email created when it was announced & didn't use it. I found
out that my mailbox decryption for that email id is not working (not sure how,
I use password manager) & I haven't set a recovery email to recover my
account.

I saw a HN comment earlier telling, the user had recovered their Proton mail
account by answering few questions to customer service.

I attempted the same, the issue is that I used VPN to create the email id &
didn't provide any personal details for the account.

They asked questions like,

- Do you remember the exact time and date when your account was created?
- When was the last time you have accessed your account?
- What is your display name?
- Do you remember to which addresses you have sent your last messages?
- Do you remember the email subjects of the last sent messages?

I tried to answer the account creation date by using the date of password
creation in my password manager (the login password was working); but the
support didn't seem to buy it.

They were insistent on,

- Can you please tell us if you remember from which addresses have you received your last few messages?
- Could you tell us if you have used the ProtonMail account to sign up for some other web services?

I told them, I don't remember receiving email from anyone else & I didn't sign
up for any service

- There is a service that the xxxxx@protonmail.com address has been used to sign up for. Can you please tell us what that service is?

I told them again that I didn't sign up for any service using that email id.

- Can you tell us the full address below?

no-xxxxx@drxxxxx.com

Even though I could obviously guess the username of that email id. I told them
that I didn't sign up with such service, that it must be a spam mail sent by
some service.

They said,

- If you have not signed up for this service, the account probably belongs to
someone else.

Then I typed 'no-xxxxx@drxxxxx.com' on Google Search, the instant results gave
'no-reply@dropbox.com' as the first result.

I sent them,

Hey sorry, I remembered the service. I did sign up for Dropbox & used the
account for a while.

The email id you asked was,

no-reply@dropbox.com

They reset the account & I got access to it.

Edit: Had to fix the xxxxx.

~~~
dontbenebby
This would worry me more than drama about one algo choice over another.
Encrypting the data at rest (even if it's not perfect) is probably better than
letting it sit around in plain text.

OTOH account hijacking is a well documented[1][2] threat.

I don't like the idea that if I set up a secure password and 2FA someone could
call up Protonmail and go "_Uh yeah, I use, uh... Hulu? Reset my password
please!_"

[1] [https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-m...](https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief)

[2] [https://www.engadget.com/2016/06/10/hacker-hijacks-deray-by-...](https://www.engadget.com/2016/06/10/hacker-hijacks-deray-by-redirecting-his-verizon-phone-number/)

~~~
Abishek_Muthian
It's a valid concern, though in my case there's no other means to check the
ownership albeit being flawed one; note that me having a valid login password/
or not doesn't seem to have any impact on me recovering the password as I
contacted them using web form support.

~~~
dontbenebby
Oh, you're on a free account?

So you think it'd be stronger protected if you're paying due to probably
having a CC etc tied?

~~~
hombre_fatal
You'd think, right?

AWS doesn't even consider you the account owner despite you holding the credit
card that they bill for that account.

[https://news.ycombinator.com/item?id=19574672](https://news.ycombinator.com/item?id=19574672)

Our industry is such a shitshow in some massive ways.

------
wil421
Anyone using ProtonMail regularly? I created an account but haven’t used it
much.

How are your experiences? Any iOS users who can comment on their experience
with proton mail and the default mail client?

I don’t want to switch to something that won’t be around in a decade or so.

~~~
wanderfowl
One major issue with the iOS client is that it cannot handle more than one
Inbox. So, if you use two accounts (e.g. home and work), you can only be
logged in in one at a time, and have to go through the full sign-in-sign-out
process each time you want to switch. And my understanding is that the iOS app
doesn't actually cache email offline, so it's not terribly possible to work on
an airplane, etc.

Also, understand that due to the encrypted nature, you can't just point an
IMAP client at their servers. They offer separate software to serve as a
bridge, but it's complicated. So, you are _only_ using their web interface.
They don't offer a native app for OS X, even. So again, no offline mail
processing.

I recently put serious thought into moving my personal and business presences
to PM to support the idea and normalize serious encryption, but ultimately
felt like my need of the security it provides doesn't justify the complexity
and UX compromises it forces. But ymmv.

~~~
Abishek_Muthian
Same with Android, only one account in free version. But I think when switched
to pro, one can use more than 1 proton mail account in their app.

~~~
wanderfowl
My understanding is that this isn't a free/pro distinction, but a "Feature on
the Roadmap". But I'd be delighted to find out I'm wrong.

~~~
Abishek_Muthian
I stand corrected[1], premium users can 'Combine multiple accounts into 1
account'.

[1]: [https://protonmail.com/support/knowledge-base/combine-accoun...](https://protonmail.com/support/knowledge-base/combine-accounts/)

~~~
wanderfowl
Yep, that's fine, but it's not much of a firewall. And unless I'm mis-reading
this, this doesn't allow you to combine multiple domains.

~~~
lfms_dotfile
I've set up multiple domains on the same Protonmail account. You can create new
addresses (@protonmail.ch/protonmail.com/pm.me/domain) with a paid account
(iirc up to 5 total addresses with Protonmail Plus).

------
__ralston3
As a PM customer of almost a year, I'd definitely say they should focus more
efforts on the UI/UX as opposed to advancing the crypto for now. What's the
point of having the world's most cryptologically advanced, unusable inbox.
Specifically conversation threading/nesting. I don't expect everyone to be as
streamlined as say a Gmail, but basic "1 conversation - 1 email" in the inbox
would be nice for starters.

~~~
calvinmorrison
I really really really like their conversation threading. Because I get so
many recurring transactional emails (eg bank statements, auto pay, etc) it
makes it very easy for me to view ALL of these in one thread, and not take up
a lot of space in my inbox.

Honestly I wish other providers would give me this sort of 'transactional
email' conversation tie up because it's convenient. I can see in the last 12
months for example, I have always paid my gas bill on time, at a glance too!

------
throwaway_x13zd
While I appreciate advances in cryptography, I would rather protonmail work on
things like getting their bridge returning properly formatted IMAP
responses[1] so we can use whatever clients we want with it.

The mobile experience is fine, but desktop is brutal unless you happen to
prefer one of the few clients they support.

[1]
[https://github.com/Foundry376/Mailspring/issues/429](https://github.com/Foundry376/Mailspring/issues/429)

------
motohagiography
I like protonmail and will likely move my domains to it. I don't use it for
regular social, dating, or sales emails because it is a privacy brand that
creates cognitive friction with people who don't get privacy and security.

If I wanted to grow protonmail, I would emphasize users moving domains to it
because while the brand has exceptional trustworthiness, anything security and
privacy themed runs into the "tacti-cool," problem, where even if it's the
best available and used by real operators, it triggers people's sense of
illegitimacy, and depends with users who identify with a "rebel," e.g.
"losing" team who are not attractive to other users.

IMO, the same problem killed Silent Circle, and the rest of the cryptophone
market.

When you look at who overcame the tacti-cool problem in security and privacy,
the way a brand like arcteryx did it in clothing, Apple's iPhone has done it
in hardware, WhatsApp did it for messengers, and protonmail is _just_ on the
cusp of it.

There is an opportunity to build a new privacy brand that would be as big as a
FAANG, and if I were running it, I'd fold protonmail into it.

------
elliotec
To answer everyone here, I've been using ProtonMail for 6 months now (and
protonvpn) and I love it. The iOS app is great, the web view could be improved
but isn't bad.

------
doomrobo
Slightly OT, but I didn't see an important question being asked:

What is the motivating threat model of ProtonMail?

If I just want to access my email securely, that's done by HTTPS. If I want an
end-to-end encrypted solution, ProtonMail can provide that, though only for
emails between ProtonMail users. For e2e outside of ProtonMail, I can use PGP.

From what I understand, ProtonMail makes all the PGP stuff easier by baking it
into their UI. Is there anything else it offers other than this convenience?
Are they encrypting incoming mail with recipient keys and throwing away the
original? If so, who is that protecting, and against whom? Presumably the
plaintext was stored by the sender and possibly seen by intermediary servers.
Can I get similar security properties by periodically downloading my email and
deleting it off the server (assuming the deletion is actually happening)?

These are honest questions. I admit I'm skeptical of PM's utility, but if
this fits someone's usecase and threat model, I can't argue with that.

~~~
scotch_drinker
I'm using ProtonMail because I'm trying to de-Google-Amazon-Facebook my life
somewhat as another user mentions. I'm tired of being the product and am
willing to pay for certain things.

~~~
doomrobo
So why ProtonMail over any other email provider, besides GMail? Would you be
willing to pay for email?

------
jgowdy
I quit ProtonMail / ProtonVPN after trying over and over and over again to
import mail through their IMAP bridge. They won't provide an open API for
interacting with their mail services so someone can write a better bridge, and
their bridge is very slow, disconnects repeatedly, and basically makes any
migrations impossible. If you're willing to start over with an empty mailbox,
maybe ProtonMail is for you. I eventually gave up trying to move my mail
account in (many tries, with Thunderbird in chunks, with Lamiral's awesome
imapsync tool, you name it), and let them keep the money I paid for a year of
ProtonMail Visionary.

I ended up using StartMail from the StartPage people. It's not perfect, but I
was actually able to migrate to it and use it effectively.

------
philshem
Unsolicited opinion on ProtonMail: I'm a big fan. It's not as flashy as gmail,
but so far my mails haven't been marked as spam, which was happening with
zoho. Unfortunately, zoho doesn't provide free email forwarding, so the
migration to PM is taking longer than hoped for.

I'll probably soon subscribe to PM for two reasons: to use the @pm.me domain
for outgoing (currently only incoming), and for custom domain support. Also
subscribing gets IMAP support (I think).

~~~
wtmt
Note that IMAP support is only through a bridge software that you have to
install and configure.

------
keiferski
This gets asked often, but as someone wanting to get away from Gmail, any
thoughts on Fastmail vs. ProtonMail?

~~~
Leace
They represent vastly different philosophies. Fastmail is a direct alternative
to Gmail with good UI and UX but they're based in Australia and against
message encryption as it impacts their UX (for example it's not possible to
index encrypted messages). Protonmail is an OpenPGP company (they directly
invest in OpenPGP.js) but have issues supporting other standards. For example
IMAP/SMTP is available only through a bridge.

~~~
robin_reala
They’re based in Aus, but their servers are in the US (which is why I decided
against switching from GMail to them in the end, and picked someone a little
more local).

~~~
Whatitat90
That means their servers cannot be directly accessed but since they're based
in Australia the company can be compelled to install decryption software
without notifying anyone.

Source: [https://www.youtube.com/watch?v=eW-OMR-iWOE](https://www.youtube.com/watch?v=eW-OMR-iWOE)

------
usr1987
I tried proton with my own domain... it's a hassle, and how about address book
sync and calendar?

------
dlphn___xyz
does it matter if its traffic is routed through countries with a history of
breaching privacy?

