
Show HN: End-to-end encrypted email, based in Switzerland - stockmania
https://protonmail.ch
======
tptacek
This appears to be a PHP wrapper around OpenPGP.js. If the encryption comes
from Javascript loaded by browsers from the servers every time they visit the
site, the encryption isn't "end to end". It's controlled by the server and can
be broken by the server.

Also: the RSA Security logo isn't the logo of the RSA algorithm; it's the logo
of the company that sells RSA tokens.

~~~
pdx
I knew this is the first thing I would read. We are becoming pretty
predictable.

I tire of hearing this repetitively, every time somebody attempts to take this
path, but I recognize you are doing it for anybody that is new and didn't hear
the other warnings.

Isn't the perfect the enemy of the good?

Can we recognize that this is a good first step, and definitely constitutes a
huge improvement over gmail/yahoo type webmail solutions?

You can still quickly add a disclaimer that you hope they quickly begin the
large task of development of native windows/mac/linux/ios/android apps that
will remove the javascript concern.

If you spit on everything that is not perfect, you may be steering people away
from taking any action to protect their privacy.

~~~
acabal
Not in this case, I don't think. If there's a way to break encryption, even in
the smallest way, then it's not _really_ encrypted, and calling it "good
enough" does a disservice to people who actually expect it to be flawless.

Look at Lavabit, which was _good_ but not _perfect_... everyone thought they
were _protected enough_, and then the government came knocking and all of a
sudden the little gotcha of "Well, Lavabit did have access to your data after
all, even though they promised not to look and also be really careful about
their encryption keys" is the crack they use to blow the entire thing open.
(Though that was a pretty damn big crack, admittedly.)

If there's a way to break in, then it will be broken in to--and then "good
enough" all of a sudden becomes "tragically and dangerously broken" for the
kinds of people who trusted it the most: activists, whistleblowers,
informants, political radicals, etc.

~~~
pdx
That's fair, and I do not want him to stop warning us. I recognize his
expertise.

I just feel that these sorts of criticisms, that are not sandwiched with at
least a little positive message, are keeping people paralyzed in gmail and
yahoo and msn while they wait for perfection.

~~~
tptacek
What positive message are you looking for here? Are you just glad people are
trying to protect people, even if they're failing?

~~~
read
tptacek, can you suggest a design for end-to-end email encryption delivered
through a browser?

As theboss mentioned [1], is:

(a) browser crypto theoretically impossible, is it

(b) that something's practically from browsers today (like built-in crypto
code) for a practical solution, or is it

(c) that existing attempts have not attempted to do something that is
theoretically possible?

If I understood you correctly, you alluded verification might be possible [2]
but it seems there isn't yet a clear description or understanding of what's
possible and what's not.

[1] https://news.ycombinator.com/item?id=7757892

[2] https://news.ycombinator.com/item?id=7757678

~~~
tptacek
Verification isn't possible in modern browsers. This is an inherently hard
problem, one that has caused some people who've launched carefully-designed
encrypted mail systems to abandon the effort.

~~~
read
Am I understanding you correctly that verification _IS_ possible in browsers,
just not the existing modern ones (e.g. because of limitations in the existing
modern ones) and that browser crypto is possible?

(I recognize it might inherently be a hard problem, but hard does not equal
impossible. I also recognize there are benefits to a simpler solution that can
outweigh the benefits of a harder solution.)

------
kylec
Anyone that values their privacy should never trust a service like this. The
idea of in-browser encryption and decryption is nothing new, and it always
suffers from the fact that the server can replace the client side software at
any time without warning. If you must use a browser, find a plugin that you
trust that works with any webmail service. Better yet, use an actual mail
client and encrypt/decrypt in that.

~~~
fareastcoast
I think the idea of ProtonMail is to serve the part of the population that
mostly uses the browser. Obviously if you wanted to be super secure, there are
more sophisticated methods out there, but they aren't exactly accessible to
the non-HN population. I don't think we should say, just because a perfect
browser based solution isn't possible, this shouldn't exist at all. It's like
saying, do something only if you can do it perfectly.

~~~
tptacek
Even if I thought this was a sensible way to describe the value of the service
(I don't): that's not remotely what this site says. It makes expansive claims
about security, which it can't possibly back up. Why should ordinary people be
expected to trust them with secrets?

------
Jgrubb
Funny, when I hear "Switzerland" I think about how just this morning I heard
that the American IRS has finally broken the long standing tradition of Swiss
banking privacy, and that CreditSuisse will be paying billions of dollars in
fines.

~~~
fareastcoast
Well, selling out American millionaires is one thing, I have a feeling the
Swiss would be less willing to sell out private communications to the NSA.

~~~
tptacek
Because...

~~~
lesterbuck
Because the "neutral" Swiss company Crypto AG was backdoored by the NSA long,
long ago.

https://en.wikipedia.org/wiki/Crypto_AG#Back-doored_machines

------
ctz
> By using a CA owned by the Swiss government, we ensure the highest security
> for our users because it is extremely unlikely SwissSign can be coerced into
> validating another website impersonating us

This is a dangerous and insane misunderstanding of how the trust relationships
work in the public CA system.

_Any_ CA can impersonate _any_ site. _Your_ choice of CA has no bearing on
your exposure to this risk.

(If this were an app or browser extension, you could plausibly pin the right
certificate path to only trust SwissSign. But if you can do that, you can just
pin your certificate and don't need a CA at all.)
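
The trust decision described in the comment above, as a toy model (an added example, not part of the original comment or of any project's code). Signature checking is reduced to matching issuer names, and `OtherCA`, `mail.example` and the key bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # hostname (leaf) or CA name (root)
    issuer: str    # name of the CA that signed it
    key: bytes     # stand-in for the SubjectPublicKeyInfo bytes

def pin(cert):
    """SPKI-style pin: a hash of the certificate's public key."""
    return hashlib.sha256(cert.key).hexdigest()

def chain_links(chain):
    """Each certificate must be issued by the next one in the chain."""
    return all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))

def browser_accepts(host, chain, trust_store):
    """Public-CA model: ANY root in the store may vouch for ANY host."""
    return (bool(chain) and chain[0].subject == host
            and chain_links(chain) and chain[-1] in trust_store)

def pinned_accepts(host, chain, pins, trust_store=None):
    """Pinning client: some certificate in the chain must carry a pinned key.
    With trust_store=None no CA is consulted at all (leaf pinning)."""
    if not chain or chain[0].subject != host or not chain_links(chain):
        return False
    if trust_store is not None and chain[-1] not in trust_store:
        return False
    return any(pin(c) in pins for c in chain)

# Constructed sample data: two roots the browser trusts equally.
SWISSSIGN = Cert("SwissSign", "SwissSign", b"swisssign-root-key")
OTHER_CA = Cert("OtherCA", "OtherCA", b"other-root-key")
TRUST_STORE = {SWISSSIGN, OTHER_CA}
HOST = "mail.example"
GENUINE = [Cert(HOST, "SwissSign", b"site-key"), SWISSSIGN]
ROGUE = [Cert(HOST, "OtherCA", b"not-the-site-key"), OTHER_CA]

def evaluate():
    """Return (genuine accepted, rogue accepted) for each policy."""
    ca_pins, leaf_pins = {pin(SWISSSIGN)}, {pin(GENUINE[0])}
    return {
        "browser": (browser_accepts(HOST, GENUINE, TRUST_STORE),
                    browser_accepts(HOST, ROGUE, TRUST_STORE)),
        "ca_pin": (pinned_accepts(HOST, GENUINE, ca_pins, TRUST_STORE),
                   pinned_accepts(HOST, ROGUE, ca_pins, TRUST_STORE)),
        "leaf_pin": (pinned_accepts(HOST, GENUINE[:1], leaf_pins),
                     pinned_accepts(HOST, ROGUE[:1], leaf_pins)),
    }
```

Only the two pinning policies reject the chain issued by the other CA; the stock browser policy accepts both chains regardless of which CA the site itself bought its certificate from.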

------
sneak
Encryption to keys that are not properly authenticated is more unsafe than no
encryption at all.

This holds up "No private / public key management." as a feature. Without key
management (specifically, secure generation, storage, and authentication)
encryption is worse than useless.

------
rdl
Wow. How exactly does one do this given there have been 15 years of well
documented problems with exactly this model of deploying "secure mail"?

------
brute
This is a browser addon, right? Is everything loaded locally? If no, what
prevents you from putting up some javascript that transfers the decryption
password (or the plain text) to you.

Sorry, didn't bother to download and look for the source code, to find out how
the inner mechanics work. The website doesn't give much information either.

~~~
tptacek
No, it doesn't appear to be. They're at pains to say "nothing is installed",
and when I created an account, it loaded "openpgp.min.js" from the server.

------
cmpb
Can I view the source of the actual program? If not, it doesn't serve much
purpose to say that all the cryptographic libraries you use are open-source.
Let me see the source and then I'll see about trying your product.

As an aside, I see other people on this thread talking about the
well-documented problems of in-browser encryption/decryption. Could someone
point me to a list?

~~~
brute
http://www.wired.com/2012/08/wired_opinion_patrick_ball/all/
It's about cryptocat (secure chat) but the same principles apply. Note that
cryptocat has switched to a browser addon-based design afterwards.

------
eliteraspberrie
With respect to their servers' location in Switzerland, if you don't live in
Europe, that will not benefit you. Even the best of laws require you to
actively defend yourself. I for one cannot travel to Switzerland and represent
myself in a Swiss court, at least not at a tolerable cost.

------
IgorPartola
Damn. I got excited for a second that someone had put together a decent mail
client that supports PGP and a hosted email service to rival GMail where the
unencrypted email they store would have some semblance of protection from the
NSA. Too bad this is the same old crypto in JS stuff.

------
praeivis
From the page source: "We only use GA on our Home and Invite pages to view
where traffic is coming from as we prepare for beta. We will be removing GA
and all third party sourced scripts from the site afterwards. - Jason"

So far we are still tracked by GA, so IDK...

------
gesman
Is that similar to zerobin
(http://sebsauvage.net/wiki/doku.php?id=php:zerobin)
where server has no knowledge of the content of a message?

------
mrsaint
Interesting that they did not choose to support TLS 1.2 for SSL encryption,
and that they added RC4-MD5 as one of their (few) supported ciphers. Certainly
doesn't make me feel any warmer.

------
hglaser
Is "Based in Switzerland" relevant in this case? I know their government is
historically neutral in major wars. Are they also a good place to base
security-minded companies?

~~~
bjoernw
And whose banks are currently releasing the names of tax evaders to every
country that wants to know... Not saying that's in any way unjust but it does
hurt Switzerland's reputation for being that anonymous safe haven.

------
memming
You can send encrypted emails to non-protonmail users, but they have to click
a link and enter passphrases, and not to mention that the emails will expire?

------
ddorian43
How does searching work?

