

ProtonMail: End-to-end encrypted email - icot
https://protonmail.ch/
A secure mail startup founded by CERN and MIT scientists in 2013.
======
thecoffman
> [https://protonmail.ch/blog/protonmail-threat-model/](https://protonmail.ch/blog/protonmail-threat-model/)

I'm always skeptical of browser/JS based crypto, but it is nice to see that
they're at least upfront with the risks involved in doing such a thing.

They probably downplay the risk of a MITM attack a little much, but otherwise
I'm glad to see they're realistic about possible weaknesses of the platform.

~~~
x1798DE
Yes, but they are clearly playing a bit fast-and-loose with things here. The
whole point of end-to-end encryption is that it's a "trust no third parties"
model (other than whoever provided your crypto software, which you can verify
anyway). This is slightly better than Lavabit, but you're still trusting
ProtonMail, who are providing the crypto implementation to your browser every
time you use it. Depending on how it's implemented, they could potentially
unilaterally revoke all your past secrecy by changing the Javascript code to
capture your private keys.

Plus, they're offering self-destructing e-mails, which is impossible to
provide, so already there's a bit of snake oil there. If they said, "It's not
possible to provide real self-destructing e-mails, but you can set it up so
that (assuming you trust us), we'll delete the messages from our servers after
a certain amount of time, which is the best anyone can do." Instead they say
that they are "more ephemeral than SnapChat."

~~~
duaneb
Do you trust OpenSSL?

~~~
Xylakant
> Do you trust OpenSSL?

Good question, but one with no influence on whether I trust protonmail. The
threat model is different: OpenSSL is so widely deployed that all is lost for
me if it's broken. I'd assume protonmail uses it for its SSL connections (the
webserver pretends to be an apache). If there's an exploit, the attacker can
at any time MITM my connection to protonmail and at his discretion inject
javascript that captures my decryption password or message.

------
jfaucett
This sounds really good. The only disappointment is that it seems there is no
business model that allows email providers and services like this to provide
Unlimited encrypted email (no limitations i.e. Gmail-esque) absolutely free to
all users. I'd be willing to gamble that if anyone could sustain this for a
couple years, people would leave Gmail in droves, no one I know likes having
to use the USA/NSA/google/big brother tagteam, but they still don't value the
invasion of privacy enough to pay for it.

~~~
reitanqild
I also was confused about the free forever part until I found they actually
have a tiered pricing model.

Edit: here is what they say: "Forever Free

We believe privacy is a fundamental human right and should be available for
everyone. That's why we offer multi-tiered pricing including a free version
that anyone can use. Let's bring privacy back to the people!"

------
Xylakant
From reading the service description, this is an encrypted messaging service
that happens to have email notifications.

I can't write messages with my preferred mail client, can't read messages with
my preferred mail client and I can't access my (old) messages while offline.
Non-protonmail-users will receive a notification with a link that they
received a message, not the actual message that they can keep for archiving
purposes, offline use etc. I wonder if and how they handle searching
mailboxes.

Neat, but not mail.

edit: typo. darn.

~~~
duaneb
If you used your preferred mail client, it wouldn't be encrypted end to end.
This isn't a resolvable difference without running a local mail server
decrypting the messages.

~~~
conorgil145
Virtru integrates with your existing email client so that you can send
end-to-end encrypted email from your existing email account:
[https://www.virtru.com/other-platforms](https://www.virtru.com/other-platforms)

disclaimer: I am a software engineer at Virtru. Happy to address any
questions/comments!

~~~
Xylakant
That sounds awfully like a DRM wrapper around the content. What happens if the
virtru keystore goes down or is unreachable (temporarily or permanently). Do I
have access to the messages I sent/received?

Can the sender retroactively change access to the content?

------
sudonim
And none of the employees are US citizens that can be compelled by the US
government in a way that they're not allowed to talk about it (even to other
employees) to compromise the security of the service?

I'm not sure that having a Swiss company makes any difference in a case where
people have ties to the US. Does anyone else know better than me on this
topic?

edit: It looks like the goal is that you don't even have to trust protonmail:
"For this reason, we are also unable to do password recovery. If you forget
your decryption password, we cannot recover your data."
[https://protonmail.ch/pages/security_details.php](https://protonmail.ch/pages/security_details.php)

~~~
reitanqild
There are some clues to be found on the page: "ProtonMail is developed both at
CERN and MIT and is headquartered in Geneva, Switzerland. We were
semifinalists in 2014 MIT 100K startup launch competition and are advised by
the MIT Venture Mentoring Service."

------
flym4n
It appears they silently closed a critical vulnerability recently [0]

[0]
[https://twitter.com/StackSmashing/status/474214532114812928](https://twitter.com/StackSmashing/status/474214532114812928)

~~~
mike-cardwell
My name is on
[https://protonmail.ch/blog/protonmail-security-contributors/](https://protonmail.ch/blog/protonmail-security-contributors/)
because I reported a critical XSS vulnerability to them when they were
previously mentioned on here.

All you needed to do was send an email which contained a From header with
script embedded in the name part:

    
    
      From: "<script>Do evil</script>" <address@example.com>
    

All I did to find this vulnerability was sign up for an account and then plonk
the email address they gave me into
[https://emailprivacytester.com/](https://emailprivacytester.com/) (of which I
am the author)
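
An added example, not part of the comment above and not ProtonMail's code: a sender-line renderer with the bug class described (header text used as markup) beside a hardened version that decodes RFC 2047 encoded-words first and escapes at output time. The function names and the sample headers are assumptions constructed for illustration.

```python
import base64
import html
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed samples: the header from the comment, and the same display
# name carried in an RFC 2047 encoded-word (the form non-ASCII names use).
PLAIN_FROM = '"<script>Do evil</script>" <address@example.com>'
ENCODED_FROM = "=?utf-8?b?%s?= <address@example.com>" % base64.b64encode(
    b"<script>Do evil</script>").decode("ascii")


def display_name(from_header):
    """Return (decoded display name, address) from a raw From header."""
    name, addr = parseaddr(from_header)
    try:
        # Decode encoded-words first, so escaping sees the final text.
        name = str(make_header(decode_header(name)))
    except (HeaderParseError, LookupError, UnicodeError):
        pass  # undecodable: keep the raw text, which is still escaped later
    return name, addr


def render_sender_unsafe(from_header):
    """Bug class from the comment: header text is emitted as markup."""
    name, addr = display_name(from_header)
    return "<span>%s &lt;%s&gt;</span>" % (name, addr)


def render_sender(from_header):
    """Hardened: every header-derived value is escaped at output time."""
    name, addr = display_name(from_header)
    return "<span>%s &lt;%s&gt;</span>" % (
        html.escape(name, quote=True),
        html.escape(addr, quote=True),
    )


if __name__ == "__main__":
    for sample in (PLAIN_FROM, ENCODED_FROM):
        print(render_sender_unsafe(sample))
        print(render_sender(sample))
```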

------
luxpir
The security details page[1] makes for interesting reading. Hopefully the new
norm is 'E2E' encryption. It's actually starting to feel inevitable, and the
hopelessness that followed in the wake of the 'Summer of Security' is perhaps
evaporating bit by bit, through universal encryption, bit by bit.

-

[1]
[https://protonmail.ch/pages/security_details.php](https://protonmail.ch/pages/security_details.php)

~~~
higherpurpose
> Messages are stored on ProtonMail servers in encrypted format. They are also
> transmitted in encrypted format _between our server and users’ browsers_.
> Messages between ProtonMail users are transmitted in encrypted form
> completely _within our secured server network_. Because they never leave our
> _secured environment_, there is no possibility to intercept the encrypted
> messages enroute.

Emphasis mine. That doesn't sound like E2E encryption to me. End to end means
it's encrypted user-to-user, not server to user, or user to server to user. It
sounds more like they have something slightly more secure than an e-mail
service like Gmail, but still very vulnerable to subpoenas, backdoors and so
on.

~~~
luxpir
Read on. It goes on to advise how they allow encrypted mail being sent to
external providers, as well as self-destructing messages. The blurb also
discusses the limitations of the system quite openly.

This part is only noting that inter-user messages never even leave their
'secured environment'. By all accounts it does seem as well secured as any
other provider I've looked into.

~~~
higherpurpose
My point is that it's not end to end encryption. Everyone keeps promoting it
like that when it's not, and like they finally solved the compromise between
E2E and user convenience, when in fact they didn't.

Basically, it's Lavabit, but perhaps a little more secure than that in terms
of regular threats. But an order like the one Lavabit obtained would force
them to shut down, too (unless they agree to provide the backdoor), because
it's _not E2E_. If it was, such an order wouldn't have any power over them.

tl;dr ProtonMail is a competitor to Lavabit and Hushmail, not PGP.

------
danesparza
This made me chuckle...

From the threat model article here:
[https://protonmail.ch/blog/protonmail-threat-model/](https://protonmail.ch/blog/protonmail-threat-model/)

"NOT RECOMMENDED:

Edward Snowden – If you are Edward Snowden, or the next Edward Snowden, we
would not recommend that you use ProtonMail. And in case Mr. Snowden was
foolish enough to try, we have already blocked the username
snowden@protonmail.ch"

------
pandemicsyn
Wonder what the cost is going to be when it goes live.

Running infrastructure in those DC's can't be cheap (compared to regular co-lo
facilities). That's on top of probably having to deploy more gear (or higher
perf gear than a regular email provider) since the work load is probably CPU
heavy.

------
Fede_V
Looks interesting, but I think if you trust non-open source encryption, you
are basically a knave. Even with really smart people behind it, unless it's
completely open, they could be compelled to put backdoors into it.

------
programminggeek
So, if I send an encrypted protonmail to someone else's yahoo mail, what
happens? Is it only encrypted in the protonmail ecosystem?

True end to end encryption would mean everything is transferred as an encrypted
thing, and only people with a key can open it. If any email you send out
ultimately is unencrypted so that the other side can read it, we aren't much
closer than where we started are we?

If an email ends up in an unencrypted IMAP mailbox on a server somewhere, how
is that more secure than what happens now?

~~~
x1798DE
I think it sends them a note that says, "Someone at ProtonMail sent you a
message - click this link and enter the password they gave you to open it!"

Presumably they'll have some way to distribute the password in some ephemeral
or slightly out-of-band way. It's probably less secure than messages within
their environment, but it _shouldn't_ ever hit another mailserver in
plaintext (ideally ProtonMail wouldn't even have the plaintext anyway).

------
mikegioia
What a great project with what looks like 3 really talented guys. My one gripe
is the @protonmail.ch domain requirement.

------
spacefight
I wonder how they will stand up against requests from the Swiss government
regarding lawful intercept access. Which, for larger providers is mandatory to
participate in.

~~~
x1798DE
In true end-to-end encryption, this would probably not matter, since you can
hand over all the encrypted e-mails you want and no one's going to be reading
them unless they have your private keys. That said, the nature of in-browser
crypto is such that they (or anyone who controls their servers) could
intermittently change the JS code they are serving in such a way that it
captures your private keys and decrypt all your e-mails.

So it really depends on your threat model. This service is somewhat more
secure than Lavabit, but incrementally and not by leaps and bounds. It also
constrains the attack model (in the Lavabit model they could be coerced to
give the plaintext directly, in this case they would need to be coerced to
actively steal their users' private keys).

~~~
spacefight
There is no true E2E if you run it inside a browser.

And even if it would be application based (PGP, S/MIME), it would still leak
metadata like crazy.

With all the threat models, I come to the conclusion, that there is no real
E2E possible _at all_. All known platforms have been compromised, either by
lawful interception/state trojan means or by direct hacking.

------
dang
This is a dupe of
[https://news.ycombinator.com/item?id=7757420](https://news.ycombinator.com/item?id=7757420).

------
BillFranklin
Lavaboom.com has similar goals but is based in Germany. It's also webmail. I'm
one of the co-founders if you have any queries.

------
galapago
> "we plan to open-source key parts of our code as well later on."

Great!

~~~
iodfgj
Why not open source all of it? I find it hard to trust a closed service
especially after what happened with gmail.

~~~
xk28
Curious, what happened with gmail?

~~~
iodfgj
Because of their little suicidal robots that scan the email and then go boom
(targeted advertising), I keep getting viagra ads everywhere. Plus there's the
whole NSA thing as well...

EDIT: Of course there's adblock and I don't see the ads on my main browser but
when logging in on another computer in a public space... BAM, penis pills

------
dailen
Anybody know when this is finally opening up for more sign ups??

------
trvz
The site uses Google Analytics. Easy to deduce the service's usefulness in a
critical situation from there…

~~~
luxpir
TOR?

EDIT: Just to expand on that a little. For as long as Snowden sports a TOR
sticker on his laptop, or until I hear otherwise, I'll continue to recommend its
use for basic privacy needs. And as mikegioia notes, it is only used on the
front page. You could also block the script, failing that!

