ProtonMail - Encrypted Email

Discussion in 'privacy technology' started by rock_man, Apr 28, 2014.

Thread Status:
Not open for further replies.
  1. rock_man

    rock_man Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    55
    https://protonmail.ch/

    Hosted in Switzerland
    More flexible than Mail1Click - you can send/receive email easily with non-ProtonMail users.
    Optionally password encrypt email to non-ProtonMail users
    Email expirations
    Two passwords: one to authenticate with the service and another to decrypt mailbox client-side. The mailbox password is not shared with ProtonMail. Therefore, zero knowledge.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  3. rock_man

    rock_man Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    55
    The SSL Labs score of B is not bad at all, especially for a beta. What is the service lacking exactly?

    How is increasing the RSA key length in a beta service late?
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    No TLS 1.2, Forward Secrecy not preferred and only 1024 bits, supports weak ciphers, no OCSP stapling, no HSTS. Not all are counted in the score.
    Still using 1024 bit RSA keys in April 2014 is late.

    I know it's still a beta, so I guess it's a bit nitpicking. However, for me to use such a service and especially pay for it, I would like a service whose developers have expertise in the matter, and this doesn't give me confidence about that.
     
  5. rock_man

    rock_man Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    55
    Appreciate more details. I'm not sure exactly how "OCSP stapling" and "HSTS" would benefit me as a user. But with regards to the service they provide and the nature of it being "strong encryption", you make some good points. Not all those points I fully understand, therefore, with further lack of details or knowledge about them, I can't comment.
     
  6. ProtonMail

    ProtonMail Registered Member

    Joined:
    May 1, 2014
    Posts:
    3
    Location:
    Geneva, Switzerland
    Hi everybody, this is Andy, one of the ProtonMail devs. I just noticed this thread and wanted to provide some quick answers.

    TLS 1.2
    We're are running a hardened version of CentOS which doesn't support TLS 1.2 yet. When support becomes available through RedHat, we will update accordingly.

    Forward Secrecy
    The decision to not use forward secrecy was so that the user experience would be abstracted from the complexity of typical PGP applications. In other words, for convenience and a better user experience. If forward secrecy is a deal-breaker then you're probably the type of power user who is comfortable using PGP and doesn't have a need for "easy-to-use" encrypted email. Basically, it is not technically possible to implement this while at the same time making encyption completely invisible to the end user. Our philosophy is to try to make encrypted email easy to use so it can gain greater adoption and this is something we had to sacrifice for that goal.

    1024 bits
    We used 1024 during private development but now use 2048, this should have been switched to 2048 before we went to beta, but we forgot to change this until a couple days afterwards. We're currently working on supporting 4096, but our testing thus far (since this happens client-side on your browser) has shown this process can take 15 minutes and freezes your browser in the mean-time, which isn't feasible yet.

    Weak Ciphers
    This we have corrected, it was on our to do list, but not the most urgent thing so it took some time to get around to doing it.

    OCSP Stapling
    Unfortunately, this is also not very well supported yet. Once mult-level OCSP stapling is in Apache, and RedHat supports this, we will update. In general, we follow the Red Hat approach to software security.

    No HSTS
    All links are forced to be HTTPS in our code. HSTS however has now been implemented as well, it was always on the to do list, but we needed to roll out some bug fixes first.

    We appreciate all the feedback, anything that helps us improve our security is appreciated even if it comes in the form of criticism ;-)
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Thanks for your reply :)
     
  8. Dogfather

    Dogfather Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    15
    Location:
    United Kingdom
    Thanks for the quick response. I am trying out your beta and have to say that for ease of use it is excellent.

    As I my work involves people who are not necessarily "techies" but who need a degree of anonymity I have high hopes that we will be able to utilise your service.

    Dogs.

     
  9. WalterWolf

    WalterWolf Guest

    Nice,I applied yesterday today mail came.

    Will there be free plan or/and (only) paid ?
     
  10. ProtonMail

    ProtonMail Registered Member

    Joined:
    May 1, 2014
    Posts:
    3
    Location:
    Geneva, Switzerland
    Our plan is to always keep a free version of ProtonMail available. So if you request a beta account today, you won't get hit with a "pay us now or we lock your account" later on. To pay the bills, we'll have premium plans that offer extras like additional space.
     
  11. Morthawt

    Morthawt Registered Member

    Joined:
    Jul 10, 2008
    Posts:
    79
    Location:
    UK
    Do they have diffi keys as well as rsa?
     
  12. WalterWolf

    WalterWolf Guest

    Thank you,nice to hear that.
     
  13. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.forbes.com/sites/hollieslade/2014/05/19/the-only-email-system-the-nsa-cant-access/
     
  14. rock_man

    rock_man Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    55
    What a great article! It's awesome to see a small group of folks team up and deliver something like ProtonMail. It's especially awesome they put their names and faces in public instead of hiding behind an anonymous corporate veil of online presence. It's also encouraging these guys are resisting venture capital investments and selling out.

    Kudos to Jason, Wei and Andy! Keep it pure, guys!
     
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    This does sound really cool! I'll have to give it a try, thanks!
     
  16. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I have the beta access and I must say I like it so far. I like the encryption/decryption being so simple and easy to use, plus the fact that the email can be told to kill itself after a time period. I dont mind paying for this kind of service.
     
  17. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    How is PFS not user friendly? Gmail is using it. It's transparent to the user. It's a Browser/Server interaction only. What am I missing?
     
  18. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Wilders is using it on this very forum.
     

    Attached Files:

  19. WeAreAllHacked

    WeAreAllHacked Registered Member

    Joined:
    May 22, 2014
    Posts:
    28
    I like the "idea". I don't like that it's wordpress. Might signup later. It seems like a interesting project.
     
  20. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
  21. gardentrellis

    gardentrellis Registered Member

    Joined:
    Jul 2, 2014
    Posts:
    1
    Should a privacy service use Google analytics? Is there a risk of browser fingerprinting, and the possibility that users could be tracked and then targeted for further investigation?
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Good point. Big no.
     
  23. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Maybe PayPal got a clue?
     
  25. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Yes, it does, the encryption is forbidden in USA by NSA. :shifty:
     
Loading...
Thread Status:
Not open for further replies.