
Thread: Secure, encrypted, easy to use, free email: ProtonMail

  Post #1 by ThePythonicCow (Administrator, North Texas)

    Secure, encrypted, easy to use, free email: ProtonMail

    Ever since the US Government forced Lavabit to shut down in August 2013, and a similar email service, Silent Circle, shut down one day later because they "could see the handwriting on the wall", there has not been a good free, secure, encrypted, but easy to use email service.

    Now, there is one: ProtonMail.ch.

    There is a waiting line to get an account - I waited 5 months to get my account. You can now send email to my account pauljackson@protonmail.ch, and if you are sending that email from another ProtonMail.ch account, it will be securely encrypted, all the way from your computer, to mine, with no one in between, not even ProtonMail, having the decryption keys.

    At some point, perhaps already, once they have enough server hardware online, the waiting time will be reduced to open a new account.

    ProtonMail runs all their own server hardware and systems, in order to minimize the risk of some hack being placed in their servers. However, even if their servers were hacked, this would not necessarily compromise the security of email sent through them, as email between two ProtonMail accounts is encrypted end-to-end, from the sender's computer to the receiver's. So long as the end users' computers aren't compromised, and no one is able to sneak some hack into the JavaScript code that does the encrypting/decrypting, then it would be difficult even for the NSA to spy on what is sent.

    ProtonMail was initially funded by an IndieGoGo campaign that ended in July 2014, which raised US$550,377 (their goal was only US$100,000).

    They expect to sell premium accounts for money, to fund ongoing operations when that initial funding runs out, but they are committed to keeping the basic account Free, forever. Currently my free pauljackson@protonmail.ch account provides me with 500 MB of email message storage and allows me to send 1000 messages per month. That's plenty for my secure email needs, though I will still be maintaining a separate Fastmail.fm account as my main email service: jackson@fastmail.fm.

    Here are the opening comments from a few articles about ProtonMail. Follow the link provided for each article to read more of the article.

    From ProtonMail Is A Swiss Secure Mail Provider That Won’t Give You Up To The NSA (TechCrunch.com):

    ===============
    In the wake of Lavabit’s demise and increased interest in secure mail services, Switzerland-based ProtonMail is looking to zap a little life into the old PGP mail server market. Currently crowdfunded far past its goal of $100,000, the service wants to make it cheap and easy to get a secure email account with just enough paranoia built in to keep you safe.

    I asked one of the creators, co-founder Andy Yen, why we should trust them. He said we didn’t have to.

    “One of our goals is actually to build a system that does not require trusting us,” he said. “We’ve taken the first step with our zero access architecture which means we cannot actually read any of our users’ encrypted messages. When the code base becomes more mature, we also plan to open source the ProtonMail software.”

    The service works by encrypting all the messages in the user’s web browser before it even reaches the ProtonMail servers. This means ProtonMail doesn’t hold the password and can never decrypt user messages. It’s this unique proposition — that there is no way to get everyone’s email if the server is compromised — that seems to have struck a chord with backers.
    ===============

    From NSA-proof email? ProtonMail delivers (GeekSided):

    ===============
    Nobody needs to be reminded about the NSA spying revelations and the very wide net that spying cast. If you’re reading this, the NSA has enough information about you that you’d feel embarrassed if they decided to share it. One of the ways they did (or do) this is intercepting email, which is disturbingly easy to do. ProtonMail wants to make that more difficult.

    For instance, as we reported on just a few days ago, Google gets its hands on the majority of emails sent nowadays. And when somebody has all of these easy-to-access emails, those emails are vulnerable to being snooped on. Lo and behold, the NSA broke into Google’s private data centers and had virtually carte blanche access to all user data for quite a while, which includes the content of emails.

    Ever since, it’s been hard for many people to figure out what a secure way to send emails would be. First, we need a little history.

    The original private email providers go down


    Lavabit was the industry leader in this sort of email and it is believed Edward Snowden used Lavabit to communicate once he went rogue from the NSA. See, Lavabit was an extremely secure email service with user privacy as its focus. Emails were always encrypted and unusable for even Lavabit, since they didn’t have the decryption keys (those only belong to the users).

    The US government demanded Lavabit build a backdoor in their technology to record email metadata (sender and receiver addresses, subject titles, etc.), something they weren’t willing to do. Not only would this jeopardize Snowden’s communications, but everyone that uses Lavabit. Obviously, at the time, this was all secret so as not to tip off the spying targets.

    The government wrote in the charges against Lavabit for contempt of court, “The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system.’”

    Instead of helping the US government have unfettered access to its users, Lavabit decided to close down. Even with that measure, Lavabit’s owner, Ladar Levison, could find himself imprisoned. Snowden called that decision “inspiring.”

    That’s better than HushMail, the “secure” email provider that turned over clear-text copies of email content to authorities when asked in 2007.

    Another secure provider, Silent Mail, decided to shut down after hearing about Lavabit’s fate. While they continue to run their other Silent Circle offerings, it was decided that email by its nature was just too vulnerable to guarantee security.

    Enter ProtonMail

    Seeing the fate of Lavabit and knowing the need for email security after all of the attention paid to the government surveillance, three Harvard and MIT students teamed together to create a new alternative. Where did they meet? Well, they just happened to be working at CERN, which is where the discovery of the so-called “God” particle took place. Over lunch, they decided to put their efforts towards something completely different: it became ProtonMail.
    ===============

    From Best Secure & Encrypted Email Providers (VPNPick.com):

    ===============
    The one that stuck out the most over all other secure email services is ProtonMail. When the leaked documents by whistleblower Edward Snowden first surfaced, scientists at CERN, the European Organization for Nuclear Research, discussed their concern over NSA surveillance and other programs alike. A group of physicists and engineers collectively put their massive computing capabilities to work at creating a secure email service like no other.

    ProtonMail was born and it quickly gained notoriety among the privacy community with its bold stance against government surveillance. They kept full control of all their mail servers in Switzerland to avoid any forced shut downs or requirements to provide any server data to U.S. or other foreign surveillance organizations. Forbes has called ProtonMail “the only email system the NSA can’t access” but what makes them better than most other encrypted email providers? Even Gmail now offers some level of end-to-end encryption.

    ProtonMail had a huge response to their Beta launch and are currently at full server capacity and expansion is underway. You can still head to their website and reserve your own @protonmail.ch address and invitations will be sent out as soon as server capacity allows.
    • ProtonMail offers full end-to-end email encryption, from start to destination. The encryption happens at the user’s level, making it impossible for ProtonMail to have ever seen the original content. The email is already encrypted when it reaches their Switzerland servers and the recipient’s email password is the only key to that email.
    • Unlike most other secure email providers, ProtonMail does not require any kind of setup, allowing just about anyone to easily use the website on their browser on all devices thanks to a clean responsive design.
    • ProtonMail does not have the keys to decrypt any of the emails sent across their network, unlike services like Gmail, who do have the power to decrypt email messages. If authorities would request keys, they would not even have that possibility, only retaining encrypted data on the servers.
    • Strategically based in Switzerland, ProtonMail will decline any third party requests from overseas organizations or governments. Local government values privacy and has a very low wiretapping and data seizure track record, used explicitly to prevent crime.
    • ProtonMail has refused offers from various investors to keep their integrity intact. Instead, they have opted for crowd funding methods to keep them afloat, allowing their user base community to donate to the cause, while keeping conflict of interest investors at bay. This decision has proven to be fruitful as they have recently surpassed 200% of their latest campaign goal amount.
    • ProtonMail will be offered free of cost, but with limited storage. As an additional revenue stream, users will be able to pay $5 for 1Gig of inbox storage. The funds are essentially for expansion and maintenance of the infrastructure.
    ===============

    What are the vulnerabilities? There always are some; if some well-funded agency wants my data badly enough, they will have it. Someone could get a bug into my computer, which is not in a highly secure environment protected by three layers of carefully vetted and armed guards (who would be no match for the US Military anyway). Someone could force ProtonMail to sneak a hack into their JavaScript code that downloads to each user who encrypts or decrypts email, where the hack leaked the data to someone else. Someone could send a couple of goons to visit me, who could easily get whatever they want out of me after less than a minute of physical brutality.

    But ... so far at least ... I don't see any way for the NSA to bulk collect and read such email, and I don't see a way for a less well-funded organization to look at my email without my knowledge.
    My quite dormant website: pauljackson.us


  Post #2 by ThePythonicCow (Administrator, North Texas)

    A couple of weeks ago, in the thread A somewhat more secure method for text chatting on the Web than Skype or iChat , I lamented that:
    Quote Posted by Paul (here)
    The key remaining problem is how to share that password, without it being logged by the NSA's massive computers while it passed over the Web as plain text.
    If everyone involved in a chat has a ProtonMail account, then that solves the password problem. Send a password via ProtonMail, and then enjoy the Spartan (simple), but reasonably secure from bulk NSA spying, ChatCrypt.
    My quite dormant website: pauljackson.us


  Post #3 by Anchor (Avalon Member, NSW, Australia)

    Good write up, and it looks like an interesting service. I have a few questions.

    When you use the service, will you be disguising your source IP and the ISP you use with TOR or similar?

    Where do the keys reside?

    How are the random numbers generated - is this done in JavaScript?

    Is the source code open for review?
    -- Let the truth be known by all, let the truth be known by all, let the truth be known by all --


  Post #4 by ThePythonicCow (Administrator, North Texas)

    Quote Posted by Anchor (here)
    Good write up, and it looks like an interesting service. I have a few questions.

    When you use the service, will you be disguising your source IP and the ISP you use with TOR or similar?

    Where do the keys reside?

    How are the random numbers generated - is this done in JavaScript?

    Is the source code open for review?
    I don't currently disguise my IP address, nor do I use TOR. I don't have a need for such, personally, and TOR has its limitations. Sufficiently large adversaries, able to monitor large portions of the network and provide many TOR exit nodes that are under their control, can track traffic flow across TOR, and also view a substantial portion of the traffic on exit. If I did have such needs for anonymous communication, I'd research I2P further.

    The password for decrypting your incoming email never leaves your local computer when exchanging email with other ProtonMail clients. ProtonMail has your public key, and sends that down to any other Proton client composing an email to send to you, so that they can encrypt the email that they are sending you locally, within their browser, before it leaves their computer.

    I have not seen any comments from ProtonMail about their choice of random number generators; so that is likely still an issue, one that the developers at ProtonMail likely know about, but which lacks good answers.

    ProtonMail presents an overview of their security features here: Proton Security Details.

    Your questions are excellent questions. ProtonMail does do encryption in the client browser using JavaScript, and this is not something I'd want to bet my life on. Doing JavaScript encryption when your threat matrix includes a focused attack by the NSA is rather like a bunch of Jihadists in pickup trucks going up against the US Army's M1 Abrams main battle tank. Whichever pickups the tank targets are toast.

    Here's a good article on ProtonMail's security limitations: Is email encryption, as claimed by ProtonMail, possible?, which contains a link to another article on the limitations of doing cryptography within JavaScript: Javascript Cryptography Considered Harmful.
    My quite dormant website: pauljackson.us


  Post #5 by ThePythonicCow (Administrator, North Texas)

    Quote Posted by Paul (here)
    At some point, perhaps already, once they have enough server hardware online, the waiting time will be reduced to open a new account.
    ProtonMail announced on their blog on December 17, 2014, that they had just finished a major round of infrastructure upgrades, and would be inviting almost everyone in the queue over the next month. Looks like I got in right at the end of that month.

    Hopefully, those who Request an Invite now will not have to wait five months as I did.
    My quite dormant website: pauljackson.us


  Post #6 by Maunagarjana (Avalon Member, California)

    Thanks, Paul. I've been looking for something like this. I've been using Hushmail, which is flawed, but still better than most.

    I'd like to share a few things I've become aware of ... not email, but other stuff.

    ChatCrypt: https://www.chatcrypt.com/ (which you posted about already, Paul)

    Bitmessage: https://bitmessage.org/wiki/Main_Page

    PirateSnoop: https://piratesnoop.com/

    MegaChat: http://techcrunch.com/2015/01/21/megachat/
    Last edited by Maunagarjana; 23rd January 2015 at 12:23.
    "The total number of minds in the universe is one." - Erwin Schrödinger


  Post #7 by WhiteFeather (Avalon Member)

    Thanks Paul. I'm awaiting my new email name. Gonna give it a try.
    "Although I Live On This World, I Choose Not To Live In It"
    <:~W.F.~:>

    "The answer to every question can be found in nature, if one knows how to look and listen”
    Gwilda Wiyaka

    "Everything on the Earth has a purpose, Every disease a herb to cure it, and every person a mission. This is the Indian theory of existence".
    Mourning Dove Salish



  Post #8 by ThePythonicCow (Administrator, North Texas)

    Aha - interesting - bitmessage looks like it might be a better way to send passwords, such as for chatcrypt sessions, and megachat looks like it is rapidly becoming a more feature rich chat alternative (sort of the features of Skype plus the security of chatcrypt).

    Thanks!
    My quite dormant website: pauljackson.us


  Post #9 by Anchor (Avalon Member, NSW, Australia)

    Quote Posted by Paul (here)
    I don't currently disguise my IP address, nor do I use TOR. I don't have a need for such, personally, and TOR has its limitations. Sufficiently large adversaries, able to monitor large portions of the network and provide many TOR exit nodes that are under their control, can track traffic flow across TOR, and also view a substantial portion of the traffic on exit. If I did have such needs for anonymous communication, I'd research I2P further.
    I am aware of the limitations of TOR, but the fact is, despite those limitations it is useful.

    In this instance, the main reason to use TOR is to prevent protonmail.ch operators themselves having access to your IP address. This information would be a primary input into figuring out who talks to whom. (Assuming that the JavaScript isn't sending the data in from your client anyway - and then you just fingered yourself as a TOR user!)

    Quote Posted by Protonmail.ch
    No tracking or logging of personally identifiable information.

    Unlike competing services, we do not log user activity. We do not save any metadata such as the IPs used to connect to accounts.
    I simply do not believe this and I recommend you don't either - it isn't readily provable one way or the other. Even if they are not logging it, you can bet someone else will be.

    Since it is already javascript heavy, you already gave your permission to run javascript from that site, so getting your browser fingerprint is trivial. It could also be logged by them and that is a good way of getting yourself tracked and identified - unless you took steps to avoid that. (TAILS helps here).

    I'm not knocking protonmail.ch, a service like this is sorely needed and this one is a great start, but I would not use it in the kind of situations where the consequence of compromise would mean serious harassment for you and who you have been talking to.

    I have to be honest and state that my first instinct, when I read this thread, was that this service would have the effect of being a "honeypot trap" (even if the original creators did not intend this).
    Last edited by Anchor; 24th January 2015 at 06:32.
    -- Let the truth be known by all, let the truth be known by all, let the truth be known by all --


  Post #10 by AlaBil (Avalon Member)

    Quote Posted by WhiteFeather (here)
    Thanks Paul. I'm awaiting my new email name. Gonna give it a try.
    Ditto this for me. Thanks again Paul.


  Post #11 by ThePythonicCow (Administrator, North Texas)

    Quote Posted by Paul (here)
    The password for decrypting your incoming email never leaves your local computer when exchanging email with other ProtonMail clients. ProtonMail has your public key, and sends that down to any other Proton client composing an email to send to you, so that they can encrypt the email that they are sending you locally, within their browser, before it leaves their computer.
    My saying that "the password for decrypting ... never leaves your local computer" is a bit oversimplified.

    More accurately (but speculatively ... see below) stated:
    Incoming email is encrypted using public/private keys. Your private key is kept on your local computer (as it should be).

    The first of the two passwords you have with ProtonMail is used to login to the ProtonMail.ch website, and is used to establish your "identity" there. While you're logging into the ProtonMail.ch server, your public key is sent to the ProtonMail server, available for others who want to use the ProtonMail server to send encrypted email to your ProtonMail account.

    When someone tries to send an email message via the ProtonMail web server to your ProtonMail account, their web browser automatically obtains your public key (the one most recently associated by the server with your ProtonMail account, the last time you logged in). Their web browser downloads your public key to their computer, and encrypts the message they are sending to you. Then their web browser uploads the encrypted message (which only your computer, holding the matching private key, can decrypt) and places the encrypted message in your ProtonMail Inbox, waiting for you to decrypt and read it.

    Your private key is kept locally on your computer, unavailable to anyone else, and is kept encrypted using the second password for your ProtonMail account.

    When you login to ProtonMail, during the login process, ProtonMail is able to verify that you provided the correct second password by sending your computer (silently, during the login process) a somewhat random message, already encrypted with your public key. Your web browser, during the login process, takes the second password you gave it, decrypts your private key, gets that somewhat random message from the server, decrypts it, and sends it back as plain text (plain, except that it's still inside the SSL encryption, of course). The ProtonMail server compares that returned somewhat random message with what it just encrypted and sent you, and determines if your computer can successfully decrypt a message that was encrypted using your public key. If that check fails, you see an error message, indicating that the second password you just entered is incorrect.
    ... Now you can see why I "oversimplified" this and just said "the password for decrypting ... never leaves your local computer" .

    Note however ... what I describe above is partially speculation on my part. I haven't yet found a document that spells out the above details entirely. What's on their website seems to have gone through a "marketing filter", to remove the excessive geek content and to add some security theatre, such as mentioning that their disks are encrypted, which should matter little, as the messages on those disks are already well encrypted with keys whose private half, the half needed to decrypt them, they don't have.

    I had to mentally redesign what I think would be a decent system, that fits all the properties and behaviours that I have observed so far.
    Last edited by ThePythonicCow; 24th January 2015 at 06:24.
    My quite dormant website: pauljackson.us


  Post #12 by ThePythonicCow (Administrator, North Texas)

    Quote Posted by Anchor (here)
    Quote Posted by Protonmail.ch
    No tracking or logging of personally identifiable information.

    Unlike competing services, we do not log user activity. We do not save any metadata such as the IPs used to connect to accounts.
    I simply do not believe this and nor should you, and it isn't readily provable one way or the other. Even if they are not logging it, you can bet someone else will be.
    I agree - that claim (no logging) is not one that I trust either. If I wanted to obfuscate who I was (my IP, if not more) then as I stated I would investigate I2P further.

    If I had something to communicate that was seriously threatening to any of the bastards in power or their minions, I would probably not put it on ProtonMail. Rather I would design a custom scheme, doing my best to have critical parts, such as keys, passwords and/or one time pads, disappear entirely from the Internet, *before* there was much chance that I was "on their radar" for custom tracking, and if possible also having some critical parts shipped or postal mailed or hand delivered, so that even if they had a perfect record of every byte that traversed the Internet (which I doubt they do), they would still be missing critical pieces.

    Of course, the degree to which I could engage in such security measures could easily be compromised by (1) time constraints, (2) technical skill levels of those I was trying to communicate with, and/or (3) more capability available to the bastards in power than I realized.

    Quote Posted by Anchor (here)
    I have to be honest and state that my first instinct, when I read this thread was that this service would have the effect of being a "honeypot trap" - (even if the original creators did not intend this).
    There is that risk, yes.

    One possible way to determine how serious this risk is: observe how successful they are. For example, it might not have been obvious that Google was "useful" to the intelligence agencies early in the history of Google ... but it's hard to ignore that likelihood now.

    This can be a two edged sword, however. Some of the more "useful" whistleblowers, software tools, organizations, and security measures get extra "street cred" (credibility) by enduring an apparent series of attacks from the bastards in power (which attacks may well have been deliberately intended, just so as to have that effect.)

    Certainly the "marketing speak" in the ProtonMail web pages doesn't speak to my inner geek.

    We are engaged in a long running game, with incomplete knowledge. Such is life ... thousands and thousands of years of life.
    My quite dormant website: pauljackson.us


  25. Link to Post #13
    ThePythonicCow

    Default Re: Secure, encrypted, easy to use, free email: ProtonMail

    Quote Posted by Anchor (here)
    In this instance, the main reason to use TOR is to prevent protonmail.ch operators themselves having access to your IP address. This information would be a primary input into figuring out who talks to whom. (Assuming that the JavaScript isn't sending the data in from your client anyway - and then you just fingered yourself as a Tor user!)
    ProtonMail necessarily knows -exactly- who talks to whom, at least to the level of their accounts on ProtonMail. The ProtonMail server has to provide the public key for the intended recipients of each message to the sender, at the time that the sender is composing and encrypting the message on their computer.
    Last edited by ThePythonicCow; 24th January 2015 at 06:28.

  27. Link to Post #14
    ThePythonicCow

    Default Re: Secure, encrypted, easy to use, free email: ProtonMail

    One more detail ... the mandatory use of SSL (https) makes it more difficult for casual geeks such as myself to snoop the packets on the wire, to detect improper data leakage.

  29. Link to Post #15
    Tesla_WTC_Solution (Unsubscribed)

    Default Re: Secure, encrypted, easy to use, free email: ProtonMail

    Heh - Paul, we were watching CONGO the other night.
    Of course the movie sucks, but the book talks all about cable issues, internet security,
    the concept of the "piggyback slurp" technique of simply stealing from wire rather than snooping,
    lmao.

    edit: for those of us who have "missed" emails and caught it due to forwarded emails from someone else,

    it ain't funny any more @@
    Last edited by Tesla_WTC_Solution; 24th January 2015 at 20:50.

  30. Link to Post #16
    13th Warrior

    Default Re: Secure, encrypted, easy to use, free email: ProtonMail

    Hi Paul,

    What's your opinion on Start Page and do you know if they have their e-mail service up and running beyond an initial trial basis?
    “Bundinn er bátlaus maður”

  31. Link to Post #17
    ThePythonicCow

    Default Re: Secure, encrypted, easy to use, free email: ProtonMail

    Quote Posted by 13th Warrior (here)
    What's your opinion on Start Page and do you know if they have their e-mail service up and running beyond an initial trial basis?
    Good question.

    The company that makes Ixquick ("The World's Most Private Search Engine") and StartPage, which are quite similar (see here for a description of the differences), has started a secure email product called StartMail.

    They put StartMail into beta in late 2013, and launched it for general use in late 2014 at the Privacy Identity Innovation conference (pii2014).

    Here are the major differences I see, on first glance, between StartMail and ProtonMail:
    • StartMail has about a one year head start, so is a more mature product.
    • StartMail has a more "obvious" business model - you pay them $60 per year for an account, whereas ProtonMail is free for the basic account (so will need to earn money some other way.)
    • StartMail has a decent Technical White Paper explaining how it works: StartMail Technical White Paper (pdf). ProtonMail only has marketing pablum (that I've been able to find, so far.)
    • StartMail can be accessed via IMAP. This is a more secure and useful (for geeky types like myself) means to download email automatically, but it is geeky, as can be seen by these Instructions for using StartMail IMAP encryption in Apple Mail.
    • StartMail keeps the crypto keys on their server, not on your local computer. This is a weaker security model. Only SSL (https) protects your email going over the web, and that is not thought to be a very strong (NSA resistant) encryption. You must essentially trust StartMail with the plain text of your messages, and trust that they will never, by coercion, by a stealth hack, or maliciously, leak them. You cannot possibly validate that StartMail is keeping your messages secret. On the other hand, one could, at least in theory, read and understand the JavaScript that ProtonMail uses to encrypt your messages locally, before sending them, and verify that your message is not being leaked, prior to its local encryption, by a much stronger encryption method than SSL. It would be significantly more difficult for ProtonMail to leak your messages with this architecture.
    • On the third hand, the computing environment provided by JavaScript running in a web browser is significantly less suitable for secure cryptography work than the typical server environment, opening the way to security compromises by other means.
    ===

    In StartMail's favor, by choosing to perform encryption on their server, rather than using JavaScript in the client's web browser, it avoids some significant problems attempting to perform cryptography using JavaScript within a browser.

    The above mentioned StartMail Technical White Paper (pdf) spells out these problems (quoting them):

    =======
    Among the reasons for rejecting client-side cryptographic operations are:
    • Browser JavaScript is not ready for cryptography in terms of programming primitives such as a reliable source of random numbers, mathematical functions etc.
    • The malleability of the JavaScript runtime environment means that auditing the future security of a piece of JavaScript code is impossible: the server providing the JavaScript could easily place a backdoor in the code, or the code could be modified at runtime through another script. This requires users to place the same measure of trust in the server providing the JavaScript as they would need to do with server-side handling of cryptography.
    • JavaScript is executed in an environment (the browser) over which the programmer has extremely little control. In these conditions it becomes hard or impossible to perform secure memory management, protect against timing attacks, and so forth.
    In simpler terms: JavaScript is a poor environment for handling such a delicate operation as cryptography.
    =======

    This StartMail Technical White Paper (pdf) has a more extensive discussion of the various technical trade-offs, and is well worth reading, for those who have the interest and sufficient technical background to make sense of it.

    There is a short review of StartMail at My Review of Startmail Beta (Paul Bauer)

    ===

    In my summary:
    • It is not possible to know which provides better security. Either one, StartMail or ProtonMail, could compromise your email, if they were themselves compromised somehow.
    • ProtonMail has in theory a "better" security model (keeping the private key local to your local computer), but depends on a less secure computing environment (JavaScript within your browser), than StartMail.
    • StartMail has been around for about a year longer, so is a more mature product.
    • ProtonMail basic services are free, whereas StartMail costs $60 per year.
    Last edited by ThePythonicCow; 26th January 2015 at 02:44.

  33. Link to Post #18
    13th Warrior

    Default Re: Secure, encrypted, easy to use, free email: ProtonMail

    Thank you Paul; very succinct, as always!

  35. Link to Post #19
    Camilo

    Default Re: Secure, encrypted, easy to use, free email: ProtonMail

    Thank You Paul. I'll give it a try.


  37. Link to Post #20
    Star Tsar

    Default Re: Secure, encrypted, easy to use, free email: ProtonMail

    Thanks Paul got my account today
    I for one will join in with anyone, I don't care what color you are as long as you want to change this miserable condition that exists on this Earth - Malcolm X / Tsar Of The Star
