Security → ProtonMail - Secure Email (NSA Proof?)

I didn't recall seeing anything on this here as of yet. Any input/feedback/general thoughts on this product?

Article Here

Product "ProtonMail" Here

-Mori-

Nothing software wise is hack proof.The nsa and all other intelligence agencies use and employ hacking and hackers.Could it be extremely resistant sure. NSA proof nope not even close.People here on this forum alone could gain access. I could for sure name 1 or 2 and likely 8 or 9 others.

I don't believe in superpowers (e.g. US's NSA). If you want to send an NSA-proof correspondence, pack you mail content with PGP encryption (AES-256) and send it to your recipient. That's it, content is protected (metadata could be another story to talk about). There is no evidence, that NSA cracks AES-256 so far. Rumors or far-fetched speculations don't count.

Disclaimer - I'm not familiar with ProtonMail service, thus can't comment on it. But let me know, why it's not secure? I'm interested in exact details...

Moriarte , thank you for the link to the article. If people start using solutions like that on a daily basis, I think we all benefit... as we all do from envelopes, used for snail mail correspondence.

If you don't have control over the encryption keys the only entity you can be sure it's secure from is yourself.

So, with ProtonMail the key is not locally controlled?

"Unlike existing solutions, we have completely abstracted away the complex cryptography to make the encryption and decryption completely invisible to user,” Stockman told Cryptocoins News earlier this month after its private beta launched. “There’s no software to install and no keys to generate — it’s just like using Gmail, but way more secure.”

Right on target .... like OP subject "ProtonMail - Secure Email (NSA Proof )" Indeed !!!

Snowy , thank you for clarification. In this case, of course, it's not secure. It should be sole responsibility of the user to create and apply its own envelope for his/her letters. If you ask others to do it for you, you can't expect any security and/or privacy...

Not to thread crap but this post reminded me of the true solution... enter StartMail to the rescue? You've got to watch the video, it was cracking me up.

quote:

---

ProtonMail's segregated authentication and decryption system means logging into a ProtonMail account that requires two passwords. The first password is used to authenticate the user and retrieve the correct account. After that, encrypted data is sent to the user. The second password is a decryption password which is never sent to us. It is used to decrypt the user’s data in the browser so we never have access to the decrypted data, or the decryption password. For this reason, we are also unable to do password recovery. If you forget your decryption password, we cannot recover your data.

...We support sending encrypted communication to non-ProtonMail users via symmetric encryption. When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser which they can decrypt using a decryption passphrase that you have shared with them.
»protonmail.ch/pages/secu ··· ails.php

---

Looks like ProtonMail users do control encryption keys?

Dark Mail could be an interesting solution, check out who is involved:
»darkmail.info/
»www.slate.com/blogs/futu ··· nce.html

How does all this compare to Hush Mail, which has been around for quite a while?
»www.hushmail.com/

»www.ssllabs.com/ssltest/ ··· nmail.ch

They can't even configure their webserver properly for SSL/TLS. It makes you wonder what else they're doing wrong.

They also appear to be running on some really outdated software.

No, for the purpose of Protonmail the user does not control the encryption keys.
The user controls a password but that doesn't control the decryption key which is still the Holy Grail or Achilles Heel, depending on your view, of the system.

Edit to clarify: The user only has control over the users use of content but ProtonMail has the ultimate control of the content.

OK thanks!