protonmail beta

General cryptography discussions not related to DIME or Magma Classic
moss
Posts: 14

protonmail beta

Post#1 » Thu Feb 12, 2015 4:51 pm

looks like protonmail is in beta. They just sent invite out this morning for my new account.

Here's their security info page with requisite lock icons aplenty:
https://protonmail.ch/pages/security-details

KlassikElektronik
Posts: 54

Re: protonmail beta

Post#2 » Fri Feb 13, 2015 11:17 am

So is it a service like https://posteo.de ? Personally, I wouldn't trust any company, but setup my own service. Find some friends who are with you on this one (they know and deserve anyway), rent vroot for 5-10$/month and let's go :) I'd preferably do this with DIME, not Magma Classic, because they keys are not on the server then, and of course less metadata.
Roman Empire died bot because of lead pipes (Calc layer resulted very fast and protected), but it died because of its moral. Many people who sold themselves and their people out regretted it forever. What is money compared to the future of your people.

moss
Posts: 14

Re: protonmail beta

Post#3 » Fri Feb 13, 2015 5:02 pm

It is a service. I'm excited to start my own, but not excited about endpoint security. Just routine checking my auth.log at my home server today revealed an attempt to crack my root password. The log file was 40+Mb of denied access to some ip in germany. I think I will leave that to people who get paid for it.

Protonmail is striving valiantly to ignore the warnings about doing security related code in javascript. They don't make any attempt to sign or validate their javascript ( can you even do that? ). So no guarantees that the code you are running is what they intend. But if you make that leap, then they make you feel good that they have two layers of passwords, one to open and access your account, another to access your messages. So they claim your messages are encrypted at rest on the server.

Interesting that they have a spam folder. Wondering how they accomplish that. Didn't see a spam filter in the the javascript code, though it's obfuscated.

It is easy to use. They have a feature to send arbitrary one-time password protected mails with expiration times. Of course no meta data protection. It is pretty usable web-mail though. It would be an improvement over gmail, if people switched en-masse. Though the false pretention of security can be worse than no promise at all.

Skomorokh
Posts: 2

Re: protonmail beta

Post#4 » Fri Feb 13, 2015 8:02 pm

As a webmail service it's quite usable; on the front-end it's well designed and the performance is getting better. While to my knowledge Tutanota is the only comparable service to have as of yet deployed mobile apps (iOS, Android), ProtonMail has theirs upcoming as well, also their recent certificates upgrade seems a good sign. From a branding and PR perspective they've had a very good start, rallying buzz and an enthusiastic following. For the time being I'm enjoying following it and testing it out against others e.g. LavaBoom when it comes out more etc.

That all said, yes, all of these new players are still building JS-based encryption on top of email as it fundamentally exists today; no metadata protection... and at this early stage, for them taking market share is kind of like battling for the middle-ground between how much convenience people will be willing to give up, more to get out of Google's ecosystem perhaps than anything else, without asking them to change their email behaviors fundamentally... however large or small that total addressable market might be. I for one find myself applauding more the spirit of them than using them in practice, because that leads me to want to have more convenience and functionality out of them than they can currently offer (e.g. "Oh, but I can't connect my mobile mail client to it"... "Oh, but there's no integrated calendar that I can moreover read / write to from my mobile devices"... "Oh, but the 2 deeply email-integrated CRMs I use (each for a different requirements set) can't connect to it" etc.). So it all ends up feeling like an increasingly usable, increasingly attractive-looking and good-feeling, class of tools that nonetheless don't fundamentally give the desired level of privacy and security options that brought them on my radar to begin with. I end up just reminded that for many things, it's kind of hard to get folks out of Google's ecosystem if they've been thoroughly pulled into its many services for a few years, partly per many 3rd parties having built their things off of them. It does, however, prompt one to think critically about how much one really needs and wants secure email, similar to how SilentCircle's suite of tools do regarding use of encrypted phone calls or text messages, and in so doing to make decisions about what constitutes security or not.

One interesting read:
http://paginas.fe.up.pt/~ei09128/2014/07/protonmail/

In any case, and certainly the more surveillance stays in the news, at least some of these platforms likely keep growing when many consumers want to have their cake and eat it too between privacy and convenience (and it's a question of that more than one of usability), similar to how they want to between privacy and (free) publishing / sharing capability on social platforms. Email has conditioned people out of the patience for the "mail" part i.e. something one can handle waiting until one gets home or to the office to check, and arguably out of developing good reading and writing skills a bit too.

On that note perhaps one fringe benefit, or side effect, of DarkMail will be the attraction of a class of users whose levels of average literacy hearken back to the days when mail used to be the actual writing of letters... The irony of course being that there would be no way to evidence for or against that either way. ;)

raellic
Posts: 1

Re: protonmail beta

Post#5 » Fri Oct 02, 2015 2:04 pm

moss wrote:[snip]
Protonmail is striving valiantly to ignore the warnings about doing security related code in javascript. They don't make any attempt to sign or validate their javascript ( can you even do that? ). So no guarantees that the code you are running is what they intend. But if you make that leap, then they make you feel good that they have two layers of passwords, one to open and access your account, another to access your messages. So they claim your messages are encrypted at rest on the server.
[snip]


For validation, I use a SHA-256 javascript to validate the hashes of all the script files against what is on the server. If the validation fails, the user gets a prominent warning that the script files have been altered in transit. I also post the hashes of the javascript files for users to evaluate against what their browser actually downloaded. I suppose the government could pause the HTTP request and alter both the hash values and the javascript on the fly, but any changes in the scripts would cause the encryptor to fail and any exfiltration of data to an unrelated server would be visible in Wireshark.

Return to “Crypto Cafe”

Who is online

Users browsing this forum: No registered users and 1 guest

cron