Jump to content

Proton Mail

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Jonathanriley (talk | contribs) at 16:02, 28 February 2015 (insert 'Mailbox Password. rm ref to btc, which doesn't belong at so prominent a point in the article, if indeed it belongs in the article at all. (And I'm a btc user. :-) )). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Protonmail
Official ProtonMail logo.
Official ProtonMail logo.
Securing Privacy Rights for Everyone
Type of site
Webmail
Available inEnglish
Created byAndy Yen, Jason Stockman, Wei Sun
URLprotonmail.ch
CommercialYes
RegistrationRequired
Users250,000 (August 2014)[1]
Current statusActive

ProtonMail is a free web-based encrypted email service founded in 2013 at the CERN research facility by Jason Stockman, Andy Yen, and Wei Sun.[3][4] ProtonMail is designed as a zero knowledge system, using client-side encryption to protect emails and user data before they are sent to ProtonMail servers, in contrast to other common webmail services such as Gmail and Hotmail. ProtonMail servers are located in Switzerland, outside of US and EU jurisdiction.[5] The service received initial funding through a crowdfunding campaign, and will be sustained long-term by multi-tiered pricing, although the default account setup is free.

ProtonMail has approximately 250,000 users as of August, 2014.[6]

Features

ProtonMail accounts use two user passwords; the first -- the Login Password [7] -- authenticates the user into the ProtonMail system and the second -- the Mailbox Password [7] -- is used to decrypt the user's electronic mailbox. This decryption takes place client-side in a web browser. The second password is known only to the user; as ProtonMail's servers hold the user's data in encrypted form, password recovery is not possible nor can ProtonMail decrypt user messages under a court order.[8]

Similar to Snapchat, ProtonMail also includes a message expiration feature: messages can optionally self-destruct from the ProtonMail system after a period of time.

Design

Distribution of ProtonMail servers in Switzerland.

Security

ProtonMail uses a combination of public-key cryptography and symmetric encryption protocols to offer end-to-end encryption. When a user creates a ProtonMail account, their browser generates a pair of public and private RSA keys. The public key is used to encrypt the user's emails and other user data. The private key, which is capable of decrypting the user's data, is symmetrically encrypted with the user's mailbox password in the user's web browser using AES-256. The public key and the encrypted private key are then both stored on ProtonMail servers. Thus, ProtonMail only stores decryption keys in their encrypted form, so ProtonMail developers are unable to retrieve user messages.[9]

ProtonMail-ProtonMail messages are then encrypted with public mailbox key of the recipient. Once a user logs in, their mailbox password decrypts their private key, revealing their Inbox. ProtonMail to non-ProtonMail email addresses are handled with or without encryption. Without encryption, the emails will be sent in clear text. With encryption, the message is encrypted with AES under a shared password, distributed in advance between the two parties. The non-ProtonMail recipient receives a link which takes them to the ProtonMail website. Once the pre-shared password is supplied, the email is decrypted in the web browser.[9] Emails from non-ProtonMail address to ProtonMail are sent in clear text.

Attacks

A video demonstrating a cross-site scripting attack was shown in July 2014.[10] The ProtonMail developers reviewed the video and confirmed that the issue only affected an early development version of ProtonMail that was released in May 2014, and the attack did not affect the current version.[11]

Server architecture

Architecture of a ProtonMail datacenter.

ProtonMail administrators maintain and own their own server hardware and network to avoid trusting a third party. In response to overwhelmed servers, in mid-2014 ProtonMail founders began expanding server architecture.[12] The service is currently powered by two redundant datacenters in central and western Switzerland. Each datacenter uses load balancing across web, mail, and SQL servers, redundant power supply, hard drives with full disk encryption, and exclusive use of Linux and other open-source software.[13] ProtonMail also joined the RIPE NCC in an effort to have more direct control over the surrounding Internet infrastructure.[14]

Transport Layer Security (TLS) is used to secure and encrypt all Internet traffic between users and ProtonMail servers. A whitepaper and source-code are coming soon, according to the developers.[9][15] Protonmail.ch holds an "A" rating from Qualys SSL Labs.[16]

Interface

ProtonMail uses a web-based interface, similar to Gmail. Users also have the ability to set expiration dates for emails and encryption passwords for outgoing emails to non-ProtonMail users.[8]

History

ProtonMail was created in response to the 2013 disclosure of global surveillance and interception of email by the NSA, and is inspired by Gmail, Lavabit, and Snapchat.

Crowdfunding

On June 17, 2014, ProtonMail started a crowdfunding campaign via Indiegogo with the goal of raising $100,000 USD. On June 30, 2014, the PayPal account of ProtonMail was frozen, preventing withdraw of $251,721 worth of donations in the account. A representative of PayPal stated that the company froze the account over the doubts of the legality of the encryption, statements that were unfounded.[17][18] The restrictions were lifted the following day.[19] The campaign ended on July 31, 2014 with a total of $550,377 raised from 10,576 donors.[20]

See also

References

  1. ^ "Join Us". Retrieved 2014-08-17.
  2. ^ "ProtonMail.ch Site Info". Alexa Internet. Retrieved December 26, 2014.
  3. ^ Biggs, John (2014-06-23). "ProtonMail Is A Swiss Secure Mail Provider That Won't Give You Up To The NSA". TechCrunch. Retrieved 2014-07-01.
  4. ^ Suberg, William (2014-06-30). "ProtonMail collects over US$10,000 in BTC donations in 6 weeks". Retrieved 2014-07-01.
  5. ^ "Why Switzerland?". 2014-05-19. Retrieved 2014-07-01.
  6. ^ "Join Us". Retrieved 2014-08-17.
  7. ^ a b "ProtonMail: faq5".
  8. ^ a b http://thehackernews.com/2014/05/protonmail-nsa-proof-end-to-end.html
  9. ^ a b c https://security.stackexchange.com/questions/58541/how-are-protonmail-keys-distributed
  10. ^ http://vimeo.com/99599725
  11. ^ https://protonmail.ch/blog/update-reported-xss-issue/
  12. ^ "Über-Secure ProtonMail Beta Maxes Out Servers in Just 60 Hours".
  13. ^ "ProtonMail: Infrastructure Upgrades".
  14. ^ "ProtonMail joins Réseaux IP Européens (RIPE NCC)".
  15. ^ https://protonmail.ch/blog/protonmail-threat-model/#comment-509
  16. ^ "SSL Report: protonmail.ch".
  17. ^ Halfacree, Gareth (2014-07-01). "ProtonMail hit by PayPal account freeze". Retrieved 2014-07-01.
  18. ^ O'Neill, Patrick Howell. "PayPal freezes account of email encryption startup ProtonMail [Update]." The Daily Dot. July 1, 2014. Retrieved on July 1, 2014.
  19. ^ "Paypal Freezes ProtonMail Campaign Funds".
  20. ^ "IndieGoGo: ProtonMail".
Retrieved from "https://en.wikipedia.org/w/index.php?title=Proton_Mail&oldid=649241058"