Insights For Success

Strategy, Innovation, Leadership and Security

Hotmail

Review of encrypted email provider Protonmail

General | Edward Kiledjian

Why would anyone use Protonmail instead of Gmail or Hotmail? SECURITY

Email is inherently insecure, and if you are a political dissident whose online communications can mean the difference between living and dying, don't use email. For everyone else looking for an easy and secure email solution, keep reading about Protonmail.

Everyone needs to understand that SMTP was not designed to be secure and will always have security weaknesses.

We use email because we don't have a choice and everyone agrees it won't be displaced tomorrow.

The other major issue faced by secure service providers is ease of use. PGP is a good example of strong, unbreakable email encryption that never became mainstream because it was simply too complicated for the mortal man.

Absolute security is impractical and will never gain widespread adoption, so good security should be the goal for most services.

There is always a tradeoff between usability and security; the difficulty is finding the right balance.

So what does Protonmail offer?

The bright scientists behind Protonmail understand the fine balance they must find between usability and security. Make the product too secure and no one will use it (aka bankruptcy); make it extremely user friendly but not secure and you become a me-too email provider.

They have chosen to implement good enough security which makes encryption generally accessible to the masses while protecting against unauthorized government seizure or mass surveillance.

What are the weaknesses of Protonmail?

Read my blog post about the Vault7 leaks (here) and you will realize that when government is stifled by strong encryption (WhatsApp, Signal, etc.), they compromise the endpoint and extract the information pre/post-encryption.

Protonmail does not protect you if your endpoint is compromised. It would be unreasonable to assume any secure online service could protect you from this type of attack. If you want maximum endpoint security, learn about real security protocols and use a secure operating system like Qubes OS.

Nation-state-level man-in-the-middle attack. Protonmail implements all of the controls to prevent a common man-in-the-middle attack, but a nation-state actor with the ability to redirect your web traffic and generate real "fake" TLS certificates could theoretically intercept your traffic, ask you for your username/password, then use those to access your account and decryption keys. Let's be clear that your garden-variety hackers (even those that are extremely skilled) won't be able to pull this off. This would require skills, money and huge technical capabilities to reroute internet traffic and generate encryption certificates.

Intelligence break-in. With all the talk about government backdoors, the third major weakness of Protonmail (and all other secure service products you did not write yourself) is the fear that a nation-state actor would somehow infiltrate Protonmail and then implement "special" code that sends bad encryption code to the users, thus allowing the threat actor to access unencrypted versions of the messages. Protonmail has stated that they have multiple controls in place to protect against this type of attack. They scan servers for unauthorized code changes.

Some nice features of Protonmail

Protonmail is a company based in Switzerland. Any government request for information would have to be made there under Swiss law, which is very protective of private information (the USA cannot issue a National Security Letter to force the company to turn over information and hide the request from the user).

In the rare situation that a government were to spend the money and convince the Swiss court to compel Protonmail to turn over user information... Protonmail uses "Zero Access Cryptography" which means they do not hold the encryption keys and therefore can only turn over encrypted information. 

Protonmail supports (and you should use) 2-factor account authentication. This means that in addition to something you know (your username and password), you need something you have (a time-based authentication code generated by an authenticator app such as Google Authenticator or Authy).

If you want to send something more secure than normal email to a non-Protonmail user, you can create a Protonmail hosted message that requires a password to open (obviously don't send the password using email) and can even have a fixed expiry date. 

Creating a password for the secure "hosted" email

Setting an expiry time for the message

Protonmail stores user-based encrypted authentication logs. This means you can see when your account was logged into and from which IP address. You can turn this off if you don't want this captured. Protonmail does not capture or log your IP anywhere else.

The ProtonMail service has internal authentication logs. When I say internal, I mean that these details are available only to the account owner, and are recorded and encrypted with all the other data inside the account. As I mentioned earlier, Proton Technologies AG doesn’t log IP addresses, but this information can be logged inside your web client session. If you don’t need them, just wipe the logs and switch to basic mode which doesn’t record info on the IP addresses you logged in from.

Basic stores login dates/times only. Advanced also stores the IP address from where you logged in. The choice is yours. You can always download this information or securely erase it.

No user profiling. When you use a free service, the provider is analysing your data in depth and building a detailed profile of you. Protonmail doesn't do this, since everything is encrypted.

They encrypt all non-Protonmail emails immediately upon ingestion.

Emails that come from third party email providers obviously cannot be delivered with end-to-end encryption, but upon reaching our mail servers, we will encrypt them with the recipient’s public key before saving the messages. All this is done in memory so that by the time anything is permanently stored to disk, the email is already unreadable to us.

This is good for security but limits what they can do for SPAM control. In a blog post, they explain what they do to help fight SPAM:

  1. They check the IP address of the incoming SMTP server against known blacklists
  2. They pass all messages through their own Bayesian filter marking suspicious emails as SPAM
  3. They generate a checksum for each email message and verify this checksum against known SPAM messages
  4. They verify the authenticity of the email using standard protocols (SPF, DKIM and DMARC)
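Three of those four checks run over a constructed inbound message, as an added example that is not Protonmail's code: the connecting IP from the topmost Received header is compared with a blocklist, a normalised body checksum with a set of known-spam hashes, and the SPF/DKIM/DMARC verdicts are read from the Authentication-Results header that the receiving mail server stamped. The Bayesian filter is left out because it needs a trained corpus; the message, IP and hostnames are constructed sample data.

```python
import email
import hashlib
import re
from email import policy

# Constructed inbound message, roughly as a mail server receives it over SMTP.
SAMPLE_MSG = b"""\
Received: from mx.example.net (mx.example.net [203.0.113.7])
 by mail.example.org with ESMTPS; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mail.example.org; spf=pass smtp.mailfrom=example.net;
 dkim=pass header.d=example.net; dmarc=pass header.from=example.net
From: alice@example.net
To: bob@example.org
Subject: Hello

Meeting moved to 3pm.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def connecting_ip(msg):
    """IP of the server that handed us the message (topmost Received header)."""
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[0]) if received else None
    return match.group(1) if match else None


def body_checksum(msg) -> str:
    """Whitespace-normalised, lower-cased SHA-256 of the text body."""
    text = msg.get_body(preferencelist=("plain",)).get_content()
    return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()


def auth_results(msg) -> dict:
    """Verdicts such as {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))


def classify(raw: bytes, ip_blocklist: set, known_spam_hashes: set) -> list:
    """Return the reasons the message looks like spam; an empty list means clean."""
    msg = parse(raw)
    reasons = []
    if connecting_ip(msg) in ip_blocklist:
        reasons.append("ip-blocklisted")
    if body_checksum(msg) in known_spam_hashes:
        reasons.append("known-spam-checksum")
    results = auth_results(msg)
    for proto in ("spf", "dkim", "dmarc"):
        if results.get(proto) != "pass":
            reasons.append(f"{proto}-{results.get(proto, 'missing')}")
    return reasons
```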

Sending secure emails to non Protonmail users

I alluded to this earlier but wanted to restate it here in its own section, since I would otherwise receive a dozen emails asking this question.

Can secure emails be sent from Protonmail to non-Protonmail users (Gmail, Hotmail, Outlook, etc.)?

When sending emails to non-Protonmail users, you can:

  1. Send an unencrypted standard email. This is what every other email provider does.
  2. Use the lock icon in the compose window, which asks for a password (see the screenshot earlier in this post). When this is set, the recipient receives a message with a link to a Protonmail web interface, where he/she can enter the provided message password and read the email.

Notification non-Protonmail user receives

Password requested from the non-Protonmail user.

Free versus paid

Protonmail offers a free basic tier and I recommend everyone start with this level. If it meets your needs, you should consider upgrading to a paid tier which offers custom domains and more storage. 

Conclusion

I love Protonmail and am moving my private (not public) email address there. I like the security it provides and the open philosophy they espouse. I say use them if you want something more secure and private.

You may also want to read my article about SpiderOak. SpiderOak is a Google Drive, Microsoft OneDrive or Dropbox alternative with strong trust no one encryption.

Is [add name] down for everyone or is it just me

Technology | Edward Kiledjian

Image by arkaitz.zubiaga under Creative Commons license

We have become increasingly dependent on our online services, and when they go down, we are lost and the world loses meaning. Ok.. maybe it's not that bad, but we still want to know whether the service is down or it's just us.

The next time your online service isn't working, check out their online service status dashboard and rest easy knowing it's not your fault (unless your internet is down, in which case you should panic).

Is WhatsApp down? 

WhatsApp status page screenshot

You can check the status of the WhatsApp service by visiting their special Twitter account page (link)

Is Google Apps down?

Google Apps status dashboard screenshot

You can check the status of Google Apps services by visiting their special Service Status Dashboard website (link)

Is Microsoft Live Down?

Microsoft service status dashboard screenshot

You can check the status of Microsoft services by visiting their special Service Status Dashboard website (link)

Is Apple down?

Apple service status dashboard screenshot

As a MacBook owner and an iPhone user, I get a cold sweat down my back when key Apple services are down. Is iMessage down or is it just me? Is FaceTime down or is it my internet connection?

All good questions that can be easily answered by visiting Apple's detailed service status dashboard site (link).

Is Twitter down?

Twitter status page screenshot

Everyone loves Twitter and it now breaks news faster than any other news distribution outlet. When it goes down, many news agencies panic. If you want to know if Twitter is really down, head over to their service status page (link).

Is CloudFlare down?

CloudFlare status page screenshot

CloudFlare has become the last line of defence between many small or medium internet sites and hackers. If you want to know whether their service is fully operational, check out their special webpage (link).

In the above image, you can see a couple of sites re-routing traffic to other locations. This could be because of scheduled maintenance.

An easy way to encrypt your emails and keep their contents safe

InfoSec | Edward Kiledjian

I had written an article a while back entitled "Is Microsoft Going Through Your Cloud Stored Files?". Whether the analysis of your content is done by a human, a robot or a disgruntled employee, it feels wrong, and there are times when you absolutely need to make sure the info in a particular email is secure and protected.

You can always install one of the open source PGP alternatives, but they require complicated setup and key exchange (which makes them unusable by the average Joe). This is where Mailvelope is hoping to change the industry.

Mailvelope offers free Chrome and Firefox extensions that encrypt outgoing emails via OpenPGP when using the most popular web-based email services (Gmail, Outlook.com, Yahoo, etc.). Their claim to fame is that it works with the web-based clients offered by these services and is super simple to use.

The product is still in beta but has proven fairly stable during normal use. You install the extension, generate your public and private keys, and that's it. The installation walks you through the process and advanced computer skills are not required.

Once the keys have been generated, you will see a lock icon in the message compose window of your chosen email service; clicking this icon encrypts your message. Remember that for this to work, the other party also needs a PGP-compliant client to decrypt your message, and a public key exchange must also occur. The easiest setup is to ensure the recipient also installs Mailvelope.

I would never call encryption easy but this seems to make it simple enough for the general population to use. I will be interested in seeing how they eventually monetize their service.

Encryption icon in Gmail:

How an encrypted message looks

You click on the lock icon and it asks for your private key passphrase.

Followupthen.com free email reminder service review

Productivity | Edward Kiledjian

If you are anything like me, you probably get a few hundred emails a day. Some of those emails require immediate attention but most are for future actions that I don’t need to look at now. So how do you clean up your inbox without losing the reminder for these future actions? Enter a cool new free service called Followupthen.com.

Ubiquitous

Using the service is simple: you send the email to a special (time-coded) Followupthen.com email address and the service will then remind you at the designated date and time. The interesting part of this process is that it works on all platforms (Windows, Mac, Linux, iPhone, iPad, Android) as long as you can send and receive emails.

It requires no special plug-ins, no complicated configuration or proprietary app.

Competition

Followupthen does have competition in this space from the likes of Followup.cc and Boomerang, but it does have differentiating characteristics. Boomerang requires browser plug-ins, so it limits its use and makes it a little more complicated, which is why I wouldn't even consider it.

Followupthen.com allows you to send an unlimited number of reminders for free and uses more natural reminder language (e.g. to remind you of something in 23 minutes, you simply send an email to [email protected]). No account or registration required.

Their Premium service

Although we would like everything to be free, they have to have a revenue stream if they want to continue providing services. They have chosen to adopt the freemium model where most users will be able to use the free service without issues but where power users can pay a little extra and get the jacked up super powered version.

So for $24 a year, you get:

  • SMS Reminders
  • Customization of reminder email designs (company logo, layout, etc)
  • You can manage your reminders via a simple web interface
  • Calendar integration so your reminders get added to your calendar
  • Ability to have attachments in your reminder emails
  • You can use these premium services for all your email addresses

Security

Like most cloud services, they take some security precautions to protect your information, but just remember that email, by its very nature, isn't secure. An email can easily be intercepted by anyone between the sender and receiver.

Conclusion

I think you should try this free service right now. There are dozens of situations where it will be extremely useful.


Additional Service Information

How to Use FollowUpThen

FollowUpThen requires no account to get started!

Just compose an email and include [schedule format]@followupthen.com in the "Cc", "Bcc" or "To" fields of your email. Each is a bit different:

  • BCC: You will receive a followup but we won't bug the original recipient.
  • TO: You will get a followup after the time interval you specify.
  • CC: If your recipient has not responded by the scheduled time, both of you receive a followup. Note: Your recipient has to “reply all” to include followupthen on their response for us to know about it. You can always cancel followups by emailing [email protected].

Time Formats

Here are some examples of the scheduling formats you can use:

  • Time Interval
  • Day of Week
  • Common Scheduling Terms
  • Specific Date
  • Specific Time
  • Specific Date and Time
  • Recurring Reminders

Google has granted you 10 GB of free GMAIL Storage

Technology | Edward Kiledjian

When GMAIL started 8 years ago, we were astounded that the King of Search would graciously offer us 1GB of free storage. After all, the big players (like Hotmail and Yahoo) were offering a paltry 25-50MB. Why would we EVER need 1 GB of storage?

Well, just a couple of years later, the King of Search has yet again blessed its citizens by offering them an additional 2.5GB of storage, bumping users to 10GB of GMAIL space.

Here is the original Google blog post about the increase.

Enjoy your new freedom and breathe free (at least for a little while longer).