Insights For Success

Strategy, Innovation, Leadership and Security

Secure Email

Review of encrypted email provider Protonmail

General | Edward Kiledjian

Why would anyone use Protonmail instead of Gmail or Hotmail? SECURITY

Email is inherently insecure and if you are a political dissident whose online communications can mean the difference between living and dying, don't use email. For everyone else looking for an easy and secure email solution, keep reading about Protonmail.

Everyone needs to understand that SMTP was not designed to be secure and will always have security weaknesses.

We use email because we don't have a choice and everyone agrees it won't be displaced tomorrow.

The other major issue faced by secure service providers is ease of use. PGP is a good example of strong, unbreakable email encryption that never became mainstream because it was simply too complicated for the mortal man.

Absolute security is impractical and will never gain widespread adoption, so good security should be the goal for most services.

There is always a tradeoff between usability and security; the difficulty is finding the right balance.

So what does Protonmail offer?

The bright scientists behind Protonmail understand the fine balance they must find between usability and security. Make the product too secure and no one will use it (aka bankruptcy), or make it extremely user friendly but not secure (and become a me-too email provider).

They have chosen to implement good enough security which makes encryption generally accessible to the masses while protecting against unauthorized government seizure or mass surveillance.

What are the weaknesses of Protonmail?

Read my blog post about the Vault7 leaks (here) and you will realize that when government is stifled by strong encryption (Whatsapp, Signal, etc.), they compromise the endpoint and extract the information pre/post-encryption.

Protonmail does not protect you if your endpoint is compromised. It would be unreasonable to assume any secure online service could protect you from this type of attack. If you want maximum endpoint security, learn about real security protocols and use a secure operating system like Qubes OS.

Nation state level man in the middle attack. Protonmail implements all of the controls to prevent a common man in the middle type of attack but a nation state actor with the ability to redirect your web traffic and generate real "fake" TLS certificates could theoretically intercept your traffic, ask you for your username/password then use those to access your account and decryption keys. Let's be clear that your garden variety hackers (even those that are extremely skilled) won't be able to pull this off. This would require skills, money and huge technical capabilities to reroute internet traffic and generate encryption certificates.

Intelligence break in. With all the talk about government backdoors, the third major weakness of Protonmail (and all other secure service products you did not write yourself) is the fear that a nation-state actor would somehow infiltrate Protonmail and then implement "special" code that sends bad encryption code to the users, thus allowing the threat actor to access unencrypted versions of the messages. Protonmail has stated that they have multiple controls in place to protect against this type of attack. They scan servers for unauthorized code changes.

Some nice features of Protonmail

Protonmail is a Swiss company based in Switzerland. Any government request for information would have to be done there using Swiss law, which is very protective of private information (USA cannot issue a National Security Letter to force the company to turn over information and hide the request from the user).

In the rare situation that a government were to spend the money and convince the Swiss court to compel Protonmail to turn over user information... Protonmail uses "Zero Access Cryptography" which means they do not hold the encryption keys and therefore can only turn over encrypted information. 

Protonmail supports (and you should use) 2-factor account authentication. This means that in addition to something you know (your username and password), you need something you have (a time-based authentication code generated by an authenticator app such as Google Authenticator or Authy).

If you want to send something more secure than normal email to a non-Protonmail user, you can create a Protonmail hosted message that requires a password to open (obviously don't send the password using email) and can even have a fixed expiry date. 

Creating a password for the secure "hosted" email

Setting an expiry time for the message

Protonmail stores user-based encrypted authentication logs. This means you can see when your account was logged into and from which IP address. You can turn this off if you don't want this captured. Protonmail does not capture or log your IP anywhere else.


The ProtonMail service has internal authentication logs. When I say internal, I mean that these details are available only to the account owner, and are recorded and encrypted with all the other data inside the account. As I mentioned earlier, Proton Technologies AG doesn’t log IP addresses, but this information can be logged inside your web client session. If you don’t need them, just wipe the logs and switch to basic mode which doesn’t record info on the IP addresses you logged in from.

Basic stores login dates / times only. Advanced also stores the IP Address from where you logged in. The choice is yours. You can always download this information or secure erase it.

No user profiling. When you use a free service, the provider is conducting deep analysis and building a detailed profile of you. Protonmail doesn't do this since everything is encrypted.

They encrypt all non-Protonmail emails received immediately upon ingestion.

Emails that come from third party email providers obviously cannot be delivered with end-to-end encryption, but upon reaching our mail servers, we will encrypt them with the recipient’s public key before saving the messages. All this is done in memory so that by the time anything is permanently stored to disk, the email is already unreadable to us.

This is good for security but limits what they can do for SPAM control. In a blog post, they explain what they do to help fight SPAM:

  1. They check the IP address of the incoming SMTP server against known blacklists
  2. They pass all messages through their own Bayesian filter marking suspicious emails as SPAM
  3. They generate a checksum for each email message and verify this checksum against known SPAM messages
  4. They verify the authenticity of the email using standard protocols (SPF, DKIM and DMARC)
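An added illustration of the first three checks in that list, run over constructed sample messages; it is not Protonmail's code, and the fourth step (SPF, DKIM and DMARC) is left out because it needs live DNS lookups. The blocklisted relay address, the known-spam digest and the tiny Bayesian training set are all constructed here, and a real filter would learn from far more mail.

```python
import hashlib, math, re
from collections import Counter

# Constructed sample data, not Protonmail's: one blocklisted relay (a TEST-NET-3 address)
BLOCKLISTED_IPS = {"203.0.113.7"}

def normalize(body: str) -> str:
    # lower-case and collapse whitespace so trivial edits do not change the digest
    return re.sub(r"\s+", " ", body.lower()).strip()
def checksum(body: str) -> str:
    return hashlib.sha256(normalize(body).encode()).hexdigest()
# digests of message bodies already known to be spam (constructed)
KNOWN_SPAM_DIGESTS = {checksum("Congratulations! You won a prize, click here now")}

def tokens(text: str) -> set:
    return set(re.findall(r"[a-z']+", text.lower()))

class BayesFilter:
    """Bernoulli naive Bayes over the words present in a message, Laplace smoothed."""
    def __init__(self):
        self.word_docs = {"spam": Counter(), "ham": Counter()}  # docs containing each word
        self.docs = {"spam": 0, "ham": 0}

    def train(self, label: str, text: str) -> None:
        self.word_docs[label].update(tokens(text))
        self.docs[label] += 1

    def spam_probability(self, text: str) -> float:
        total, logp = sum(self.docs.values()), {}
        for label in ("spam", "ham"):
            lp = math.log(self.docs[label] / total)  # class prior
            for tok in tokens(text):                 # P(word present | class)
                lp += math.log((self.word_docs[label][tok] + 1) / (self.docs[label] + 2))
            logp[label] = lp
        return 1.0 / (1.0 + math.exp(logp["ham"] - logp["spam"]))  # normalise the pair

def classify(sender_ip: str, body: str, bayes: BayesFilter, threshold: float = 0.9):
    """Return (verdict, reason); the checks run in the order the post lists them."""
    if sender_ip in BLOCKLISTED_IPS:
        return "spam", "sender IP on blocklist"
    if checksum(body) in KNOWN_SPAM_DIGESTS:
        return "spam", "checksum matches known spam"
    p = bayes.spam_probability(body)
    return ("spam" if p >= threshold else "ham"), f"bayes p={p:.2f}"

# constructed toy training set; a real filter learns from user-reported mail
FILTER = BayesFilter()
for _t in ("win a free prize now", "free money click now", "claim your prize today"):
    FILTER.train("spam", _t)
for _t in ("meeting tomorrow at noon", "please review the attached report", "lunch today at the cafe"):
    FILTER.train("ham", _t)
```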

Sending secure emails to non Protonmail users

I alluded to this earlier but wanted to restate it here in its own section, since I would otherwise receive a dozen emails asking this question.

Can secure emails be sent from Protonmail to non-Protonmail users (Gmail, Hotmail, Outlook, etc.)?

When sending emails to non-Protonmail users, you can:

  1. Send an un-encrypted standard email. This is what every other email provider does.
  2. You can use the lock icon in the compose window, which asks for a password (see screenshot earlier in this post). When this is set, the recipient receives a message with a link to a Protonmail web interface, where he/she can enter the provided message password and read the email.

Notification non-Protonmail user receives

Password requested by non-Protonmail user.

Free versus paid

Protonmail offers a free basic tier and I recommend everyone start with this level. If it meets your needs, you should consider upgrading to a paid tier which offers custom domains and more storage. 

Conclusion

I love Protonmail and am moving my private (not public) email address there. I like the security it provides and the open philosophy they espouse. I say use them if you want something more secure and private.

You may also want to read my article about SpiderOak. SpiderOak is a Google Drive, Microsoft OneDrive or Dropbox alternative with strong trust no one encryption.

Using Non-US cloud providers doesn't protect data

technology | Edward Kiledjian
Image by Jaaron under Creative Commons License

My day job is in security, so I read every Snowden leak with great interest. It is fascinating to see how well-funded intelligence agencies can collect the data they need. All these leaks seem to have touched a nerve with some non-American corporate IT managers, who are now demanding that their cloud providers store their data outside of the US.

But does that really make a difference?

In my opinion, the answer is no and here's why. The US Patriot Act (link) which gives the US intelligence community its super powers, compels any US company to turn over requested data regardless of where it is stored (it is not limited to data stored in the United States). Companies that allow customers to choose where the data is stored are providing a false sense of security to customers.

So what should we do to protect our data?

If you are a non-US company that wants to leverage a cloud service provider but still wants to protect your data from the NSA, then you have to use a non-American provider and ensure your data is stored outside of the US.

But even this doesn't guarantee total privacy. Keep in mind that most countries have local intelligence organizations (CSE in Canada, GCHQ in the UK, etc) and the leaks show that many of these agencies eagerly collect data for each other and share that data with limited control.

For the time being, your super secret data should be encrypted by you before it is sent to the cloud using Trust No One encryption but then you lose most of the value of these cloud services. Ultimate security means broken functionality. Ultimate functionality means broken security. You'll have to try to find a balance somewhere in between. 

Silent Circle enables secure VOIP calling from Android

InfoSec | Edward Kiledjian

I wrote about Silent Circle in October and was excited to learn that they recently released an Android app and enabled Out of Circle calling. Silent Circle will enable secure voice, text, email and video chatting from any Silent Circle client to another (Android -> Android or Android -> iPhone).

The app can be downloaded from the Google Play Store. Using their service is simple and straightforward. You download the app, create an account and then pay the $20 monthly service fee. As soon as this is done, you will be able to call Silent Circle to Silent Circle securely regardless of where in the world you are (over Wi-Fi, 3G or 4G).

They also added "Out-Circle Access", which enables Silent Circle users to call regular phone lines. Your link is encrypted from the device up to the Silent Circle boundary (a nice feature for people working in some questionable countries). This feature costs an additional $29 a month but includes unlimited calling to Canada, the US and Puerto Rico.

Here is the full Press Release

Silent Circle Releases Silent Phone For Android And Out-Circle Access (via PR Newswire)

Private encryption service developed by PGP inventor Phil Zimmermann protects voice and video calls on both Android and iOS devices across cellular and Wi-Fi networks. WASHINGTON, Jan. 16, 2013 /PRNewswire/ -- Silent Circle, a global private encrypted communications firm revolutionizing…


SilentCircle protects you from espionage or government monitoring

Security | Edward Kiledjian

I not only work in Information Security, I love it. In the era of “everything digital”, nothing else is as important. Well imagine my excitement when I learned of a newly formed company, called SilentCircle, which was promising a very secure yet easy to use communication product.

The company

The company says that it was started by 2 former Navy SEALs and the world-renowned creator of PGP, Phil Zimmermann. It wanted to create a military-grade encryption product for securing phone calls (VOIP), text messages, emails and video. Its goal was to create a secure product with the ease of use of an iPhone app (all for $20 per subscriber per month).

Services include:

  • Encrypted voice
  • Encrypted text
  • Encrypted Video
  • Encrypted email
  • Ability to call anyone (non-subscriber). Your session is encrypted as far as the SilentCircle servers

The need

Anyone with a public profile has a need for secure communication. Secure from whom? Secure from competitors, government agencies and foreign nations.

How

The design of the solution has been well thought out and all encryption is performed on the end device. Once a communication stream is completed, the keys used to encrypt that communication are securely deleted, making future decoding more difficult. They store only minimal system logs (required to maintain the service) and these logs are stored in Canada and Switzerland (which have stricter privacy laws).

They offer a service called Burn Notice which automatically destroys the sent information (photo, message, email, etc.) after a pre-determined timeframe.

Resistance

Current US wiretapping laws do not apply to VOIP, but some officials are pushing to have these older laws amended to include VOIP. It is conceivable that future laws may make this type of service illegal or highly regulated, but [for now] you can rest assured that your discussions with Nana about her top secret apple pie recipe will stay confidential.

Verdict

Since I haven’t tested the service, I can’t vouch for how it will actually work but it looks great on paper. If you are concerned about eavesdropping or espionage, take a look at this new tool.