Insights For Success

Strategy, Innovation, Leadership and Security

email

Review of encrypted email provider Protonmail

General | Edward Kiledjian

Why would anyone use Protonmail instead of Gmail or Hotmail? SECURITY

Email is inherently insecure. If you are a political dissident whose online communications can mean the difference between living and dying, don't use email at all. For everyone else looking for an easy and reasonably secure email solution, keep reading about Protonmail.

Everyone needs to understand that SMTP was not designed to be secure and will always have security weaknesses.

We use email because we don't have a choice and everyone agrees it won't be displaced tomorrow.

The other major issue faced by secure service providers is ease of use. PGP is a good example of strong email encryption that never became mainstream because it was simply too complicated for ordinary users.

Absolute security is impractical and will never gain widespread adoption, so good security should be the goal for most services.

There is always a tradeoff between usability and security; the difficulty is finding the right balance.

So what does Protonmail offer?

The scientists behind Protonmail understand the fine balance they must strike between usability and security. Make the product too hard to use and no one will adopt it (aka bankruptcy); make it extremely user friendly but not secure and you become just another email provider.

They have chosen to implement good-enough security that makes encryption accessible to the masses while protecting against unauthorized government seizure and mass surveillance.

What are the weaknesses of Protonmail?

Read my blog post about the Vault7 leaks (here) and you will see that when a government is stifled by strong encryption (WhatsApp, Signal, etc.), it compromises the endpoint and extracts the information before it is encrypted or after it is decrypted.

Protonmail does not protect you if your endpoint is compromised. It would be unreasonable to expect any online service to protect you from this type of attack. If you want maximum endpoint security, learn proper operational security and use a hardened operating system such as Qubes OS.

Nation-state level man-in-the-middle attack. Protonmail implements the standard controls against a common man-in-the-middle attack, but a nation-state actor able to redirect your web traffic and obtain a fraudulently issued, browser-trusted TLS certificate could theoretically intercept your session, prompt you for your username and password, then use those to access your account and decryption keys. Let's be clear that garden-variety hackers (even extremely skilled ones) won't be able to pull this off. It requires the money and technical capability to reroute internet traffic and obtain certificates from a trusted certificate authority.

Intelligence break-in. With all the talk about government backdoors, the third major weakness of Protonmail (and of every secure service you did not write yourself) is that a nation-state actor could infiltrate Protonmail and plant code that serves tampered encryption code to users' browsers, letting the attacker read unencrypted versions of the messages. Protonmail has stated that it has multiple controls in place against this type of attack, including scanning its servers for unauthorized code changes.

Some nice features of Protonmail

Protonmail is a Swiss company. Any government request for information must be made in Switzerland under Swiss law, which is very protective of private information (the United States cannot, for example, serve the company a National Security Letter that compels it to turn over information and hide the request from the user).

In the rare case that a government spends the money and convinces a Swiss court to compel Protonmail to turn over user information, Protonmail's "zero access cryptography" means it does not hold the keys needed to decrypt your mailbox and can therefore only turn over encrypted data.

Protonmail supports (and you should enable) two-factor authentication. In addition to something you know (your password), you need something you have: a time-based one-time code generated by an authenticator app such as Google Authenticator or Authy.

If you want to send something more secure than normal email to a non-Protonmail user, you can create a Protonmail-hosted message that requires a password to open (obviously, don't send the password by email) and you can even set a fixed expiry date.

Creating a password for the secure "hosted" email

Setting an expiry time for the message

Protonmail stores per-user encrypted authentication logs, so you can see when your account was logged into and from which IP address. You can turn this off if you don't want it captured. Protonmail does not capture or log your IP anywhere else.


The ProtonMail service has internal authentication logs. When I say internal, I mean that these details are available only to the account owner, and are recorded and encrypted with all the other data inside the account. As I mentioned earlier, Proton Technologies AG doesn’t log IP addresses, but this information can be logged inside your web client session. If you don’t need them, just wipe the logs and switch to basic mode which doesn’t record info on the IP addresses you logged in from.

Basic stores login dates/times only; Advanced also stores the IP address you logged in from. The choice is yours, and you can always download this information or securely erase it.

No user profiling. When you use a free service, the provider performs deep analysis of your messages and builds a profile of you. Protonmail doesn't do this, since message content is stored encrypted.

They encrypt all email arriving from outside Protonmail immediately upon ingestion.

Emails that come from third party email providers obviously cannot be delivered with end-to-end encryption, but upon reaching our mail servers, we will encrypt them with the recipient’s public key before saving the messages. All this is done in memory so that by the time anything is permanently stored to disk, the email is already unreadable to us.

This is good for security but limits what they can do for spam control, since filtering has to happen before the message is encrypted and stored. In a blog post, they explain what they do to fight spam:

  1. They check the IP address of the sending SMTP server against known blacklists
  2. They pass all messages through their own Bayesian filter, marking suspicious emails as spam
  3. They generate a checksum for each email message and compare it against the checksums of known spam messages
  4. They verify the authenticity of the sender using the standard protocols (SPF, DKIM and DMARC)
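The first, third and fourth of those checks, run over two constructed messages, as an added illustration that is not Protonmail's code: a blocklist lookup on the connecting relay's IP taken from the topmost Received header, a whitespace- and case-normalised body checksum compared against known spam, and the SPF/DKIM/DMARC verdicts that the receiving MX recorded in Authentication-Results. The Bayesian filter is omitted. The addresses, domains, sample messages and the blocklist are all made up (RFC 5737 documentation addresses and .example domains), and the blocklist set stands in for a DNSBL query.

```python
"""Inbound-mail triage before storage (added example, not Protonmail's code).

Implements three of the four checks listed above over a raw RFC 5322
message: connecting-relay IP against a blocklist, a normalised body
checksum against known spam, and the SPF/DKIM/DMARC verdicts recorded by
the receiving MX in Authentication-Results. The Bayesian filter is out of
scope. All addresses, domains, sample messages and the blocklist are
constructed for the example; the blocklist set stands in for a DNSBL query.
"""
import email
import hashlib
import re
from email import policy
from typing import Dict, Optional

# Constructed blocklist of relay IPs (what a DNSBL lookup would answer).
IP_BLOCKLIST = {"203.0.113.77"}


def body_checksum(body: str) -> str:
    """Collapse whitespace and case so trivial spam variants hash the same."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


# Known-spam checksums, seeded from one constructed spam body.
KNOWN_SPAM_CHECKSUMS = {
    body_checksum("You have WON a prize!!! Click here to claim now."),
}


def connecting_ip(msg) -> Optional[str]:
    """IP of the relay that handed the message to our MX: the topmost
    Received header is the one our own server added last."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return m.group(1) if m else None


def auth_results(msg) -> Dict[str, str]:
    """Pull spf=/dkim=/dmarc= verdicts out of Authentication-Results.
    Only the instance written by your own MX is trustworthy: a sender can
    forge this header, so a real MX strips inbound copies before adding its own."""
    header = msg.get("Authentication-Results", "") or ""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)
    return {k.lower(): v.lower() for k, v in pairs}


def triage(raw: bytes) -> dict:
    """Run the checks; the verdict decides the folder before encryption."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    ip = connecting_ip(msg)
    if ip in IP_BLOCKLIST:
        reasons.append(f"relay {ip} is blocklisted")

    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    if body_checksum(text) in KNOWN_SPAM_CHECKSUMS:
        reasons.append("body matches a known spam checksum")

    auth = auth_results(msg)
    if auth.get("dmarc") == "fail":
        reasons.append("DMARC failed")
    elif auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        reasons.append("neither SPF nor DKIM passed")

    return {"spam": bool(reasons), "reasons": reasons, "ip": ip, "auth": auth}


# Constructed samples: RFC 5737 documentation addresses, .example domains.
SPAM_SAMPLE = b"""Received: from mail.badrelay.example ([203.0.113.77]) by mx.example.net; Mon, 1 May 2017 10:00:00 +0000
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=promo@badrelay.example; dkim=none; dmarc=fail header.from=badrelay.example
From: promo@badrelay.example
To: alice@example.net
Subject: Congratulations
Content-Type: text/plain; charset=utf-8

You  have WON a prize!!!
Click here to claim now.
"""

HAM_SAMPLE = b"""Received: from mail.example.org ([198.51.100.5]) by mx.example.net; Mon, 1 May 2017 10:05:00 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bob@example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: bob@example.org
To: alice@example.net
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Still on for lunch tomorrow?
"""

if __name__ == "__main__":
    for name, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(name, triage(sample))
```

Two things worth noticing: the checksum is over a normalised body, because spammers vary spacing and capitalisation to defeat exact-match hashes, and the Authentication-Results verdicts are only meaningful when your own MX wrote them, which is why the message has to be triaged at ingestion rather than after a user's private key has made the body unreadable to the server.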

Sending secure emails to non Protonmail users

I alluded to this earlier but wanted to restate it here in its own section, since I would otherwise receive a dozen emails asking this question.

Can secure emails be sent from Protonmail to non-Protonmail users (Gmail, Hotmail, Outlook, etc.)?

When sending emails to non-Protonmail users, you can:

  1. Send an unencrypted standard email. This is what every other email provider does.
  2. Use the lock icon in the compose window, which asks for a password (see the screenshot earlier in this post). When a password is set, the recipient receives a message with a link to a Protonmail web page where he/she enters the agreed password and reads the email.

Notification non-Protonmail user receives

Password requested by non-Protonmail user.

Free versus paid

Protonmail offers a free basic tier and I recommend everyone start with this level. If the service works for you, consider upgrading to a paid tier, which offers custom domains and more storage.

Conclusion

I love Protonmail and am moving my private (not public) email address there. I like the security it provides and the open philosophy they espouse. I say use them if you want something more secure and private.

You may also want to read my article about SpiderOak. SpiderOak is an alternative to Google Drive, Microsoft OneDrive or Dropbox with strong "trust no one" (zero-knowledge) encryption.

Encryption isn't just for terrorists

General | Edward Kiledjian

It seems that every time there is a terrorist attack, governments around the world use it as an opportunity to chip away at encryption. The latest came from UK Home Secretary Amber Rudd, who called WhatsApp's end-to-end encryption "completely unacceptable" and added that there should be "no hiding place for terrorists".

Encryption is publicly known mathematics and there is no way to put the cat back in the bag. If encryption is banned for law-abiding Joe and Jane Public, it makes everyone less safe, while terrorists will simply use their resources and public encryption libraries to write their own encrypted programs and carry on with their evil work.

Minister Rudd's comments are clearly those of someone who doesn't understand the technology and how fundamentally it underpins our entire technological society. Any time you bank online, file your taxes with the government online or request a government service, you are using an encrypted channel called TLS. It is the technology that makes using sensitive services on the internet possible.

Banning encryption would mean no more online shopping, banking or anything else that requires privacy, so a ban would never be accepted by our always-online generation.

Governments counter this argument by saying they "simply" want a back door, not a ban on encryption: a back door would let intelligence and police agencies perform investigations more easily while keeping encryption alive for everyone else.

As a security professional, let me be clear that this is simply not possible. The minute a backdoor is implemented, it becomes a vulnerability that threat actors will try to find and exploit (organized crime, nation-state actors, rogue foreign governments, etc.). If the Snowden and Vault7 leaks have shown us anything, it is that even governments have trouble keeping secrets. The reason encryption works is that it is based on mathematics and remains secure even though all the protocols, formulas and applications are publicly known.

Creating a backdoor for the good guys means you are also creating it for the bad guys. 

The Vault7 leak showed that governments have already solved the WhatsApp encryption "problem" by hacking the end device. Once the device is compromised, they can read messages before encryption and after decryption, and therefore get the information they need. Yes, it requires more work, but every job has its challenges. This bypasses the encryption of Signal, WhatsApp or any other encrypted messenger.

Terrorism is a bad thing that affects us all. It is the worst of humanity, manifested through hatred and misunderstanding of one another. Politicians are targeting encryption because it is the easy target, but it isn't the right one.

As a geeky security professional, I will always be able to protect myself by rolling my own encryption, but the general population won't. Considering everything about us can now easily be stolen from our smartphone, I'm worried about any weakening of encryption. Just think about everything stored on your device (location history, contacts, social networks, where you have been and what you have done, health information, etc) and how you would feel if someone had access to all of it without your knowledge. 

We need technically knowledgeable politicians who will fight the good fight (against terrorism) without trying to neuter good, wholesome, public-protecting technologies. It's like saying we will ban pools because there were 3,536 fatal non-boat-related drownings in 2015 (there are over 8M public and private pools in the USA). We can't let a small batch of rotten apples contaminate the entire batch of cider.

Canada's Anti Spam Law (CASL) and what it means and CASL 2.0

Technology | Edward Kiledjian

Over the last month, I received several emails asking me about CASL (the Canadian Anti-Spam Law), which went into effect on July 1, 2014. The purpose of CASL is to protect consumers from unsolicited commercial electronic messages.

Nothing in this article should be construed as legal advice. Always check with a qualified legal professional.

What is CASL

There are well-written white papers by lawyers that provide the legal perspective on CASL and how it impacts businesses. If that applies to you, you should go find and read some of those. The Canadian Anti-Spam Law was designed to protect Canadian recipients from unsolicited commercial messages. The main drivers are:

  • Consent: the sender needs to secure and record explicit consent from the recipient that they want to receive your marketing content
  • Identification: the law requires that you clearly identify who is sending the message and on whose behalf it is being sent. The recipient must have a way to easily reach you.
  • Unsubscribe: the recipient must have a simple and clear way to unsubscribe from your mailing list.

Each message you send must contain the identification and unsubscribe elements.

Not only email

Legislators made sure CASL protects Canadians across multiple mediums of commercial message delivery, including email, instant messaging, social media, etc.

Assume this applies to all mechanisms you use to contact a customer for marketing purposes.

Does this CASL apply to me?

Let me keep this simple: CASL applies to any entity pushing a marketing message, and you should plan on adhering to its requirements.

Does CASL apply to not for profit organizations?

As currently worded, the law provides an exemption for registered charities raising funds through email. Other revenue-generating activities are not exempt.

The identification and unsubscribe requirements of the law apply to not for profits also.

If you want to add subscribers from one list to another, then you will need explicit consent. 

Non-commercial messages (aka regular business-type emails) are not covered by CASL.

You can learn more on the government's website (link)

CASL and email address harvesting

A practice used by some email marketers and resellers of marketing lists is to harvest email addresses with automated programs that collect them from websites, mailing lists, forums, etc.

CASL amends PIPEDA to forbid the activity of email harvesting.

CASL 2.0

On January 15, 2015, an additional provision called the Computer Program Rules goes into effect. It requires express consent before a computer program is installed on someone's PC, smartphone or other electronic device.

This new wave of CASL comes with very stiff penalties that can reach $10,000,000 for companies, and it reaches beyond Canadian borders: it applies to organizations located anywhere that install programs on a computer located in Canada, and to Canadians (or anyone acting under the direction of someone in Canada) installing programs on computers outside Canada.

This section of CASL is fairly complicated, so I will let you research it further if you think it applies to you.

CASL Best practices

In addition to following the CASL requirements stated above, many organizations are also verifying receiver interest in their messages every 6 months. 

Organizations that can prove that they have an existing business relationship will have 3 years to comply but industry best practice says you should plan to comply immediately.

7 tips to make email more acceptable

Business | Edward Kiledjian
Image by Rene Schwietzke used under Creative Commons License


The only thing that saps more productivity out of an organization than meetings (Link) is email. Has email ever helped you become more productive? Email has outlived its usefulness and has become the ugly drunk uncle no one wants to acknowledge or deal with.

Assuming you have to live with email in the workplace, here are 7 tips to help make it a little more bearable:

  1. Start with the end in mind - Before writing your email, ask yourself what outcome you want from it and decide whether email is the right mechanism. If it is, state the desired outcome right at the start (e.g. Please approve, Please comment, etc.).
  2. KISS - My modified definition of KISS here is Keep It Short, Stupid. I don't have time to read your 12-page essay masquerading as an email. Keep all emails shorter than 10 lines; anything more and your recipient will likely file it under "Never Read".
  3. Never Reply All - Unless there is a very specific reason why everyone in an email thread should receive your words of wisdom, be judicious about who you reply to. Most people Reply All to protect their own ass. That's a horrible reason; stop it now.
  4. One channel for each message - If you decided in step 1 that email is the appropriate channel for your message, then don't use other channels to pass the same message at the same time (printing a copy and sending it to me, talking to me about it in the hallway, etc.). You chose the channel; now stick with it.
  5. Email doesn't convey tone - Remember that email doesn't convey the tone of a message. Ask yourself whether the message could be misconstrued without the appropriate tone. If it can be misinterpreted, ditch email and use the telephone, videoconference or a good old-fashioned face-to-face conversation. Countless issues (tempests in a teapot) have been created because the recipient over-reacted, having been unable to infer the real tone of a message.
  6. Time is your enemy - In my world, email is a nice-to-have; I read incoming messages about twice per day... and I am at least a week behind on my emails. This means that anything urgent or time-sensitive shouldn't be sent via email. Email is asynchronous.
  7. Archive it - Set a time after which all email gets archived (even if you haven't read it). I use a 1 to 1.5 week period, then bam, everything gets archived.

My core message is that I hate email. It is an ugly creation that punishes me every day. Remember that next time you punish your coworkers with it. 

Google wants easy end-to-end email encryption in Chrome

Technology | Edward Kiledjian

Sending an email is akin to mailing a postcard: everything written in it can easily be read, copied or analyzed at any of the transfer points along the way. This simple fact is what motivates security advocates to push for email encryption. The main obstacle to mass adoption of email encryption is complexity: it requires installing and configuring special software, and purchasing or generating your private/public key pair.

Google wants to change all of that and has released an alpha Chrome extension called End-to-End (link). End-to-End provides an additional layer of security over and above what your existing email provider already offers. The extension hides the complexities of encryption from the user, which should help at-risk but less technically savvy users (journalists, human rights workers, whistleblowers, etc.).

Google is clear that this is currently an alpha release for technically proficient users only and is not meant for general use yet. They want the community to review the open-source extension and provide security recommendations to strengthen and improve the tool.

I haven't reviewed the tool just yet but am really happy google is taking the first step in making email more secure and accessible. Once this plug-in is ready for general consumption, I'll let you know.