ProtonMail. End-to-end encrypted email

I'm willing to bet that a number of you have bitcoin wallets/accounts which are tied to a email address somehow (blockchain.info comes to mind). Depending on which email service you may use there are probably a considerable number of insecure access points to you email, even if you have 2-factor security related to that account. I'm fairly certain a number of you know that I'm an experienced penetration tester and general security advocate so here's a service which I think the community should be using for any Bitcoin related email communication. ProtonMail.

What I really enjoy about ProtonMail is that it has complete end-to-end encryption, meaning, if you send to another ProtonMail user everything is encrypted and cannot be read outside out the side, even by the developers. The second is that your entire inbox is encrypted, and requires an account password (this can be hacked just like any other service) and a password to decrypt your inbox, which is similar to a second password to send Bitcoin from any given wallet. Now naturally if you lose the inbox password you're pretty much lost because this is the only password that no one can know other than you (the site doesn't allow this password to be saved in your browser or auto-complete) so it's more or less completely secure from outside tampering. And finally, the servers are located in Switzerland which hav outstanding personal digital privacy laws-which are increasingly hard to find lately-so you can pretty much be assured that it's going to take a lot for anyone to be able to access this data.

I've been on the waiting list for over a year and got my account a few months ago but didn't activate it until this weekend and from what I've seen it's well worth the wait for the new waiting list. IP addresses to resolve to Swiss servers, so none of your personal IP information is passed along in the email header. This service is free (and will always stay free) but naturally they will be providing some premium content in the future. I'm slowly moving all my email associations from my old email accounts to ProtonMail and hopefully will be using ProtonMail only in the near future.

For the best inbox encryption password I recommend using random.org for password generation which uses atmospheric noise as it's Random Number Generator (RGN). You can set your password requirement to 24 passwords, it will then pump out 5 different ones. Pick one, write down all but one character (this is what you NEED to remember) and tape it to the back of your keyboard. It's not digitally accessable, and, if anyone happens to find this password, they still need to brute-force the password. At 24-characters the level of entropy basically makes this impossible to crack if you even suspect that someone may have the means and motivation to crack this.

https://protonmail.ch/

It's not very often I really endorse stuff, but I think this is a no-brainer for information security.
«1

Comments

  • What do you think of Tutanota.de? They encrypt absolutely everything + they are open-source. I just wish they open-sourced their server software so that I could run the whole thing myself.
  • barehunterbarehunter Member Plus
    Nice writeup BruceWayne.

    Scryptmail.com and tutanota.com are similar services.

    I'm leery of these small operations. Many do not last. The ones with a paid plan might stay around but the "free forever" does not usually work out.

  • BruceWayneBruceWayne Member Plus
    My main problem with other service providers is that they're still located in territories which have very lackluster digital privacy laws. If your servers are located in the United States anything they do are subject to every single law that the US has, and simply put, you need an team of lawyers to even figure out what's what. All security measures are dropped to the most base elements when the physical hardware is potentially vulnerable. Which is why I've completely supported ProtonMail (and can't get on security with them because I'm neither in Geniva or San Fransisco) as they are located in one of the most paranoid defensive nations in the world: Switzerland

    Keeping servers in Canada at least keeps it so you don't need an international lawyer, let alone an American lawyer to figure out. You do need to realize that what anyone does has a 90% chance it involves an American server, and the majority of the rest involves a Canadian one. If you do anything online and need a lawyer to help you you quickly realize this. And why holding any Bitcoin related service on an Amazon instance will quickly have the law of the state, the country, then international law slowly, but surely, figure out what laws apply to you before you've even realized what you've been implicated in.

    TL/DR. Where's my information, dude?
  • SCRYPTmailSCRYPTmail Member
    edited May 2015
    Hi everyone.

    @BruceWayne let me disagree with you. If service end-to-end encrypted, why is it matter which country its located?
    For example protonmail developers live in San-Francisco, I can bet if US gov want to get access to their servers, they wouldn't even need to contact Switzerland authorities for that.
    I doubt that protonmail will be able to shutdown business like Lavabit and tell investors we are done. If I remember correctly, they just accepted 2 mil of VC funds. Imho, they already lost battle by accepting their money.

    However I think being overly concerned over location is problem with no solution, what is more important for such services is to be open sourced, and I mean both front-end and back-end. So people can trust it. Or ultimately able to host independently owned nodes.

    Sorry for my English.
  • barehunterbarehunter Member Plus
    @SCRYPTmail

    I take it you are affliliated with scryptmail? If so, can you tell us more about your service and what plans you have to make it self sustaining?
  • @SCRYPTmail

    I take it you are affliliated with scryptmail? If so, can you tell us more about your service and what plans you have to make it self sustaining?

    Yes I do, in fact I'm the author. So please don't get me wrong if it seems I'm too proud of it. It just a lot of time involved and hard to stay objective sometimes.

    Answering your question, that would be hard to explain what our services do in few words, except we try to keep communication private between people. I would say that encryption is not most important part of it. We are trying to distance ourself from mass providers, by providing more secured solution to people, i.e not scanning emails or learning from their personal life.

    Encryption in this case is just a way to proof what we are saying is hold true, and not just our promise.

    Second part to the question, we almost ready to go out of beta, I think major part of service already developed and we can start offer them as paid features. It would be hard to predict where it will lead us, but there is few directions we may go, be it enterprise or personal use.
  • barehunterbarehunter Member Plus
    Thanks for your reply.

    I'm impressed you share some of your time and expertise with us. Good luck with scryptmail.
  • BruceWayneBruceWayne Member Plus
    @Scryptmail Well, the PATRIOT act is by far the biggest reason. If a server is located in the US it is vulnerable to state and federal laws. Snowden's expose of just how US law enforcement works and the fact that it can intercept, and, if necessary, seize any server located on US territory. It's the same reason why so many file sharing servers are located in Sweden, or, have a .se domain name. You go to where the laws are in your favour. File sharing is still pretty much non-existent in the US (or at least servers located in the US) which is why I don't believe a service located in the US can compete with services located in territories which much more privacy laws.
  • SCRYPTmailSCRYPTmail Member
    edited May 2015
    @BruceWayne it's true but with many exceptions.. Kimdotcom got arrested in New Zealand by US court order, Silk road servers were shadow copied in Iceland by DOJ request, in the most of this cases, excuse was: its not US territory, so we don't have to follow the Fourth Amendment. I think there are little protection to be outside of US if they really want your server. Hosting in Russia or China will just complicate things, because their own gov want access.

    But again, I believe more wise to focus on encryption part, than possibly do a lousy job and expect it be protected by country. Laws can be changed tomorrow by politicians, but they couldn't make AES-256 less secure.

    I hope Patriot Act will expire this summer..
  • BruceWayneBruceWayne Member Plus
    @Scryptmail There's a reason why a Swiss bank account is known as the way to hold funds untouchable from any other government. A rhetoric can be made about their banking standards, but the fact is that they've held on to the gold bullion as currency until 1999. And in fact voted this year on returning to it. If you want to park money safe you park it in Switzerland. And since I come from a financial as well as an infosec background I still look at them as the same. Switzerland was neutral when the Axis powers completely surrounded them during the 1940's. They have a proven track record I wouldn't exactly discount
Sign In or Register to comment.