ProtonMail
Screenshot Screenshot of the ProtonMail website, showing the user's inbox and a composer window. | |
Web address |
protonmail |
---|---|
Commercial | Yes |
Type of site | Webmail |
Registration | Required |
Available in | English |
Users | 1 million (December 2015 ) |
Content license | MIT License |
Written in | PHP and Javascript |
Owner | Proton Technologies AG |
Created by |
|
Launched | 16 May 2014 |
Alexa rank | 10,698 (May 2016)[1] |
Current status | Active |
ProtonMail is a free and web-based encrypted email service founded in 2013 at the CERN research facility by Jason Stockman, Andy Yen and Wei Sun.[2][3][4] ProtonMail is designed as a zero-knowledge system,[note 1] using client-side encryption to protect emails and user data before they are sent to ProtonMail servers, in contrast to other common webmail services such as Gmail and Hotmail. ProtonMail is run by Proton Technologies AG, a company based in the Canton of Geneva, and its servers are located at two locations in Switzerland, outside of US and EU jurisdiction.[5]
The service received initial funding through a crowdfunding campaign and will be sustained long-term by multi-tiered pricing, although the default account setup is free. As of December 2015, ProtonMail has approximately 1 million users.[6] In March 2016, ProtonMail opened up to the public and stopped being invite-only. The company is also launching free iOS and Android apps.[7]
Features
ProtonMail is designed a zero-knowledge system. ProtonMail accounts use two user passwords: a login password and mailbox password. The first authenticates the user into the ProtonMail system, whereas the second decrypts the user's electronic mailbox, which contains received messages, contacts, and user information. This decryption takes place client-side in a web browser and uses the mailbox password which is known only to the user. ProtonMail also offers end-to-end encryption for emails sent from ProtonMail to non-ProtonMail users. This system prevents ProtonMail from recovering the mailbox password so ProtonMail cannot decrypt user messages under a court order.[8]
Similar to services like Snapchat and Telegram, ProtonMail also includes a message expiration feature that allows encrypted emails to self-destruct after a period of time.[9]
Servers
ProtonMail administrators maintain and own their server hardware and network in order to avoid trusting a third party. They maintain two redundant data centers in Lausanne and Attinghausen (in the former K7 military bunker[10]), Switzerland. Each datacenter uses load balancing across web, mail, and SQL servers, redundant power supply, hard drives with full disk encryption, and exclusive use of Linux and other open-source software.[11] Their main datacenter is located under 1,000 meters of granite rock.[9][12] In December 2014, ProtonMail has joined the RIPE NCC in an effort to have more direct control over the surrounding Internet infrastructure.[13]
Since the datacenters are located in Switzerland, they are legally outside of US and EU jurisdiction. Under Swiss law, all surveillance requests from foreign countries must go through a Swiss court, are subject to international treaties, and surveillance targets are notified and may appeal the request in court. Additionally, ProtonMail is outside the scope of the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic, a law which governs lawful Swiss interception of electronic communications.[14]
Security
ProtonMail uses a combination of public-key cryptography and symmetric encryption protocols to offer end-to-end encryption. When a user creates a ProtonMail account, their browser generates a pair of public and private RSA keys. The public key is used to encrypt the user's emails and other user data. The private key, which is capable of decrypting the user's data, is symmetrically encrypted with the user's mailbox password in the user's web browser using AES-256. The public key and the encrypted private key are then both stored on ProtonMail servers. Thus, ProtonMail stores decryption keys only in their encrypted form, so ProtonMail developers are unable to retrieve user emails or reset user mailbox passwords.[15]
An email sent from one ProtonMail account to another is automatically encrypted with the public key of the recipient. Once encrypted, only the private key of the recipient can decrypt the email. When the recipient logs in, their mailbox password decrypts their private key and unlocks their inbox. Emails sent from ProtonMail to non-ProtonMail email addresses may be sent with or without encryption. With encryption, the email is encrypted with AES under a user-supplied password and then stored on ProtonMail's servers. The recipient receives a link to the ProtonMail website on which they can enter the password and read the decrypted email. ProtonMail assumes that the sender and the recipient have exchanged this password through a back channel.[15]
ProtonMail exclusively supports HTTPS and uses TLS with 2048-bit key exchange to encrypt all Internet traffic between users and ProtonMail servers. Their 4096-bit RSA SSL certificate is signed by QuoVadis Trustlink Schweiz AG and supports Extended Validation and Certificate Transparency.[16] Protonmail.com holds an "A+" rating from Qualys SSL Labs.[17]
In September 2015, ProtonMail added native support to their web interface and mobile app for Pretty Good Privacy (PGP). This allows a user to export their ProtonMail PGP-encoded public key to others outside of ProtonMail, enabling them to use the key for email encryption. The ProtonMail team plans to support PGP encryption from ProtonMail to outside users.[18]
Vulnerabilities
A video demonstrating a cross-site scripting attack was shown in July 2014.[19] The ProtonMail developers reviewed the video and confirmed that the issue affected an early development version of ProtonMail that was released in May 2014. The attack did not affect the then-current version.[20]
Interface
ProtonMail provides a web interface for accessing user emails, contacts, and user settings. The default layout of the interface places mailbox folders along the left side of the screen, a search bar and controls across the top, and email messages in the remaining space. The user also has the ability to provide a third-party theme and choose between two different styles for the email composition area and two different layouts for their Inbox.[21][22] The source-code for the web interface, including all client-side encryption methods, is available on GitHub under the MIT License.[23]
History
Development
On 16 May 2014, ProtonMail entered into public beta.[24] Within three days, ProtonMail was met with an overwhelming response and was forced to temporarily suspend beta signups while they worked to expand server capacity.[25]
On 31 July 2014, ProtonMail received US$550,377 from 10,576 donors through a crowdfunding campaign on Indiegogo, while aiming for US$100,000.[26] During the campaign, PayPal froze ProtonMail's PayPal account, thereby preventing the withdrawal of US$251,721 worth of donations. PayPal stated that the account was frozen due to doubts of the legality of encryption, statements that opponents said were unfounded.[27][28] The restrictions were lifted the following day.[29]
On 18 March 2015, ProtonMail received US$2 million from Charles River Ventures and the Fondation Genevoise pour l'Innovation Technologique (Fongit).[30]
On 13 August 2015, ProtonMail released version 2.0, which was the most significant update in ProtonMail's history and included a new codebase for its web interface and introduced significant performance enhancements. The ProtonMail team simultaneously released the source-code for the web interface under an open-source license.[31]
2015 DDoS attacks
From 3 to 7 November 2015, ProtonMail was under several DDoS attacks that made the service largely unavailable to users.[32] ProtonMail believed that it was affected by two separate attacks, the first led by a group of hackers known as the Armada Collective and the second by an unknown, more technically advanced group with abilities similar to a state-sponsored group. The first attack was tied to a ransom of 15 Bitcoins (roughly US$6,000) which ProtonMail eventually paid due to pressure from ISPs and other companies affected by the attack. The DDoS attacks, however, did not stop and instead began to take on more sophistication, with rates exceeding 100 Gbit/s. The company received an email from the Armada Collective in which they denied responsibility for the ongoing attack.[33][34][35][36] During the attack, the company stated on Twitter that it was looking for a new data centre in Switzerland, saying that "many are afraid due to the magnitude of the attack against us". They have since posted that they "have a comprehensive long term solution which is already being implemented".[34][37]
See also
Notes
- ↑ Zero-knowledge mail systems are mail systems that prevent access to the email messages it hosts to everyone, including the individuals or corporations hosting its data and/or operating such systems. While such individuals or corporations may gain physical access to the messages in encrypted form, access in any human-readable or machine-readable form is blocked through encryption mechanisms. The encryption keys are held only by the actual owners of the mailboxes.
References
- ↑ "ProtonMail.com Site Info". Alexa Internet. Retrieved 5 May 2016.
- ↑ "ProtonMail is Open Source!". ProtonMail. 13 August 2015. Retrieved 19 October 2015.
- ↑ Biggs, John (23 June 2014). "ProtonMail Is a Swiss Secure Mail Provider That Won't Give You up to the NSA". TechCrunch. Retrieved 19 October 2015.
- ↑ Suberg, William (30 June 2014). "ProtonMail collects over US$10,000 in BTC donations in 6 weeks". The Cointelegraph. Retrieved 19 October 2015.
- ↑ "Why Switzerland?". ProtonMail. 19 May 2014. Retrieved 19 October 2015.
- ↑ Steier, Henning (16 December 2015). "Protonmail Ende Januar offen für alle". Neue Zürcher Zeitung (in German). Retrieved 24 February 2016.
- ↑ http://motherboard.vice.com/en_ca/read/protonmail-the-easy-to-use-encrypted-email-service-opens-up-to-the-public
- ↑ Khandelwal, Swati (26 May 2014). "ProtonMail: 'NSA-Proof' End-to-End Encrypted Email Service". The Hacker News. Retrieved 19 October 2015.
- 1 2 "ProtonMail Security Details". ProtonMail. 31 January 2016. Retrieved 31 January 2016.
- ↑ "Datacenter Attinhausen". SRF. 5 September 2012. Retrieved 19 February 2016.
- ↑ Yen, Andy (17 December 2014). "Infrastructure Upgrades". ProtonMail. Retrieved 19 October 2015.
- ↑ Patterson, Dan (13 November 2015). "Exclusive: Inside the ProtonMail siege: how two small companies fought off one of Europe's largest DDoS attacks". TechRepublic. Retrieved 31 January 2016.
- ↑ Yen, Andy (17 December 2014). "ProtonMail joins Réseaux IP Européens (RIPE NCC)". ProtonMail. Retrieved 19 October 2015.
- ↑ "Why Switzerland?". 19 May 2014. Retrieved 31 January 2016.
- 1 2 "How are ProtonMail keys distributed?". Stackexchange. 22 May 2014. Retrieved 19 October 2015.
- ↑ "SSL Certificate Update". Qualys SSL Labs. 19 January 2016. Retrieved 31 January 2016.
- ↑ "SSL Report: protonmail.com". Qualys SSL Labs. 7 March 2016. Retrieved 7 March 2016.
- ↑ "ProtonMail adds Facebook PGP integration". ProtonMail. 22 September 2015. Retrieved 19 October 2015.
- ↑ Hacking protonmail - with a browser. Vimeo. 30 June 2014. Retrieved 19 October 2015.
- ↑ "Update about reported XSS issue". ProtonMail. 8 July 2014. Retrieved 19 October 2015.
- ↑ "ProtonMail Composer". Retrieved 31 January 2016.
- ↑ "How to change the layout of the inbox". Retrieved 31 January 2016.
- ↑ "Official AngularJS Web Client for ProtonMail". Github. 31 January 2016. Retrieved 31 January 2016.
- ↑ "ProtonMail now in Public Beta!!". ProtonMail. 16 May 2014. Retrieved 31 January 2016.
- ↑ "Über-Secure ProtonMail Beta Maxes Out Servers in Just 60 Hours". Infosecurity Magazine. 22 May 2014. Retrieved 19 October 2015.
- ↑ "ProtonMail". Indiegogo. 31 July 2014. Retrieved 19 October 2014.
- ↑ Halfacree, Gareth (1 July 2014). "ProtonMail hit by PayPal account freeze". bit-tech. Retrieved 19 October 2015.
- ↑ Howell O'Neill, Patrick (1 July 2014). "PayPal freezes account of email encryption startup ProtonMail [Update]". The Daily Dot. Retrieved 19 October 2015.
- ↑ Yen, Andy (30 June 2014). "Paypal Freezes ProtonMail Campaign Funds". ProtonMail. Retrieved 19 October 2015.
- ↑ Yen, Andy (18 March 2015). "ProtonMail has raised $2M USD to protect online privacy". ProtonMail. Retrieved 19 October 2015.
- ↑ Yen, Andy (16 May 2014). "ProtonMail goes Open Source with version 2.0". ProtonMail. Retrieved 31 January 2016.
- ↑ Leyden, John (5 November 2015). "ProtonMail still under attack by DDoS bombardment". The Register. Retrieved 5 November 2015.
- ↑ "DDOS Update". ProtonMail. 5 November 2015. Retrieved 5 November 2015.
- 1 2 "ProtonMail Statement about the DDOS Attack". ProtonMail. 5 November 2015. Retrieved 5 November 2015.
- ↑ "Armada Collective Blackmails Swiss Hosting Providers". Swiss Governmental Computer Emergency Response Team. 22 September 2015. Retrieved 6 November 2015.
- ↑ Fox-Brewster, Thomas (5 November 2015). "ProtonMail Pays Crooks $6,000 in Bitcoin to Cease DDoS Bombardment". Forbes. Retrieved 5 November 2015.
- ↑ ProtonMail (5 November 2015). "We are seeking a datacenter in Switzerland brave enough to host ProtonMail, many are afraid due to the magnitude of the attack against us." (Tweet).
External links
Wikimedia Commons has media related to ProtonMail. |