I'm always skeptical of browser/JS based crypto, but it is nice to see that they're at least upfront with the risks involved in doing such a thing.
They probably downplay the risk of a MITM attack a little much, but otherwise I'm glad to see they're realistic about possible weaknesses of the platform.
Plus, they're offering self-destructing e-mails, which is impossible to provide, so already there's a bit of snake oil there. If they said, "It's not possible to provide real self-destructing e-mails, but you can set it up so that (assuming you trust us), we'll delete the messages from our servers after a certain amount of time, which is the best anyone can do." Instead they say that they are "more ephemeral than SnapChat."
Edit: here is what they say: "Forever Free
We believe privacy is a fundamental human right and should be available for everyone. That's why we offer multi-tiered pricing including a free version that anyone can use. Let's bring privacy back to the people!"
BUT, and it's a big but, I'd only use it for normal e-mails, just because I want to raise a big enough obstacle for NSA to read even my normal e-mails. However, I would not use it for anything too sensitive. I don't trust ProtonMail for that, and since it doesn't have real end to end encryption, you have to trust ProtonMail.
I can't write messages with my preferred mail client, can't read messages with my preferred mail client and I can't access my (old) messages while offline. Non-protonmail-users will receive a notification with a link that they received a message, not the actual message that they can keep for archiving purposes, offline use etc. I wonder if and how they handle searching mailboxes.
Neat, but not mail.
edit: typo. darn.
disclaimer: I am a software engineer at Virtru. Happy to address any questions/comments!
No? Both S/MIME and GPG provide E2E encryption and work with traditional mail clients. Both provide offline access. They also have their problems, but that's another story.
My point is: This is a neat system. It certainly has its own set of advantages and disadvantages, but it's a centralized system that does not work very much like mail. So don't call it mail.
Unless you and your recipient use something like GnuPG.
I'm not sure that having a Swiss company makes any difference in a case where people have ties to the US. Does anyone else know better than me on this topic?
edit: It looks like the goal is that you don't even have to trust protonmail: "For this reason, we are also unable to do password recovery. If you forget your decryption password, we cannot recover your data." https://protonmail.ch/pages/security_details.php
Sorry to say, but that goal is unachievable with that setup. They provide you with the code that does the decryption. It's a simple thing to enable that code to send back the decryption password and store it on their servers. So every time you decrypt a message, you'd either have to evaluate all the javascript they send your browser, or put your messages at risk.
There's a similar problem with GPG/SMIME implementations: I have to trust the people writing that decryption code, but that's a bit simpler - they can't easily target me directly and the churn is much lower.
Note that France and Germany probably have much more direct dealings with Switzerland than the US has -- so pressure from these governments/the EU is more likely to hold sway, than any direct pressure from the US (but, as with all things, if a nation state considers you a legitimate it's probably game over anyway).
[edit: see other comment wrt MIT -- I was probably too optimistic.]
[0] https://twitter.com/StackSmashing/status/474214532114812928
All you needed to do was send an email which contained a From header with script embedded in the name part:
From: "<script>Do evil</script>" <address@example.com>
All I did to find this vulnerability was sign up for an account and then plonk the email address they gave me into https://emailprivacytester.com/ (of which I am the author).
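The From header described in the comment above, as an added example that is not part of the original thread and is not ProtonMail's code: it contrasts a webmail sender label built by string concatenation with one that HTML-escapes the display name and address first. The function names (`parseFrom`, `renderSenderUnsafe`, `renderSenderSafe`) and the `<span>` markup are assumptions made for illustration.

```javascript
// Added example. Function names and markup are hypothetical; the sample
// header is the one quoted in the thread.
const SAMPLE_FROM = '"<script>Do evil</script>" <address@example.com>';

// Split a From header value into display name and address.
// Handles "Quoted Name" <addr>, Bare Name <addr>, and a bare address.
function parseFrom(headerValue) {
  const re = /^\s*(?:"((?:[^"\\]|\\.)*)"|([^<]*?))\s*<([^<>\s]+)>\s*$/;
  const m = re.exec(headerValue);
  if (!m) return { name: "", address: headerValue.trim() };
  const raw = m[1] !== undefined ? m[1].replace(/\\(.)/g, "$1") : m[2];
  return { name: raw.trim(), address: m[3] };
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape every character that can change HTML parsing context,
// in element content and in quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: sender-controlled text is concatenated into markup,
// so the display name is parsed as HTML by the recipient's browser.
function renderSenderUnsafe(headerValue) {
  const { name, address } = parseFrom(headerValue);
  return `<span class="sender" title="${address}">${name || address}</span>`;
}

// Hardened pattern: every header-derived value is escaped at the point of
// output. In DOM code, assigning to textContent gives the same guarantee.
function renderSenderSafe(headerValue) {
  const { name, address } = parseFrom(headerValue);
  const label = escapeHtml(name || address);
  return `<span class="sender" title="${escapeHtml(address)}">${label}</span>`;
}

console.log(renderSenderUnsafe(SAMPLE_FROM));
console.log(renderSenderSafe(SAMPLE_FROM));
```

Escaping at output rather than stripping tags at ingest keeps the stored message intact and covers the other header fields a mail UI displays, such as Subject and Reply-To.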
Emphasis mine. That doesn't sound like E2E encryption to me. End to end means it's encrypted user-to-user, not server to user, or user to server to user. It sounds more like they have something slightly more secure than an e-mail service like Gmail, but still very vulnerable to subpoenas, backdoors and so on.
This part is only noting that inter-user messages never even leave their 'secured environment'. By all accounts it does seem as well secured as any other provider I've looked into.
I also wonder about their claim to "expire" mails -- I assume they mean only for mails internal to protonmail -- as any other expiry would have to rely on the recipient using a cooperating pgp/gpg and/or cooperating pop/imap client.
I understood 'expiring' mails to mean those accessed directly on their servers, following notification by email, subsequently deleted at the pre-agreed time. I could just have an active imagination.
Don't get me wrong, I'm not fully sold on the outfit, particularly for practical reasons, but am intrigued.
From the threat model article here: https://protonmail.ch/blog/protonmail-threat-model/
"NOT RECOMMENDED:
Edward Snowden – If you are Edward Snowden, or the next Edward Snowden, we would not recommend that you use ProtonMail. And in case Mr. Snowden was foolish enough to try, we have already blocked the username snowden@protonmail.ch"
Running infrastructure in those DC's can't be cheap (compared to regular co-lo facilities). That's on top of probably having to deploy more gear (or higher perf gear than a regular email provider) since the work load is probably CPU heavy.
True end to end encryption would mean everything is transferred as an encrypted thing, and only people with a key can open it. If any email you send out ultimately is unencrypted so that the other side can read it, we aren't much closer than where we started are we?
If an email ends up in an unencrypted IMAP mailbox on a server somewhere, how is that more secure than what happens now?
Presumably they'll have some way to distribute the password in some ephemeral or slightly out-of-band way. It's probably less secure than messages within their environment, but it shouldn't ever hit another mailserver in plaintext (ideally ProtonMail wouldn't even have the plaintext anyway).
So it really depends on your threat model. This service is somewhat more secure than Lavabit, but incrementally and not by leaps and bounds. It also constrains the attack model (in the Lavabit model they could be coerced to give the plaintext directly, in this case they would need to be coerced to actively steal their users' private keys).
And even if it would be application based (PGP, S/MIME), it would still leak metadata like crazy.
With all the threat models, I come to the conclusion, that there is no real E2E possible _at_all. All known platforms have been compromised, either by lawful interception/state trojan means or by direct hacking.
Great!
Is this a unicorn or moon on a stick statement? [1]
EDIT: Just to expand on that a little. For as long as Snowden sports a TOR sticker on his laptop, or until I hear otherwise, I'll continue to recommend its use for basic privacy needs. And as mikegioia notes, it is only used on the front page. You could also block the script, failing that!