This appears to be a PHP wrapper around OpenPGP.js. If the encryption comes from Javascript loaded by browsers from the servers every time they visit the site, the encryption isn't "end to end". It's controlled by the server and can be broken by the server.
Also: the RSA Security logo isn't the logo of the RSA algorithm; it's the logo of the company that sells RSA tokens.
I knew this is the first thing I would read. We are becoming pretty predictable.
I tire of hearing this repetitively, every time somebody attempts to take this path, but I recognize you are doing it for anybody that is new and didn't hear the other warnings.
Isn't the perfect the enemy of the good?
Can we recognize that this is a good first step, and definitely constitutes a huge improvement over gmail/yahoo type webmail solutions?
You can still quickly add a disclaimer that you hope they quickly begin the large task of development of native windows/mac/linux/ios/android apps that will remove the javascript concern.
If you spit on everything that is not perfect, you may be steering people away from taking any action to protect their privacy.
Not in this case, I don't think. If there's a way to break encryption, even in the smallest way, then it's not really encrypted, and calling it "good enough" does a disservice to people who actually expect it to be flawless.
Look at Lavabit, which was good but not perfect... everyone thought they were protected enough, and then the government came knocking and all of a sudden the little gotcha of "Well, Lavabit did have access to your data after all, even though they promised not to look and also be really careful about their encryption keys" is the crack they use to blow the entire thing open. (Though that was a pretty damn big crack, admittedly.)
If there's a way to break in, then it will be broken in to--and then "good enough" all of a sudden becomes "tragically and dangerously broken" for the kinds of people who trusted it the most: activists, whistleblowers, informants, political radicals, etc.
> Can we recognize that this is a good first step, and definitely constitutes a huge improvement over gmail/yahoo type webmail solutions?
No, it's not. "Browser crypto" in the form of JS is broken. There are many different possible attacks. So a false sense of security is actually worse than no security at all.
If you're concerned about keeping things private, having it technically sound is important. This application fails that and as a result deserves to be shot down.
There is no need for niceties when you're trying to promote something as secure when it isn't.
One can worry about making a system perfect once it solves the problem it sets out to solve. They chose to build on a platform (browsers) that has known security issues at a conceptual level, and have apparently ignored those issues while advertising an end-to-end secure service. That doesn't inspire trust. Perfect comes after working.
But but ... MIT, Caltech, Switzerland, CERN ... amirite?
No honestly, thank you for your comment and the ensuing discussion - most people get swayed by big names and such and reading sincere criticism of this sort of stuff is important and educating.
The JS doesn't appear to be compressed so it's possible to view source and see what exactly it's doing. So if it was actually backdoored, somebody will actually find out.
You can't just review "openpgp.min.js". You have to review every single Javascript input and every single DOM node, and any of them can alter the behavior of any other element of the Javascript runtime in subtle ways to subvert cryptography.
And you have to do this every time you load any page on the site, and any time any of those pages asynchronously load any content.
So, no, contrary to popular belief, this doesn't work.
You can serve different JS to "special" users once. If you're smart, you run checks "for the security of the browser environment" first to make sure it's something unlikely to contain debugging capabilities, e.g. an unmodified iOS device.
The site even helpfully asks you to identify yourself with ANOTHER username and passphrase first, making it even safer for the attacker.
Anyone that values their privacy should never trust a service like this. The idea of in-browser encryption and decryption is nothing new, and it always suffers from the fact that the server can replace the client side software at any time without warning. If you must use a browser, find a plugin that you trust that works with any webmail service. Better yet, use an actual mail client and encrypt/decrypt in that.
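The review burden raised in the comments above (every script on every page load, not only "openpgp.min.js", from a server that can change what it serves), as an added example that is not part of the thread or of the site's code: it lists every script in a fetched page and flags any whose hash is not in a reviewed set. The function names, the reviewed set and the sample HTML are constructed assumptions.

```javascript
const crypto = require('node:crypto');

// Hex SHA-256 of a script body, used as its identity in the reviewed set.
function digest(body) {
  return crypto.createHash('sha256').update(body, 'utf8').digest('hex');
}

// List every <script> element in a page: external by src, inline by body.
// A regex is enough for this constructed HTML; a real audit needs a DOM parser.
function listScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push(src ? { id: src[1], body: null } : { id: '(inline)', body: m[2] });
  }
  return scripts;
}

// Return the scripts in one page load whose content is not in the reviewed set.
// `served` maps each external src to the bytes the server returned on this load.
function unreviewedScripts(html, served, reviewed) {
  return listScripts(html)
    .map((s) => ({ id: s.id, sha256: digest(s.body ?? served[s.id] ?? '') }))
    .filter((s) => !reviewed.has(s.sha256));
}

// Constructed sample data (not taken from the site under discussion).
const LIB = 'function encrypt(msg, key) { /* reviewed library body */ }';
const reviewed = new Set([digest(LIB)]);
const loadA = '<html><script src="/openpgp.min.js"></script></html>';
const loadB = '<html><script src="/openpgp.min.js"></script>' +
  '<script>window.extra = 1; // not in the reviewed set</script></html>';
const loadC = loadA; // same HTML, but the server returns different bytes for the src

console.log(unreviewedScripts(loadA, { '/openpgp.min.js': LIB }, reviewed));
console.log(unreviewedScripts(loadB, { '/openpgp.min.js': LIB }, reviewed));
console.log(unreviewedScripts(loadC, { '/openpgp.min.js': LIB + ' ' }, reviewed));
```

A clean result describes only the load that was audited; it says nothing about what the server returns to another user or on the next request.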
I think the idea of ProtonMail is to serve the part of the population that mostly uses the browser. Obviously if you wanted to be super secure, there are more sophisticated methods out there, but they aren't exactly accessible to the non-HN population. I don't think we should say, just because a perfect browser based solution isn't possible, this shouldn't exist at all. It's like saying, do something only if you can do it perfectly.
Even if I thought this was a sensible way to describe the value of the service (I don't): that's not remotely what this site says. It makes expansive claims about security, which it can't possibly back up. Why should ordinary people be expected to trust them with secrets?
Funny, when I hear "Switzerland" I think about how just this morning I heard that the American IRS has finally broken the long standing tradition of Swiss banking privacy, and that CreditSuisse will be paying billions of dollars in fines.
> By using a CA owned by the Swiss government, we ensure the highest security for our users because it is extremely unlikely SwissSign can be coerced into validating another website impersonating us
This is a dangerous and insane misunderstanding of how the trust relationships work in the public CA system.
Any CA can impersonate any site. Your choice of CA has no bearing on your exposure to this risk.
(If this were an app or browser extension, you could plausibly pin the right certificate path to only trust SwissSign. But if you can do that, you can just pin your certificate and don't need a CA at all.)
Encryption to keys that are not properly authenticated is more unsafe than no encryption at all.
This holds up "No private / public key management." as a feature. Without key management (specifically, secure generation, storage, and authentication) encryption is worse than useless.
This is a browser addon, right?
Is everything loaded locally? If no, what prevents you from putting up some JavaScript that transfers the decryption password (or the plain text) to you?
Sorry, didn't bother to download and look for the source code, to find out how the inner mechanics work. The website doesn't give much information either.
No, it doesn't appear to be. They're at pains to say "nothing is installed", and when I created an account, it loaded "openpgp.min.js" from the server.
Yes, but neither of those descriptors apply to this product.