1. 5

I recently ran across ProtonMail, which is interesting in that email encryption and decryption happen locally in the client, and in that ProtonMail-to-ProtonMail messages are end-to-end encrypted.

I realized that I have no idea how I would ensure that my communications can’t be trivially read without my knowledge by, for example, the US government - Even if I switch to ProtonMail, I’ve got to resort to the dubious practice of decrypting my email on a device that might easily have a factory-installed keylogger and/or malware for reading the key.

In the worst case, the NSA has “reflections on trusting trust”ed all the software on my machine, including all relevant compilers, binary analysis tools, and emulators. This seems pretty unlikely, but would I really be able to tell?

Disregarding this last possibility since it seems too hard to protect against, and hopefully too difficult to accomplish in the first place, what’s my best bet for a computing environment that can be safely connected to the internet to send and receive email that only the correspondents will be able to see?

My best guess is something like a Novena laptop running OpenBSD and using ProtonMail and nothing else, with some kind of data shredding on shutdown. Is there something better? Is this a doomed thought experiment? I look forward to any thoughts or new sources of tinfoil.

  1.  

  2. 3

    Serious question from a fully paid up member of the tinfoil hat brigade: Why protonmail?

    Don’t forget that if you’re sending messages you also have to consider the recipient. If your hardware is hosed, theirs may well be too. On that basis perhaps mail should be avoided depending on your threat model.

    One option would be to use something like a BeagleBone black as it’s open source and I believe verifiable.

    Another option would be to use a disconnected host for creating, encrypting and viewing messages then a separate host for relaying. This was the basis for a project I did (and cancelled) a few years back.

    1. 1

      Yeah, I guess I’m imagining that I’d be able to give my correspondents their own copy of the setup, and instructions on how to use it. I’m definitely not expecting that emails I send to random people will magically be safe from now until the end of time.

      1. 2

        If you’re talking about dedicated hardware at both ends, why not signal?

        1. 1

          Signal’s proprietary central server and TOFU-oriented protocol add a lot of attack surface that doesn’t exist in other approaches.

      2. 1

        The answer to the question “why protonmail” is mainly that I’m not sure what else to do. I have long given up hope that I’ll ever convince anyone to manually use PGP. Protonmail is a platform that I might be able to convince people to use; - has a nice UI and can conform to people’s existing habits and tools.

        Edit: Reading this next to my other response does seem to make it clear that I’m confused about how other people ought to relate to the hypothetical system involved here. Obviously they can’t be allowed to just use their phones to read messages, so I’m not sure in what sense they should be allowed to stick with their existing habits.

        1. 1

          if it’s just secure email wouldn’t spiped suffice?

      3. 2

        Isnt protonmail on the browser? That seems like a hell of a big leap of trust to make already. You’d be better off encrypting (and hosting, well this is debatable, but the less actors involved the better no?) it yourself.

        1. 2

          If you assume that the adversary could change protonmail’s encryption script, that adversary also could’ve modified the crypto software in your OS’s repository…

          1. 5

            I think superpat was implying anything depending on a browser just made the security equivalent to finding a hole in the browser. That happens a lot. In high-assurance security, the standard way to do secure email was a combination of proxies and/or guards. The proxies are what matters here where they were in their own process sitting between the native client and the network. They handled the crypto. You could write them pretty memory-safely. You couldn’t do that if relying on a common browser.

            1. 2

              ^^this

        2. 2

          Look into Qubes if you’re feeling truly paranoid.

          1. 4

            It only runs on backdoored platforms that get a lot of scrutiny from black hats, too. Last I checked, also on a virtualization platform not built for security. So, one must consider who has the backdoors and rate of bugs found in threat analysis. Although paranoids don’t trust computers at all, the safest option is still probably Leon3’s GPL edition since all the hardware was open. One could get silicon, FOSS drivers, etc. Just need one, big fundraiser. :)

            Note: Alternatively, a recent design like Rocket (RISC-V) or OpenPITON. I like highlighting Leon3 since it’s just been siting there waiting for FOSS to use for years without any action.

          2. 2

            OpenVPN on your private hw/vps and all traffic over that. Your own DNS, your own mailserver.

            1. 1

              If you want some examples for OpenBSD:

              Mailserver OpenVPN

            2. 1

              Funny, I just read this article on how most PGP mail clients have some serious security flaws right after I read this post. I was already inclined to think that really secure email for like 99% of possible uses is hopeless. The most important issue IMO is that whoever you are communicating with is likely to be less paranoid/concerned about this than you are.

              The other thing - the NSA and any other potential adversary combined just don’t have the analysis bandwidth or storage to do anything useful with the amount of data they would get from compromising everyone in this way. If they have such valuable vulnerabilities, they aren’t going to spread them all around the world and risk them getting discovered and patched at any time in exchange for data volume that they can’t store or analyze. They save them for very limited application against high-value targets.

              I’m not saying they don’t gather massive reams of data where they can do so easily. I do think they don’t want to put their most valuable vulnerabilities at risk of discovery without getting something they really want out of it. Look at how many vulnerabilities made it out into the wider internet and were discovered and patched when that Flame malware spread farther than its controllers intended on the open internet.