1. 8
  2. 4

    Time and time again. You can’t deploy crypto in the browser[0]. Being from Switzerland certainly helps, because the US government can’t just come with a gag order forcing them to decrypt users' emails, but you still have to put your full trust into the provider to live up to their promise.

    [0] http://matasano.com/articles/javascript-cryptography/

    1. 1

      Their setup is less insane than most (at least they don’t have all the plaintext data on their server locally, and use unique per-user keys). Many issues remain, like the fact that most SMTP traffic is not end-to-end encrypted, so mail comes in and often goes out in plain text. So even if the transport protocol is probably encrypted (TLS), every mail server in the delivery chain can intercept or modify the data.

      The point in the article you linked, though, is not entirely applicable here. They’re not trying to replace TLS/SSL with JavaScript client-side encryption. They’re just trying to encrypt/decrypt some data in JavaScript. Their JavaScript and probably encrypted emails are still channeled through an authenticated HTTPS connection.

      Their client-side crypto is an additional layer on top of HTTPS, which provides something HTTPS does not: the fact that the server side must not know the plaintext of the payload data.

      There is still a need to provide some kind of authentication for the JavaScript library which is doing the decrypting/encrypting, and all code calling into that library, and I’m not sure how or if they will provide this. Is there a way to sign JavaScript and warn the user about updates to such code?

      1. 1

        To me it sounds like adding a false sense of security when there’s effectively nothing stopping a sophisticated attacker or a government entity from completely reversing all efforts.

        We have seen this exact case with Lavabit before. It doesn’t help to have additional layers, if they can’t all be scraped off. It’s making money off of people’s fears without actually addressing them.

        1. 1

          Yes, but Lavabit did have the single encryption/decryption key for all his data. In the case of Protonmail, they don’t.

          So say there’s a compromise of the service where the service would continue to operate with malicious JavaScript which is sending the data in plain text (or worse, your key) to either the compromised servers or some third party. This attack is entirely plausible in the case of Protonmail.

          I’m guessing the JavaScript code that is running on the client side would be monitored by the community for changes, and you’d have to be wary of what the service is running on your end. I think a compromise like this involving changing the behaviour of their client side code would be noticed pretty quickly.

          I agree that this approach is not 100% foolproof, but it’s much harder to pull off unnoticed.

          1. 1

            > I agree that this approach is not 100% foolproof, but it’s much harder to pull off unnoticed.

            That is an interesting point, indeed. In the day and age of gag orders, auditability by the users could become an interesting feature.

    2. 3

      Just because you’re European doesn’t mean the men in black suits won’t get you. If they want to get you, they will get you. I remember Lavabit.

      1. 2

        I’ve had an account for a bit. It’s neat, but not something I feel I’d use regularly. You have a login password, which they’re aware of, and a second encryption password to decrypt your mail after logging in. Your private key for the encryption is stored on their servers. Protonmail -> Protonmail emails are encrypted “end to end”, but it’s not clear to me what happens with your mail when a non-protonmail account sends you something… I think it just sits unencrypted until the next time you log in.

        When you want to encrypt something for non-protonmail users, they get a (styled, with HTML/JS I think) email, asking them to click a link and enter a password that you gave them out of band to decrypt the message (all done in a browser).

        Overall, it’s nice if you’re only emailing other people with protonmail accounts, but clunky if not. I’m not even sure that it provides a better UI than Enigmail/GPG + Thunderbird.

        1. 1

          I really like it. It’s still in beta and there’s room for improvement but I see it becoming a really solid tool.
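
The thread above asks how users could notice changes to the JavaScript a mail service delivers. As an added example that is not part of the original discussion and not the service's own code, this Node.js sketch compares Subresource-Integrity-style SHA-384 digests of the scripts a client received against a manifest pinned from a reviewed release. The paths, script bodies and function names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// SRI-style digest: "sha384-" + base64(SHA-384(body)).
function sriDigest(body) {
  return "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");
}

// Pin a reviewed snapshot: { path: body } -> { path: digest }.
function buildManifest(assets) {
  return Object.fromEntries(
    Object.entries(assets).map(([path, body]) => [path, sriDigest(body)]));
}

// Compare what this client was actually served against the pinned manifest.
function auditAssets(pinned, served) {
  const report = { changed: [], added: [], missing: [] };
  for (const [path, body] of Object.entries(served)) {
    if (!Object.hasOwn(pinned, path)) report.added.push(path);
    else if (pinned[path] !== sriDigest(body)) report.changed.push(path);
  }
  for (const path of Object.keys(pinned)) {
    if (!Object.hasOwn(served, path)) report.missing.push(path);
  }
  for (const list of Object.values(report)) list.sort();
  report.ok = report.changed.length + report.added.length + report.missing.length === 0;
  return report;
}

// Constructed sample data: script bodies from a reviewed release ...
const REVIEWED_RELEASE = {
  "/js/crypto-lib.js": "/* constructed: crypto library v1 */",
  "/js/app.js": "decryptMailbox(passphrase);",
};
// ... and what the server hands out today (also constructed).
const SERVED_TODAY = {
  "/js/crypto-lib.js": "/* constructed: crypto library v1 */",
  "/js/app.js": "decryptMailbox(passphrase); /* constructed: altered build */",
  "/js/extra.js": "/* constructed: script not in the reviewed release */",
};

function demo() {
  return auditAssets(buildManifest(REVIEWED_RELEASE), SERVED_TODAY);
}
console.log(demo());
```

The check only means something if the pinned manifest is obtained through a channel other than the server being audited, and it covers only the responses this particular client received.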