ProtonMail with full PGP Support and Address Verification - gHacks Tech News

ProtonMail yesterday announced two new security-related features and improvements, available to all users of the secure email provider.

Address Verification is a new security feature that leverages ProtonMail's Encrypted Contacts feature. Encrypted Contacts allows you to trust the public keys of contacts so that the contact data is encrypted and digitally signed.

ProtonMail states that no one can tamper with the data once it has been trusted; this eliminates the risk associated with a compromise of the ProtonMail service and the sending of fake public encryption keys to read confidential messages.

The default state on ProtonMail is that the service distributes cryptographic keys needed for communication; this was done to make the process as straightforward as possible.

When ProtonMail users enable the new security feature, they can enforce the use of specific keys that neither the ProtonMail server nor anyone else can change or tamper with.

To configure trusted keys for a particular user on ProtonMail do the following:

  1. Go to Contacts.
  2. Select the contact from the list that you want to configure trusted keys for.
  3. Click on the advanced settings gear icon next to the email address.
  4. Toggle Trusted Keys to on, and select the key that you want to trust from the list of available public keys.

Trusted senders have a special icon attached to their email address to indicate the enhanced security status.

ProtonMail users can check out this help article on the ProtonMail website for additional information.

Full PGP Support

The second new feature that ProtonMail launched improves PGP Support. The cryptography that ProtonMail uses is based on PGP.

The two new additions to PGP support are:

  • Option to import public keys from contacts to send PGP encrypted emails to non-ProtonMail contacts.
  • Export your public ProtonMail PGP key and share it with non-ProtonMail contacts so that they can send PGP email to your account.

ProtonMail launched a new public key server that should make key discovery even easier. For ProtonMail customers, the process is automatic and Address Verification can be used to make it more secure. Non-ProtonMail users can now grab the public key of ProtonMail users if they cannot retrieve it through other means.

The address of the public key server is hkps://api.protonmail.ch. Note that it cannot be accessed through the browser. Public keys can be downloaded directly by using https://api.protonmail.ch/pks/lookup?op=get&[email protected]
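
A key downloaded from a key server is only as trustworthy as the server, so the check that matters is comparing its fingerprint with one obtained out of band. The Python below is an added example, not ProtonMail's code or part of the original article: it computes the OpenPGP version 4 fingerprint of an armored public key and compares it with a pinned value. The function names and the sample keys are constructed for the example, and self-signatures are not verified.

```python
import base64
import hashlib

def dearmor(armored):
    """Return the binary OpenPGP data inside an ASCII-armored key block."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
        raise ValueError("not an armored public key")
    body = lines[lines.index("") + 1:-1]  # armor headers end at the blank line
    # The optional CRC-24 line starts with "=" and is not part of the data.
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def first_packet(data):
    """Return (tag, body) of the first OpenPGP packet (RFC 4880, section 4.2)."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:  # new-format header: one- or two-octet body length
        tag, o1 = hdr & 0x3F, data[1]
        if o1 >= 224:
            raise ValueError("unsupported length encoding for a key packet")
        start, length = (2, o1) if o1 < 192 else (3, ((o1 - 192) << 8) + data[2] + 192)
    else:  # old-format header: low two bits select 1, 2 or 4 length octets
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1 << ltype)
        length = int.from_bytes(data[1:start], "big")
    if len(data) < start + length:
        raise ValueError("truncated packet")
    return tag, data[start:start + length]

def v4_fingerprint(armored):
    """SHA-1 over 0x99, two-octet length and key packet body (RFC 4880, 12.2)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("first packet is not a version 4 public key")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def key_matches_pin(armored, pinned):  # True only if the served key is the pinned one
    return v4_fingerprint(armored) == pinned.replace(" ", "").upper()

def constructed_key(fill):
    """Constructed, non-functional RSA key packet used only as sample input."""
    mpi = lambda b: int.from_bytes(b, "big").bit_length().to_bytes(2, "big") + b
    body = b"\x04" + bytes(4) + b"\x01" + mpi(bytes([fill]) * 64) + mpi(b"\x01\x00\x01")
    packet = base64.b64encode(b"\x99" + len(body).to_bytes(2, "big") + body).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{packet}\n-----END PGP PUBLIC KEY BLOCK-----"
```

A key that parses but whose fingerprint differs from the pin should be rejected rather than silently accepted as a key rotation.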

Now You: Do you encrypt your email?


Comments

  1. nobody said on July 26, 2018 at 10:03 am

    Nice article, I wonder if all the effort is for nothing taking into account this “small” hardware add-on:

    boingboing.net/2016/06/15/intel-x86-processors-ship-with.html

    1. John Fenderson said on July 26, 2018 at 9:00 pm

      A little insider info here — I worked on software that interacts with the ME for a number of years, and while I wouldn’t say I’m an expert, I do have a fair amount of working knowledge of it. The answer is: yes, encrypting your stuff on your own machine is still worthwhile regardless of the presence of ME.

      ME does present some security issues (although they are greatly exaggerated in the tech media), but it’s also possible to block access to the ME by using an external firewall to block access to ports 16992 – 16995.

      1. Clairvaux said on July 27, 2018 at 5:08 am

        What is ME ?

      2. Hy said on July 27, 2018 at 11:30 am

        Clairvaux said: “What is ME?”

        “Management Engine” from Intel. It’s discussed in the boingboing link above.

        P.S. Thanks for your presence here. I always enjoy reading your comments.

      3. John Fenderson said on July 27, 2018 at 4:32 pm

        The Management Engine. It’s an independent computer that exists in the same die as the Intel processor, and it is what the article nobody linked to is talking about.

        The intention is to allow enterprises to be able to do maintenance on computers regardless of the state the computer is in (turned off, missing/inoperable operating system, etc.) The security concerns of this are pretty obvious.

        This hit the news a while back because someone found a security hole that could allow attackers to use it, and Intel denied it was a problem until they just couldn’t deny it anymore. Ironically, I had found the same hole years earlier and screamed my head off to them about it, but was completely ignored.

  2. toto totti said on July 26, 2018 at 12:34 pm

    Excellent news !

    1. jasray said on July 26, 2018 at 7:33 pm

      Yes, wonderful to hear–ProtonMail and VPN is tops for many reasons.

      Nice article, Martin.

  3. Weilan said on July 26, 2018 at 12:57 pm

    I’ve been using Protonmail since spring 2017. Previously I used Outlook, but Microsoft’s policy regarding account security is horrible. I was locked out of my account, because it presumed someone else used my account, which was not the case, then it asked me to input my backup e-mail also on Outlook, which it also thought someone had used, then it asked me for the backup of the second e-mail, which I had already forgotten. The option was to tell them account info, like Skype names of users on my friends list and stuff, it never let me in again and I even lost my Steam account because of it.

    Now in Protonmail, I honestly don’t know what this update does, but it has been a great e-mail service and I intend on continuing using it.

  4. Anonymous said on July 26, 2018 at 2:40 pm

    Our email server has been inundated with spam originating from users at ProtonMail. While it is a noble concept, abusers of the service have led us to blacklist all email originating from the ProtonMail domain.

  5. GarrettW said on July 26, 2018 at 6:11 pm

    Kudos to protonmail, gnupg, enigmail, and all the others.

    HOWEVER, email encryption seems to be a non-starter. Of the 400+ email contacts in my contacts list, only 2 or 3 people communicate using encryption – 26 years after Phil Zimmermann released PGP.

    protonmail’s approach may be easy to work with – but how many people are going to drop the legacy email address they received from their ISP, their employer, or gmail?

  6. Anonymous said on July 26, 2018 at 6:50 pm

    Will be interesting to know why they use fingerprinting scripts.

    1. John Fenderson said on July 27, 2018 at 4:34 pm

      No, PGP has not been compromised. Despite the headline, what that article is talking about is the use of MIME in email. That’s what was compromised. But it’s not PGP itself.

  7. owl said on July 27, 2018 at 3:01 am

    Since e-mail is similar to a letter, I think that encryption is important from the viewpoint of “protection of personal information”.
    Previously, it was basically based on Thunderbird + Enigmail, but the other party was unable to understand how to handle decryption key, only about 2% was able to do that means.
    Protonmail is ideal. However, it was even judged as ‘spammer’ by Outlook server etc. and makes it impossible to communicate.

    Ideals and reality are divergent.
    However, I think “Protonmail” is the best for those that require confidentiality.
    E-mail is convenient, but still “letters and other postal matter” is the leading authority of reliable means (it takes time)

  8. Clairvaux said on July 27, 2018 at 5:35 am

    I use Tutanota (among many other providers), for mail which either :

    – Needs to be encrypted at rest.
    – Needs to be stripped of IP info when sent.
    – Or needs to be anonymous to the max.

    I don’t encrypt the mails in transit, although it is remarkably simple with Tutanota, because this means you need to convince the other party to a) change their usual email routine, however easy the alternative may be, b) exchange a password offline at least once.

    When you think of it, this excludes many people with which it might be beneficial to exchange encrypted emails. Good luck convincing your local tax inspector to drop his government-provided system for some fly-by-night encrypted private outfit recommended by you (as seen from his point of view) !

    Tutanota is great, compared to Proton Mail, because it enables you :

    – To open an account completely anonymously, even using Tor if needed.
    – To do it for free, or for a very low starting fee if you’re a business, or you need the extra features.

    Proton Mail is more feature-rich, it has more services, it’s bigger, and it has the Swiss cachet if you’re after such things (although Tutanota’s Made in Germany image is not bad either, I hasten to add).

    But, Proton Mail goes to great lengths in order to make it known that it does not provide anonymity (or, at least, that it does not strive to), and that it does not pretend to protect you if your adversary is a state.

    As for PGP, even high-flying security luminaries such as Bruce Schneier (and others) have declared it’s useless, because it’s so complex to get right that it will never leave the stage of scientific games, or spy usage (maybe ; I’m not privy to their mores).

    1. John Fenderson said on July 27, 2018 at 4:36 pm

      “even high-flying security luminaries such as Bruce Schneier (and others) have declared it’s useless”

      That’s overstating his point. PGP is far from useless (it’s extremely useful). Schneier’s point is about ease of use, not usefulness. But this is a fundamental tradeoff with security — the more secure something is, the more of a pain in the ass it is.

  9. Clairvaux said on July 27, 2018 at 5:02 pm

    One person asks on Proton Mail’s Reddit :

    “So if I want to send an encrypted message to my parents for example (they are not on PM), do I have to first give them a key to keep on their device and they would have to reference it whenever opening one of my emails? I don’t really understand how any of this works…”

    “I once used the feature to send an email to a friend who was not on protonmail, where I lock it and use another secure tool (like signal messenger) to email them the passcode to unlock the email. Is it still like that ?”

    And the Proton Mail team replies :

    “The easiest way honestly is to ask them to create a ProtonMail account. PGP is not really usable for non-tech people, and ProtonMail was created precisely to address this issue.”

    https://www.reddit.com/r/ProtonMail/comments/91szmf/introducing_address_verification_and_full_pgp/e30op6a

    1. John Fenderson said on July 31, 2018 at 1:53 am

      So, in other words, this “PGP support” is seriously limited.

  10. Hy said on July 28, 2018 at 7:34 am

    Reading this above from ProtonMail’s Reddit I must say that ProtonMail seems so complicated compared to StartMail. With StartMail I send and receive encrypted email with anyone no matter what email provider they use, simply by agreeing on a question-and-answer in advance.

    1. cicko said on August 1, 2018 at 4:25 pm
  11. owl said on August 3, 2018 at 10:00 am

    Ask your Question:
    https://protonmail.com/support/categories/getting-started/
    If you check “Ask your Question”
    You can understand that “there is nothing impossible” with ProtonMail.
    The problem is “skill”, “motivation” and “value” of the end user.
    In recent years, things that are easy, light (Speedy), inexpensive, skill-free are preferred.
    Most end users will not check the FAQ. Besides, they do not look intuitively and do not look for anything that takes time and effort in interactive communication.
    ProtonMail is a wonderful app, but “such people (overwhelming majority) do not understand.”
    It is a limited existence supported by “minority with insight”. However, ProtonMail, like “Tor”, is extremely noble and wonderful.
