ProtonMail with full PGP Support and Address Verification
ProtonMail announced two new security-related features yesterday, both available to all users of the secure email provider.
Address Verification is a new security feature that builds on ProtonMail's Encrypted Contacts feature. Encrypted Contacts stores contact data encrypted and digitally signed; Address Verification uses that signed store to record which public key you trust for a given contact.
ProtonMail states that no one can tamper with the data once a key has been trusted. This addresses the risk that a compromise of the ProtonMail service could be used to serve a fake public key for a contact, so that messages encrypted to that key could be read by an attacker instead of the intended recipient.
By default, ProtonMail's servers distribute the public keys needed for encrypted communication. This keeps the process as straightforward as possible, but it means users rely on the server to hand out the right key.
With the new feature, users can pin a specific key for a contact, and neither the ProtonMail server nor anyone else can change or tamper with that choice.
To configure trusted keys for a particular contact on ProtonMail do the following:
- Go to Contacts.
- Select the contact from the list that you want to configure trusted keys for.
- Click on the advanced settings gear icon next to the email address.
- Toggle Trusted Keys on, and select the key you want to trust from the list of available public keys.
Trusted senders have a special icon attached to their email address to indicate the enhanced security status.
ProtonMail users can check out this help article on the ProtonMail website for additional information.
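The following is an added example, not ProtonMail's own code, showing the principle behind key pinning as described above: a trust record for a contact is stored under an integrity check that only the user can produce, and the key the server offers at send time is compared against the pinned fingerprint. Assumptions: an HMAC with a user-held secret stands in for the user's private-key signature over contact data, SHA-256 over the raw key bytes stands in for a real OpenPGP fingerprint, and the keys and addresses are constructed demo values.

```python
import hashlib
import hmac
import json


class KeyMismatch(Exception):
    """Server offered a key that differs from the one pinned for the contact."""


class TamperedRecord(Exception):
    """Stored trust record failed its integrity check."""


def fingerprint(public_key: bytes) -> str:
    # OpenPGP derives fingerprints from the key packet (RFC 4880 section 12.2);
    # SHA-256 over the raw key bytes is a stand-in so this runs without a PGP library.
    return hashlib.sha256(public_key).hexdigest()


class TrustedContacts:
    def __init__(self, signing_secret: bytes):
        # Stand-in for the user's own private key, which signs the encrypted contact
        # data. The server never holds it, so it cannot forge a valid record.
        self._secret = signing_secret
        self.records = {}   # email -> {"payload": json, "mac": hex}

    def _mac(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), "sha256").hexdigest()

    def trust(self, email: str, public_key: bytes) -> None:
        """Pin the given key for the contact (the 'Trusted Keys' toggle)."""
        payload = json.dumps({"email": email, "fingerprint": fingerprint(public_key)},
                             sort_keys=True)
        self.records[email] = {"payload": payload, "mac": self._mac(payload)}

    def select_key(self, email: str, server_key: bytes) -> bytes:
        """Return the key to encrypt to, refusing a swapped key or a forged record."""
        record = self.records.get(email)
        if record is None:
            return server_key   # default mode: trust whatever the server distributes
        if not hmac.compare_digest(self._mac(record["payload"]), record["mac"]):
            raise TamperedRecord(email)
        pinned = json.loads(record["payload"])["fingerprint"]
        offered = fingerprint(server_key)
        if not hmac.compare_digest(pinned, offered):
            raise KeyMismatch(f"{email}: pinned {pinned[:16]}..., server offered {offered[:16]}...")
        return server_key


# Constructed demo data (not real keys):
ALICE_SECRET = b"alice-private-key-stand-in"
BOB_KEY = b"-----BOB PUBLIC KEY (constructed)-----"
MALLORY_KEY = b"-----MALLORY PUBLIC KEY (constructed)-----"


def demo() -> dict:
    contacts = TrustedContacts(ALICE_SECRET)
    contacts.trust("bob@example.com", BOB_KEY)
    results = {}
    # Honest server: the pinned key is offered and accepted.
    results["honest"] = contacts.select_key("bob@example.com", BOB_KEY) == BOB_KEY
    # Compromised server serves Mallory's key for Bob: rejected.
    try:
        contacts.select_key("bob@example.com", MALLORY_KEY)
        results["swap_detected"] = False
    except KeyMismatch:
        results["swap_detected"] = True
    # Attacker with server access rewrites the stored record to point at their key:
    # the record no longer verifies, so it is rejected before the fingerprint check.
    forged = json.dumps({"email": "bob@example.com", "fingerprint": fingerprint(MALLORY_KEY)},
                        sort_keys=True)
    contacts.records["bob@example.com"]["payload"] = forged
    try:
        contacts.select_key("bob@example.com", MALLORY_KEY)
        results["tamper_detected"] = False
    except TamperedRecord:
        results["tamper_detected"] = True
    # Contact with no pin: falls back to the server-distributed key, the default behaviour.
    results["unpinned_falls_back"] = contacts.select_key("carol@example.com", MALLORY_KEY) == MALLORY_KEY
    return results


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that pinning only helps for contacts you have actually trusted; for everyone else the client still takes whatever key the server serves, which is why the toggle is per contact.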
Full PGP Support
The second new feature that ProtonMail launched improves PGP Support. The cryptography that ProtonMail uses is based on PGP.
The two new additions to PGP support are:
- Option to import public keys from contacts to send PGP encrypted emails to non-ProtonMail contacts.
- Export your public ProtonMail PGP key and share it with non-ProtonMail contacts so that they can send PGP-encrypted email to your account.
ProtonMail also launched a public key server that should make key discovery easier. For ProtonMail customers the process is automatic, and Address Verification can be used to make it more secure. Non-ProtonMail users can now fetch the public key of a ProtonMail user from the server if they cannot retrieve it through other means.
The address of the public key server is hkps://api.protonmail.ch. Note that the hkps:// address cannot be opened in a browser; public keys can be downloaded directly over HTTPS with a lookup of the form https://api.protonmail.ch/pks/lookup?op=get&search=<address>, where <address> is the ProtonMail address whose key you want.
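An added example, not ProtonMail's code, of what a client does with that endpoint: it builds the HKP lookup URL and parses the ASCII-armored key block the server returns, verifying the CRC-24 armor checksum from RFC 4880 so a truncated or altered download is rejected before any key material is used. Assumptions: `search` is the standard HKP query parameter name (the article shows only the op=get part), the sample key bytes are constructed and not a real OpenPGP key, and `fetch_armored_key` is the only function that touches the network and is not exercised by the offline demo.

```python
import base64
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# Key server named in the article. hkps:// is HKP over TLS, which is why a
# plain https:// request to the same host works for a direct download.
KEYSERVER = "https://api.protonmail.ch"
CRC24_INIT = 0xB704CE    # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB


def hkp_lookup_url(email: str) -> str:
    # "search" is the standard HKP query parameter (assumption, see lead-in).
    return f"{KEYSERVER}/pks/lookup?" + urlencode({"op": "get", "search": email})


def fetch_armored_key(email: str, timeout: float = 10.0) -> str:
    # Network call; not used by the offline demo below.
    with urlopen(hkp_lookup_url(email), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP armor (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(raw: bytes, headers=None, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Produce an armored block; used here only to build the constructed sample."""
    body = base64.b64encode(raw).decode()
    lines = [f"-----BEGIN {block_type}-----"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    lines.append("")                                   # blank line ends the header section
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append("=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode())
    lines.append(f"-----END {block_type}-----")
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> bytes:
    """Return the binary OpenPGP data inside an armored block, or raise ValueError."""
    m = re.search(r"-----BEGIN (PGP [A-Z ]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if m is None:
        raise ValueError("no armored block in response")
    lines = m.group(2).splitlines()
    if "" in lines:                        # armor headers, if any, end at the first blank line
        lines = lines[lines.index("") + 1:]
    payload, checksum = [], None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("="):           # "=XXXX": base64 of the CRC-24 over the raw data
            checksum = line[1:]
        else:
            payload.append(line)
    raw = base64.b64decode("".join(payload), validate=True)
    if checksum is None:
        raise ValueError("armor checksum line missing")
    expected = int.from_bytes(base64.b64decode(checksum), "big")
    if crc24(raw) != expected:
        raise ValueError("armor checksum mismatch: block corrupted or tampered in transit")
    return raw


# Constructed sample: not a real OpenPGP key, just bytes to exercise the parser.
SAMPLE_KEY_BYTES = bytes(range(200))
SAMPLE_RESPONSE = armor(SAMPLE_KEY_BYTES, headers={"Version": "constructed-sample"})


def tampered_response() -> str:
    # Flip the first base64 character of the data section (one byte of the key changes).
    head, _, rest = SAMPLE_RESPONSE.partition("\n\n")
    first = "B" if rest[0] != "B" else "C"
    return head + "\n\n" + first + rest[1:]


def demo() -> dict:
    results = {"url": hkp_lookup_url("user@protonmail.com")}
    results["roundtrip"] = dearmor(SAMPLE_RESPONSE) == SAMPLE_KEY_BYTES
    try:
        dearmor(tampered_response())
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The armor checksum only catches accidental corruption; it is not authentication. Deciding whether the key you fetched really belongs to the address is exactly the problem Address Verification addresses, so a fetched key should be pinned and compared on later use rather than trusted on every lookup.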
Now You: Do you encrypt your email?
If you don’t have a ProtonMail account, please get one. You can get one for free or you can subscribe to their services. Chances are your email will be intercepted by some rogue servers which are set up by some sick people who don’t know how to leave people alone. But then there is the duckduckgo.com search engine and all these add-ins to stop that tracking! Your privacy is your right. You don’t want some crazy sick people to get your personal information, e.g. your social security number, your driver’s license, or your bank account #. It’s easy to hack into other people’s accounts if people are not aware of being phished or being tracked. Nowadays, there are crazy people who will do all sorts of things. Educate yourself and take care of your privacy. I am just suspecting that you are another victim. Nowadays, it’s easy for people to track your IP address. I suggest you get a VPN from ProtonVPN or ExpressVPN.
Ask your Question:
https://protonmail.com/support/categories/getting-started/
If you check “Ask your Question”, you can understand that “there is nothing impossible” with ProtonMail.
The problem is “skill”, “motivation” and “value” of the end user.
In recent years, things that are easy, light (speedy), inexpensive, and skill-free are preferred.
Most end users will not check the FAQ. Besides, they do not look intuitively, and they do not look for anything that takes time and effort in interactive communication.
ProtonMail is a wonderful app, but “such people (overwhelming majority) do not understand.”
It is a limited existence supported by a “minority with insight”. However, ProtonMail, like “Tor”, is extremely noble and wonderful.
Reading this above from ProtonMail’s Reddit I must say that ProtonMail seems so complicated compared to StartMail. With StartMail I send and receive encrypted email with anyone no matter what email provider they use, simply by agreeing on a question-and-answer in advance.
You can do the same in ProtonMail:
https://protonmail.com/support/knowledge-base/encrypt-for-outside-users/
One person asks on Proton Mail’s Reddit:
“So if I want to send an encrypted message to my parents for example (they are not on PM), do I have to first give them a key to keep on their device and they would have to reference it whenever opening one of my emails? I don’t really understand how any of this works…”
“I once used the feature to send an email to a friend who was not on protonmail, where I lock it and use another secure tool (like signal messenger) to email them the passcode to unlock the email. Is it still like that ?”
And the Proton Mail team replies:
“The easiest way honestly is to ask them to create a ProtonMail account. PGP is not really usable for non-tech people, and ProtonMail was created precisely to address this issue.”
https://www.reddit.com/r/ProtonMail/comments/91szmf/introducing_address_verification_and_full_pgp/e30op6a
So, in other words, this “PGP support” is seriously limited.
I use Tutanota (among many other providers), for mail which either :
– Needs to be encrypted at rest.
– Needs to be stripped of IP info when sent.
– Or needs to be anonymous to the max.
I don’t encrypt the mails in transit, although it is remarkably simple with Tutanota, because this means you need to convince the other party to a) change their usual email routine, however easy the alternative may be, b) exchange a password offline at least once.
When you think of it, this excludes many people with which it might be beneficial to exchange encrypted emails. Good luck convincing your local tax inspector to drop his government-provided system for some fly-by-night encrypted private outfit recommended by you (as seen from his point of view) !
Tutanota is great, compared to Proton Mail, because it enables you :
– To open an account completely anonymously, even using Tor if needed.
– To do it for free, or for a very low starting fee if you’re a business, or you need the extra features.
Proton Mail is more feature-rich, it has more services, it’s bigger, and it has the Swiss cachet if you’re after such things (although Tutanota’s Made in Germany image is not bad either, I hasten to add).
But, Proton Mail goes to great lengths in order to make it known that it does not provide anonymity (or, at least, that it does not strive to), and that it does not pretend to protect you if your adversary is a state.
As for PGP, even high-flying security luminaries such as Bruce Schneier (and others) have declared it’s useless, because it’s so complex to get right that it will never leave the stage of scientific games, or spy usage (maybe ; I’m not privy to their mores).
“even high-flying security luminaries such as Bruce Schneier (and others) have declared it’s useless”
That’s overstating his point. PGP is far from useless (it’s extremely useful). Schneier’s point is about ease of use, not usefulness. But this is a fundamental tradeoff with security — the more secure something is, the more of a pain in the ass it is.
Since e-mail is similar to a letter, I think that encryption is important from the viewpoint of “protection of personal information”.
Previously, it was basically based on Thunderbird + Enigmail, but the other party was unable to understand how to handle the decryption key; only about 2% were able to do so.
Protonmail is ideal. However, it was even judged a ‘spammer’ by the Outlook server etc., which made communication impossible.
Ideals and reality are divergent.
However, I think “Protonmail” is the best for those that require confidentiality.
E-mail is convenient, but “letters and other postal matter” are still the leading authority as a reliable means (it takes time).
It seems PGP has been compromised: https://gizmodo.com/email-no-longer-a-secure-method-of-communication-after-1826002682
https://gizmodo.com/new-pgp-encryption-exploits-are-being-discovered-almost-1826329086
No, PGP has not been compromised. Despite the headline, what that article is talking about is the use of MIME in email. That’s what was compromised. But it’s not PGP itself.
Will be interesting to know why they use fingerprinting scripts.
Kudos to protonmail, gnupg, enigmail, and all the others.
HOWEVER, email encryption seems to be a non-starter. Of the 400+ email contacts in my contacts list, only 2 or 3 people communicate using encryption – 26 years after Phil Zimmermann released PGP.
protonmail’s approach may be easy to work with – but how many people are going to drop the legacy email address they received from their ISP, their employer, or gmail?
Our email server has been inundated with spam originating from users at ProtonMail. While it is a noble concept, abusers of the service have led us to blacklist all email originating from the ProtonMail domain.
I’ve been using Protonmail since spring 2017. Previously I used Outlook, but Microsoft’s policy regarding account security is horrible. I was locked out of my account because it presumed someone else had used my account, which was not the case; then it asked me to input my backup e-mail, also on Outlook, which it also thought someone had used; then it asked me for the backup of the second e-mail, which I had already forgotten. The options were to tell them account info, like Skype names of users on my friends list and such. It never let me in again, and I even lost my Steam account because of it.
Now in Protonmail, I honestly don’t know what this update does, but it has been a great e-mail service and I intend on continuing using it.
Excellent news !
Yes, wonderful to hear–ProtonMail and VPN is tops for many reasons.
Nice article, Martin.
Nice article, I wonder if all the effort is for nothing taking into account this “small” hardware add-on:
boingboing.net/2016/06/15/intel-x86-processors-ship-with.html
A little insider info here — I worked on software that interacts with the ME for a number of years, and while I wouldn’t say I’m an expert, I do have a fair amount of working knowledge of it. The answer is: yes, encrypting your stuff on your own machine is still worthwhile regardless of the presence of ME.
ME does present some security issues (although they are greatly exaggerated in the tech media), but it’s also possible to block access to the ME by using an external firewall to block access to ports 16992 – 16995.
What is ME ?
The Management Engine. It’s an independent computer that exists on the same die as the Intel processor, and it is what the article nobody linked to is talking about.
The intention is to allow enterprises to be able to do maintenance on computers regardless of the state the computer is in (turned off, missing/inoperable operating system, etc.) The security concerns of this are pretty obvious.
This hit the news a while back because someone found a security hole that could allow attackers to use it, and Intel denied it was a problem until they just couldn’t deny it anymore. Ironically, I had found the same hole years earlier and screamed my head off to them about it, but was completely ignored.
Clairvaux said: “What is ME?”
“Management Engine” from Intel. It’s discussed in the boingboing link above.
P.S. Thanks for your presence here. I always enjoy reading your comments.