Sending Secure, Encrypted Email with ProtonMail


As handy as email is for both personal and corporate communications, it’s often not very secure. Your private data can be used by service providers for various purposes, such as targeted advertising, and is at risk of being handed over to government agencies upon request.

Whether you’re transmitting important documents such as confidential memos, patent designs, or even personal information, it’s worth considering ways to better protect your privacy. One very interesting option is ProtonMail.


ProtonMail is a web-based, encrypted email service that was founded in 2013 at the CERN research facility. It’s a free and open-source service, the code of which is available on GitHub.

ProtonMail uses client-side encryption to establish a zero-knowledge system, in order to enforce strict data privacy and protection for its users.

Security Mechanisms of ProtonMail

Secure Email Servers

The ProtonMail email servers are located in Switzerland, and your data is protected by the Swiss Federal Data Protection Act, as well as the Swiss Federal Data Protection Ordinance. These laws are some of the strongest privacy protection laws in the world.

ProtonMail states:

As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.

In addition to this, ProtonMail ensures that your data stays on its servers, so that it is never exposed on the cloud. ProtonMail claims that its primary datacenter (which itself is guarded by multiple passwords on a system level) is located under 1000 meters of granite rock, in a heavily guarded bunker that can survive a nuclear attack. Apart from the fact that your data may survive a nuclear holocaust, this also ensures an extra layer of hardware security.

End-to-end Encryption

ProtonMail uses SSL for communication between its servers and your computer. Although message data is already encrypted before being sent, SSL adds an extra layer of security, preventing man-in-the-middle attacks. ProtonMail requires two passwords — one for signing in and one for decrypting your mailbox. The latter cannot be recovered if you forget it.

Anonymity

ProtonMail doesn’t require any information that can be used to personally identify an account holder while signing up. Also, it doesn’t track or record information such as the user’s IP address. Since your emails are encrypted, there’s no way even for the staff to read your emails.

Secure Communication With Other Email Providers

Communication between ProtonMail users is encrypted by default, which is denoted by the presence of a blue-colored lock icon. In addition to this, ProtonMail also supports sending encrypted emails to other email providers such as Gmail, Yahoo and AOL via symmetric encryption. The encrypted message is delivered as a hyperlink in an email to the recipient. Here is a screenshot of the encrypted mail that I’ve sent from my ProtonMail account to Google Inbox:

Secure Message

The recipients are asked for a passphrase (to be shared via a secure channel) which is used to decrypt the encrypted message:

Decrypt Message

Upon correctly entering the passphrase, the message gets decrypted and is displayed as shown in the following screenshot:

Decrypted Message
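The two ideas above (a login password the server can check without being able to decrypt anything, and a passphrase-protected message for recipients outside ProtonMail, with the passphrase shared over a separate channel) can be modelled in a few dozen lines. The following is an added illustration written for this article, not ProtonMail’s own code or protocol: the record layout, key-derivation parameters and the HMAC-SHA256 counter-mode stream cipher (standing in for a real authenticated cipher such as AES-GCM, so that the example needs only the Python standard library) are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the demo


def derive_key(password: str, salt: bytes, purpose: bytes) -> bytes:
    """Derive a 32-byte key from a password. The purpose label is mixed into the
    salt so the login verifier and the mailbox key never coincide, even if a
    user reuses the same string for both passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt,
                               KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a dependency-free PRF for the demo only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate encryption and MAC subkeys.
    Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext; a wrong
    passphrase or a tampered message is rejected, never half-decrypted."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Two-password model: what the server stores versus what only the client knows ---

def register(login_password: str, mailbox_password: str, first_message: bytes) -> dict:
    """The server record holds a login verifier, two salts and opaque ciphertext.
    The mailbox key is derived on the client and is never part of the record."""
    login_salt, mailbox_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    login_verifier = hashlib.sha256(derive_key(login_password, login_salt, b"login")).digest()
    mailbox_key = derive_key(mailbox_password, mailbox_salt, b"mailbox")
    return {"login_salt": login_salt, "login_verifier": login_verifier,
            "mailbox_salt": mailbox_salt, "mailbox": encrypt(mailbox_key, first_message)}


def log_in(record: dict, login_password: str) -> bool:
    """Server-side check: recompute the verifier and compare in constant time."""
    candidate = hashlib.sha256(derive_key(login_password, record["login_salt"], b"login")).digest()
    return hmac.compare_digest(candidate, record["login_verifier"])


def open_mailbox(record: dict, mailbox_password: str) -> bytes:
    """Client-side step: only the holder of the mailbox password can do this."""
    return decrypt(derive_key(mailbox_password, record["mailbox_salt"], b"mailbox"),
                   record["mailbox"])


def reset_login_password(record: dict, new_login_password: str) -> None:
    """The reset-link flow: the server can replace the login verifier, but it
    holds nothing that would let it re-key the mailbox ciphertext."""
    record["login_salt"] = secrets.token_bytes(16)
    record["login_verifier"] = hashlib.sha256(
        derive_key(new_login_password, record["login_salt"], b"login")).digest()


# --- Passphrase-protected message for a recipient on another provider ---

def seal_for_outside_recipient(passphrase: str, message: bytes) -> bytes:
    """Only this blob travels by email/link; the passphrase goes over a separate channel."""
    salt = secrets.token_bytes(16)
    return salt + encrypt(derive_key(passphrase, salt, b"message"), message)


def open_outside_message(passphrase: str, blob: bytes) -> bytes:
    """What the recipient's browser does after the passphrase prompt."""
    return decrypt(derive_key(passphrase, blob[:16], b"message"), blob[16:])


if __name__ == "__main__":
    rec = register("login-pw", "mailbox-pw", b"constructed first message")
    print("login ok:", log_in(rec, "login-pw"))
    print("mailbox:", open_mailbox(rec, "mailbox-pw"))
    reset_login_password(rec, "new-login-pw")
    print("login after reset:", log_in(rec, "new-login-pw"))
    print("mailbox still readable with old mailbox password:", open_mailbox(rec, "mailbox-pw"))
    sealed = seal_for_outside_recipient("shared-out-of-band", b"confidential memo")
    print("outside recipient reads:", open_outside_message("shared-out-of-band", sealed))
```

The point the demo makes concrete is the one the article states twice: a reset link can replace the login verifier, but nothing in the server record lets anyone recover the mailbox contents without the mailbox password, and a non-ProtonMail recipient can read the message only by combining the emailed blob with a passphrase that never travelled in the same email.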

Self-destructing Emails

There’s an additional feature that distinguishes this secure email service from its competitors. Encrypted emails can be set to self-destruct automatically in the recipient’s mailbox after a certain amount of time. This feature only applies to encrypted emails sent to non-ProtonMail users (regular, unencrypted emails sent to non-ProtonMail users cannot be marked for self-destruction).

Product Walkthrough

Setting up an Account with ProtonMail

Currently, invitations have to be requested for setting up a new account at ProtonMail. The signup page says:

Due to high demand, we have hit our capacity limit. We are adding servers constantly and will send you an invitation as soon as possible.

ProtonMail Mailbox

I got a reply to the invitation request within a week. It asked me to set up two passwords. One password was for logging in to the account. In case you forget this password, a password reset link can be sent to your alternative email. Then it asked me for a password for encrypting my mailbox. This password cannot be recovered if you lose it, so take care.

ProtonMail Decrypted Mailbox

Once you decrypt your mailbox and log in, you have a number of utilities available for jump-starting your regular work. You can import your contact book to ProtonMail in either .vcf or .csv format. I was a Gmail user, so I was able to export my contact list via Google Contacts and import it to ProtonMail.

ProtonMail Settings

In the settings section, you can set your signature as well as your display name via the Account Settings tab. The Security tab keeps the Authentication Logs for your mailbox, which lets you monitor who has accessed your account and from which IP address. The Appearance tab lets you tweak various options, including a field for a custom CSS theme for a tailored look.

New Developments

On November 3rd, 2015, ProtonMail was hit by a very powerful DDoS attack that took the service offline for a few days.

ProtonMail recently started a GoFundMe crowdfunding campaign to raise $50,000 to help pay for systems to defend it against future large-scale attacks.

According to its Transparency Report (September, 2015), five out of five requests to access user data have been denied by ProtonMail. It was even featured in the highly popular television show, Mr. Robot (Season 1 Episode 8). ProtonMail is all set to launch its Android and iOS applications by the end of 2015, and invites for the beta versions of the mobile applications are available for $29 each.

Conclusion

ProtonMail has been widely appreciated in the popular media for its efforts to establish a secure, private and open-source messaging platform. I believe that end-to-end encrypted messaging services with open-source infrastructure like ProtonMail will form the basis of future professional communication systems.

Having said that, I feel that it’s difficult for individual users to leave a familiar email ecosystem for a more secure one, and for the corporate users to shift from Google for Work. Let’s see which side wins: Security/Privacy or Feature-Completeness/Familiarity.

Have you used ProtonMail so far? If yes, will you continue to use your old email account? If no, what are your concerns for not switching to ProtonMail?

Frequently Asked Questions about ProtonMail

How secure is ProtonMail?

ProtonMail is one of the most secure email services available today. It uses end-to-end encryption, which means that only you and the recipient can read the emails you send. Even ProtonMail cannot decrypt and read your emails. This level of security ensures that your private communications remain private.

Can I use ProtonMail on my mobile device?

Yes, ProtonMail has mobile applications for both Android and iOS devices. You can download these apps from the Google Play Store or the Apple App Store, respectively. The mobile apps have all the features of the web version, allowing you to send and receive encrypted emails on the go.

Is ProtonMail free to use?

ProtonMail offers a free version with basic features, which is sufficient for personal use. However, they also offer paid plans with additional features such as increased storage, priority customer support, and the ability to use your own domain.

How does ProtonMail protect my privacy?

ProtonMail is based in Switzerland, a country with some of the strongest privacy laws in the world. They do not log IP addresses, which means your emails cannot be traced back to you. Additionally, they do not sell your data to third parties.

Can I import my existing emails into ProtonMail?

Yes, ProtonMail provides a tool called ProtonMail Import-Export app which allows you to import emails from other email providers. This makes it easy to switch to ProtonMail without losing your existing emails.

Can I send encrypted emails to non-ProtonMail users?

Yes, you can send encrypted emails to non-ProtonMail users. They will receive a link to a secure page where they can read the email and reply securely.

Does ProtonMail support two-factor authentication?

Yes, ProtonMail supports two-factor authentication (2FA). This adds an extra layer of security to your account by requiring a second piece of information, in addition to your password, to log in.

Can I use ProtonMail with my custom domain?

Yes, if you have a paid ProtonMail account, you can use it with your own domain. This allows you to have a personalized email address while still benefiting from ProtonMail’s security features.

Does ProtonMail have a size limit for attachments?

Yes, the maximum size for attachments in ProtonMail is 25 MB. However, you can send larger files using ProtonMail’s file sharing service, ProtonDrive.

Can I recover my ProtonMail account if I forget my password?

Due to the end-to-end encryption, ProtonMail does not have access to your password. If you forget it, you will lose access to your past emails. However, you can reset your password and regain access to your account, but your past emails will remain encrypted and unreadable.

Tanay Pant

Tanay Pant is an Indian author, hacker, developer and tech enthusiast. He is known for his work on Learning Firefox OS Application Development, which was published by Packt. He is also an official representative of Mozilla, and has been listed in the about:credits of the Firefox web browser. His personal website is tanaypant.com.
