Vulnerability in ProtonMail, a secure email

This morning I got a notification from the encrypted email provider ProtonMail that I was able to register for their e-mail service.
As soon as I got the notification, I signed up and tried a few things related to the security they offer. ProtonMail is still in beta and will need fine tuning. There are several points I want to emphasize as suggested improvements to ProtonMail. Admittedly, I have not read much about ProtonMail, but this article conveys what I feel, which may also represent other users worldwide.

ProtonMail offers email security that uses end-to-end encryption; as they say, “they are transmitted in encrypted format also between our servers and users’ browsers”.

Well, if we talk about end-to-end encryption, then all data and transactions should be encrypted from the beginning, in transit, and all the way to the destination. But ProtonMail is not like that. Although they use RSA-2048 and AES-256, strong algorithms for now, I do not know which part of my email is actually encrypted. I suspect encryption only happens while the email is transmitted over the network, as they say: “transmitted in encrypted format between our servers and users’ browsers”. In the event of wiretapping (sniffing), the messages may indeed not be obtained because they are encrypted. But when the email reaches the destination, the encrypted email is opened.

Figure 1. Sent item of ProtonMail

Figure 2. Inbox of recipient’s email

This means that when a user account is stolen, all messages are stolen as well. According to the pictures above, there is no encrypted email once the messages arrive in the recipient’s mailbox.

The second problem is that they offer an option to encrypt or not encrypt the messages. There are two problems here. Because they offer a security service, they should not give that option: when security is an option, users will not select it. So this option should be removed. Encryption should be mandatory, not optional, so that every message sent is encrypted automatically.

Another problem, related to the second, is that they send the encrypted message along with the key via email. This is not justified, because if an attacker can open the victim’s email, the attacker will also be able to get all the messages. Actually, the message itself is encrypted, but on delivery it is not inserted into the recipient’s inbox. They simply notify the recipient that someone has sent them a message, and the message can only be opened on ProtonMail’s server with the attached link and the password (hint).

When I deal with clients to exchange confidential information, I strongly avoid this issue, because it is very critical when I send an encrypted message along with the key in it. So the method I use is to separate the delivery of the key and the message.


Figure 3. Sent item of ProtonMail


Figure 4. Inbox of recipient’s email

And when you click that link and provide the password from the hint, you will see:


Figure 5. Read the messages

You can read the messages.

Although a hint only suggests or indicates something indirectly, an attacker can still figure it out.

So what happens when an attacker gains access to a ProtonMail account? Because ProtonMail decrypts the encrypted messages directly, the attacker will get all the messages, whether in the inbox, sent items, trash, drafts and so forth. This happens because ProtonMail turns the data into clear text when it arrives at the destination, and also in the sender’s sent items. Encryption only happens in transmission from their server to the client browser.

Let’s talk about OpenPGP. OpenPGP encrypts all messages end-to-end.
If an attacker gains access to the victim’s mailbox, he will not be able to read the email because it is encrypted.
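To make that difference concrete, here is an added example (not ProtonMail’s or OpenPGP’s own code) of what an end-to-end encrypted mailbox actually stores: a hybrid envelope in the style of OpenPGP, with a per-message AES-256-GCM key wrapped to the recipient’s RSA-2048 public key. The names `Seal`, `Open` and `recipient` are my own, and the message body is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Recipient key pair for the demo; the private half never leaves the recipient's client.
var recipient, _ = rsa.GenerateKey(rand.Reader, 2048)

// Seal builds what an end-to-end encrypted mailbox stores: a fresh AES-256 session key
// wrapped to the recipient's public key (RSA-OAEP), then the GCM nonce and ciphertext.
// This is a hybrid scheme in the style of OpenPGP, not OpenPGP's real packet format.
func Seal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	kn := make([]byte, 44) // 32-byte session key followed by a 12-byte GCM nonce
	rand.Read(kn)          // crypto/rand: never returns an error on supported platforms
	block, _ := aes.NewCipher(kn[:32]) // 32-byte key, cannot fail
	gcm, _ := cipher.NewGCM(block)     // AES block cipher, cannot fail
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:32], nil)
	if err != nil {
		return nil, err
	}
	return append(append(wrapped, kn[32:]...), gcm.Seal(nil, kn[32:], plaintext, nil)...), nil
}

// Open is the step only the private-key holder can perform; the server and a mailbox thief cannot.
func Open(priv *rsa.PrivateKey, stored []byte) ([]byte, error) {
	n := priv.Size() // byte length of the RSA-wrapped session key (256 for RSA-2048)
	if len(stored) < n+12 {
		return nil, rsa.ErrDecryption // truncated envelope
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, stored[:n], nil)
	if err != nil {
		return nil, err // wrong private key or tampered wrapped key
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, stored[n:n+12], stored[n+12:], nil) // fails on any ciphertext tampering
}

func main() {
	msg := []byte("constructed sample: contract terms attached") // constructed sample body
	stored, _ := Seal(&recipient.PublicKey, msg)
	out, err := Open(recipient, stored)
	fmt.Printf("mailbox holds %d bytes of ciphertext; recipient reads %q (err=%v)\n", len(stored), out, err)
}
```

A copy of `stored` taken from the server or a compromised mailbox contains no trace of the body; only `Open` with the recipient’s private key recovers it, and any truncation or bit flip is rejected.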

Figure 6. Encrypted messages with (Open)PGP

I have made a simple comparison between ProtonMail and OpenPGP. This comparison is based on my own view.

Table 1. Simple comparison between ProtonMail and OpenPGP

Well, maybe it is not what I imagined, but they have taken a very good step toward securing the Internet, starting with email. As their slogan says: “We’re building an Internet that protects privacy, starting with email.”

So, you choose 🙂

