ProtonMail and Encrypted Email

A secure and encrypted email address is the backbone of even the most basic online privacy plan. This is the first thing that just about any other tool, account or service that you will need such as email forwarders, cell phone accounts, and so one is going to ask for.

I recommend having multiple addresses for different aspects of your plan/life. I have mentioned this before in other posts and I will cover this in more depth in the future as well as how to benifit most from Protonmail for the privacy minded.

The email service that I highly recommend is ProtonMail. I use it personally, as well my clients, and many people I know use it as their business email structure as well because you can link your web addresses to it so that you can have email addresses using your url.

They offer some of the best security and privacy protections in the business and have a grown a trusted reputation in the privacy sector as well as among people whoes life may very well depend on their privacy and security holding up, such as reporters, the politically and just generally persecuted and so one.

ProtonMail is a Switzerland-based secure/encrypted email service that was created in 2014. They also offer VPN service and are constantly adding features to their platform including cloud storage, contacts, and encrypted calendar(BETA). ProtonMail’s mission in their words is “to make secure and private email communication easily accessible to all.”

The following information is facts directly from Protonmail.

ProtonMail is owned by Proton Technologies, which has a long history and ​strong reputation in the privacy world.

The company maintains some of the world’s most widely used open source encryption libraries and has a long history of working towards promoting Internet privacy.

ProtonMail uses end-to-end, zero-access encryption so that no one even the company can access users’ messages, drives, calendar details and so on. There are no special or overly technical steps to follow, and all encryption happens automatically and by default.

To achieve this high level of security, in their words “ProtonMail assumes that all mail servers may eventually be compromised. Thus, ProtonMail uses end-to-end encryption and zero-access encryption to protect user data. If a server only contains encrypted messages, users have a much higher level of security in the event of a security breach. The use of encryption also prevents ProtonMail from being able to decrypt and share user emails with third parties.”

As well as their security precautions that keep them from being able to analyze user data they also have no incentive to
spy on or sell its users’ data as they have no advertising inside their apps.

The security of their platforms extends beyond just strong encryption and includes features designed to mitigate human vulnerabilities and physical threats.

End-to-end encryption
Which means that messages cannot be intercepted in transit and decrypted by any third party as they are encrypted on the senders device and can only be decrypted by the recipient.

Zero-access encryption
Even if a user’s contacts are not using ProtonMail, All emails sent to/from a ProtonMail account (even if the other side is not using ProtonMail) are stored with zero-access encryption. So that the messages are encrypted, they can only be decrypted by the account owner. (Keep in mind any copy on the other persons email account may not be stored encrypted.)

Additionally, ProtonMail users can also send end-to-end encrypted emails to non-ProtonMail users with the ​”encrypt to outside” feature​. Which sends the email encrypted to the recipient and you can give them a way to decrypt the email without them needing a ProtonMail account.

Open source cryptography
ProtonMail uses only secure implementations of AES, RSA, and adheres to the open source OpenPGP standard. By using open source libraries, users have greater assurance that the encryption algorithms do not have built-in back doors. ProtonMail’s open source software has also been vetted by security experts from around the world to ensure the highest levels of protection.

Hardware-level security
ProtonMail has invested heavily in owning and controlling its server hardware and doing so within Switzerland, so data never goes to a third party cloud. This ensures that all user data is protected by Swiss privacy laws and on a system level, ProtonMail servers utilize fully encrypted hard disks, which protects user data from physical hardware seizures.

Authentication
ProtonMail uses the Secure Remote Password protocol to ensure that neither ProtonMail nor an attacker with network access can obtain users’ passwords. ProtonMail also offers two-factor authentication via 2FA apps.

Address Verification

To mitigate man-in-the-middle attacks​ ProtonMail uses Address Verification which leverages ProtonMail’s ​Encrypted Contacts​ feature. This unique feature ensures secure communications cannot be intercepted by an attacker tampering with encryption keys.

This additional enhanced level of security, and it’s one of the reasons it is the preferred email provider for journalists and other individuals with the highest security and privacy needs.

Self-destructing emails
ProtonMail allows users to send messages that will automatically delete themselves after a user-selected period of time.

Plans and pricing
All of the company’s revenue comes from subscriptions to premium plans and donations from the user community and does not show ads or make money by abusing users’ privacy.

ProtonMail has apps for IOS and Android as well as web access that can be used on any OS with an internet browser. In addition ProtonMail offers other useful apps such as The ProtonMail Bridge, which is a desktop application for paid users that encrypts and decrypts mail as it is sent or received by the user using a program that supports IMAP and SMTP, such as Microsoft Outlook, Mozilla Thunderbird etc.

They also offer an Import-Export application (beta) which is a application currently available to users on paid plans that lets them transfer emails easily to and from their ProtonMail account. This allows users to import their mailbox from another email account, such as Gmail or upload email files stored on their computer into their ProtonMail encrypted Inbox. It can also be used to export emails from their ProtonMail account to their hard drive for secure local backups.

ProtonMail believes everyone in the world should have access to secure and private online communication, regardless of their ability to pay. Which is why they offer a free plans as well as paid plans for those who need more storage, more features, or just want to support the project so that they can continue to offer the service to those who need it and cannot afford it.

Online Infosec Basics

You are the commodity! You’ve probably heard the saying “there is no such thing as a free lunch” well this truer than ever now. Your online personal Infosec is just as important as it is in your in person interactions and passive situations.

.

With only a few exceptions if a product, or service is free to you this means that the organization putting it out is working on an alternative business model. They are not getting money from their product users so you have to ask where they are getting their money from.

.

This usually means they are harvesting info from you. This can be addresses, name, phone number or any other personal info. How big a threat to your personal infosec will depend on where on the scale these companies and organizations fall.

.

On the low end of the scale they are asking for an email to send you a news letter where they will up sell you on paid content or that companies products. This’s is where most small businesses and entrepreneurs is operating including ourselves. They won’t sell your info, they are just trying to conduct their own businesses. The main threat in these instances are data leaks and hacks of either their own systems or any third party service they use to conduct their business.

.

On the other end you have organizations that will take any and all info they get and sell it. The more info they require the more likely this is the case. This info is likely then, not only used by them but sold to people search sites and other services. This is by larger organizations because they are getting a volume of info that people search sites are willing to pay for. Now not all companies do this and this does happen at everywhere on the spectrum. Do your due diligence and ask your self is what I’m getting worth it if they sell my info.

.

Now luckily the way to protect your self from both data leaks/breaches and the company them selves selling the information is the same. It’s called one time use information.

.

This is most easily done with emails as there are multiple services that offer one time use forwarding address. This allows you to create an email address that you will use for only one website or organization that forwards any email sent to it to your actual email address. By doing this you are able to protect your actual email address and if your one time address gets sold, leaked or hacked you are able to shut it off and stop receiving any spam you might be getting and if the information is hacked or leaked, it doesn’t matter because that email is only used for that site and doesn’t connect to any of your other accounts.

.

This tactic should be used for any newsletter, website, or organization you sign up for or give your information out to. That being said never use these services for anything that involves sensitive information. These services will be able to see any email that is sent to

you so it should not be used for financial, medical, or anything else you consider sensitive. For these instances you should just create a dedicated email for those purposes. We recommend proton mail for a email provider you can find them HERE.

You can either set up a separate account or you can set up a paid account and have multiple addresses that feed into one inbox.