Security and privacy on entertainment platforms and other online services are increasingly valued by users, who have seen in certain scandals linked to Facebook the possibility that their data will be used in inappropriate ways by large corporations. And if any service needs strong security, it is our email, a place where we store information of great value, both personal and professional.
ProtonMail focuses on exactly this. It was born as an alternative with more privacy options than the most popular email services, such as Gmail, Outlook or Yahoo Mail. It has been developed by a team of research students from MIT and Harvard, spearheaded by Harvard Ph.D. candidate and CERN researcher Andy Yen, and was initially funded by a highly successful IndieGoGo campaign.
What the service consists of
ProtonMail is a privacy-focused webmail service designed to offer the functionality and ease of use of services like Gmail. Its great advantage, and what the company boasts about, is its security. The service does not spy on its users' communications, and it does not deliver them to investigative agencies of different countries, mainly the NSA of the United States.
It is built on client-side encryption and, although its initial funding was collective, it currently belongs to Proton Technologies, a company based in Geneva. It is completely free and its apps are available for both Android and iOS, and it also has desktop versions for Windows and macOS.
VPN usage
ProtonMail states that its secure VPN sends our internet traffic through an encrypted tunnel, so our passwords and confidential data remain safe, even on public or little-known internet connections. It also states that our browsing history is kept completely private and that, as a Swiss provider, it does not log user activity or share data with third parties, offering an anonymous VPN service that enables unmonitored internet access.
To protect journalists and activists who use this service, the company has developed ProtonVPN, which breaks the barriers of internet censorship, allowing us to access any website or content. Unlike other free VPNs, it does not serve ads or sell our browsing history. ProtonVPN Free is subsidized by paid users. Upgrading to a paid plan brings faster speeds and more features.
Features and security
All emails are stored in an encrypted format on ProtonMail's servers using zero-access encryption, meaning the company has no way of accessing our email. Emails sent from one ProtonMail account to another are always encrypted at every step of the process, and emails sent to other providers are encrypted where possible.
Those messages can be further encrypted, through a form of PGP, with a password that the recipient must be given in order to decrypt the message. The decryption key can be set to expire after a certain period of time, after which the message becomes unreadable forever.
ProtonMail’s servers are located in a protected former nuclear bunker in the Swiss Alps under a kilometer of granite, making it almost impossible for any attacker to gain unauthorized access to the infrastructure. This should also help indicate how much the company values security and privacy, as well as the Swiss reputation for being great guarantors of both.
It is a service intended for any user who has concerns about the privacy of traditional email clients, or anyone who wants to communicate sensitive information, such as companies with data security requirements or journalists living under oppressive regimes. Zero-access encryption means the company can never hand over the content of specific mail; however, under Swiss law, it may be required to hand over metadata, including IP addresses, when presented with a valid Swiss court order.
End-to-end encryption
ProtonMail uses asymmetric encryption, also known as public key cryptography, to encrypt and decrypt the messages we send and receive. Messages are protected using a key pair consisting of a public key and a private key.
Emails are encrypted with the recipient’s public key and can only be decrypted by the intended recipient using their corresponding private key. This provides end-to-end encryption (E2EE), which means that only we and the recipient can read emails sent this way.
When a ProtonMail user sends a message to another ProtonMail user, the message is automatically encrypted with the recipient's public key, and when the recipient opens the mail within their mailbox, it is seamlessly decrypted in the background using their private key.
Access to user data
The service boasts that our encrypted data is not accessible to it. Zero-access architecture means that our data is encrypted in a way that makes it inaccessible even to the company that provides the service. The data is encrypted on the client side using an encryption key that the company does not have access to.
All this means that the company does not have the technical ability to decrypt our messages and, as a result, cannot deliver them to third parties. In this way, privacy is not just a promise, it is mathematically assured, and for the same reason the company cannot carry out any data recovery either. If we forget our password, it will not be able to recover our data in any way.
Cryptography
The Web Crypto API is a set of browser-implemented functions that provide common cryptographic operations, such as encrypting and decrypting data and generating the cryptographically secure random numbers needed to generate random private keys.
These operations are implemented natively by the browser, rather than in the Proton web application, for several reasons. A native browser implementation is often faster, because hardware-based support for AES encryption and decryption can be leveraged, resulting in improved performance. It is also easier to ensure that a native implementation is resistant to timing attacks.
All modern operating systems have a means of collecting entropy to generate the truly random numbers needed for secure encryption. A native browser implementation is required to allow the web application to make use of this randomness, and most modern browsers support the Web Crypto API, including recent versions of Firefox, Chrome, Safari, Edge, and Opera. However, Internet Explorer 11 only supports an earlier version and therefore ProtonMail does not support it.
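The public-key flow from the "End-to-end encryption" section, written against the Web Crypto API described here, as an added example that is not Proton's code and not OpenPGP. It assumes RSA-OAEP to wrap a per-message AES-GCM key; all function names and the sample message are constructed for illustration.

```javascript
// Added illustration: hybrid public-key encryption with raw Web Crypto primitives.
// Assumed parameters (RSA-OAEP 2048 + AES-256-GCM); not ProtonMail's actual format.
const webCrypto = globalThis.crypto || require("node:crypto").webcrypto; // older Node fallback
const subtle = webCrypto.subtle;

// Recipient generates a key pair; the private key is created non-extractable.
async function generateRecipientKeys() {
  return subtle.generateKey(
    { name: "RSA-OAEP", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    false, ["wrapKey", "unwrapKey"]);
}

// Sender: fresh AES-256-GCM key and random 96-bit IV per message (OS entropy via
// getRandomValues); the AES key is wrapped with the recipient's public key.
async function encryptFor(publicKey, plaintext) {
  const sessionKey = await subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = webCrypto.getRandomValues(new Uint8Array(12));
  const ciphertext = await subtle.encrypt({ name: "AES-GCM", iv }, sessionKey, new TextEncoder().encode(plaintext));
  const wrappedKey = await subtle.wrapKey("raw", sessionKey, publicKey, { name: "RSA-OAEP" });
  return { wrappedKey, iv, ciphertext };
}

// Recipient: unwrap the AES key with the private key, then decrypt and authenticate.
async function decryptWith(privateKey, { wrappedKey, iv, ciphertext }) {
  const sessionKey = await subtle.unwrapKey("raw", wrappedKey, privateKey, { name: "RSA-OAEP" },
    "AES-GCM", false, ["decrypt"]);
  return new TextDecoder().decode(await subtle.decrypt({ name: "AES-GCM", iv }, sessionKey, ciphertext));
}

// Returns the plaintext, or null when the key is wrong or the message was modified.
async function tryDecrypt(privateKey, message) {
  try { return await decryptWith(privateKey, message); } catch { return null; }
}

// Constructed scenario: the recipient reads the mail; a party holding a different
// private key (for example a storage server) and a modified ciphertext both fail.
async function demo() {
  const recipient = await generateRecipientKeys();
  const otherParty = await generateRecipientKeys();
  const message = await encryptFor(recipient.publicKey, "constructed sample message");
  const modified = new Uint8Array(message.ciphertext.slice(0));
  modified[0] ^= 1;
  return {
    byRecipient: await tryDecrypt(recipient.privateKey, message),
    byOtherParty: await tryDecrypt(otherParty.privateKey, message),
    afterTampering: await tryDecrypt(recipient.privateKey, { ...message, ciphertext: modified }),
  };
}
```

Only the holder of the matching private key recovers the text; whoever stores `wrappedKey`, `iv` and `ciphertext` cannot read the message, which is the property the zero-access description relies on.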
Other features of the service
The service offers more options that let the user trust its commitment to privacy. For example, it offers anonymization, with no tracking or recording of personally identifiable information, so it does not serve personally targeted advertising, and it offers an anonymous mail gateway.
It also has self-destructing messages: the user can set a time after which they will be deleted automatically, and this works both for emails sent to other ProtonMail accounts and for those sent to other email clients.
How to create an account on the web and mobile application
Today, emails are accessed more frequently through mobile devices, so it is important to explain the steps to create a new ProtonMail account on a smartphone or tablet. The requirements remain the same as on the web, and the only part that makes the mobile process different is that we need to download the app and install it on the device before proceeding to sign up for a new account.
We go to ‘Create account’ and complete the form. The required information includes the username, which will form our email address once @protonmail.com is added to it. The next step is to prove that we are human with a captcha, where we must type the code or select the required matching images that are displayed.
Then, under ‘Email’, ProtonMail will send a unique code to the alternate email address, so we log into that email, get the code and return to ProtonMail to enter it. SMS can be selected instead, and the process is the same as with email. Finally, there is a voluntary step through which a donation can be made.