Highly secure email. Secure email


This week, testing of the new protected mail application ProtonMail and now its final version is available to users. Thanks to end-to-end encryption, neither attackers, nor special services, nor the service developers themselves will be able to gain access to the content of forwarded messages.

ProtonMail is equipped with end-to-end encryption, that is, the message is encrypted all the way from the sender to the recipient. Neither Proton Technologies nor the government can decode them if they wish, since the encryption keys are only in the possession of users. For encryption, the company uses open technologies AES, RSA and OpenPGP.

In addition, ProtonMail's servers are outside the jurisdiction of the United States and the European Union, which have gained an infamous privacy record over the past few years. They are based in Switzerland, which has stricter laws in this area.

Andy Yen, co-founder of the service, said strong encryption and privacy are of great economic and social importance. “This technology not only protects dissidents and activists, but is also a key factor in securing the world's digital infrastructure,” Ian said.


ProtonMail was founded in 2014 after the world was shaken by the revelations made by Edward Snowden. When it became known about the total surveillance of ordinary citizens by American and not only special services, it became necessary to create secure communications that would allow the exchange of information without fear of interception.

Signing up for ProtonMail is free, and the process itself takes no more than two minutes. If the base 500 MB of storage is not enough for the user, he can checkout paid subscription... In addition to credit cards and PayPal, the service supports payments in bitcoins.

According to Ian, the company's lack of access to customer messages has great importance, as evidenced by the current situation with Apple and the FBI. “Unfortunately, Apple is likely to lose in court because the FBI has chosen the case very carefully. Apple is not Lavabit, however, and if the world's largest tech company sided with privacy, the entire privacy movement has a powerful ally, ”Ian said.

ProtonMail is compatible with others postal services... Messages between application users are sent encrypted by default. If the owner of a mailbox in ProtonMail wants to send an encrypted message to a user of another mail service, he will need to use the pre-encryption function and set a password. The recipient will receive a link to the encoded message located on the ProtonMail server.

You can download ProtonMail for free, mobile client available for any device with iOS 8.0 and higher.

Initially, guaranteed message delivery ranked first in the ranking of services provided by the progenitors of the Internet. This was due to the specifics of such networks and their focus on the operational exchange of scientific and defense information. In the future, the list of services was constantly expanding, but the delivery of messages always remained a priority. As a result, this rule was inherited by the Internet system practically unchanged. The service itself, called e-mail (e-mail), has gained great popularity among users today.

The main advantages of e-mail are:

  • phenomenal speed of message delivery;
  • guaranteed delivery to the addressee;
  • confidentiality.

After working with the electronic system, returning to paper mail and telegrams is very painful.

According to various independent statistical studies, in Russia, more than half of Internet users go online at work, only a little more than a quarter - at home, and a little less than a quarter - at their place of study (however, in the rest of the world at work, Internet users spend two hours on the Internet. times longer than at home). Thus, not all users of the Network are “always at hand” and it is not always possible, for example, to customize the mail program “for themselves”. In addition, do not rely on the confidentiality of standard email, especially those sent within corporate network... In some cases, with the content of e-mail corporate employees the bosses carefully get acquainted (in addition, a number of companies practice the targeted use of business addresses with selective control of the correspondence of their employees), not to mention the possible checks of corporate letters by intelligence officers who are legally authorized to do so full right... So, in most cases, e-mail can become much less secure than even traditional paper, because if the paper message is easily torn or burned, the e-mail can be restored even if it was deleted.

However, for those Internet users who are at least a little familiar with the Web, this is not so a big problem... If you need to talk to work time with a colleague or make an unofficial date, it is quite possible to send a message using the free e-mail services of some popular Internet portal, which is probably beyond the reach of corporate programmers. Although in this case, one should not forget that the texts of the messages become available to the employees of this portal and to the same ubiquitous employees of the special services.

More than two-thirds of "netizens" use e-mail, which is why mail services with a Web interface are so popular today (moreover, the emergence of these services has led to an unprecedented increase in the number of e-mail users). In this case, incoming messages are stored by the provider, and you can view mail using a regular browser - specifying your name and password and connecting from anywhere to the website mail provider... It is very convenient to use this type of mail.

An additional advantage of Web-based e-mail is the ability to view incoming correspondence without having to pre-download it from the mail server. At the same time, according to statistics, more than a third of incoming mail does not interest the addressee at all, and only a little more than a quarter of incoming correspondence requires an immediate response.

In addition, Internet portals often provide various means of creating and maintaining public or private groups. So, any group provides its members common resources, similar to those of regular user(group mailbox, group address book and task list), as well as a number of specific features:

  • hierarchical storage of documents of any type;
  • the ability to assign to each document a state (or status) from a list predefined by the group owner, which allows organizing the simplest workflow within the group;
  • conferences;
  • chats;
  • polls or votes of group members.

However, practice shows that the problem of confidentiality of personal information of Internet users is very acute. In addition to unauthorized mailings (so-called spam) as a result of "leakage" of e-mail addresses (it's no secret that some public servers they simply trade this information) here there is another series important issues... One of them is the openness of the information itself, transmitted over standard protocols Email. None of the standard mail protocols (SMTP, POP3, IMAP4) include security mechanisms that can guarantee the confidentiality of correspondence. The contents of the letter and the files attached to it can be easily opened and read by hackers.

Moreover, most people forget that the Internet is public place and that e-mail passes through several computers before it reaches the addressee and, as it travels from one provider to another, from node to node, can be iterated over at every step. Naturally, none of these computers are immune to prying eyes.

A special problem is the ability to easily create letters with fake addresses and change the content of the letter (since a standard SMTP letter does not contain means of checking authorization and integrity).

Potential attackers could be:

  • Your office staff. It's no secret that most often the attacker turns out to be the one who works or worked with you yesterday. Studies show that the bulk of threats come from colleagues and company personnel, and the number of external intrusions does not exceed a quarter. As a rule, "intrigues are meted out" by employees who feel offended, or just office schemers trying to turn colleagues against each other. However, direct bribery or blackmail is not ruled out - after all, the passion for peeping is not always disinterested. In any case, information is power and power, and bloodhounds are hungry for power. Means for perusing your correspondence are abundant. (Moreover, in addition to special programs- like telephone bugs listening to all traffic passing on the Web, your enemies, taking advantage of your carelessness, can corny use your access.)
  • Technical staff of providers and intermediate communication nodes. Such "penetration" can occur both for selfish purposes and unintentionally, simply due to the imperfection of the technologies used in the field of data transmission. And do not flatter yourself when you delete the incoming correspondence on your local computer: it can be stored on the mail server for many months ...
  • Special government services. And here even a good old closed safe will not save you, since you may be “asked” to open it voluntarily, backing the “request” with arguments that exclude refusal. In addition, various systems lead constant control telecommunications without any permission. In Russia, for example, there is SORM (a system of special operational search measures), which can install special software and hardware directly at the sites of telecommunications companies.
  • Private security firms. Some specialized private organizations carry out illegal collection and sale of information. In Moscow, for example, there are firms that can supply your ill-wishers not only with recordings telephone conversations but also the content of emails.
  • Hackers. Although the capabilities of hackers, according to experts, are greatly exaggerated by the efforts of the press and television, they still cannot be discounted. Of course, skilled hackers are pretty rare, and they won't waste their time on trivialities. However, almost everyone has competitors and detractors. And in order to inflict tangible harm on you, you don't need a qualified hacker. With existing technologies, this can be done even by a student who is addicted to computers and who has decided to earn a little extra money on his hobby or just practice on a randomly turned up Internet address or a computer left on the Internet "unattended." In addition, there are often "obscure" JavaScript inserts in email streams that indicate this is a very real problem. In order to avoid such "surveillance", you need to at least abandon the use of HTML code in emails, disable JavaScript and apply encryption. However, as a rule, few people take such advice seriously until they face the danger themselves.

What and how to protect

Mandatory protection requires:

  • Content of transmitted and received information. This is the most obvious type of protection, which is usually implemented using information encryption (encryption). Pre-encryption of e-mail can be performed using special programs, but both addressees must have such a program.
  • The truth of the addressee and the integrity of the information. If you do not take special precautions, you can get information from another person, but signed with a familiar name or altered (forged).
  • Confirmation of receipt (notification). In many cases, it is advisable to provide evidence that your partner received, viewed the data received, and even, perhaps, put his signature. This confirmation is provided by the so-called digital signature.

Any encryption algorithm (including with a public key) can provide the ability to close (encrypt) the transmitted data. The number of applications using public key cryptographic protection systems is growing rapidly worldwide. The only thing that ordinary users usually care about is the ease of use of the encryption administration system and verification of electronic certificates.

In this case, it is necessary that no one, even the system administrator, could in principle read your mail, and working with it would be no more difficult than with a regular mail system or a Web browser.

Historically, the public key certificate infrastructure (PKI) was created on the basis of foreign crypto standards (RSA, DES), taking into account their specific features. Broad development abroad this technology received through the support of such major American software manufacturers as Microsoft, Hewlett-Packard, Intel and others. Microsoft Corporation was one of the first to develop and implement PKI-based products in the standard delivery of its Windows 95/98 / NT system software / 2000 / Me / XP. However, proceeding from "the highest state interests of the United States", Microsoft Corporation uses "weak cryptography" (small key length) in delivering its localized products abroad. However, for the average user, more is not required. If stronger protection is required, then you can use special solutions based on the infrastructure of certificates and public keys.

A secure mail system based on the web interface seems to be more convenient in this sense. It guarantees maximum protection and ease of use, and no special software is required. You can work from any public place with Internet access. Moreover, such a system can provide additional features (sometimes paid):

  • a secret SSL channel is additionally established between the user and the server;
  • a documented notification of the delivery of mail to a correspondent or an automatic response to incoming letters is carried out;
  • digital signature is implemented;
  • communication with other postal services is maintained. You can receive and forward letters to other addresses, while the channel to the mail server can be protected;
  • a notification is sent to another (open) mailbox that the protected mailbox a new message has appeared. Incoming letters are processed using customizable filters, including sending messages to pagers and cell phones in the form of SMS;
  • coding (encryption) of information (file) on a local computer (diskette) can be carried out even without sending it. Decryption will be done anytime and anywhere with Internet access;
  • there is a possibility of additional implementation of maintenance notebook for storing notes in a structured storage or the ability to maintain drafts;
  • acceptance of letters is limited to certain correspondents only.

Scroll additional opportunities is largely determined by the circle of users for whom a particular service is designed. For one category of users, the simplicity of the interface is more critical, and they do not care much about the size of the mailbox or flexible rules for processing incoming mail. Another category could be mobile workers, for whom, on the contrary, large box volume and storage reliability are the determining factors. Managers and responsible employees will most of all appreciate the possibility of prompt notification on cellular telephone by SMS about the arrival of some letters. Therefore, at the initial stage, developers are forced to focus on a certain circle of users, otherwise the server will be overloaded with rarely used functions that slow down the execution of priority operations.

Criteria for choosing a mail service (by reviews and tests)

However, despite the various encryption options, the main criteria that the user is guided by when choosing one or another modern mail service (whether mail is protected or not) are as follows:

  • reliability of mail delivery;
  • the speed of sending and receiving messages;
  • convenient design that makes it easier to use (it should be borne in mind that old habits die off for a long time, so the interface in any case should not differ much from Microsoft Outlook);
  • loading time cover page and toolkit (perhaps for a beginner and an experienced user, the entry points should be different);
  • availability of POP3, SMTP and IMAP4 servers and the ability to store messages on a remote server without uploading to a local computer;
  • availability of services via the Web interface (HTTP / HTTPS);
  • short response time of the technical support service.

The rest is not so important. The myth that people prefer huge supermarkets (where everything they need is physically located in one place) is true only for real life- on the Internet, the physical location does not matter (everything is one click away from each other). Therefore, combining all kinds of functions in one service does not make much sense. Better to have two or three different postal addresses and use them for different purposes. Therefore, if you choose secure mail, then its main task should still be protection. At the same time, there is no reason that several specialized services could not work together, creating networks, common entry points, concluding partnership agreements, alliances, opening partnership programs etc.

Email protection

To get started, you need to preserve the integrity of your e-mail and its reliable authorization - a digital signature can give you a guarantee that the message is sent by the person who signed it and has not been altered during transmission.

Do not be alarmed if your postage Outlook program you suddenly come across a message like this:

This means that the received message is digitally signed. Feel free to press Continue - and you will receive a message text with a red ribbon in the header:

It is not so easy to reply to such a letter! Correspondence in this case must be fully confirmed on one side and on the other. To answer, you also need to obtain such a digital certificate (for example, at http://www.thawte.com/ you can get a free certificate for personal use- Free Personal Email Certificate). It is unique digital code, which is attached to the message and allows you to verify its authorship and authenticity to the original. The code is calculated based on the sender's secret key and the content of the message. And in order to make sure that the email message has not changed along the way, the addressee checks it using the sender's public key:

But in order to completely encrypt a message, it must be encoded. Encryption is the main mechanism for ensuring the confidentiality of transmitted or stored information. Encryption can be used to protect any information, be it email or downloads. In addition, encryption can protect information when it is stored, for example, in databases located on a computer that cannot be physically secured (for example, on a laptop).

Exists big number coding algorithms, but experts recommend those that have been used in practice for a long time, which confirms their real ability to ensure data security.

Mail services provide 40-, 56- or 128-bit information encoding mode, depending on the browser version used. Standard (localized) versions of Netscape supported 40-bit encoding, Microsoft Explorer- 56-bit (to work at the level of 128-bit encoding, you had to load special modules). It should also be noted that today, 128-bit encoding software may also be subject to import or operational regulation in various countries.

Email, protected at the 128-bit level, provides ample protection of the confidentiality of correspondence and the safety of application files from unauthorized access or from their interception by representatives of government agencies, competitors or hackers. Leading experts recommend using keys on the Internet with a length of at least 75 bits, or better with a length of 90 bits or more - such coding is used by reputable international trading companies, banks, brokerage houses, hospitals and insurance companies.

The most popular encryption technology is Bill Zimmermann's Pretty Good Privacy (PGP), which uses the RSA cryptographic scheme (an abbreviation made up of the first letters of the names of the creators of the scheme: Rivest, Shamir, and Adleman). The protective properties of RSA are due to the complexity of factoring large numbers. PGP (http://www.pgp.com/) also allows you to supply a message electronic signature, giving the addressee of the message the opportunity to make sure that it was you who sent it.

Powerful computers are available to almost every user today, but even 40-bit encoding is still considered “powerful” by the encoder community. And 128-bit is a pretty reliable coding method for a predictable future, even taking into account Moore's Law, which notes that the world's computing power doubles every eighteen months.

Web-based email

One of the best specialized servers providing secure e-mail services with a Web-based interface (including Russian) is today http://www.s-mail.com/, developed by Network Research Lab Ltd (NR Lab) ...

S-mail is a secure e-mail that allows you to send and receive messages that are absolutely protected from prying eyes... At the same time, secure transmission of encrypted e-mail messages over the Internet occurs as conveniently as possible for the user. User-friendly and intuitive Web-based interface does not require special knowledge. In order to protect your correspondence, you do not need to master numerous procedures or exchange secret keys - you just need to register in this system and write letters as is usually done in open mail systems with a Web-based interface.

For users of the S-mail system, all correspondence is absolutely confidential: if the sender and recipient use the S-mail system, then no one will be able to penetrate their correspondence, because, before leaving the sender's computer, messages are encrypted and stored in encrypted form until then. until they are automatically decoded on the recipient's computer after the latter enters the password. At the same time, you do not need to specially download and install any programs, buy additional modules or specialized devices. The work is greatly facilitated by the fact that users do not have to pre-exchange keys or passwords with their subscribers via secure correspondence.

Before being sent to the Internet, all messages and attachments to them are encoded using generally accepted cryptographic algorithms, which provide the highest degree of protection: the system operates on the basis of the OpenPGP standard, and the used cryptographic algorithms, protocols and formats of messages composited and transmitted over communication networks are implemented in accordance with RFC 2440 "OpenPGP Message Format". This standard describes the structure of messages, the order of application of algorithms, their parameters, etc. The CAST-5 block algorithm with a key length of 128 bits (16 bytes) in CFB mode is used as a symmetric algorithm. The Diffie-Hellman algorithm is used as the public key algorithm. The lengths of the algorithm parameters have the following values: P - 2048 bits, G = 2, X - 512 bits.

Naturally, the S-mail system interacts with any other mail systems and allows you to receive and send messages to any e-mail addresses, but the protection function is only effective when both the sender and the recipient are S-mail subscribers.

TO additional benefits S-mail service refers to the fact that it is not tied to a specific user's computer and is accessible from any place where there is an Internet connection. Moreover, using the S-mail technology, you can store information in an encrypted form and decrypt it, having access to any computer connected to the Network.

For ordinary users, free registration on the S-mail server is open, and corporate users, in addition, will be able to organize their own mail system of any configuration based on the applied protection technologies.

We especially note that the S-mail service guarantees the absolute absence of advertising (both on the server itself and in the form of inserts, mailings and other spam in mail).

They planted the site on the hosting, created the domain, and raised the users. And when there are a lot of regular users, then it's time to create mail. Here…

I received many questions from my readers, most of which they asked me how to implement an email verification system with ...

The developers of which are employees of Cern. And in this article we will look at another project of this team.

Today you will learn all about ProtonMail secure mail. You will find out how it differs from others postal services and what security technologies it uses, how anonymous it is, how to register and how to use ProtonMail, and much more you should know about it. Well, let's go!

Secure Mail ProtonMail

  • Foreword
  • Possibilities
  • registration
  • Usage
  • ProtonMail in Tor
  • ProtonMail virus
  • Mail Proton in the TV series Mr. Robot
  • Interview with one of the creators
  • Conclusion, evaluation and reviews of ProtonMail

The project has been operating since 2013. From 2013 to 2014 was under testing. The creators of the service are employees of CERN (European Organization for Nuclear Research) Andy Yen, Jason Stockman and Wei Sun (it is clear why the Proton mail is called). Offices and servers are located in Switzerland in Geneva.

Mail ProtonMail differs from other mail services in the ability to encrypt messages before they are sent to the server. The entire encryption / decryption process takes place directly in the web browser, and only encrypted data is stored on the service server. According to the authors of the service, even in court they will not be able to decrypt the user's messages.

By default, the service uses one password for access, but it is possible to use two passwords, which improves the security of mail. Mail Proton uses a combination of two encryption solutions: public key cryptography (RSA) and protocol symmetric encryption(AES).

  • The first is for user identification (Password).
  • The second is for decrypting the data stored on the server (Mailbox Password).

The first user password is stored on ProtonMail servers (the user can change it at any time), while the second password is known only to the user himself, this is the reason that the service does not provide an opportunity to change or recover this password.

In addition, Proton mail provides the ability to set an expiration date for the storage of letters, after which the messages will be self-destructed.

There is both free and several paid versions with a wide range of functionality, but with the same level of protection. I would like to note that the payment option does not affect the level of protection in any way, but only adds additional functions.

For users free version There is no ProtonMail two-factor authentication.

On this moment the mail service interface is translated into: English (main), French, Italian, Polish. Alas, there is no Russian language yet.

Updated 07.08.2017. Added Russian language (thanks to subscriber Andrey Eremeev for the information).

Encryption in ProtonMail

Messages between users of the Proton mail service are encrypted automatically. An e-mail from ProtonMail sent to a recipient using the service of other providers can be encrypted at the request of the client or sent in unencrypted form.

Transport Layer Security (TLS) is used to secure and encrypt all communications between ProtonMail and users of other services.


The encryption uses the AES-256 algorithm with a password that must be known to both the recipient and the sender. The e-mail received by the addressee contains a link that directs to the ProtonMail server. After clicking on the link, the recipient enters a password, which allows them to read the message or reply to it.

Key features of ProtonMail:

  • The functionality is written in JavaScript. There is no open API.
  • The service successfully works with Cyrillic.
  • The service has the ability to create your own domain (only for paid accounts)
  • Email attachments are encrypted along with the body of the email.
  • Client applications for mobile devices: Android and iOS.

In fact, there is nothing difficult in registering the Proton mail, there is no need to even dwell on this. But still, for those who do not know English, I'll tell you quickly.

ProtonMail virus

In some cases, ransomware authors use Proton mail to communicate with the victim. Quite often, the address comes across. This fact has nothing to do with the developers.

Conclusion

This is one of the few still free secure email services. In terms of security, it is better than most mail services, but in terms of anonymity, not everything is so rosy. Using JavaScript reduces all anonymity to zero. Which can not only de-anonymize, but in some cases lead to other scenarios.


Another point that I didn’t like was the confirmation of registration by phone or some other mail. Of course, no one forces you to use your real mail for confirmation or to shine your real number, you can use, or even better, some left mailbox on some VFEmail, for example.

Which is better ProtonMail or GPG / PGP?

I would use the old fashioned way.

Should you use ProtonMail?

If you cannot or do not want to configure PGP encryption yourself, then you can. Proton mail is in many ways more reliable than conventional mail services.

When should you not use Proton mail?

I would probably not recommend this service exclusively to those for whom mail is the main tool, and who do not need a special level of mail protection. Because you will obviously miss a free account, and the prices for paid services not democratic at all by our standards.

Disadvantages of ProtonMail

  • There is no Russian language.
  • Using JavaScript.
  • There is no open API.
  • Does not support access via IMAP and POP (in terms of security, this is a plus).
  • Unable to export PGP keys.
  • Not best organization emails (Gmail is more convenient).
  • No (Gmail has it).

ProtonMail advantages

  • Secure mail.
  • Free secure mail.
  • Open source.
  • Sending password protected messages.
  • The service supports working with Cyrillic.
  • Create your own domain (paid version only).
  • Email clients for Android and iOS.

And finally. My friends. Online privacy is your right. I don't understand why ordinary people do not consider it shameful to lock their houses and apartments. And this fact does not arouse suspicions among the authorities “if it is locked, then something illegal is going on inside”. But on the net - this is a terrible sin, "if you lock it - then you are a maniac, terrorist and scoundrel."

All other materials on the topic of anonymity and online security you can find yourself using the search form on the site. And that's all for today. I wish you safety both online and offline. Good luck friends!

Proton Mail Developer Interview (English). Include Russian titles!

Evaluating ProtonMail Anonymous Mail

Our rating

ProtonMail is a secure mail. In some ways it is better than usual, but in some ways it is worse. In general, the guys from Cern look pretty convincing about security.

User rating: 4.04 (25 ratings)

The service uses asymmetric encryption (an encryption system using public keys), implemented on the side of the user's web browser in JavaScript.

On Wikipedia there is, but, unfortunately, it is rather difficult to read for an ordinary user without special technical knowledge.

Security

About the safety of such solutions on the user's side, when program code is issued by the service at every request, on the Internet you can find a lot of discussions and articles. For example, an article in English http://matasano.com/articles/javascript-cryptography/ from Matasano security.

A short summary of all discussions and available materials lies in the fact that at any time the service can give the changed program code (for example, at the request of law enforcement agencies), which will send them the user's mail password.

The ProtonMail team emphasizes that they are located in Switzerland, where, as they write, I cannot legally oblige them to install a backdoor. The full text of their explanation is available at https://protonmail.ch/blog/switzerland/. But this is “in theory”, while “in practice” there are no well-known public precedents yet.

In any case, the ability to change the program code at any time on the part of the service is a very serious drawback, since these changes can be aimed at specific users... In the case where cryptography is implemented in software product or generally at the operating system level, such updates aimed at specific users are much less likely and much harder to implement. Although, as you know, there are no 100% safe solutions, but we must strive for the highest possible level of security required in this situation.

Javascript executable on the browser side can be vulnerable to XSS attacks. In the case of ProtonMail, just like any other webmail, you can send a specially crafted email bypassing the built-in protection against XSS attacks and execute malicious code that will gain access to the user's email password or simply intercept the decrypted message content.

ProtonMail relies on the js-xss library to defend against XSS attacks. But in addition to filtering the content of the letter, there are also service mail headers, which can be similarly formed in a special way when sending letters from third party services to the ProtonMail user. And all ProtonMail accounts have the ability to receive letters from third-party services and cannot be disabled in the account settings.

In early June, a vulnerability was found in the ProtonMail service, allowing the execution of an arbitrary JavaScript code nothing unsuspecting user on the computer and get full access to his mailbox.

This vulnerability was found by Mike Cardwell and reported to the ProtonMail team. After fixing the vulnerability, he published information about it on ycombinator.com. ProtonMail posted his name in the list of thanks on its website - https://protonmail.ch/blog/protonmail-security-contributors/, which confirms this fact.

This security issue in ProtonMail has now been fixed, but how many more of these opportunities are there for hackers to implement browser-side cryptography in JavaScript?

Similar projects

Mailpile is an open source project, actively developing, is a web mail client (similarly ProtonMail works in a web browser in JavaScript), which should do affordable use cryptography for users without special technical skills.

Separately, it should be noted a unique feature of this project - support for a full-fledged search for encrypted messages. At https://www.mailpile.is/faq/ they write that an index is being created, and the contents of the index itself are stored in the form of hashes.

It is not specified, these are ordinary MD5 / SHA hashes or MAC. In the case of ordinary hashes, this search solution can be extremely insecure due to the possibility of determining which keyword occurs in the cipher text by counting the hashes of the words in a dictionary. Security is highly dependent on the implementation of this method.

Lavaboom is a secure webmail service similar to ProtonMail. Cryptography is implemented in JavaScript, the code is executed in a web browser.

Scramble is open source, implemented on the basis of OpenPGPjs (similar to ProtonMail), but a relatively young project and not so rapidly developing. I have listed it on this list to give a more complete picture of the services available on the market.

OpenMailBox - encryption is implemented using the OpenPGP plugin for the Roundcube web mail client project. The private key will be saved in the Local Storage of the browser.

Unseen - uses its own implementation, there is an exchange service text messages and voice calls. There are clients for mobile platforms and desktops.

Unseen is also used by Roundcube with the OpenPGP plugin.
From desktop clients I looked at the version for Ubuntu and Mac. These are native wrapper applications that have a "website" embedded inside them.

What to do?

Usage separate application for working with mail (mail client), the use of well-known cryptography implementations and a number of special restrictions for the sake of security (for example, the inability to receive mail from third-party resources in order to minimize the number of possible attacks) are the best solution.

Whoever can implement the use of public key cryptography in an accessible (easy) form for ordinary ordinary users using well-known mail clients (Apple Mail, Microsoft Outlook, mail clients built into mobile OS, and others) will win the love of users and, of course, will become the most successful service! Add tags

Email- the technology, as well as the shipping services it provides e-mails v computer network(including in global network Internet).

Currently, the technology of electronic mail has become widespread, which was facilitated, in particular, by the convenience and ease of use - anyone can easily register an electronic mailbox; to do this, you just need to take advantage of the numerous free services, such as, for example, mail.ru or yandex.ru (Russian) or google.com, yahoo.com or mail.com (international).

E-mail by the principle of work and its constituent elements resembles regular mail - it also contains such concepts as "letter", "recipient", "sender", "delivery", "attachment", "box" and others. At the same time, email borrows from regular characteristics: message transmission delays, sufficient reliability and no delivery guarantee.

Advantages and disadvantages

Merits e-mail is considered to be:

  • easy-to-remember and human-readable e-mail addresses [email protected] _name.com (for example, [email protected]);
  • possibility of transferring both plain text, and formatted (using, for example, HTML markup);
  • independent servers;
  • the ability to send files attached to the letter (in terms of e-mail - "attachments");
  • sufficiently high reliability of message delivery;
  • ease of use by programs and humans.

disadvantages Email:

  • the presence of such a phenomenon as spam;
  • theoretical possibility of non-delivery of a specific letter;
  • possible delays (up to several days) in the delivery of the letter;
  • restrictions on the size of one letter and on the total size of all letters in the mailbox of a particular user.

Along with the above disadvantages, email also has security deficiencies which are more interesting within the framework of this article:

  • the email may be altered (intentionally) or deformed (unintentionally) during the delivery process, which affects integrity transmitted information;
  • content email can be read by an attacker during its transfer between servers, which endangers confidentiality transmitted information;
  • the email could be fabricated by an attacker with spoofing email address the sender, which endangers authenticity information;
  • from the previous paragraph it follows that the sender can always refuse a letter in which he is listed as the sender, which is contrary to the principle non-repudiation from information.

Email protection

As mentioned above, e-mail, in its simplest case, is not able to protect the transmitted information. In this regard, for a long time, tools and methods for ensuring information security of e-mail have been developed and proposed for implementation, which will be discussed in the following parts of this article.

Based on the foregoing, mandatory protection is required by:

  • The content of the transmitted and received information, and it is important that no one (even the system administrator) can access the personal correspondence of users in open form... This is the most obvious form of protection and is usually implemented using encryption mechanisms. Content encryption can be performed transparently for the user (by remote servers) or by the users themselves using third-party software (in this case, both addressees must have the same program that encrypts / decrypts the contents of the letter).
  • The integrity of the information and the validity of the sender's email address. This kind protection can be implemented using an electronic digital signature (EDS), which is analogous to a conventional signature, but applies to electronic documents.
  • Confirmation of receipt of the letter. Very often (especially when business correspondence), it is advisable to have proof of receipt of your letter by the addressee.

Theoretical foundations for solving the problem

Ensuring integrity, authenticity and non-repudiation

To begin with, you need to ensure the integrity of the electronic messages and their reliable authorization - a guarantee that the letter was sent by the exact person who signed it. This problem can be solved by using an electronic digital signature... A digital certificate is used to digitally sign documents.

When signing a document, based on its content and the sender's secret key, the digital signature value is calculated, which is attached to the document along with the sender's certificate. The recipient, in turn, decrypts the digital signature value using the public key contained in the sender's certificate and verifies checksums received and original messages.

Thus, the use of an electronic digital signature provides:

  • integrity the information received: with any (deliberate or not) change in the document, the signature becomes invalid, since its value is calculated taking into account the contents of the document;
  • impossibility of repudiation: The secret key the certificate used to sign the document is known only to its owner, respectively, he cannot refuse his signature put under the document;
  • authenticity of the received document: an attacker cannot fabricate a document on behalf of one of the participants in the correspondence without knowing his secret key.

Ensuring confidentiality

Any of the encryption algorithms, including those with a public key, can provide the ability to hide the transmitted data. Number of applications using public key cryptographic protection systems, in recent times growing steadily around the world. Encryption of transmitted information provides completely reliable protection confidentiality of correspondence and the safety of files attached to the letter from unauthorized access to them by malefactors, representatives of government agencies and competitors.

Leading experts recommend using keys with a length of at least 75 bits, and preferably 90 bits or more, for cryptographic data protection; These recommendations are adhered to by all reputable international trading companies, hospitals, insurance companies, banks and brokerage firms that pay due attention to data security. Today, powerful computers are available to almost every user, however, even 40-bit encryption is still considered to be quite cryptographically strong, and encryption of data on a key with a length of 128 bits or more seems to be reliable for the foreseeable future, even taking into account Moore's law, which says that computing power doubling every 18 months.

Security criteria

A secure messaging system can be considered reliable if the following conditions are met (Protected mail on the SHIPKA website):

  1. all cryptographic transformations are performed in a trusted environment;
  2. all cryptographic keys are stored in a trusted environment throughout life cycle(creation, storage and application);
  3. transmitted messages are protected at all points of possible attack:
    • when creating (it is impossible to send a false message from someone else's name);
    • during transmission (it is impossible to read, change or delete the message by a third party);
    • upon receipt (it is impossible to receive and read the message by a person to whom it was not intended).

Basic cryptographic constructs and their strength

There are currently two main mechanisms for providing email security: PGP and S / MIME.

Practical applications of cryptographic constructions, peculiarities of their implementation

Desktop-based solutions

Microsoft Outlook and Microsoft Outlook Express

Postage Microsoft customers Outlook and Microsoft Outlook Express have built-in ability to send secure messages using CryptoAPI 2.0 features and X.509 public key certificates.

This solution has two main disadvantages:

  1. Public key certificates are paid, and their receipt can only be done in person upon presentation of a number of documents.
  2. Microsoft Outlook and Microsoft Outlook Express mail clients do not work with Russian cryptoalgorithms - to exchange messages using GOST certificates, you need to "patch" operating system computer.

Additional modules for mail clients

There is the ability to connect to email clients third-party solutions to ensure the confidentiality of correspondence, for example, in the settings client The Bat! you can install a version of PGP and use protections based on this standard.

This method of building secure messaging also has disadvantages:

  1. PGP also does not support Russian cryptographic algorithms;
  2. PGP is difficult to configure for a non-cryptographic user.

Common Disadvantages of Desktop Email Security Solutions

In addition to specific flaws, both of the email security solutions described above have a much more important common flaw: the Desktop implementation. If the cryptographic keys are stored on the computer on which the application is installed, and an attacker is able to gain access to this computer, then he will be able to gain access to key information, and therefore, for example, send a fabricated message signed by the EDS of the person who owns this machine and illegally obtained keys. At the same time, the owner of key information himself is not able to maintain secure correspondence from other computers, since they do not have his private keys.

Also important is the ongoing development of malicious software aimed at:

  • theft of key information from local storage media of computers and from RAM;
  • unauthorized modification of cryptoalgorithms used to encrypt information to obtain a conversion result beneficial to the attacker.

Secure mail with a web interface

A secure mail system with a Web interface seems to be more convenient in comparison with the tools described above. In such a system, maximum information protection and ease of use are guaranteed, and no special software is required - you can work from anywhere with Internet access. Also, this system may provide additional, sometimes paid, opportunities:

  • encrypted channel between user and server using SSL;
  • a documented notification of the user about the delivery of a letter and / or an automatic response to incoming correspondence;
  • digital signature of messages;
  • communication with other mail services (the communication channel with the mail server can also be protected);
  • additional notification of letters to another, regular (open) e-mail address;
  • the ability to forward incoming letters in the form of SMS to a cell phone or pager;
  • encryption of a letter on a local computer can be carried out without sending it for subsequent decryption anywhere with Internet access;
  • support for maintaining a notebook in a secure remote storage.

One of best services today, providing secure e-mail services with a Web-based interface, is the S-mail system, created by Network Research Lab Ltd (NR Lab).

S-mail is a secure e-mail that allows you to send messages protected from access by third parties. At the same time, all cryptographic techniques information protection is applied completely "transparently" to the user. For use of this service there is no need to learn the peculiarities of cryptographic protocols or exchange cryptographic keys, you just need to register on the website and work with it as with a regular mail service - send letters.

The S-mail system also allows the user to exchange messages with subscribers of other postal services, however, the maximum security of correspondence is guaranteed only in the case of communication with S-mail subscribers.

All correspondence of users of the S-mail service is absolutely confidential: third parties cannot get access to the contents of messages, since before sending the letter is securely encrypted by local machine user and decrypted only on the recipient's computer after entering the password. In this case, you do not need to install any additional software, as well as exchange keys or passwords with your partners in confidential correspondence.

Encryption of messages and applications to them is based on generally accepted cryptographic algorithms that can guarantee the highest degree of information security. The S-mail system works on the basis of the OpenPGP standard, and the used cryptographic protocols, algorithms and formats of messages transmitted over public networks are implemented in accordance with RFC 2440 "OpenPGP Message Format", which describes the order of application of algorithms, their parameters, message structure, etc. NS. A block cryptoalgorithm is used as a symmetric encryption algorithm


2021 gtavrl.ru.