Feeds

CERN and MIT chaps' secure webmail stalled by stampede of users

Proton Mail encrypts text in the browser and doesn't collect metadata

Beginner's guide to SSL certificates

A bunch of CERN alumni has taken time out of the weighty world of particle physics to take another shot at cracking the e-mail encryption nut.

Their offering, Proton Mail, has gone into public beta, and proved so popular the group has had to suspend new registrations while it upgrades its servers.

As a concept, encrypting e-mail goes back at least to the earliest days of PGP – Pretty Good Privacy – that got Phil Zimmerman in so much trouble back in the day (he suffered a long criminal investigation by the US Customs Service, as outlined briefly at Wikipedia) .

PGP, which lives on in various open-source tools today, ran encryption alongside users' e-mail clients and was widely seen as too difficult for the average user. In the world of Webmail, encryption happens at the server end, and as Lavabit found to its cost, that leaves user data subject to the demands of law enforcement.

Proton Mail even nods towards PGP: “In truth, there is not a whole lot that ProtonMail does that is not already accomplished by PGP, at least from a security standpoint," the outfit notes. "But, to quote what Bruce Schneier said to us when he visited MIT, 'all PGP has demonstrated is that even one click is too much'.”

“What we really want to provide is privacy for the much larger segment of the population that isn't sophisticated enough to use PGP.”

Proton Mail is a Webmail that encrypts messages at the client-side – within the user's browser – so that the user doesn't have to delegate encryption and trust to the provider. The organisation doesn't log user activity, so information like IP addresses and other metadata aren't available.

It runs AES, RSA and OpenPGP implementations on open source cryptographic libraries, while at the server end, Proton Mail runs full disk encryption in its Swiss data centres (Switzerland was chosen as offering the best available privacy legislation).

While the system is designed to be a crypto-for-dummies operation, it does demand that users have two passwords: one to authenticate yourself with its servers, and the second local password for decrypting messages. El Reg would suggest using a password manager for the second, since Proton Mail can't re-issue a password that it never held.

There's also an optional self-destruct feature for messages, and users can deal with other e-mail providers either unencrypted, or using symmetric encryption.

Some of the developers remain at CERN, while others are now at MIT.

There's some interviews with the founders, Jason Stockman, Wei Sun, Andy Yen, in this piece at Forbes – even if the headline, “The Only Email System The NSA Can't Access”, is something of a howler.

The developers told Forbes they chose to “bootstrap” rather than seek VC funding to maintain their credibility among users. The service will be priced on a fee-for-storage model, at US$5 for 1GB. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.