Messages are encrypted at all times
Messages are stored on ProtonMail servers in encrypted format. They are also transmitted in encrypted format between our servers and user devices. Messages between ProtonMail users are also transmitted in encrypted form within our secure server network. Because data is encrypted at all steps, the risk of message interception is largely eliminated.
Zero Access to User Data
Your encrypted data is not accessible to us
ProtonMail’s zero access architecture means that your data is encrypted in a way that makes it inaccessible to us. Data is encrypted on the client side using an encryption key that we do not have access to. This means we don’t have the technical ability to decrypt your messages, and as a result, we are unable to hand your data over to third parties. With ProtonMail, privacy isn’t just a promise, it is mathematically ensured. For this reason, we are also unable to do data recovery. If you forget your password, we cannot recover your data.
Open Source Cryptography
Time-tested and trusted encryption algorithms
We use only secure implementations of AES, RSA, along with OpenPGP. Furthermore, all of the cryptographic libraries we use are open source. By using open source libraries, we can guarantee that the encryption algorithms we are using do not have clandestinely built in back doors. ProtonMail’s open source software has been thoroughly vetted by security experts from around the world to ensure the highest levels of protection.
Incorporated in Switzerland
All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and corporations. As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.
Hardware Level Security
Full disk encryption and storage in secured datacenters
We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland so your data never goes to the cloud. Our primary datacenter is located under 1000 meters of granite rock in a heavily guarded bunker which can survive a nuclear attack. This provides an extra layer of protection by ensuring your encrypted emails are not easily accessible to any third parties. On a system level, our servers utilize fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized.
No tracking or logging of personally identifiable information
Unlike competing services, we do not save any tracking information. By default, we do not record metadata such as the IP addresses used to log into accounts. As we have no way to read encrypted emails, we do not serve targeted advertisements. To protect user privacy, ProtonMail does not require any personally identifiable information to register.
Self Destructing Messages
With ProtonMail, emails are no longer permanent
You can set an optional expiration time on ProtonMail’s encrypted emails, so they will be automatically deleted from the recipient’s inbox once they have expired. This technology works for both emails sent to other ProtonMail users, and encrypted emails sent to non-ProtonMail email addresses. Similar to SnapChat, we’ve added a way for you to have ephemeral communication.
SSL Secured Connections
Swiss SSL to secure your connection
We use SSL to secure communication between our server and your computer. Message data between our server and your computer is already sent encrypted, but we use SSL to add another layer of protection and to ensure that the web page your browser loads is not tampered with by a third party intercepting your traffic in a MITM (Man in the Middle) attack.
Our SSL certificate authority (CA) is QuoVadis Trustlink Schweiz AG, a leading Swiss SSL certificate issuer. Using a Swiss based CA ensures that our CA’s SSL infrastructure is not under the control of US or EU government agencies. To allow extremely security conscious users to further verify that they are in fact connecting to our server, we have also released the SHA1 and SHA-256 hash for our SSL public key.
Securely communicate with other email providers
Even your communication with non-ProtonMail users can be secure
We support sending encrypted communication to non-ProtonMail users via symmetric encryption. When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser, which they can decrypt using a passphrase that you have shared with them. You can also send unencrypted messages to Gmail, Yahoo, Outlook and others, just like regular email.
Easy to Use
Comprehensive Security for Everyone
We created ProtonMail because we found that none of the existing secure email services available today are sufficiently secure. However, a secure service like ProtonMail cannot improve the security landscape if it is so difficult to use, nobody can use it. From the start, we designed ProtonMail with a strong emphasis on usability. As a result, ProtonMail is very easy to use. There is nothing to install, and no encryption keys to manage, if you can use Gmail, Thunderbird, or Outlook, you can use ProtonMail.
An Introduction to Qubes OS
What is Qubes OS?
Qubes OS is a security-oriented operating system (OS). The OS is the software that runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.
Why is OS security important?
Most people use an operating system like Windows or OS X on their desktop and laptop computers. These OSes are popular because they tend to be easy to use and usually come pre-installed on the computers people buy. However, they present problems when it comes to security. For example, you might open an innocent-looking email attachment or website, not realizing that you’re actually allowing malware (malicious software) to run on your computer. Depending on what kind of malware it is, it might do anything from showing you unwanted advertisements to logging your keystrokes to taking over your entire computer. This could jeopardize all the information stored on or accessed by this computer, such as health records, confidential communications, or thoughts written in a private journal. Malware can also interfere with the activities you perform with your computer. For example, if you use your computer to conduct financial transactions, the malware might allow its creator to make fraudulent transactions in your name.
Aren’t antivirus programs and firewalls enough?
Unfortunately, conventional security approaches like antivirus programs and (software and/or hardware) firewalls are no longer enough to keep out sophisticated attackers. For example, nowadays it’s common for malware creators to check to see if their malware is recognized by any signature-based antivirus programs. If it’s recognized, they scramble their code until it’s no longer recognizable by the antivirus programs, then send it out. The best of these programs will subsequently get updated once the antivirus programmers discover the new threat, but this usually occurs at least a few days after the new attacks start to appear in the wild. By then, it’s too late for those who have already been compromised. More advanced antivirus software may perform better in this regard, but it’s still limited to a detection-based approach. New zero-day vulnerabilities are constantly being discovered in the common software we all use, such as our web browsers, and no antivirus program or firewall can prevent all of these vulnerabilities from being exploited.
How does Qubes OS provide security?
Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.
This approach allows you to keep the different things you do on your computer securely separated from each other in isolated qubes so that one qube getting compromised won’t affect the others. For example, you might have one qube for visiting untrusted websites and a different qube for doing online banking. This way, if your untrusted browsing qube gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use disposable qube. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop.
Moreover, all of these isolated qubes are integrated into a single, usable system. Programs are isolated in their own separate qubes, but all windows are displayed in a single, unified desktop environment with unforgeable colored window borders so that you can easily identify windows from different security levels. Common attack vectors like network cards and USB controllers are isolated in their own hardware qubes while their functionality is preserved through secure networking, firewalls, and USB device management. Integrated file and clipboard copy and paste operations make it easy to work across various qubes without compromising security. The innovative Template system separates software installation from software use, allowing qubes to share a root filesystem without sacrificing security (and saving disk space, to boot). Qubes even allows you to sanitize PDFs and images in a few clicks. Users concerned about privacy will appreciate the integration of Whonix with Qubes, which makes it easy to use Tor securely, while those concerned about physical hardware attacks will benefit from Anti Evil Maid.
How does Qubes OS compare to using a “live CD” OS?
Booting your computer from a live CD (or DVD) when you need to perform sensitive activities can certainly be more secure than simply using your main OS, but this method still preserves many of the risks of conventional OSes. For example, popular live OSes (such as Tails and other Linux distributions) are still monolithic in the sense that all software is still running in the same OS. This means, once again, that if your session is compromised, then all the data and activities performed within that same session are also potentially compromised.
How does Qubes OS compare to running VMs in a conventional OS?
Not all virtual machine software is equal when it comes to security. You may have used or heard of VMs in relation to software like VirtualBox or VMware Workstation. These are known as “Type 2” or “hosted” hypervisors. (The hypervisor is the software, firmware, or hardware that creates and runs virtual machines.) These programs are popular because they’re designed primarily to be easy to use and run under popular OSes like Windows (which is called the host OS, since it “hosts” the VMs). However, the fact that Type 2 hypervisors run under the host OS means that they’re really only as secure as the host OS itself. If the host OS is ever compromised, then any VMs it hosts are also effectively compromised.
By contrast, Qubes uses a “Type 1” or “bare metal” hypervisor called Xen. Instead of running inside an OS, Type 1 hypervisors run directly on the “bare metal” of the hardware. This means that an attacker must be capable of subverting the hypervisor itself in order to compromise the entire system, which is vastly more difficult.
Qubes makes it so that multiple VMs running under a Type 1 hypervisor can be securely used as an integrated OS. For example, it puts all of your application windows on the same desktop with special colored borders indicating the trust levels of their respective VMs. It also allows for things like secure copy/paste operations between VMs, securely copying and transferring files between VMs, and secure networking between VMs and the Internet.
How does Qubes OS compare to using a separate physical machine?
Using a separate physical computer for sensitive activities can certainly be more secure than using one computer with a conventional OS for everything, but there are still risks to consider. Briefly, here are some of the main pros and cons of this approach relative to Qubes:
- Physical separation doesn’t rely on a hypervisor. (It’s very unlikely that an attacker will break out of Qubes’ hypervisor, but if one were to manage to do so, one could potentially gain control over the entire system.)
- Physical separation can be a natural complement to physical security. (For example, you might find it natural to lock your secure laptop in a safe when you take your unsecure laptop out with you.)
- Physical separation can be cumbersome and expensive, since we may have to obtain and set up a separate physical machine for each security level we need.
- There’s generally no secure way to transfer data between physically separate computers running conventional OSes. (Qubes has a secure inter-VM file transfer system to handle this.)
- Physically separate computers running conventional OSes are still independently vulnerable to most conventional attacks due to their monolithic nature.
- Malware which can bridge air gaps has existed for several years now and is becoming increasingly common.
(For more on this topic, please see the paper Software compartmentalization vs. physical separation.)
Today, July 19th 2017, WikiLeaks publishes documents from the CIA contractor Raytheon Blackbird Technologies for the “UMBRAGE Component Library” (UCL) project. The documents were submitted to the CIA between November 21st 2014 (just two weeks after Raytheon acquired Blackbird Technologies to build a Cyber Powerhouse) and September, 11th 2015. They mostly contain Proof-of-Concept ideas and assessments for malware attack vectors – partly based on public documents from security researchers and private enterprises in the computer security field.
Raytheon Blackbird Technologies acted as a kind of “technology scout” for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.