Protonmail – andy yen – public key – encryption
Αn in-dΞpth Analysis:
Collaboration with protonΜλil & andy yen (ceo)
By Ryan Ward
Originally published: November 21, 2015 – Updated April 22, 2020
With a colossal escalation of interest in secure-impregnable open-source encryption email services, Jason Stockman, Andy Yen and Wei Sun collaborated together colliding their thoughts and expertise in the cafeteria of the CERN research facility and not before long founding ProtonMail in 2013. With the vision and joint expertise of the ProtonMail’s team they have contemporaneously set the bar firmly for the safety and transference of our personal data, setting out to crucially fill the much-necessary void in lack of security and encryption and in doing so coherently masking the complexity of the cryptography. Serving a fully integrated platform designed to be intuitively merged with unparalleled ease of use and privacy. Which in turn is a highly functional anonymously secure end to end encrypted-free of cost email service for the entire global populations use, whom may not be as technologically adapted as the average savvy crypt-analyst. Stationed in Switzerland the team at ProtonMail has revitalised the old PGP mail server market. With success & aspiration of their concept becoming a reality due to the launching of their project on a crowd funding site Indiegogo. Through doing so is far from a guaranteed success for many projects. The Success of this campaign is strapping evidence that ProtonMail’s social mission of safeguarding online privacy resonates strongly with the people around the world. Andy Yen knew of the possibilities of crowdfunding stating firmly “Do not underestimate the power of the crowd” and with over 10.000 people donating and raising well over $500.000 dollars, well and truly far passing its original goal of $100.000 which is affirmation of record breaking numbers, Andy was equitable in saying so. Things did not go so smoothly with the retrieval of the funds – On 31 July 2014 PayPal froze ProtonMail’s PayPal account, thereby preventing the withdrawal of US$251.721 worth of donations. PayPal stated that the account was frozen due to doubts of the legality of encryption, statements that opponents said were unfounded, and subsequently the constraints were lifted the following day. Only if Bitcoin was as widespread, Andy Yen would have done the entire campaign through the alternative.
Finances emerged, cascading in from many foundations, notably from the Charles River Ventures and the Foundation Genevoise pour L’Innovation Technologigue ( Fongit) amassing a benevolent donating of US$2Million. The service is constructed in such a way it delivers on all aspects which it promises– with enough paranoia instilled in its framework to keep precocious eyes away. On a system level, their servers utilise fully encrypted hard disks with multiple password layers so data security is preserved even if their hardware is seized, not to mention its primary data centre being buried under 1000 meters of granite rock in a heavily guarded bunker which can survive a nuclear attack! On a lighter note all user data is protected by the (DPA) and the (DPO) which offers some of the strongest privacy protection in the world for individuals and corporations. As ProtonMail is outside of the US and EU jurisdiction, only a court from the cantonal court of Geneva or the Swiss Federal Supreme Court can compel them to release the extremely limited user information which they have.
Back doors to security
The back doors to security structures and voids in the technology where shown by disclosures from whistle blowers such as Edward Snowden, Such disclosures such as “Global surveillance and interception of email by the NSA “inspired ProtonMail at its foundation.In further detail of ProtonMail’s firm and impassible security structure, they operate by using a combination of symmetric encryption protocols and public-key cryptography to offer end-to-end encryption. On formation of a ProtonMail account, your web-browser will generate a combination of public and confidential RSA keys. The public key is used to encrypt all of the users’ data such as email address & all other associated data developed by the user. The confidential key, which is capable of decrypting the user’s data, is symmetrically encrypted with the user’s mailbox password in the user’s web browser using AES-256. The public key and the encrypted private keys are then both stored on ProtonMail servers. Thus, ProtonMail stores decryption keys only in their encrypted form, so ProtonMail developers are incapable to retrieve user emails, do not record any metadata such as IP addresses.
An email sent from one ProtonMail account to an additional ProtonMail account is automatically encrypted with the public key of the recipient. Once encrypted, only the private key of the recipient can decrypt the email. When the recipient logs in, their mailbox password decrypts their private key and unlocks their inbox. Emails transmitted from ProtonMail to non-ProtonMail email addresses may be sent with or without encryption. With encryption, the email is encrypted with AES and can only be decrypted with a separate password. This password has to be set by the sender and be given to the recipient through other channels. The recipient only receives a link to the ProtonMail website on which they can enter the password and read the decrypted email.
With the state-of-the-art architecture of a ProtonMail datacenter, ProtonMail administrators maintain and own their own server hardware and network to avoid trusting a third party. In response to overwhelmed servers, in mid-2014 ProtonMail founders began expanding and developing server architecture.
Each datacenter uses load balancing across web, mail and SQL servers, redundant power supply, hard drives with full disk encryption, and exclusive use of Lunix and other open-source software. ProtonMail also joined the RIPE NCC in an effort to have more direct control over the surrounding internet infrastructure. The use of (TLS) to secure and encrypt all internet traffic between users and ProtonMail servers. Protonmail.com currently holds an “A+” Rating from Qualys SSL Labs.
The service is currently powered by two redundant data-centres in central and westrn Switzerland.
ProtonMails colossal surge in members.
Advantages compared to competitors
One distinguished feature ProtonMail have integrated is the destruction of messages, you can now set an optional expiration time on encrypted emails, so they will be consequently deleted from the recipient’s inbox once they have expired. This technology works for both emails sent to other ProtonMail users, and encrypted emails sent to non-ProtonMail email addresses. Similar to SnapChat, They have added a way for you to have ephemeral communication. ProtonMail was primitively conceived by PhD student Andy Yen, who collocated and called on fellow CERN scientists to examine the problem of online privacy, or rather the scarcity of it, and see if they could come up with a solution. Andy Yen took to CERN’s Facebook group and the response was overwhelming. Within days, dozens of people decided to join the effort and more than 40 individuals took part in the dialogue. And has now catapulted to where its standpoint is today with a very diverse range of people throughout the team.
The Snowden Leak
Edward Paved the way
The Snowden leak demonstrated what many technologists suspected and questioned for years, that the NSA was collectively obtaining access to commonly used technology to snoop on people – but many were taken aback by the sheer scale of the operation exposed by the whistle blower. There has been a huge upsurge within the internet community resorting to encrypted communications in light of the Snowden Affair. According to Canadian broadband management company Sandvine, the volume of encrypted internet traffic has skyrocketed in recent months. With the percentage of encrypted internet traffic in Europe quadrupled over the course of 2014 ‘Global Internet Phenomena Report the first half of 2014’, Andy Yen at Protonmail is looking to reach this relatively large volume of internet goers who would like to keep their communications private.
The ProtonMail Team
ProtonMail’s team is comprised of a devoted team of developers, Scientists, Researchers from the European Organization for Nuclear Research (CERN) in Geneva and other high-level educational institutions such as(Harvard) (MIT) (USC)whom all have a wide range of experience and qualifications to match their titles at ProtonMail, You can view the entire team below. This team has taken on a huge responsibility to protect your civil liberties & email privacy and security against cyber-attacks for today and for the remaining future. They believe privacy is a fundamental human right that must be protected at any cost. What better of a group of people to do it than these guys! Worth noting that – they all support Bitcoin.. including andy yen!
Andy Yen a physicist and economist by training, since 2010 Andy has been part of the ATLAS experiment at CERN, where his research and analysis focus has been on the search for supersymmetric particles. He is translating his experience in large-scale computing to build the infrastructure that is used to run ProtonMail. Andy stated “It’s clear that we are under observation by both governments and corporations, and we can’t just sit on the sidelines — privacy is too important for democracy. We are computer scientists, we can do something, so we decided to try.” He has a very impressive resume within education & research, has been awarded various awards such as the George W. Housner award ( Awared to a caltech senior for an outstanding piece of original scientific research), U.S department of Energy, Graduate fellowship, National science Foundation graduate fellowship, Haren Lee Fisher Memroial award in junior physics, American physical society travel award , California academic decathlon state finals. To the observer: he is an intellectual with impressive academic credentials. Andy Yen delivered a profound and comprehensive thought-provoking ‘Ted Talk’, argued the point that encryption can be made simple to the point of becoming the default option, providing true email privacy to all.
Q & A with
Andy Yen (ceo of Protonmail)
Ryan Ward (director of liive, ambassador of rumec).
Ryan Ward: What is the primary benefits of ProtonMail being located outside of the US and EU jurisdiction for the colossal amount of users at ProtonMail?
Andy Yen: Switzerland is neutral which allows us to serve a wide spectrum of users without fear of governmental pressure. US and EU laws also have some fairly intrusive surveillance directives, and being based in Switzerland gives us a legal framework that better protects privacy.
Ryan Ward: Edward Snowden disclosed many of the voids and back doors to security structures. What has this information transpired into for companies such as ProtonMail?
Andy Yen: The Snowden leaks have really helped to separate the real security companies from the ones that offer psuedo-security. In particular, the Snowden revelations have made clear to the world the importance of offering end-to-end encryption as opposed to just encryption, and this has obviously helped companies such as ProtonMail who provide true end-to-end encryption.
Ryan Ward: Is the team on schedule to release the native iOS application by summer?
Andy Yen: Actually the release should happen in January 2016.Rumec: What is your thoughts on the data-mining model used by almost all of the large email providers, In comparison to a freemium model? ProtonMail: For this, I would like to refer you to our blog post here:
https://protonmail.com/blog/privacy-under-attack/Rumec: Where do you see Proton Technologies AG in the future? ProtonMail: I see us growing to become a security and privacy company that encompasses more than just email, but also other critical pieces of our digital existence such as file storage, file sharing, and chat. Our goal is to build an entire suite of web applications which are end-to-end encrypted so we can bring back online privacy across the board.
Ryan Ward: We know now of the magnitude of the recent DDoS attacks. Has this been a substantial setback for ProtonMail? With the purpose of the primary attack not being financially attributed, but purposefully to keep ProtonMail offline, what does this mean for ProtonMail and other companies whom strive to protect privacy rights?
Andy Yen: We have always known that privacy has opponents. At ProtonMail, we protect many at risk groups such as dissidents, activists, and whistleblowers, and these groups often have powerful opponents which will stop at nothing to prevent them from communicating safely through ProtonMail. Thus, all privacy companies not only need to fight for themselves, but we also need to fight for our users. The attack against ProtonMail was massive, but we are fortunate to have a very competent technical team so we were able to overcome the attack quickly. The attack was a challenge, but in the long run, not a major setback. Our development schedule is delayed by approximately 2 weeks, but that’s the limit of the harm done to us.
ProtonMail is currently in public beta and the team (Dino Kadrikj, Yangfeng Zhang, andy yen) is actively working on Android and iOS apps (beta). These should be fully launched in January 2016, if all goes according to plan, the service will move out of beta at around the same time. The team has decided to adopt a freemium model to make the service pay, since the service is encrypted and, thus, cannot be used to serve targeted ads, such as Google AdSense, the team has decided to embrace this model. There is a chance that the data-mining model used by mass corporation’s will die out in the next decade. Since ProtonMail is all about the preservation of security and privacy, it does not track its users or gather any personally identifiable information. Of course, an additional level of security and anonymity is provided by one of the payment methods – bitcoin. Additional features and storage will be available. Full pricing tiers have not yet been announced, but the basic paid account will provide 1GB of storage for $5.
Proton Technologies AG
Proton Technologies AG based in Plan-Les-Ouates, Switzerland has grown into a global leader in online security. Today, they are the world’s largest secure email provider with over half a million users. In addition to their headquarters in Geneva, Switzerland, they have support centers in San Francisco, CA, and Skopje, Macedonia. Their global presence allows them to provide 24/7 support and monitoring of mission critical applications for all their customers. ProtonMail works on various devices, including desktops, laptops, tablets, and smartphones.
Encryption (the translation of data into a secret code) is the process of changing information in such a way as to make it unreadable by anyone except those possessing special knowledge (Usually referred to as a “Key”) that allows them to change the information back to its original, readable form. Encryption is critically important because it allows you to securely safeguard data that you don’t want anyone else to have access to by right. Encryption is an effective method of protecting and securing your corporate data,
in the same way locking the doors to your business is an effective method of preventing trespassers. The hacking and selling of corporate data can be a very lucrative prospect for a potential hacker and, as such,
protection against hacking is extremely important.
Corporations use it to protect corporate secrets, government’s use it to secure classified information, and many individuals use it to protect personal information to guard against things like identity theft. Andy Yen has been pushing for privacy and encrypted mail since the beginning.
Espionage uses encryption to securely conserve folder contents, which could enclose emails, chat histories, tax information, credit card numbers, or any other sensitive information. This way, even if your computer is stole that data is safe. People complain that using encryption in email is too much work, which it can be fraught with difficulty for the encryption novice, but now with ProtonMail there is a secured solution. A maintained solution, in Switzerland whose team are sufficiently & persistently motivated to the task with the best encryption practices. ProtonMail creates a barrier against your most sensitive data being accessible to people who simple should not have it and you don’t want outsiders to eavesdrop in to your sensitive data. They are your first line of defence for relative security that is unlikely to be broken into within this century at current levels of encryption technology. Discussion in person is the only suitable replacement, barring life-threatening emergencies, for due diligence in maintaining my long-distance communications security.Comparing hacking (virtual theft) with burglary (physical theft), there is a much higher chance that your business will be hacked than there is that your business will be broken into. According to a recent survey, 90% of businesses say they have been hacked. Burglary statistics vary by region, but are typically extremely low (well under 1%).Encryption is the most imperative privacy-preserving technology we have, and one that is compulsory, obligatory suited to protect against bulk surveillance, the kind done by governments looking to control their populations and criminals looking for vulnerable victims. By forcing both to target their attacks against individuals, we protect society. Encryption should be enabled for everything by default, not a feature you turn on only if you’re doing something you consider worth protecting.
Under the hood, ProtonMail uses OpenPGP, an old open source encryption standard that uses a mix of linked public and private crypto keys to lock and unlock data. The public key is shared, the private key kept secret. This allows one person to take another’s public key and use it to sign and scramble a message that can only be unlocked by the recipient’s private key. As long as they each have the others public key, they can converse with encrypted messages. In September 2015, ProtonMail added native support to their web interface and mobile app for Pretty Good Privacy (PGP). This allows a user to export their ProtonMail PGP-encoded public key to others outside of ProtonMail, enabling them to use the key for email encryption, enabling the support of PGP encryption from ProtonMail to outside users.
PGP: How it works.
Pretty Good Privacy uses a variation of the public key system. In this system, each user has an encryption key that is publicly known and a private key that is known only to that user. You encrypt a message you send to someone else using their public key. When they receive it, they decrypt it using their private key. Since encrypting an entire message can be time-consuming, PGP uses a faster encryption algorithm to encrypt the message and then uses the public key to encrypt the shorter key that was used to encrypt the entire message. Both the encrypted message and the short key are sent to the receiver who first uses the receiver’s private key to decrypt the short key and then uses that key to decrypt the message.
PGP comes in two public key versions — Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The RSA version, for which PGP must pay a license fee to RSA, uses the IDEA algorithm to generate a short key for the entire message and RSA to encrypt the short key. The Diffie-Hellman version uses the CAST algorithm for the short key to encrypt the message and the Diffie-Hellman algorithm to encrypt the short key.
When sending digital signatures, PGP uses an efficient algorithm that generates a hash (a mathematical summary) from the user’s name and other signature information. This hash code is then encrypted with the sender’s private key. The receiver uses the sender’s public key to decrypt the hash code. If it matches the hash code sent as the digital signature for the message, the receiver is sure that the message has arrived securely from the stated sender. PGP’s RSA version uses the MD5 algorithm to generate the hash code. PGP’s Diffie-Hellman version uses the SHA-1 algorithm to generate the hash code.
PGP: Security quality
To the best of publicly available information, there is no known method which will allow a person or group to break PGP encryption by cryptographic or computational means. Indeed, in 1996, cryptographer Bruce Schneier characterized an early version as being “the closest you’re likely to get to military-grade encryption.” Early versions of PGP have been found to have theoretical vulnerabilities and so current versions are recommended. In addition to protecting data in transit over a network, PGP encryption can also be used to protect data in long-term data storage such as disk files. These long-term storage options are also known as data at rest, i.e. data stored, not in transit.
The cryptographic security of PGP encryption depends on the assumption that the algorithms used are unbreakable by direct cryptanalysis with current equipment and techniques.
In the original version, the RSA algorithm was used to encrypt session keys. RSA’s security depends upon the one-way function nature of mathematical integer factoring. Similarly, the symmetric key algorithm used in PGP version 2 was IDEA, which might at some point in the future be found to have previously undetected cryptanalytic flaws. Specific instances of current PGP or IDEA insecurities (if they exist) are not publicly known. As current versions of PGP have added additional encryption algorithms, the degree of their cryptographic vulnerability varies with the algorithm used. In practice, each of the algorithms in current use are not publicly known to have cryptanalytic weaknesses.
New versions of PGP are released periodically and vulnerabilities are fixed by developers as they come to light. Any agency wanting to read PGP messages would probably use easier means than standard cryptanalysis, e.g. rubber-hose cryptanalysis or black-bag cryptanalysis i.e. installing some form of trojan horse or keystroke logging software/hardware on the target computer to capture encrypted keyrings and their passwords. The FBI has already used this attack against PGP in its investigations. However, any such vulnerabilities apply not just to PGP but to any conventional encryption software.
In 2003, an incident involving seized Psion PDAs belonging to members of the Red Brigade indicated that neither the Italian police nor the FBI were able to decrypt PGP-encrypted files stored on them.
A more recent incident in December 2006, (see In re Boucher), involving US customs agents who seized a laptop PC that allegedly contained child pornography, indicates that US government agencies find it “nearly impossible” to access PGP-encrypted files. Additionally, a magistrate judge ruling on the case in November 2007 has stated that forcing the suspect to reveal his PGP passphrase would violate his Fifth Amendment rights i.e. a suspect’s constitutional right not to incriminate himself. The Fifth Amendment issue was opened again as the government appealed the case and a federal district judge ordered the defendant to provide the key.
Evidence suggests that as of 2007, British police investigators are unable to break PGP, so instead have resorted to using RIPA legislation to demand the passwords/keys. In November 2009 a British citizen was convicted under RIPA legislation and jailed for nine months for refusing to provide police investigators with encryption keys to PGP-encrypted files.
Recent DDoS Attack
Even with an encrypted webmail system able to withstand intelligence agency-level surveillance, ProtonMail was hit hard from the 3rd to the 7th of November 2015 with a DDOS (basically an enormous amount of junk data) that made the service largely unavailable to users. ProtonMail believes it was struck by two separate attacks from what appears to be a nation state, as well as an ‘Irrelevant in comparison’ secondary and separate lower-level assault from an identified assailant. The lower-level assault first led by a group of hackers known as the Armada Collective, and the second by an unknown, more technically advanced group with abilities & hallmarks similar to a state-sponsored group, extremely high sophistication and a colossal amount of resources. In detail the mix of attacks where in extremely high volume and was timed in a highly coordinated and sophisticated fashion with intentions of causing large-scale damage to achieve its aims The first attack was tied to a ransom of 15 bitcoins(roughly US&6,000) from the Armada Collective, which ProtonMail eventually paid due to pressure from ISPs and other companies affected by the attack. The DDoS attacks, however, did not stop and instead began to take on more sophistication, with rates exceeding 100 Gbps & an attack that leave experts stunned due to the pattern of tactics – with an attack on 15 different ISP nodes simultaneously, then attacking all the ISPs going into the data center .The Company received an email from the Armada Collective disclaiming responsibility for the ongoing attack. During the attack, the company stated on Twitter that it was looking for a new data center in Switzerland, saying that “many are afraid due to the magnitude of the attack against us”. They have since posted that they “have a comprehensive long term solution which is already being implemented”. On 6 November, ProtonMail posted to twitter that their ISP came under ‘renewed attack’ that morning. On 7 November, they said that there was a ‘50% chance of coming back today’
“WE HOPED THAT BY PAYING, WE COULD SPARE THE OTHER COMPANIES IMPACTED BY THE ATTACK AGAINST US, BUT THE ATTACKS CONTINUED NEVERTHELESS. THIS WAS CLEARLY A WRONG DECISION SO LET US BE CLEAR TO ALL FUTURE ATTACKERS – PROTONMAIL WILL NEVER PAY ANOTHER RANSOM.” Andy Yen
To avail and giving credit to, many of the world’s largest tech companies and networking experts who gave their offering of assistance to analyze and track the attack, Such as one of the world’s top DDoS protection companies (Radware) offering to step in at a significantly reduced prices in order to support ProtonMail’s Mission, Knowing that a large number of activists, dissidents, journalists, and regular users would have lost the ability to communicate, thus bringing ProtonMail back online in three days with the capability to withstand the largest distributed cyber-attack (DDoS)which has ever hit Switzerland. Also much of ProtonMail’s credit goes to its users whom contributed largely by donating over $50.000 to help with the current attack & safe guarding of services from future attacks by developing a permanent solution. DDoS attacks are common and crude, they are also effective at disrupting critical networking infrastructure. When attacks at this magnitude are carried out on companies such as ProtonMail, with purpose to destroy the community, but this attack only served to unify the entire community including security organizations, united by a common cause and vision for the future.
Chillingly enough commonly someone will take responsibility for the attacks or request a ransom, on this occasion – their sole mission was to keep ProtonMail offline.
With a colossal amount of people flocking to CERN’s new
super-secure email and you don’t have to ask why, its servers
must grow exponentially in order to cope with the capacity of
interest. Even with a major infrastructure upgrade, thus allowing
ProtonMail to quickly invite a lot of users from their waiting list,
they still rely largely on donations in order to add more servers,
your donations will also give you an exclusive perk of a higher
capacity of storage in your email account, also another exclusive
is that soon users will have the opportunity to invite others
to the service without having to wait. Also by the end of year
ProtonMail will be offering customized business domains.
The future is in our Hands
It is time for an alternative, a framework constructed of reckoning and logic, with privacy deep at its core foundation, the community at its heart, whom propelled ProtonMail to where it is today. It is in thanks to the community who donates, shares, advocates a platform of your right to anonymity and privacy, a community who strongly believe that privacy is a fundamental human right that must be protected at any cost.
With the advent of the internet now making us more vulnerable to mass surveillance than at any other point in human history. The disappearance of online privacy is a very dangerous trend as in many ways privacy and freedom go hand in hand. ProtonMail believes that the best way to guard against mass surveillance is to give encryption to everybody making it free and easy to use.
Thanks to the entire team at ProtonMail , the early adopters, the entire community, the organisations who helped tackle the largest cyber-attack on Switzerland, for now allowing a revolutionary framework to open up to the world, giving myself and people around the world a right to privacy for our generation and generations to come.Sign up to ProtonMail and join a community that is rapidly growing as you read this and learn about public keys and encryption , be part of something remarkable and transforming of the norm.
Donate to Andy Yen’s platform Protonmail below!
Let’s make ProtonMail develop to it’s potential.
Click here to Donate.
Sign up and Share
ProtonMail needs your support to help promote
privacy around the globe. Sign up.
Learn more about public key and encryption here . The importance of public key and encryption is to secure your private data.
Stay in Touch
To follow the best independent media platform in the world, read stories you wont see on the main stream media and follow inspirational interviews with the worlds most amazing people and un mask the corruption and cause of poverty. Start changing your perspective by being actively engaged in our independent coverage!