EmailDiscussions.com  

Old 17 May 2014, 02:55 AM   #46
rockman
Senior Member
 
Join Date: Aug 2013
Location: Seattle
Posts: 115
For the record, I've been running Firefox 29.0.1 for a week or so with no problems. That's less problems than with IE11.

OK, I think we can put the FF browser issues to bed now. If you encounter any more show-stopping browser issues, contact ProtonMail support directly. Posting here is not nearly as valuable or helpful. Jason fixes stuff fast. It's amazing.
Old 17 May 2014, 03:04 AM   #47
rockman
Senior Member
 
Join Date: Aug 2013
Location: Seattle
Posts: 115
Regarding headers, here's an example of a full email source sent from my ProtonMail account to a non-ProtonMail account unencrypted...

Code:
Return-path: <redacted>
Envelope-to: <redacted>
Delivery-date: Fri, 16 May 2014 10:51:12 -0700
Received: from mail.protonmail.ch ([37.35.106.36]:40023)
	by whub39.webhostinghub.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.82)
	(envelope-from <redacted>)
	id 1WlMHo-0006Py-Ky
	for <redacted>; Fri, 16 May 2014 10:51:12 -0700
Received: by mail.protonmail.ch (Postfix, from userid <redacted>)
	id 8412E14250641; Fri, 16 May 2014 17:50:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=protonmail.ch;
	s=default; t=1400262652;
	bh=5XJEnonlaxIM0My6t8LmMrweIrr1YWD4ZknMfuXae6o=;
	h=To:Subject:Date:From:Reply-To;
	b=bF9uuVO4U8fOFo+nGn4CHyll5k9kzLLDCScwPcZlkWfn924rSzJk219lD32toaC3b
	 T0bQwcTDB6JEqeYPLLf1NY/79w0tIfxhOxYiIKlgH56gtwB74j0kgPnO23k0pnTJ10
	 rvW3AK/4PGrJG5u0HtNBvVO6GFvkpliwH8sq/wsI=
To: <redacted>
Subject: Hello
X-PHP-Originating-Script: 516:class.phpmailer.php
Date: Fri, 16 May 2014 13:50:52 -0400
From: <redacted>
Reply-To: <redacted>
Message-ID: <redacted>
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hello again! Check out the headers.<br><br><br><span><br><br><br><br>
Sent from <a href="https://protonmail.ch" rel="nofollow" target="_blank">ProtonMail</a>, 
encrypted email based in Switzerland.</span>

Compared to an encrypted email sent to the same recipient...

Code:
Return-path: <redacted>
Envelope-to: <redacted>
Delivery-date: Fri, 16 May 2014 11:00:09 -0700
Received: from mail.protonmail.ch ([37.35.106.36]:40035)
	by whub39.webhostinghub.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.82)
	(envelope-from <redacted>)
	id 1WlMQT-00008e-AN
	for <redacted>; Fri, 16 May 2014 11:00:09 -0700
Received: by mail.protonmail.ch (Postfix, from userid <redacted>)
	id 44B6E14250685; Fri, 16 May 2014 18:00:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=protonmail.ch;
	s=default; t=1400263200;
	bh=aGp26359f4l3hZZUOsTPZ3Swr51EiulknibPVn6xR+I=;
	h=To:Subject:Date:From:Reply-To;
	b=JSaMJnehESv5RB8bFM+YiYxUIHCdVOachlFAvT8bOeejplvrt16wG6nQG73D/AnB4
	 jPRMfzy513TjLelKROWE16a8sP9Z86KvIeIAK1WttMuxh+cmznRZRQtJSIipqNat7W
	 uRz79yBhERKA6N+1B9eicYNXDbxTuOP7x1EqQ/wE=
To: <redacted>
Subject: Hello Again
X-PHP-Originating-Script: 516:class.phpmailer.php
Date: Fri, 16 May 2014 14:00:00 -0400
From: <redacted>
Reply-To: <redacted>
Message-ID: <redacted>
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hello,<br><br>You received an encrypted email from the ProtonMail user rockman. 
The link to view the encrypted message is:<br>
https://protonmail.ch/decrypt_outside.php?Sender=rockman&Tag=14002632008aeca3fb6a959bd59030<br><br>
The messsage will expire at:<br>2014-05-30 18:00:00 GMT<br><br>
The hint of the password is:<br><br><br>Best wishes,<br>ProtonMail

Last edited by rockman : 17 May 2014 at 03:36 AM.
rockman is offline   Reply With Quote
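As an added example (not part of rockman's post and not ProtonMail's code), this Python sketch audits a raw message like the two above for metadata that stays readable even when the body is replaced by a decrypt link. The sample is constructed from the second message with placeholder addresses and the DKIM bh=/b= values trimmed; the function names `dkim_tags` and `audit` are hypothetical.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qs

# Constructed sample: second message above, placeholder addresses, bh=/b= trimmed.
SAMPLE = """\
Received: from mail.protonmail.ch ([37.35.106.36]:40035)
\tby whub39.webhostinghub.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
\t(Exim 4.82)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=protonmail.ch;
\ts=default; h=To:Subject:Date:From:Reply-To;
To: recipient@example.com
Subject: Hello Again
X-PHP-Originating-Script: 516:class.phpmailer.php
Date: Fri, 16 May 2014 14:00:00 -0400
From: sender@example.com
Message-ID: <constructed-id@example.com>
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
Content-Type: text/html; charset=UTF-8

The link to view the encrypted message is:<br>
https://protonmail.ch/decrypt_outside.php?Sender=rockman&Tag=14002632008aeca3fb6a959bd59030<br>
"""

def dkim_tags(msg):
    """Split the DKIM-Signature value into its tag=value pairs."""
    raw = re.sub(r"\s+", "", msg.get("DKIM-Signature", ""))
    return dict(t.split("=", 1) for t in raw.split(";") if "=" in t)

def audit(raw_message):
    """Report what a relay or mailbox host can read without the passphrase."""
    msg = message_from_string(raw_message)
    signed = {h.lower() for h in dkim_tags(msg).get("h", "").split(":") if h}
    present = {k.lower() for k in msg.keys()}
    # Exim records the negotiated protocol, cipher and key size for the hop.
    tls = re.search(r"\((TLSv[\d.]+):([A-Z0-9-]+):(\d+)\)", msg.get("Received", ""))
    links = {}
    for url in re.findall(r"https?://[^\s<>]+", msg.get_payload()):
        params = parse_qs(urlsplit(url).query)
        if params:  # query parameters travel in the clear inside the body
            links[url.split("?")[0]] = sorted(params)
    return {
        "cleartext_subject": msg["Subject"],
        "unsigned_headers": sorted(present - signed - {"dkim-signature", "received"}),
        "software": {k: msg[k] for k in ("X-Mailer", "X-PHP-Originating-Script") if k in msg},
        "transport": tls.groups() if tls else None,
        "link_params": links,
    }
```

Calling `audit(SAMPLE)` returns a dict showing the cleartext subject, the headers outside the DKIM `h=` list, the disclosed mail software, the TLS parameters of the hop, and the parameter names carried in the decrypt link.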
Old 17 May 2014, 08:58 AM   #48
Franko753
Junior Member
 
Join Date: May 2014
Posts: 13
Proton website reads:
Quote:
When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser which they can decrypt using a decryption passphrase that you have shared with them.
How well is this implemented? Easy to use for the receiving end? I recall some complaints from users of StartMail beta (using same or similar procedure), that such a process would be too annoying for the receiver. What is the experience of users here with ProtonMail?

Just a side note: It is a pity that the service is not working with an email client. I live in a country with internet speed varying from ok to almost nonexistent. So I prefer to use email clients on my PC and phone.
Old 17 May 2014, 09:29 AM   #49
rockman
Senior Member
 
Join Date: Aug 2013
Location: Seattle
Posts: 115
Quote:
Originally Posted by Franko753 View Post
Proton website reads: "When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser which they can decrypt using a decryption passphrase that you have shared with them."

How well is this implemented? Easy to use for the receiving end? I recall some complaints from users of StartMail beta (using same or similar procedure), that such a process would be too annoying for the receiver. What is the experience of users here with ProtonMail?
I've not had any complaints, but I don't use it for EVERY email sent to non-ProtonMail addresses. It functions exactly as described. I can't imagine this can be made any simpler using existing email and browser technology without some kind of plug-in or add-on like Virtru. However, the user can only reply this way via the plaintext, unencrypted email, not the encrypted webpage. Given the way ProtonMail encryption keys work, this is expected. To be fully secured, both users need ProtonMail accounts of course.

Last edited by rockman : 17 May 2014 at 09:39 AM.
Old 17 May 2014, 11:37 AM   #50
Franko753
Junior Member
 
Join Date: May 2014
Posts: 13
I've subscribed and am happy so far (as it is beta). I love the look and feel of it - simple and easy to read. The encryption to non-ProtonMail users is easy enough for the receiver and look is also nice. No complaints.

100 Mb storage is not enough for day-to-day use but they say to increase storage with paid services coming this year. No sub-folders at the moment - or did I miss it?

No imap/pop with email clients, you can get email notifications of new incoming emails to your other email address though.
Old 26 May 2014, 10:12 PM   #51
curvefan
Essential Contributor
 
Join Date: Oct 2007
Posts: 471
I just received a message that my beta account was ready, and a link was provided in order to proceed.

Clicking the link brought up a page saying that I needed to upgrade to IE11 as my version was not to their liking.

I do not use IE for any browsing, is there any way to use my beta account with FF or hopefully Chrome?

I read about the browser problems in this thread and I'm still a little confused. Is it possible to avoid using IE in order to continue signing in to my beta account?

Thanks
Old 26 May 2014, 10:33 PM   #52
LinuxArie
Member
 
Join Date: Nov 2013
Posts: 51
I use Iceweasel (Debian version of Firefox) 24.5 ESR; FF 29 works also.
Old 30 May 2014, 05:16 AM   #53
somdcomputerguy
Cornerstone of the Community
 
Join Date: Jun 2004
Location: Rupert, WV
Posts: 516
Quote:
Proton website reads:
When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser which they can decrypt using a decryption passphrase that you have shared with them.
I sent an encrypted message to a non-ProtonMail user. That email was read with the Thunderbird client with the 'ThunderBrowse' add-on enabled in it. That add-on is basically a web browser that loads pages into the 'message body' field. So this encrypted email was read, the link clicked on, and the ProtonMail 'Decrypt' page as well as the message itself when the passphrase was entered was displayed in the email client. EasyPeasy!
Old 30 May 2014, 08:06 AM   #54
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 302
Quote:
Originally Posted by somdcomputerguy View Post
So this encrypted email was read, the link clicked on, and the ProtonMail 'Decrypt' page as well as the message itself when the passphrase was entered was displayed in the email client. EasyPeasy!
Is it possible that this constitutes an example of security theater, or is it truly good security?
Old 30 May 2014, 08:14 AM   #55
somdcomputerguy
Cornerstone of the Community
 
Join Date: Jun 2004
Location: Rupert, WV
Posts: 516
Quote:
Originally Posted by emebrs View Post
Is it possible that this constitutes an example of security theater, or is it truly good security?
Well, I would guess that it (the security) is as good as using a 'real' browser as using the browser add-on. The only benefit I see of using an external browser is if the link is opened in a 'Privacy Tab', but that only 'hides' it from one's browser history..

- Bruce
Old 30 May 2014, 08:24 AM   #56
rockman
Senior Member
 
Join Date: Aug 2013
Location: Seattle
Posts: 115
Quote:
Originally Posted by emebrs View Post
Is it possible that this constitutes an example of security theater, or is it truly good security?
In what context are you asking? How do you define "good security"?

Technically, it appears to be secure. If you are someone who does not send sensitive, confidential or otherwise private data across the Internet, then maybe it is security theater. Otherwise, I don't think it is.

My main email account is Gmail. But if I need to send a sensitive document or message, I use ProtonMail. It's more convenient for me and the recipient. It just works. It is simple for the non-ProtonMail user to view the secured message and they do not need to install anything.

In contrast, Virtru aims to utilize existing email accounts like Gmail. But frankly, its usability with someone without the Virtru add-on is cumbersome and needs more work. For the best user experience, both parties need the Virtru add-on, which may be a barrier to some folks.

Last edited by rockman : 30 May 2014 at 08:30 AM.
Old 30 May 2014, 08:30 AM   #57
rockman
Senior Member
 
Join Date: Aug 2013
Location: Seattle
Posts: 115
Quote:
Originally Posted by somdcomputerguy View Post
Well, I would guess that it (the security) is as good as using a 'real' browser as using the browser add-on. The only benefit I see of using an external browser is if the link is opened in a 'Privacy Tab', but that only 'hides' it from one's browser history..

- Bruce
And this is really a non-issue if you encrypt the message to a non-ProtonMail user with a password with an option for expiration.
Old 31 May 2014, 12:33 AM   #58
zimmermanfan
Essential Contributor
 
Join Date: Aug 2010
Posts: 200
Quote:
Originally Posted by emebrs View Post
Is it possible that this constitutes an example of security theater, or is it truly good security?
It's security theater.

If the decryption happens server-side, then the server has access to the cleartext before sending it over the SSL tunnel. And if the decryption happens client-side, then the server is acting as an application server (probably sending Java or JavaScript), in which case the server can target recipients and send a malicious app (something that sends the key back to the server).

Hushmail and Countermail have a substantially more secure way to send messages to outsiders (using asymmetric encryption and using the recipient's [trusted] client software). See my recent thread for the full discussion.
Old 31 May 2014, 01:45 AM   #59
rockman
Senior Member
 
Join Date: Aug 2013
Location: Seattle
Posts: 115
Quote:
Originally Posted by zimmermanfan View Post
It's security theater.

If the decryption happens server-side, then the server has access to the cleartext before sending it over the SSL tunnel. And if the decryption happens client-side, then the server is acting as an application server (probably sending Java or JavaScript), in which case the server can target recipients and send a malicious app (something that sends the key back to the server).

Hushmail and Countermail have a substantially more secure way to send messages to outsiders (using asymmetric encryption and using the recipient's [trusted] client software). See my recent thread for the full discussion.
You are comparing apples to oranges. Countermail is designed for more tech savvy folks who understand PGP and Java setups, not "normal" folks for which ProtonMail is designed.

Now, comparing Hushmail to ProtonMail is apples to apples. Hushmail is less secure since they hold the keys to decrypt your mailbox. Yes, ProtonMail serves JS to do the mailbox crypto client-side, but at least the private key is only used client-side for the crypto and is not transmitted to the server by design.

So, no, ProtonMail itself is not security theater. The all of this security theater.
Old 1 Jun 2014, 05:17 AM   #60
emebrs
Essential Contributor
 
Join Date: Dec 2012
Posts: 302
Quote:
Originally Posted by rockman View Post
My main email account is Gmail. But if I need to send a sensitive document or message, I use ProtonMail.
That's an interesting approach. But can we truly say that any messages are not sensitive? It seems to me that even the most mundane emails reveal quite a lot about a person.
All times are GMT +9.