- Some Tips on Registering an Account
- Encryption for Non-ProtonMail Users
ProtonMail is an email service that provides a level of security surpassing that of most of the alternatives. Pretty much the entirety of its security model is based on well-implemented encryption – to be more specific, AES 128, RSA with a 4,086-bit key and OpenPGP. All messages are stored encrypted on ProtonMail’s servers, and are only ever decrypted in the user’s browser or client application – certain features extend this to communication between ProtonMail users and recipients using another service. This means the service provider cannot turn over readable messages to a third party, and the information is protected even if the mail servers are compromised. The servers, by the way, physically exist in the company’s data centre in Switzerland – they’re not virtual machines provisioned by a third party.
Additional security features include a ProtonVPN service, availability through Tor, and the option to register accounts without supplying personal information such as a cellphone number. This is very useful if we’re using publicly accessible (but, of course, not well advertised) list servers to communicate, or we’re concerned about the security of our organisation’s extranet/portal. Many of us have already taken that security measure with other services.
So, what’s the catch? In comparison to Outlook and Gmail, ProtonMail’s free service accounts are limited in storage capacity, features and the number of messages that can be sent, though it’s still very usable. The company’s business model is reliant on subscriptions to the paid services, which are comprehensive for an annual subscription of 48 Euros.
Also, while it provides decent end-to-end encryption, ProtonMail by itself is not suitable for communicating highly sensitive information – additional layers of security would be required.
Some Tips on Registering an Account
A prerequisite for communicating securely, of course, is to use a computer that’s reasonably secure. This means having the latest updates installed for your operating system and anti-virus software. Also, you need a browser that’s regularly updated. And avoid using a public access computer. In short, take the same precautions you would when doing online banking.
Only three things are required for registering a ProtonMail account: a chosen email address, a password, and your usual email address for validation/recovery. The latter can be deleted from your account settings afterwards, if you choose. After registering my account, I deleted the email containing the verification code, so that my ProtonMail address wouldn’t be revealed and the account reset in the unlikely event my usual account is compromised.
Choose a strong password, as ProtonMail’s encryption is only as good as this. Here I’ve chosen a long string of random letters, numbers and special characters. Instead of writing this password on paper, I’ve used an offline password manager, which stores login details in an encrypted container file – there are several that are freely available, including Password Safe, KeePass and F-Secure Key. It’s a good idea to make a backup of the encrypted password manager file.
Regarding your email address, you might wish to keep that private among a few associates for PERSEC reasons. Don’t re-use it across third-party Web sites if you don’t want others to associate it with you or your social media profile. Since registration and access to your account are over an HTTPS connection, nobody on the outside should be able to determine your full email address. ProtonMail’s VPN service enables access to the extranet/portal without others knowing, if you’re away from the home network.
In the settings there are several security-related configurations that relate to access and recoverability of the account. It is possible to remove the email address used for resetting your password: removing it protects your ProtonMail account if the recovery account is compromised, but it renders the ProtonMail account permanently inaccessible if its password is forgotten.
Slightly related, there is the option to configure two-factor authentication (commonly referred to as ‘2FA’). Enabled, this protects the account if the password is compromised, as an authenticator application would be required to complete the login. If the device running the authenticator application is lost, that might also be an issue.
Encryption for Non-ProtonMail Users
Message security is very strong between ProtonMail addresses, but what if either the sender or recipient is using another email service provider? There are two ways of encrypting emails in this case.
The first method involves a password that’s shared beforehand with associates. When sending an email to a recipient who’s not using ProtonMail, compose the message in the normal way, but click the ‘Encryption’ button at the foot of the window. All the recipient would need to do is open the email, follow the link to a Web application and enter the password to decrypt the message within the browser.
ProtonMail allows the recipient to send a protected reply, which is again encrypted in the browser, and independently of other email service providers.
Sending from a non-ProtonMail address is a little more awkward, as it requires installing an application for managing OpenPGP encryption. Essentially it’s the same procedure we’re all familiar with for using PGP encryption, but ProtonMail automatically decrypts the messages.
In the Settings, in the ‘Keys’ page under the ‘Email encryption keys’ heading, there are links for downloading your public key as a .asc file. This can be opened in a text editor, and the contents pasted as your email signature. Recipients could use this to encrypt emails to your address, using an OpenPGP application such as Mailvelope (a Firefox/Chrome browser extension) or gpg4win. Only the intended recipient with the correct private key could decrypt and read the email.
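What a recipient actually gets when that .asc block is pasted into a signature is an ASCII-armored OpenPGP public-key packet with a CRC-24 checksum line. The following is an added example (not ProtonMail’s code and not from the original post) that builds a constructed, syntactically valid v4 RSA public-key packet, armors it the way a .asc file is armored, parses it back, verifies the checksum, and computes the v4 fingerprint that the recipient should compare with the sender out of band before encrypting to it. The toy modulus and creation time are constructed values with no cryptographic meaning.

```python
import base64, hashlib, struct

def crc24(data: bytes) -> int:
    """RFC 4880 CRC-24, the value behind the '=XXXX' line at the end of an armored block."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packet: bytes) -> str:
    """Wrap raw packet bytes the way a downloaded .asc public key file is wrapped."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(text: str):
    """Return (packet_bytes, checksum_ok) for a key block pasted from a signature."""
    lines = text.strip().splitlines()
    body = lines[1:lines.index("-----END PGP PUBLIC KEY BLOCK-----")]
    while body and body[0].strip():          # skip 'Version:' / 'Comment:' armor headers
        body.pop(0)
    packet = base64.b64decode("".join(l for l in body if l and not l.startswith("=")))
    crc_lines = [l for l in body if l.startswith("=")]
    ok = bool(crc_lines) and base64.b64decode(crc_lines[0][1:]) == crc24(packet).to_bytes(3, "big")
    return packet, ok

def v4_fingerprint(packet: bytes) -> str:
    """SHA-1 fingerprint of an old-format (0x99, two-byte length) v4 public-key packet."""
    tag, length = packet[0], struct.unpack(">H", packet[1:3])[0]
    body = packet[3:3 + length]
    assert tag == 0x99 and body[0] == 4, "expected a v4 public-key packet"
    return hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()

def mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count followed by the big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def constructed_public_key_packet() -> bytes:
    """Syntactically valid v4 RSA public-key packet with a CONSTRUCTED toy modulus (not a real key)."""
    n = int.from_bytes(b"\x91" * 64, "big")   # constructed 512-bit value, no cryptographic meaning
    body = b"\x04" + struct.pack(">I", 1500000000) + b"\x01" + mpi(n) + mpi(65537)
    return b"\x99" + struct.pack(">H", len(body)) + body
```

Running `dearmor(armor(constructed_public_key_packet()))` returns the packet bytes with `checksum_ok` true, and the last 16 hex digits of `v4_fingerprint()` are the long key ID that OpenPGP tools display for the key.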
Some of us already use VPNs and Tor to access the extranet/portal, so ProtonMail’s VPN service, which is just as easy to use as the Tor Browser, is another welcome addition. This is more to add another layer of protection to your login details and the fact you’re accessing the portal, especially if you’re using free WiFi services ‘in the field’ or otherwise are away from the home network – DNS Leak Protection is always enabled here, by the way.
Using the ProtonVPN service is simply a matter of downloading the client, entering the ProtonMail account details and clicking the ‘Connect’ button.
There are a couple of settings to look at here. You can create profiles, to save the trouble of reconfiguring the connection for a given use case.
Here we have the option to use Tor or P2P or a conventional VPN service, at least for the duration of the trial period. The ProtonVPN client can be configured to automatically start and connect when the local machine is switched on.