Declaring it secure after an audit is like writing 100% coverage tests and saying it's bug-free. You can't prove absence, only presence.
This title is the definition of sensationalism and only by reading the article do you find the truth: "Their tests uncovered no major issues or security vulnerabilities". This is a bad look for them and I'm wary of their company now...
I agree with you that the title is a bit sensationalist. But if independent security audits with no major issues uncovered cannot make you claim something is secure, when can you claim something as secure? Or are you of the opinion that nothing ever can be claimed to be secure as there can always be holes that could be uncovered in the future?
Using openssh as an example, would you say it's secure when you're using public keys for the authentication? Their track record seems pretty good for the last years, but there might still be uncovered vulnerabilities, could it still claim to be secure?
I think it's partly the phrase "Security experts declare" which is likely to be what's rubbing people up the wrong way.
The security auditors themselves would never actually word it like that in their reports, because the statement implies a degree of certainty that cannot really exist.
Here's an example of what the auditor's actually said:
"Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest."
There's a reason that audit reports will never say outright that something is "secure". They may say something like "strong and effective security measures are in place", but that's a very different kind of statement.
I think the article itself is great but the headline just falls on the wrong side of being a bit hyperbolic and seems to be optimised for marketing impact over accuracy.
> But if independent security audits with no major issues uncovered cannot make you claim something is secure, when can you claim something as secure?
Nothing at all; it's a broken model. The server can at any time start serving malicious payloads [0]. The server hosts your mail but they also serve the webapp. The clientside decrypts the mail, but the server hosts the client code...
It's a fundamentally flawed idea, trying to retrofit encryption into email in this way, when the server essentially has to hold all of your mail. In this case, the only thing that would make me feel secure in using it, is a third-party OSS client that downloads the mail without using the webapp, using only client-side code. And even then, of course, the mail can simply just be not encrypted when being ingested by Proton. So even then I wouldn't really trust it without external encryption like PGP. In which case, why bother?
To be clear I do use private email services (protonmail, tutanota) but I am simply not going to fall for the illusion of guaranteed privacy; I just trust that they are what they say they are. They are still a better option IMO than something like Gmail, but I don't think they're a silver bullet.
This is why I'm excited for 9elements and Mullvad's System Transparency[0][1] project. The goal is to let the end users know that your server is indeed running the code it says it's running. Of course, open firmware and hardware also plays a role in this as a server running binary blobs still has the potential for malicious code to be unknowingly run.
> The server can at any time start serving malicious payloads
True, and I call this threat model "Beware Each and Every Fetch" (BEEF) in contrast to the more common TOFU model (although if you trust a desktop app to auto-update itself then these two models might not be all that different).
In any case, I think you're being a little quick to dismiss the idea of server-hosted applications. It's true that browsers don't natively have a nice way of pinning specific versions of a web app, but there is the clever hack of SecureBookmarks[0] (if you're prepared to sacrifice the UX), or, more realistically, you can pin the web app version using some sort of browser extension.
Examples of the latter include the Signed Pages extension[1], and Code Verify[2], which is the result of a collaboration between Meta and Cloudflare (for securing the WhatsApp Web code, currently, but should eventually support other sites like Proton's too). Of course, it would be much better if this capability was natively included in browsers themselves, but hopefully adoption of this technology will pressure browsers and standards bodies to take ownership of this.
Secure email is snake oil; no amount of cruft can make it both reasonable secure and useful (as in federated). Other protocols better fill that space because they were designed for security needs.
I wouldn’t call secure email snake oil: it meets some of the characteristics, but not all. “Snake oil” implies at least in part inefficacy and deceptive marketing; yet secure email is possible, though there are typically rather severe caveats (mostly around the question of which parts are being encrypted, and usability).
What is actually snake oil, and distressingly rarely realised as such, is first-party end-to-end encryption. That’s what sodality2 is actually talking about. And when you stop and consider it in this light, you realise that the significant majority of stuff that’s advertised as having E2EE is first-party and thus, to put it mildly, not robust.
I agree that I wouldn't use Protonmail if Signal was an option, but there are many situations where Signal isn't an option (eg. transactional email, people who don't use signal). In those contexts it's still better to use encrypted mail rather than ad-supported mail (eg. gmail, outlook), or even commercial mail (eg. fastmail), which are both unencrypted.
End to end secure email definitely is, I agree. No matter what you have to trust the server. (Maybe a Tor-based email system would be better, where each user is their own server? reminds me of `cables`).
If you do trust the server then it can be acceptably secure.
I thought that was just a wrapper around the website, to be honest. But regardless, the app still loads JS from the website and executes it, so it's still a backdoor possibility.
Nevertheless, if you insist: you can claim a certain abstraction of a system guarantees certain mathematically expressed requirements cannot be violated by a certain attacker model once you've formally proved that.
Of course, all implementations have implementation details which violate the abstraction, your mathematically expressed requirements may not fully capture your intentions, and in practice, an attacker may have additional options that your model doesn't consider. But hey, now you can truthfully claim that "the system" is "secure" - for some values of "system" and "secure".
I think if it it more like having a fire Marshall inspect a building, doesn’t mean it can’t catch fire the next day, but at least you know that it’s not death trap (smoke alarms, fire doors, sprinklers etc all check out)
Proton is claiming something similar to EAL4, which is not secure, there is an assurance that not all trained reviewers can find a vulnerability. Openssh is a little less secure than that formally, but has more trained reviewers informally, which probably cover some parts extremely well and other parts sparsely.
You can write all of the tests, you can get all of the audits, but there’s nothing that’s going to stop a 13-year old polish kid from mucking about in the guts of your tech. Security isn’t a promise you can make in absolutes, at some point you have to ship and you hope that you did everything well enough that there’s no low-hanging fruit.
There’s no such thing as a secure system, only systems which are more expensive to compromise.
I’d be willing to say “there are things with known exploits, there are things which employ techniques that are known not to be safe making them less secure, and the rest is more akin to Schrödinger's cat as far as secureness goes.”
You beat me to it. I have sat with hundreds of software and network auditors. Never once have I heard them say something was secure. At best they might say they didn't find any high severity issues in this particular audit. I am curious who their statement was intended for.
Considering we live in world where Google and Facebook publicly state "We care about your privacy", I think this title pretty close to reality.
Have they proved the non-existence of bugs? Nope. But the title is also not the complete opposite of reality, which is what their competition seems to doing.
So many complaints about the headline, but for the purpose of getting their point across to the masses and encouraging the use of as-secure-as-can-be-known software, it’s perfectly fine.
If you cover your ass in a headline, which ultimately ends as legalese, the average person will completely ignore it due to wordiness or they will become suspicious and assume the worst.
The body and attachments do not mislead at all and that should be commended.
All this pedantry is counterproductive unless you truly know and trust your audience. Proton should be for the masses, not just for the technically adept.
I have a hard time adding protonmail to my "generally regarded as safe" mail provider list when they haven't been able to implement Webauthn security key support (aka U2F security keys / FIDO security keys).
Yes, they support Multi-Factor authentication, but only via phishable methods (TOTP)[1]. They have been "trying" for years[2] to implement U2F but for some reason haven't been able to figure it out yet /shrug
Technical nitpick purely on the wording of the title: the pentesters declared that "no important security issues were found during the pentest". Unfortunately in our current world that's about as good as you're going to get for a large software system, but that does not necessarily mean that Proton is secure. There could still be undiscovered vulnerabilities.
Yeah, it's a bit like when someone says their relative's doctor said their cancer was cured. This is basically an impossible statement for a doctor to make to medical standards which is why the best you're going to get from a doctor is a statement that someone is in remission or the latest scan did not find cancer cells.
When someone makes a stronger claim you're left wondering if it's the original source or the messenger that's after oversimplifying the situation and it looks bad for one or the other.
ProtonMail has a bad history of irresponsible sensationalism. It’s like constantly marketing yourself as the most private e-mail service “built by CERN scientists” but who will give information about you to authorities:
I know that ProtonMail doesn’t claim to protect your IP address, but I don’t expect the average user to make that distinction.
This is another dumb article. Getting your service tested for vulnerabilities is good hygiene but it shouldn’t be used as marketing material to make users think your service is Fort Knox.
> ProtonMail has a bad history of irresponsible sensationalism. It’s like constantly marketing yourself as the most private e-mail service “built by CERN scientists” but who will give information about you to authorities:
Well, conflating "security" with "following the law" seems odd. Do anyone realistically expect a legally incorporated company to not follow laws? They have to respond to lawful requests, otherwise there will be no business at all.
As long as they fight against unlawful requests, they are what they make out to be. If they're found to be spying on their users when it's not lawfully requested, then you have some bite in your argument. But otherwise, I'm not sure what you expect them to do.
By the way, they seem to be pretty upfront about how they collaborate with law enforcement, at least according to https://protonmail.com/law-enforcement Maybe it wasn't like that in 2021 when the article you linked was published?
In the end, if you rely on any single company for both your security and privacy, you're playing a loosing game. Not hiding your IP when signing up for something when you're planning to do illegal activities? Maybe time to reconsider your opsec strategy.
> Well, conflating "security" with "following the law" seems odd. Do anyone realistically expect a legally incorporated company to not follow laws?
I’m talking about privacy, not security. And again, this has nothing to do with their official policies listed on their website, but rather their tendency to market themselves as “a super private e-mail provider built by CERN scientists.”
I think for many use cases (e.g., political activism) most peoples intuitive idea of privacy does not align at all with what ProtonMail actually provides.
> In the end, if you rely on any single company for both your security and privacy, you're playing a loosing game. Not hiding your IP when signing up for something when you're planning to do illegal activities? Maybe time to reconsider your opsec strategy.
Totally agree. But again, this is less about getting the average individual to rethink their op sec strategies, and more or less about ProtonMails proclivity to market themselves as an organization that solves these opsec problems for you.
Yeah, ProtonMail generally proclaims itself to be for privacy as well, but I think that's because of their focus on security, not anything else.
And this blogpost is strictly about security, not about privacy, so it seems maybe your comment was generally about ProtonMail, not specifically about this blogpost.
But yeah I agree, their marketing is a bit problematic, but I'm not sure you can blame them. They do have laws to adhere to, they do make it clear that if you are breaking the law and their receive lawful requests from authorities, they do have to comply, implicitly telling people to cover their tracks if they need to.
I'm so tired of this argument. It doesn't work. Nobody volunteers to willingly and knowingly sacrifice their privacy. Politicians do this even after promising the opposite.
This is so smart, I wish someone would have thought about this a long time ago!
Joking aside - making good privacy laws is not an easy task. “privacy” is not even easy to define, much less create fair laws around what will likely be an imperfect definition.
I agree with the sensationalism but it's a for-profit company after all. They definitely do more than the average email provider but it's certainly not the Tor equivalent of E-Mail.
So a company called Securitum did a security assessment limited to pentest according to the pdf.
More over "Tests have been carried out in September 2021 in accordance with generally accepted methodologies, including OWASP Top 10 and SANS Top Issues".
It's hard to believe that one can call apps being secured after pen testing especially when the two highlights are such low hang fruits that are OWASP top 10 and SANS top issues..
It doesn't really give any confidences into Proton, but then again, I am not an expert, and have seen such useless reports at different clients.
I always think twice when a company offers me an "app" for an application that is already available as a web app or that is already inbuilt in the system or doesn't use existing standards. Like, I perfectly understand the need for a Proton Mail client as some would like offline access to their mail and a backup of their mail in their system. But I resent the need of a custom and locked-in app, instead of the service being available over existing POP3 / IMAP protocol. (Yes, I understand how email encryption creates hurdles of using it over POP3 / IMAP, usage, but it would be a lot easier to trust a company if they actually built an extension over existing protocol or create a new standard that makes it easy to access their service. E.g. https://fastmail.blog/open-technologies/jmap-new-email-open-... ). ProtonVPN app also seems a bit redundant when most OSes already have built in support for VPN. Though I understand that it does make configuring, changing / choosing VPN servers a lot simpler, and probably helps ProtonVPN in load balancing, it provides more avenues for data collection and data leak.
I was totally confused by the title thinking what does that mean or how can they say such a thing without proving a secure sandbox environment, which I didn't even know was possible. Then I realized it's for ProtonMail etc, not Proton from Valve.
Unfortunately users declare Protonmail barely usable in terms of features and UX. After a decade of this, I’m shifting back to IMAP. My use case is better off with GPG than with Protonmail. I can’t usefully function without integration into the rest of my Mac or iOS. A secure walled garden with Apps that get worse over time? I’ll go with Apple’s version.
Protonmail user here, and I haven't declared any such thing. The complaints I see tend to center around the assumption that using the service is exactly the same as any other service, despite the lengths they go to tell you how it's different. The service and the app is very usable and there are more than enough features, without them getting in the way. I use the app and the bridge; both have served me well.
I was sarcastically riffing on the original title, but that aside, the differences between Protonmail are diverging year-on-year, with the new bridge providing features that don’t exist in the app. Adding Calendaring and Drive at the expense of improvements in the core Mail. There’s only so long they can go on touting supposed security benefits at the expense of interoperability and usability. Swipe to multiple actions, select multiple messages, opening calendar invites in other apps. I disagree that they go to lengths to explain how everything is different, a quick look says the opposite, and they don’t establish the trade-offs at all. If you want privacy for “everyone” you have to make hard things easy and not make easy things hard.
This title is the definition of sensationalism and only by reading the article do you find the truth: "Their tests uncovered no major issues or security vulnerabilities". This is a bad look for them and I'm wary of their company now...