
Comparing encryption

Since Edward Snowden revealed to the general public how the state accesses its citizens' private data, a new era has begun. Privacy issues have finally gotten attention. The phrase “end-to-end encryption” is gradually moving from the vocabulary of specialists into advertising brochures.

The great shock for everyone was the revelation by Lavabit's creator, Ladar Levison, about how he was forced to hand over the correspondence of all of his service's users. He shut the service down rather than comply (although he apparently did comply with orders to disclose the correspondence of individual users). An interesting detail of this affair was that the owner was explicitly forbidden to report the order in any way (the so-called gag order).

But nature abhors a vacuum: with the closure of Lavabit, work began on other encrypted mail services. This review covers projects in this area that have already launched.

For starters, some cold water on hotheads. All the services in this review load the encryption code (most often openpgp.min.js) as JavaScript on the fly, when the mail page is opened. This means that if someone gets control of the service, the server or the path to the server, they can slip code into your browser, instead of or alongside the encryption library, that intercepts your password.
All services in the review are in beta.

Protonmail


A project that raised a tidy sum on Indiegogo for its launch. The project's code is currently closed (opening it is planned). The service itself is at an early stage and grants access only as capacity grows. The service requires two passwords: one for login and authentication (which you can reset if you forget it), the other to decrypt your data. The service itself does not know the second password, and it cannot be changed without losing all your data. openpgp.min.js is used; it is minified but not obfuscated, so you can always check whether everything is in order. Another matter is that you are unlikely to check constantly. Encryption is built on AES-256 and RSA-2048.

The feature set is quite broad (beyond standard mail functions). You can send an encrypted message within the service. You can also send an encrypted message to someone outside the service: they receive an email notification with a link to the message, which opens after entering a password. You have to communicate that password to them somehow. Another important option is to set a self-destruct timer on a message, after which it can no longer be read.

Among the standard features, there is no way to create folders or categories for messages. Current limits are 500 MB of storage and 1000 messages per month. In the future it is planned to charge for exceeding the quota. Servers are located in Switzerland. There is legislation on data acquisition, but the service's creators believe it can only be applied publicly, through the courts. Still, it is alarming that the transparency page has not been updated since November.

Scryptmail


A service from the United States that actively uses a warrant canary to counter gag orders. It is also interesting that the service's source code is open. Judging by it, development is based on the Yii framework.

Unlike Protonmail, access to the mailbox is granted immediately after registration. When creating an account, only one password is asked for. After that, they offer to download a token that lets you restore access to your account, but it will not save you from losing the account's data. In the options you can enable two-step authentication, as in Protonmail. The cryptographic functions are mainly provided by the cryptojs and forge libraries, and these are not even minified.

The options for working with encryption keys are somewhat broader than Protonmail's. You can reset the password only with the help of the special token, not by email as in Protonmail. You can also save, or conversely upload, the public and private RSA keys used to encrypt messages. Encryption is AES-256. The RSA key length is set by payment: the more you pay, the longer the key, from 1024 bits for free up to 4096.

Functionally, this service is on a par with Protonmail. An interesting feature is temporary (disposable) addresses. A free account can have three of them at a time. You can reset any of them at any time. However, they can only be used for receiving letters, not sending them. Of course, within the service all letters are protected, and so is the fact of correspondence: no one will know to whom you wrote and when. Also, like Protonmail, it is possible to send a secure message outside the service. It will, however, be available for only 14 days; what is an option in Protonmail is mandatory here. There is also a so-called SafeBox for secure storage of a KeePass password database.

Folders for messages are available, and the standard functions are fully implemented. The service has a configurable auto-logout timer for inactivity. Servers are located in the United States, and in general the service lives under US jurisdiction. It is in the USA that the privacy topic is now actively moving forward because of Snowden, and US privacy legislation may be reformed. For now, the shadow of the Snowden scandal certainly weighs on the service. The 1000-message limit and a business model similar to Protonmail's are also present here.

Tutanota


A similar service from Germany. Its source code is also open. An important advantage is its presence on mobile devices (iOS, Android), which gives some guarantee that the JavaScript will not be substituted. An interesting feature is the use of only one password. When creating an account, the password is salted and passed through a hash (bcrypt), after which the key pair created right there is encrypted with the result. The drawback of this approach is that the password cannot be reset; all that remains is to register a new account.

So far, the metadata (the fact of correspondence) is not encrypted. The encryption itself uses AES-128 and RSA-2048. The service's basic features lose out to all its competitors. When did you last use mail without the ability to save a draft? Tutanota has three folders: inbox, sent and trash. You can exchange encrypted messages with service users and with external users.

The free account limit is 1 GB. Servers are in Germany. According to the service's creators, this jurisdiction is even better than Switzerland. The business model is providing an Outlook plug-in and, more generally, corporate mail. The service has also been reviewed by experts.

General impressions


The most complete service at the moment is Scryptmail. If its jurisdiction (USA) does not bother you, you can start using it. The most promising is Tutanota: the single password and the availability of apps are appealing for convenience. Protonmail suits those who, for various reasons, consider the United States compromised but do not want to wait for Tutanota.

And most importantly: before you register such a mailbox, think about whether you actually need it.

PS Also on the way are Lavaboom and unseen.is, the latter with a very interesting jurisdiction: Iceland. It also has encryption, but it is not as pervasive there as in the services described above. And of course there are Mailpile and I2P or Tor mail, but all these tools are much more complicated and less accessible to ordinary users.

Source: https://habr.com/ru/post/376407/
