After turning email into end-to-end encrypted communication, Proton Mail Key Transparency will close another potential security hole, says the company: ensuring you’re emailing the right person …
Background
By default, email is a plain text form of communication – and your emails pass through multiple servers before they reach the recipient. That means that anyone with full access to those servers could read your mail.
PGP – or Pretty Good Privacy – is an email encryption protocol designed to ensure privacy. Emails sent to you are encrypted using your public key, which anyone can access, and can then only be decrypted with your private key, which is known only to you.
PGP turns email into an end-to-end encrypted communication, but it’s not especially user-friendly to implement, which is the problem Proton Mail set out to solve. Provided both you and your email contacts are using Proton Mail, then PGP is automatically applied without either party having to do anything other than send and receive email.
What started out as a niche product has grown to 100 million users, and the company has diversified into password managers, VPN, storage and more.
Proton Mail Key Transparency
While Proton Mail ensures that the content of your email is safe from snooping, there is still another potential security hole, says the company. A bad actor could spoof an email from one of your contacts, leading you to reply to the wrong person. Spoofing email headers is very easy to do.
To solve that, Fortune reports that the company is preparing to launch Proton Mail Key Transparency. This is a way to verify that an email address really belongs to the person behind it.
The approach uses blockchain technology – though the company’s CEO, Andy Yen, was quick to point out that while this tech is best known for cryptocurrency, the company is in no way involved in that particular minefield.
The issue, Yen said, is ensuring that the public key actually belongs to the intended recipient.
“Maybe it’s the NSA that has created a fake public key linked to you, and I’m somehow tricked into encrypting data with that public key,” he told Fortune. In the security space, the tactic is known as a “man-in-the-middle attack,” like a postal worker opening your bank statement to get your social security number and then resealing the envelope.
Blockchains are an immutable ledger, meaning any data initially entered onto them can’t be altered. Yen realized that putting users’ public keys on a blockchain would create a record ensuring those keys actually belonged to them—and would be cross-referenced whenever other users send emails.
Effectively, everyone puts their public keys out there in plain sight on the blockchain, and anyone can check the public keys they hold against that public record. Because the database is decentralised, it can’t be compromised by a hacker.
As with PGP, Proton Mail users won’t need to do anything to take advantage of it. Every time you email someone, the Proton Mail app will check the public key against the blockchain database to ensure it is correct.
The company is currently running Proton Mail Key Transparency on its own servers as a proof of concept, while moving it to a public blockchain would be needed to provide the necessary confidence.
Blockchain visualization: Shubham Dhage/Unsplash
FTC: We use income earning auto affiliate links. More.
Comments