Peerio Launches With Easy To Use End-To-End Encrypted Email

Right now, the only way to send end-to-end encrypted email is through PGP, a technology and set of tools that has proven very difficult to use for most people. There are several companies and groups working on making PGP easier to use as well as trying to solve this problem of simple end-to-end encrypted email, in general.

Among the best known is Google itself with its "End-to-End" extension, which is supposed to come out in beta later this year. There's also DIME (formerly Dark Mail), which is at an even earlier stage in its development.

Protonmail, made by a few CERN scientists, gathered quite a bit of attention for its ease of use last year. The problem is that it doesn't use true end-to-end encryption, as the keys are managed by the company's server. Thus, it's not much more secure than a service like Gmail.

There's also MailPile, a Kickstarter project that has focused mainly on making PGP easier to use rather than changing the technology, but now the group seems to be working on implementing Google's solution, too.

Today we get to see a whole new take on encrypted email; it uses end-to-end encryption and is also quite different from PGP. The new app utilizing this technology is called Peerio, and it's already available for Windows, Mac OS X and Chrome (which means it works for Linux and Chrome OS, too). There will be an Android and iOS app as well.

Peerio is made by Nadim Kobeissi, the creator of the end-to-end encrypted group messaging app Cryptocat and the encrypted file-sharing app miniLock. Kobeissi has gone through some security blunders with Cryptocat in his first years of working on crypto projects, but he seems to have taken the criticism to heart. Since then, he's been approaching his projects with more professionalism.

For instance, he didn't release the miniLock app until it was audited by a team of security experts to verify that its cryptography is sound. MiniLock passed the test, and it's now the core technology being used to encrypt emails and messages in the Peerio app. Peerio was also audited by the German security team Cure53 before release. No crypto flaws were found, other than some minor JavaScript implementation bugs that have already been fixed.

Peerio avoids the complexity of PGP key management by requiring users to create a long passphrase (roughly 30 characters) from which a private key with about 100 bits of entropy is derived; that key is then used to encrypt the files. PGP, by contrast, works by generating a random key and requiring the user to keep that key file safe.

After the long passphrase is selected, you can also choose a PIN, which is a shorter password you can use to log into the app. You still have to remember the longer password if you want to keep your list of contacts and be able to access any files you might have shared with them in the past. If you forget the long passphrase, you'll have to start the process all over again, just like you would if you lost your PGP private key.
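The two paragraphs above describe a key that is derived from the passphrase rather than stored in a file. The following Python sketch is an added illustration of what that means in practice, not Peerio's or miniLock's own code: it derives a 32-byte private key deterministically from a passphrase and a user identifier with scrypt (the KDF, its cost parameters, the salting on an email address, the sample wordlist size of 7776 entries and the sample passphrase are all assumptions made for the example), shows how the passphrase's entropy rather than the key length bounds the security, and keeps a small check value so a client can confirm a passphrase locally before trying to decrypt anything. Because the key is a pure function of the passphrase, forgetting the passphrase loses the key for good, and anyone who learns it can regenerate the key and read every past message, which is the forward-secrecy point the article raises later.

```python
"""Passphrase-derived private keys: an added illustration (not Peerio/miniLock code)."""
import hashlib
import hmac
import math

# Illustrative scrypt cost parameters (assumed; the article does not state the real app's settings).
# Memory use is about 128 * r * N bytes = 16 MiB per derivation at these values.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32  # 256-bit output, but usable security is still bounded by the passphrase entropy


def derive_private_key(passphrase: str, user_id: str) -> bytes:
    """Deterministically derive a private key from the passphrase.

    Salting with the user's identifier (assumed here to be an email address) means two users who
    pick the same passphrase still get different keys, and a table precomputed for one user does
    not help against another. No key file exists anywhere: whoever knows the passphrase can
    regenerate the key, so losing it is final and learning it exposes everything ever encrypted.
    """
    salt = hashlib.sha256(user_id.strip().lower().encode("utf-8")).digest()
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase built from words drawn uniformly at random from a wordlist."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of uniformly chosen words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def guess_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected years for an exhaustive search to hit the passphrase (half the space on average).

    The scrypt cost is what keeps guesses_per_second low; the entropy is what makes the space large.
    """
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def key_check_value(key: bytes) -> bytes:
    """A short value a client may store locally to confirm a passphrase without storing the key."""
    return hmac.new(key, b"passphrase-check", hashlib.sha256).digest()[:16]


def unlock(passphrase: str, user_id: str, stored_check: bytes) -> bool:
    """Re-derive the key from the passphrase and compare against the stored check in constant time."""
    candidate = key_check_value(derive_private_key(passphrase, user_id))
    return hmac.compare_digest(candidate, stored_check)


if __name__ == "__main__":
    # Constructed sample values; a real client would generate the passphrase from a wordlist.
    user = "alice@example.invalid"
    passphrase = "cobalt meadow trellis ninety harbor quartz velvet saddle"  # 8 words, ~46 chars
    wordlist_size = 7776  # assumed Diceware-sized list

    key = derive_private_key(passphrase, user)
    check = key_check_value(key)
    print("private key:", key.hex())
    print("same passphrase, same key:", derive_private_key(passphrase, user) == key)
    print("unlock with right passphrase:", unlock(passphrase, user, check))
    print("unlock with wrong passphrase:", unlock("wrong words here", user, check))
    print("words for 100 bits:", words_needed(100, wordlist_size))
    print("entropy of 8 words: %.1f bits" % passphrase_entropy_bits(8, wordlist_size))
    print("years to search at 1e9 guesses/s: %.2e" % guess_years(100, 1e9))
```

The derivation is deliberately slow and memory-hungry so that each guess costs the attacker as much as it costs the legitimate client; that is also why a PIN, as described above, can only ever gate access to something held locally and cannot replace the passphrase as the source of the key.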

Inside the app, Peerio looks more or less like an email client. You can compose messages whether they are one-liners, such as chat messages, or longer email-style messages, and all of them are threaded and searchable.

You also get an interface that shows the received files by category. You can send files up to 400 MB in size right now, but that limit should be increased with a future update. The free version of the app only gets 1.2 GB in storage, though. Although the client is open source and can be reviewed on GitHub, the Peerio team intends to sell premium features, such as more storage, as its business model.

The emails and files you exchange with your friends will be stored on Peerio's servers, but they can't see what's in them because the messages and files get encrypted locally, by the client, before being sent to the servers and on to the recipient.

In this way it's no different from using PGP over the regular email infrastructure. Because of that, there's also no metadata protection: your content will be encrypted, but the metadata won't be. That's a problem nobody has solved yet, although DIME is working on it.

Just like PGP, Peerio doesn't have "Perfect Forward Secrecy," so if your passphrase is somehow discovered by someone else, they'll be able to access all of your previous messages and files.

For the future, I could also see automatic deletion after a user-set time period as a feature that could be useful, making all emails ephemeral. This doesn't help much against a spy agency that can tap the Internet cables, capture anything that goes through them, and then hold all encrypted communications for at least five years, but it should still reduce the potential exposure.

Sony, for example, is a company that could have used this to avoid having its private emails made public. Perhaps, in the future, it may even do that, as Peerio intends to eventually offer the app for enterprise customers as well.

Regular users can start sending end-to-end encrypted messages through Peerio today, by downloading it from the website.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Anyone find it weird that Google couldn't do this, in say, a week?
  • fredch
    "Protonmail, made by a few CERN scientists, gathered quite a bit of attention for its ease of use last year. The problem is that it doesn't use true end-to-end encryption, as the keys are managed by the company's server. Thus, it's not much more secure than a service like Gmail. "

    This is plainly wrong. ProtonMail uses a password to identify the user, but all data are encrypted or decrypted locally by your web browser using the passphrase you set up. ProtonMail has no access to clear text.
  • NotProfit
    Absolutely laughable. This is NOT the only end to end encrypted email service. How in the hell did this get posted?
  • Lucian Armasu
    "Absolutely laughable. This is NOT the only end to end encrypted email service. How in the hell did this get posted?"

    PGP is the only reliable End-to-End encryption mechanism right now. Many "services" that promise end-to-end encryption aren't in fact using proper end-to-end encryption. Which did you have in mind?
  • Lucian Armasu
    "Protonmail, made by a few CERN scientists, gathered quite a bit of attention for its ease of use last year. The problem is that it doesn't use true end-to-end encryption, as the keys are managed by the company's server. Thus, it's not much more secure than a service like Gmail. "

    "This is plainly wrong Proton mail use a password to identify user, but all data are encrypted or decrypted locally by your web browser using the pass phrase you set up. Proton mail has no access to clear text."

    That's true, and in that sense it's "end to end encrypted". However, the server seems to control the crypto implementation, which means the server can change that crypto implementation to weaken your encryption. Granted, the same could probably be done with Peerio's Chrome extension, since Chrome's extensions update automatically, but not with the Windows and Mac OS X apps.