ProtonMail, the Swiss end-to-end encrypted email provider, announced that starting with version 3.12 of its email service, the contact manager will be fully encrypted and only the user will have access to it.
Email’s Historical Lack Of Encryption
The email protocol wasn’t written with encryption in mind. It wasn't until decades after the protocol was invented that email companies started using HTTPS encryption to at least encrypt the data between the user and the company’s own email servers.
However, email is a federated service, which means that messages pass through other email companies’ servers, too. Only after the Snowden revelations did email companies start taking server-to-server encryption, called STARTTLS, as well as authentication protocols such as DMARC, more seriously.
Even with HTTPS and STARTTLS, companies can still see your emails, because they hold the private encryption keys. Therefore, email companies can typically decrypt the encrypted emails at any time, either to mine the data for ads or to respond to government data requests.
Sometimes even rogue employees are caught looking through some people’s emails--not to mention the occasional billion+ account data breach at large email providers, all of which could have been prevented with end-to-end encrypted email.
ProtonMail’s End-to-End Encrypted Email
This is why, after Snowden’s revelations came out, a few CERN scientists started developing their own encryption solution based on OpenPGP (but much easier to use). This is how ProtonMail, a secure email service, was born. The company has its headquarters in Switzerland, which has historically had strong privacy laws (although the country’s governments have started chipping away at those privacy laws lately).
New Zero-Access Contacts Manager
Over the years, ProtonMail has continued to improve its encryption, authentication, and user experience. The latest improvement is a “zero-access” contacts manager, to which only the account’s owner can have access. Neither ProtonMail nor law enforcement, nor hackers for that matter, will have access to a user’s email contact list.
ProtonMail is the first email service provider to offer this kind of feature. Because the email protocol was developed without encryption in mind, not only were email contents unencrypted, but also the email records (metadata) and users' contact lists.
ProtonMail said that its new feature could be especially useful to journalists who may want to keep their sources’ phone numbers, addresses, or other sensitive information confidential.
Digitally Signed Contacts
Another important security feature that ProtonMail added is the ability to digitally sign a contact’s information (that you’ve added). This will ensure the integrity of the contact’s information fields and that nobody, including ProtonMail, has tampered with that information.
ProtonMail explained that this feature is important because it could stop an attacker from intercepting the communications between you and a contact by changing the contact’s email address to some other similar address, without you noticing.
For instance, the attacker could change firstname.lastname@example.org to email@example.com. However, because the contact information is now signed, that shouldn’t be possible anymore. If anyone does tamper with the contact information, an error message will be displayed.
ProtonMail generates a new private/public key pair in the user’s browser that is used exclusively for contact signing. The key is generated as a derivative of the user’s password, to which ProtonMail also doesn’t have access. This also means ProtonMail doesn’t have access to the private key.
The contact fields are encrypted with your contact’s public key and can be decrypted only with your own corresponding private key. The signing of the contacts is done with your private key, and the integrity of the contacts’ information is checked every time you access it.
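The sign-on-save, verify-on-every-read check described above, as an added sketch that is not ProtonMail's code. It assumes Node's built-in crypto module with an Ed25519 key pair standing in for the contact-signing key (the article does not name the algorithm); the function names and the phone number are constructed for illustration.

```javascript
// Added illustration, not ProtonMail's implementation.
const crypto = require('crypto');

// Assumption: Ed25519 stands in for the user's contact-signing key pair.
// In the scheme described, the private key stays on the user's client.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Serialize the (flat) contact with keys in sorted order so the same
// contact always yields the same bytes, however the object was built.
function canonicalize(contact) {
  const sorted = {};
  for (const key of Object.keys(contact).sort()) sorted[key] = contact[key];
  return Buffer.from(JSON.stringify(sorted), 'utf8');
}

// Sign the contact on the client before it is stored on the server.
function signContact(contact, key) {
  const signature = crypto.sign(null, canonicalize(contact), key);
  return { contact, signature: signature.toString('base64') };
}

// Verify on every read; a record that fails must not be trusted or used.
function verifyContact(record, key) {
  try {
    return crypto.verify(null, canonicalize(record.contact), key,
      Buffer.from(String(record.signature), 'base64'));
  } catch (err) {
    return false; // a malformed record counts as tampered
  }
}

// Models a change made to the stored record without the signing key,
// e.g. the address swap described in the article.
function withEmail(record, email) {
  return { ...record, contact: { ...record.contact, email } };
}

// Constructed sample contact; the addresses are the ones used in the text.
const stored = signContact({ name: 'Firstname Lastname',
  email: 'firstname.lastname@example.org', phone: '+41 00 000 00 00' }, privateKey);

console.log('untouched record verifies:', verifyContact(stored, publicKey));
console.log('altered record verifies:',
  verifyContact(withEmail(stored, 'email@example.com'), publicKey));
```

The signature covers every field, so a change to the phone number or name fails the same check as a changed address.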
ProtonMail said that the newly announced changes also pave the way for other security enhancements in 2018. For instance, the contact manager will be expanded to store PGP public keys securely. Because the contact fields can now be digitally signed, that means attackers can’t change a contact’s PGP public key, either.
This new feature will enable ProtonMail users to communicate with other people that may not use ProtonMail, but another service with PGP encryption, in a more secure way.
In the near future, the team will focus on bringing the zero-access contact manager feature to the mobile apps, too; currently, it's enabled only in the web version of the service.