Saturday, January 31, 2015

Anonymity leaks within ProtonMail Beta

This is a short commentary on a few overt anonymity gaps in ProtonMail Beta, ver 1.12.  These concerns were emailed to ProtonMail Security on January 21, 2015, and they provided a response that is included at the end.

Summary: Online anonymity is a tricky stunt to pull off.  Any shortcomings or risks within a service that markets itself as an anonymity solution should be clearly presented and addressed so the user does not operate under false assumptions. I propose that ProtonMail could be more specific about the extent and the limitations of the anonymity that their service provides.

First, I wanted to mention something cool about ProtonMail that I didn't know about until after I got their email response.  They include a green checkmark icon next to the From address if that address has been verified with DKIM.  The padlock means the email was sent from another ProtonMail user:

DKIM can help against email-spoofing attacks, but it has limitations.  I'd be really interested in finding out how ProtonMail implements this feature and under what conditions they decide to include the green checkmark.  For example, will the checkmark only appear if the DKIM key is greater than 1,024 bits?
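As an added example (not ProtonMail's code; the post does not say how their check works), here is one way a verifier could apply the key-size condition asked about above: pull the RSA public key out of a DKIM DNS TXT record's p= tag and withhold the checkmark below a minimum modulus size.  The DER helpers are written here for the example, and constructed_dkim_record builds sample records around placeholder moduli that are not real keys.

```python
import base64

def _der_tlv(buf, pos):
    """Read one DER TLV at `pos`; return (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _der_children(value):                               # (tag, value) pairs inside a SEQUENCE
    pos = 0
    while pos < len(value):
        tag, val, pos = _der_tlv(value, pos)
        yield tag, val

def dkim_rsa_bits(txt_record):
    """RSA modulus size (bits) of a DKIM TXT record's p= tag; 0 if revoked, non-RSA or empty."""
    tags = dict(kv.strip().split("=", 1) for kv in txt_record.split(";") if "=" in kv)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return 0
    spki = base64.b64decode("".join(tags["p"].split()))  # p= may be folded with whitespace
    _, spki_body, _ = _der_tlv(spki, 0)                 # SubjectPublicKeyInfo SEQUENCE
    _, bitstring = list(_der_children(spki_body))[1]    # BIT STRING after AlgorithmIdentifier
    _, rsa_key, _ = _der_tlv(bitstring[1:], 0)          # skip unused-bits byte -> RSAPublicKey
    _, modulus = next(_der_children(rsa_key))           # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def dkim_key_acceptable(txt_record, min_bits=1024):     # policy gate before showing a "verified" mark
    return dkim_rsa_bits(txt_record) >= min_bits

# --- constructed test data: a placeholder modulus of the requested size (NOT a real RSA key) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)

def constructed_dkim_record(bits):
    n = (1 << (bits - 1)) | 1                           # any odd number with exactly `bits` bits
    rsa_key = _der(0x30, _der_int(n) + _der_int(65537))
    alg_id = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

A record with an empty p= (a revoked selector) or a non-RSA k= yields 0 bits and fails the gate.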

The invitation email

The anonymity problems begin with the invitation email sent to new users:

Two leaks:

1)  The requested ProtonMail username is included in the invitation email.  This is bad because it ties together two email addresses (and any associated online identities or content) that were probably previously unlinked.  My email provider and anyone that happened to (accidentally-on-purpose) intercept and log this welcome email while in transit could see the ProtonMail username that was requested.  If logged, this email is now stored in a database somewhere in case a future analyst decides that one of my email addresses needs some scrutiny.  This data leak was not communicated during the initial Request Invite process.

2)  The link to register includes my requested ProtonMail username as part of the URL.  Same problem as above.  A more anonymous solution would be something like "{message_ID}".

Sending an encrypted email to a non-ProtonMail address

ProtonMail allows their users to send an encrypted message to non-ProtonMail users.  The non-user receives an email with a link that connects them to ProtonMail to retrieve and decrypt the message:

Four leaks:

1)  The ProtonMail username appears in the From field.  A more anonymous method would be to not include the username at all and instead use a generic From field, such as "From: A ProtonMail User".  Alternatively, ProtonMail could allow the sender to choose whether or not they want their username to be removed or replaced when sending encrypted messages to non-ProtonMail addresses.

2)  The ProtonMail username appears in the Body twice.  The body contains the text "You received an encrypted email from the ProtonMail user XXXXXXXXXX" followed by "The link to view the encrypted message is: {username}/{message_ID}".   A more anonymous URL would be "{message_ID}", and clicking on that link opens the specific decrypt page.  Only after the decrypt password is entered would the sender's email address be revealed to the recipient.  This allows the recipient to receive encrypted emails without allowing an eavesdropper to know which ProtonMail user sent it.

3 & 4)  When creating an encrypted message, ProtonMail does not warn the user that the subject line and password hint are sent unencrypted.  Unsuspecting senders may unintentionally leak information if they make a wrong assumption about which parts of their email are encrypted.  A better solution would be to include clear notices in the ProtonMail UI that the subject and the hint will always be sent unencrypted.  Ideally the user would have granular control over which metadata is leaked, managed through on-by-default options like "Leave subject line empty" and "Hide Username within outgoing emails".
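The opaque-link and hidden-username layout proposed in leaks 1 and 2, together with the subject and hint exposure in 3 & 4, as an added example (not ProtonMail's code): the leaky layout the post describes beside a hardened one, plus a check that names which cleartext parts of the notification still reveal the username.  The sender name, recipient, domains and base URL are placeholders.

```python
import secrets
from email.message import EmailMessage

BASE_URL = "https://mail.example/decrypt"   # placeholder, not ProtonMail's real URL

def build_notification(sender, recipient, subject, hint, link_tokens,
                       hide_username=True, leave_subject_empty=True):
    """Cleartext notification for a non-ProtonMail recipient of an encrypted message.

    hide_username=False reproduces the leaky layout the post describes (username in
    From, body and URL).  hide_username=True replaces it with an opaque, unguessable
    token that only the server can map back to the sender via `link_tokens`.
    """
    token = secrets.token_urlsafe(24)
    link_tokens[token] = sender                  # server-side lookup; never sent in clear
    msg = EmailMessage()
    msg["To"] = recipient
    if hide_username:
        msg["From"] = "A ProtonMail User <noreply@mail.example>"
        msg["Subject"] = "" if leave_subject_empty else subject
        body = ("You received an encrypted email from a ProtonMail user.\n"
                f"The link to view the encrypted message is: {BASE_URL}/{token}\n")
    else:
        msg["From"] = f"{sender} <{sender}@mail.example>"
        msg["Subject"] = subject
        body = (f"You received an encrypted email from the ProtonMail user {sender}\n"
                f"The link to view the encrypted message is: {BASE_URL}/{sender}/{token}\n")
    if hint:
        body += f"Password hint: {hint}\n"       # the hint is cleartext in either layout
    msg.set_content(body)
    return msg

def cleartext_leaks(msg, username):
    """Names the cleartext parts of the notification that reveal `username`."""
    parts = {"From": msg["From"], "Subject": msg["Subject"], "Body": msg.get_content()}
    return sorted(name for name, text in parts.items() if username in text)

# Constructed sample run: the leaky layout versus the hardened one.
if __name__ == "__main__":
    tokens = {}
    leaky = build_notification("alice.sample", "bob@example.net", "re: alice.sample's docs",
                               "our dog's name", tokens, hide_username=False)
    safe = build_notification("alice.sample", "bob@example.net", "re: alice.sample's docs",
                              "our dog's name", tokens)
    print("leaky:", cleartext_leaks(leaky, "alice.sample"))   # ['Body', 'From', 'Subject']
    print("hardened:", cleartext_leaks(safe, "alice.sample"))  # []
```

Even in the hardened layout the password hint stays in cleartext, which is why the UI notice the text asks for matters as much as the link format.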

Notification that my ProtonMail account received an email

By default, ProtonMail will send a notification email to the registration address whenever a new email is received:

One semi-leak:

The number of asterisks equals the number of letters in the username.  Masking the username is a step in the right direction, but it's odd that ProtonMail decided to do so in this email and not others.  If it can be done here, why not elsewhere?  A more anonymous option would be to drop the username entirely.

Clarifying descriptions

Security Details  -

The section on Anonymity should be expanded.  There are various levels of anonymity and claiming to deliver it reliably is a tall technical order - extraordinary claims require extraordinary evidence.  I have trouble accepting the statement "We do not store any metadata" without a clear definition of what data is intentionally not logged and a 3rd-party audit of all data that is sent or received.  The statement "ProtonMail does not require any personally identifiable information to register" should be amended to include "except for the email address you send to us.  For better anonymity, create a disposable email address that you'll never use again once registration is complete, and then disable all ProtonMail notifications from being sent to that address."

Threat Model  -

The threat model could use another entry under NOT RECOMMENDED:

Anonymity - The current Beta version is not a solution if you desire strong, vetted anonymity.  If you wish to sign up for ProtonMail anonymously, please wait for the full version that allows sign-ups without asking for a notification email.   If you wish to send encrypted messages to non-ProtonMail users without revealing your ProtonMail username in the email metadata, please wait until this has been corrected in a later version.

Other suggestions

Revisit and update the Threat Model blog post at least once a year.

Offer a Tor-friendly login page like Facebook did:

Under the entry for SSL Secured Connections, add the link to the results from the Qualys SSL Report:

Upgrade the SSL certs to SHA-2:

ProtonMail's response

I sent this post to ProtonMail Security on Jan 21.  They responded in about ONE HOUR, which is very impressive.  How many other email companies are that fast?

Hi Cuantico, 
First, thanks for your suggestions and interest in writing about us! 
We will have a redesigned website soon with updated info and will also be upgrading our SSL certificate to EV.  We will also be releasing a knowledge base soon that we will link to from the welcome email and other pages to educate new users on things such as what is encrypted. 
Your observations on anonymity are correct.  However, we are not trying to be the most anonymous messaging service.  We are building an email service that everyone can easily use to protect their data and privacy.  And to be a widely used email service and prevent abuse, we need a valid return path and transparency when communicating with other email accounts. 

What we have seen from our early adopters so far is a strong demand for privacy, not necessarily anonymity.  A vast majority of users set a notification/recovery email and opt to receive daily notification emails, showing they don't care too much about linking to their other email.  In fact, many choose to broadcast their ProtonMail address in their other emails or on social media to raise awareness about privacy. 
The totally anonymous messaging service you seem to prefer could eventually be a cool feature within ProtonMail but we will first focus on implementing basic features that appeal to everyone such as folders, encrypted attachments, mobile apps, etc.
Thanks again for your support and patience as we improve ProtonMail Beta! 
Best regards,
The ProtonMail Team


I responded with the words below.  This pretty much sums up my reasons for doing all of this:

I realize that you have not positioned ProtonMail as a service centered around delivering anonymity.  There are challenges and struggles with that kind of work and I completely understand the decision to not go that route. 
My suggestions were intended to raise awareness of the anonymity gaps and I thank you for acknowledging them.  If I could make only one request, I ask that the lack of complete anonymity be communicated more clearly via your website.  Expanding and clarifying the nuances of anonymity in your Threat Model and a clear explanation of which metadata is sent would be highly beneficial to those that are evaluating whether they should sign up. 
Doing so would hopefully redirect users that need stronger anonymity to services that can provide what they need.  Not because ProtonMail is faulty, but because it's the wrong tool for certain situations, such as individuals that live under aggressive surveillance where even a few minor leaks could lead to imprisonment or death.


This post was edited on 2/10 for grammar, formatting, and to add comments about DKIM
