ProtonMail adds Tor onion site to fight risk of state censorship – TechCrunch

Swiss-based PGP end-to-end encrypted email provider, ProtonMail, now has an onion address, allowing users to access its service via a direct connection to the Tor anonymizing network in what it describes as an active measure aimed at defending against state-sponsored censorship.

The startup, which has amassed more than two million users for its e2e encrypted email service so far, launching out of beta just over a year ago, says it's worried about an increased risk of state-level blocking of pro-privacy tools, pointing to recent moves such as encrypted messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation that mandates tracking of web activity and can also require companies to eschew e2e encryption and backdoor products.

The service also saw a bump in sign ups after the election of Donald Trump as US president last fall, with web users apparently seeking a non-US based secure email provider in light of the incoming commander-in-chief's expansive digital surveillance powers.

"Given ProtonMail's recent growth, we realize that the censorship of ProtonMail in certain countries is inevitable and we are proactively working to prevent this," says co-founder Andy Yen in a statement on the launch. "Tor provides a way to circumvent certain Internet blocks so improving our compatibility with Tor is a natural first step."

Users of the Tor browser can now reach ProtonMail directly using its new onion address: https://protonirockerxow.onion

It's also written instructions on how to set up ProtonMail over Tor here.

Users accessing ProtonMail via Tor will have their connections anonymized, meaning the email service won't be able to see (and thus couldn't be forced to divulge) their true IP address.

Of course it's still possible to browse to ProtonMail's main website via Tor, but it points out the direct onion address has a few advantages, such as providing e2e encryption on the Tor level. This means the encryption applied by Tor is present until the connection reaches ProtonMail's infrastructure (vs a non-onion Tor connection not having Tor encryption beyond the last node), thereby making it hard for an attacker to perform a man-in-the-middle attack on a user's connection.

The onion site also provides end-to-end authentication, which ProtonMail says helps mitigate some of the weaknesses with the existing Certificate Authority (CA) system that's used across much of the Internet, pointing out that many CAs are trusted by default and some can be under direct government control. For this reason it's also using an onion site with HTTPS only, also as a backup in case Tor itself is ever compromised.
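Why an onion address authenticates the service without relying on a CA, shown as an added example that is not from the article or from ProtonMail: a 16-character (version 2) onion hostname like the one above is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's public key, so the name itself commits to the key. The key bytes below are constructed placeholders standing in for DER-encoded public keys, and the function names are hypothetical.

```python
import base64
import hashlib
import re

# v2 layout: 16 base32 characters (a-z, 2-7) followed by ".onion".
V2_HOST = re.compile(r"[a-z2-7]{16}\.onion")


def onion_v2_address(pubkey_der: bytes) -> str:
    """Derive a v2 hostname: base32 of the first 80 bits of SHA-1(public key)."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def is_v2_hostname(host: str) -> bool:
    """Syntactic check only: says nothing about who controls the name."""
    return V2_HOST.fullmatch(host.lower()) is not None


def key_matches_address(host: str, presented_key_der: bytes) -> bool:
    """True only if the presented key hashes to the hostname the user typed.

    This is the check that replaces a CA signature: a party without the
    matching private key cannot present a key that maps to the same name.
    """
    if not is_v2_hostname(host):
        return False
    return onion_v2_address(presented_key_der) == host.lower()


# Constructed stand-ins for DER-encoded public keys (not real keys).
SERVICE_KEY = b"constructed-service-public-key"
IMPOSTOR_KEY = b"constructed-impostor-public-key"

if __name__ == "__main__":
    addr = onion_v2_address(SERVICE_KEY)
    print("derived address:", addr)
    print("genuine key accepted:", key_matches_address(addr, SERVICE_KEY))
    print("impostor key accepted:", key_matches_address(addr, IMPOSTOR_KEY))
```
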

"If someday Tor were to be compromised, enforcing HTTPS adds another layer of security for the end user. Similarly, Tor also provides security in case HTTPS is compromised. The notion of HTTPS being compromised is one that we take seriously, considering that there are hundreds of CAs that are trusted by default, with many of them under direct government control in high risk countries," it writes in a blog about the launch.

"Thus, by using our onion site, your emails are protected by three layers of end-to-end encryption, there's Tor's encryption on the outer layer, HTTPS in the middle layer, and PGP as the final layer of defense for the emails themselves."

Another motivating factor it flags for launching the Tor hidden service is to bolster its defenses against DDoS attacks, given it's harder for attackers to determine the physical location and IP address of the onion site, so it could offer a workaround for accessing ProtonMail in the event of a sustained DDoS attack taking its web address offline.

ProtonMail suffered a major incident on that front back in November 2015, with the email service going down for more than 24 hours. Yen tells TechCrunch it still gets major DDoS attacks routinely, although he reckons its defenses and network are now able to withstand them without user impact.

"That said, the resistance of Tor to standard DDoS attacks is something that is interesting to us, particularly since DDoS attacks have continually grown in size over the past year," he adds, although he emphasizes it is "still a secondary motivation compared to the concerns we have about compromises in the certificate authority system and government mandated blocking."

ProtonMail's onion site is described as "experimental" at this point, so it's warning reliability "may not be as high as our standard site", even above and beyond the typically slower connection Tor users generally get.

"Even without using Tor, your ProtonMail inbox is still strongly protected with PGP end-to-end encryption, secure authentication (SRP), and optional two-factor authentication. However, ProtonMail definitely has users in sensitive situations where the extra security and anonymity provided by Tor could literally save lives," it adds.
