5

ProtonMail keeps the encrypted private keys of all their users on their servers. The mailbox password, which is known only to the user, decrypts the private key of that user.

Would it not actually be better if each user had control of their own private keys?

Important facts to consider:

  1. Users are trusting ProtonMail to keep their encrypted private keys safe. In a pure form of public-key cryptography, this would not be the case. Each user would be responsible to keep their private key safe or secure (for example in an encrypted USB key).

  2. In a traditional PKI infrastructure, there will never be a place where all private keys are stored in a single database (even if they were encrypted).

  3. An offline dictionary attack can be launched against any encrypted private key, so a mailbox password = a private key. Keep in mind that most people do not choose strong passwords, therefore it creates a false sense of security for many.

  4. User doesn’t have control over their private key: they cannot extract it, save it separately, nor can they decide to remove it from ProtonMail’s servers if they wish.

  5. User can place their private key on an encrypted USB key, making it “something they have”. Passwords are something “they know”, and as such could result in weaker security.

  6. How can having to enter two passwords in a row (login + mailbox password) be labeled or considered to represent a public key cryptography scheme? Would not protecting a PKI with a password be considered in a way to be counter-productive?

This question is not about AES encryption for a simple reason: The password is as strong as itself, not as strong as the encryption used behind it. The classic example of a password of 1234 is just as weak if AES256 was used or DES.

techraf
  • 9,141
  • 11
  • 44
  • 62
Zack
  • 486
  • 2
  • 6
  • 1
    Users having their own private key would be the traditional PGP which has issues like key management and other usability downfalls that protonmail is trying to solve imo. – Silverfox Jul 06 '16 at 17:14
  • 1
    Yes, but that is the usability compromise we have to take while using PKI. The point I am trying to make is that adding a password on top of PKI might make things a lot less secure than most people realize. – Zack Jul 06 '16 at 17:46

2 Answers2

4

Hushmail does something like this (or used to). The private key was stored locally and the website would send a Java applet to handle encryption/decryption and signing operations.

It would protect you against the vector you describe... but... the whole model of a web application handling PGP has serious limitations. When you log on to the compromised site, your key can still be stolen.

The service was tapped by law enforcement with a warrant:

I don't know if they still support the Java applet method. They added to the case: "Hushmail stated that the Java version is also vulnerable, in that they may be compelled to deliver a compromised java applet to a user."

It's best to manage your software and keys locally.

mgjk
  • 7,535
  • 2
  • 20
  • 34
  • You mentioned that "When you log on to the compromised site, your key can still be stolen". If ProtonMail asked for the private key just to decrypt and unlock my encrypted message, how would my private key be stolen? For one, they would not have it in their database, and for second, my private key would be handled only on my own browser, never leaving it. – Zack Jul 06 '16 at 17:43
  • 2
    Similar to the Java Applet weakness in Hushmail, Protonmail "... could also serve malicious code to a targeted individual (based on a specific IP address, for example) if legally compelled to do so." https://www.wired.com/2015/10/mr-robot-uses-protonmail-still-isnt-fully-secure/ . – mgjk Jul 06 '16 at 17:56
  • I read that article before. Yes in that case they could steal it, but it might be also considered a bit extreme considering they are intentionally compromising the security of their users (complete loss of reputation, like Hushmail). But if we know that it is better to manage keys locally, why does ProtonMail even have our encrypted private keys protected by a password? If it is not intentional, it is simply not a sound practice? – Zack Jul 06 '16 at 18:02
  • In theory, the password protects against a massive breach decrypting your private key and your data. It does not protect against a massive breach also adding js which would leak you passphrase or key to the attacker when you log in. If it were added through a warrant and only delivered to the victim's account, nobody would likely ever learn of it. Security is not black and white though, these kinds of services are ok if you trust the company to adequately secure their systems and the warrant vector isn't a concern. – mgjk Jul 07 '16 at 15:41
  • 1
    I think it is a design / implementation issue. For most users out there who don't choose (or dont know how to) strong passwords, that massive breach will reveal tons of private keys, in a single phase or attack. Whereas if you leave the private key of each user to themselves, that would never happen. Putting all private keys in a single database actually weakens the security of all those users (being protected by their own passwords). – Zack Jul 07 '16 at 16:04
  • PKI was implemented to counter the usage of passwords, using PKI with a password in front of it is not doing us any favors. – Zack Jul 07 '16 at 16:04
  • PKI was designed to do a lot more than counter the use of passwords. PKI gives you digital signatures and the ability to send encrypted emails without sharing secrets, even if the security of the keys is only as strong as their effective secrecy and the passwords protecting them. Otherwise I agree. The answer is nuianced because regular users have a hard time with PKI. User experiences with fat clients like Outlook, Lotus Notes and Enigmail show how poorly people manage the concepts. I would think web-based PKI are little more secure than Gmail, except users also get PKI features. – mgjk Jul 07 '16 at 16:25
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/42167/discussion-between-zack-and-mgjk). – Zack Jul 07 '16 at 16:57
0

Private key storage by user would be a nice feature, but it could open you up to a world of issues as you would be unable to access the web based version without uploading the key--thus traversing networks that are public. I trust proton more than I trust starbucks

James Green
  • 1
  • I would highly advise you spend as little as 15-30 minutes digging into Proton's history and then you might re-evaluate your last statement :) –  Apr 27 '21 at 15:35