ProtonBlog(new window)
Iscriviti con RSS

2016 Email Security Roadmap

Proton Team(new window)

Condividi questa pagina

For 2016, we are looking forward to another year of progress towards building easy-to-use secure email. Today, we are publishing our first security roadmap.

Over the course of 2015, we have taken several big steps towards making Proton Mail the easiest to use secure email service.(new window) Some highlights of 2015 include the release of Proton Mail 2.0, which is fully open source(new window), and the beta release of the Proton Mail iOS and Android secure email mobile apps(new window). Thousands of users have been testing these apps for over 4 months now and given very positive feedback. Therefore, we will finally be releasing the apps in the App and Play stores in 2016.

During the second half of 2015, our team focused almost exclusively on Proton Mail 3.0 which will launch at the end of this month, bringing many new features to Proton Mail including support for custom domains(new window). In 2015, we also made numerous security enhancements including adding support for encrypted attachments and adding the ability for non-Proton Mail users to send encrypted replies to encrypted Proton Mail messages. Now, all messages in Proton Mail, including attachments and emails sent by non-Proton Mail users, are stored with zero-access encryption.

For 2016, we will continue on this trend of increased email privacy. As our primary focus is on secure email, it is fitting that our first published roadmap is focused entirely on security. Building a privacy focused email service is difficult as security is a moving target that requires constant innovation. These are the steps we will be taking in 2016 to protect your email privacy.

We have broken down our security roadmap into four broad categories.

Authentication

  • Challenge/Response login password improvement so that every login uses a different one-time hash.
  • Store mailbox password in memory only, not session storage. This means the user will have to re-enter the mailbox password if the page is refreshed, but will avoid the mailbox password ever touching the disk if the browser caches session storage.
  • Two factor authentication

Server

  • Public Key Pinning (HPKP): This pins our certificate such that we can’t be impersonated if a root CA or intermediate CA is compromised.
  • Content Security Policy (CSP): An extra layer of XSS protection which disables all inline scripting and whitelists only our domain for loading Javascript.
  • Migration to Certificate Transparency (CT) for EV Certificates
  • DNS-based Authentication of Named Entities (DANE)

Full PGP Support

  • Support importing PGP public keys of contacts so PGP emails can be sent automatically through Proton Mail
  • Support keychain functionality so users can import their own public/private keys
  • Allow the export of Proton Mail user private keys

Application Security

  • Add Proton Mail SSL certificates to the HSTS browser preload list(s). This needs to wait until we have stabilized our certificates.
  • Client-side public key verification mechanism for recipients. This allows you to automatically check the fingerprints of recipient public keys to ensure that there is no key spoofing.
  • Browser extensions or desktop applications so client side code does not need to be loaded each time Proton Mail is accessed.
  • Splitting the Proton Mail webmail into a separate subdomain isolated from other services
  • Adding a Web Application Firewall (WAF)

With limited resources, there is always a trade-off between improving security and adding features, so as much as we would like to, these security improvements cannot be done overnight. If you would like to support our efforts on this, feel free to either join our open source project(new window)! As always, we welcome any feedback on this roadmap either in the comments or by emailing us at security@proton.me.

Over the past year, we have meticulously built up our infrastructure, technology and team in order to support the largest encrypted email service in the world. Looking forward to 2016, we hope to leave Beta and open the gates so that private and secure email can be enjoyed by all. Join us on this exciting journey to change the Internet!

Proteggi le tue email e difendi la tua privacy
Passa gratis a Proton Mail

Articoli correlati

Una comunicazione sicura e fluida è il fondamento di ogni azienda. Con sempre più organizzazioni che proteggono i loro dati con Proton, abbiamo notevolmente ampliato il nostro ecosistema con nuovi prodotti e servizi, dal nostro gestore di password al
what is a brute force attack
Nel contesto della cybersecurity, un termine che spesso si incontra è attacco brute force. Un attacco brute force è qualsiasi attacco che non si basa sulla raffinatezza, ma utilizza la pura potenza di calcolo per violare la sicurezza o addirittura la
La Sezione 702 del Foreign Intelligence Surveillance Act è diventata famigerata come giustificazione legale che consente ad agenzie federali come la NSA, la CIA e l’FBI di effettuare intercettazioni senza mandato, raccogliendo i dati di centinaia di
In risposta al crescente numero di violazioni dei dati, Proton Mail offre una funzionalità agli abbonati a pagamento chiamata Monitoraggio del Dark Web. Il nostro sistema verifica se le tue credenziali o altri dati sono stati diffusi su mercati illeg
Il tuo indirizzo email è la tua identità online, e lo condividi ogni volta che crei un nuovo account per un servizio online. Sebbene ciò offra comodità, lascia anche la tua identità esposta se gli hacker riescono a violare i servizi che utilizzi. Le
proton pass f-droid
La nostra missione in Proton è contribuire a creare un internet che protegga la tua privacy di default, assicuri i tuoi dati e ti dia la libertà di scelta. Oggi facciamo un altro passo in questa direzione con il lancio del nostro gestore di password