The Hacks of Mr. Robot: How to Send Ultra-Secure Emails
Welcome back, my nascent hackers!
In several episodes, Elliot was seen sending secure emails. As a seasoned and savvy hacker, he would never use Gmail, Hotmail, or Yahoo to send confidential messages. Instead, Elliot chose the most secure email system available to non-military and non-spy people like you and me: ProtonMail.
In a world where Google and the NSA inspect every email, a truly secure email service would be a godsend. Several email systems have touted themselves as secure, but we eventually learned that they were flawed or that their servers could be grabbed and inspected or otherwise compromised.
ProtonMail was developed in 2013, at least in part due to the revelations that Edward Snowden provided regarding the NSA's world-wide surveillance (WWS) program. It was developed by researchers from CERN in Geneva, Switzerland. If you are not familiar with CERN, it's the world's largest subatomic research facility that many credit with the development of the World Wide Web, among other things.
Being based in Switzerland gives ProtonMail several advantages.
First, the EU has far more stringent privacy standards than the U.S., and although Switzerland is not a member of the EU, Europe has much greater respect for individual privacy than is presently practiced in the U.S.
Second, Switzerland has probably the most stringent privacy standards in all of Europe. Long a haven for neutrality and secret bank accounts, Switzerland has developed sophisticated laws to protect individuals' privacy. In addition, Switzerland is outside of the U.S. and EU legal jurisdiction. This makes it an almost perfect physical location for a private email server.
ProtonMail was designed to give the email user complete anonymity. To accomplish this anonymity, it provides the following.
- End-to-end encryption (emails are decrypted in your browser).
- It does not require a phone number or another email address to open an account (that other account might be used to track your identity).
- You can set your email to expire after a number of days—even hours.
- It keeps no logs.
- Even the administrators at ProtonMail can't read your email.
- It is located in a neutral nation that is known for its respect for privacy.
ProtonMail has become very popular because of these unique security features. Presently, there are over 250,000 users worldwide, and the number is growing rapidly. Due to this rapid growth, you may have to wait a while to get an account. You need to first request an account and, when they have the capacity, they will email you back telling you that you are eligible to open an account. Presently, this takes 2-3 weeks, but it does vary.
The first step, of course, is to request an account. Go to protonmail.ch and submit a request for an account.
Once you receive the email notifying you that you can now open an account, click on the link they sent you. This will take you to a "Create Your Account" screen.
It looks a lot like any other webmail account form, with one exception: it requires two passwords. One is to log into your account and the other is to decrypt your email. For maximum security, make certain that these two are different.
Once you have created an account, you can log in like any other webmail account.
Now that you have successfully logged in with your username and password, ProtonMail will prompt you for your second password, which is used to decrypt your email.
When you enter it, ProtonMail begins decrypting your email.
When all of your email is decrypted, it will open a familiar email interface.
If you click on "Settings" in the top bar and then "Security," it brings you to the security settings screen. Notice that you can export your PublicKey for use in PGP-compatible services. Presently, it is only compatible with OpenPGP. Also notice in the lower half of the screen the "Authentication Logs." By default, they are "Disabled," and I recommend you keep them that way for the highest level of security.
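Before handing an exported public key to another PGP-compatible service, it helps to confirm the file arrived intact and to note its fingerprint so correspondents can compare it out of band. The Python below is an added example, not ProtonMail's code: it verifies the ASCII-armor checksum and computes the OpenPGP version 4 fingerprint as defined in RFC 4880. It assumes the export is an ASCII-armored v4 key, and the hypothetical constructed_key helper builds a toy sample in place of a real export.

```python
import base64, hashlib
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data):
    """Armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    """Decode an armored public key block, rejecting a wrong checksum."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END or "" not in lines:
        raise ValueError("not an armored OpenPGP public key")
    body = lines[lines.index("") + 1:-1]  # data follows the armor headers
    check = body.pop()[1:] if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if check is not None and crc24(data) != int.from_bytes(base64.b64decode(check), "big"):
        raise ValueError("armor checksum mismatch")
    return data

def v4_fingerprint(key):
    """SHA-1 v4 fingerprint (RFC 4880, 12.2) of the leading public-key packet."""
    tag = key[0]
    if tag & 0xC0 == 0xC0:  # new-format packet header
        ptype, first = tag & 0x3F, key[1]
        if first < 192: length, off = first, 2
        elif first < 224: length, off = ((first - 192) << 8) + key[2] + 192, 3
        elif first == 255: length, off = int.from_bytes(key[2:6], "big"), 6
        else: raise ValueError("partial length is invalid for a key packet")
    elif tag & 0x80 and tag & 3 != 3:  # old-format header: 1, 2 or 4 length octets
        ptype, n = (tag >> 2) & 0x0F, 1 << (tag & 3)
        length, off = int.from_bytes(key[1:1 + n], "big"), 1 + n
    else: raise ValueError("unsupported packet header")
    body = key[off:off + length]
    if ptype != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("first packet is not a complete v4 public key")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()

def constructed_key(new_format):
    """Constructed sample, not a real key: toy RSA packet, armored."""
    mpi = lambda v: v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1443657600).to_bytes(4, "big") + b"\x01" + mpi(0xC5A3F10B) + mpi(65537)
    data = (bytes([0xC6, len(body)]) if new_format else b"\x99" + len(body).to_bytes(2, "big")) + body
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", base64.b64encode(data).decode(), "=" + crc, END])
```

With a real export, pass the file's text to dearmor and compare the result of v4_fingerprint with the fingerprint your correspondent sees after importing the key.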
One of the features of ProtonMail that I really like is the email expiration feature. When you compose an email, you can choose how long it will exist on the server before "expiring."
To do so, simply click on the "clock" icon at the bottom of the compose email window and it will open a slider where you can choose how long the email will exist. In this case, I set the expiration to 13 hours. After you hit "Set," the clock will begin ticking, and when the time has expired, the email will expire and no longer be available to ANYONE.
In addition to keeping your emails safe from prying eyes, if you want to make certain your chat sessions are secure, check out my article on OTR. (OTR, or Off the Record, is an IRC client.)
Keep coming back, my nascent hackers, as we continue to explore the techniques and technologies of the world's most valuable skill set—hacking!