ProtonMail: A Survivors Tale

Beginning November 3rd, encrypted email service provider, ProtonMail, came under a DDOS attack by blackmailers. Here is my experience, as a supporter and subscriber, watching from the sidelines. It’s a survival story with many heroes that reads like a Mr. Robot script.

Why Encrypt Your Email?

ProtonMail is an encrypted email service that I just love. It overcomes the problems with email providers’ harvesting your personal data for resale, the pitfalls of these databases falling into criminal hands and just plain weirdness you feel when every word, attachment and contact is shared to whomever.

To make my point on why everyone should use encrypted email, like ProtonMail, consider this experience: I recently had to fill out an affidavit confirming my identity but did not have all the particulars with me, such as past addresses, etc. No problem, I just logged into my 12 year old Gmail account and did some searching. In no time, I had all the personal info the affidavit required to prove my identity.

It’s not that I purposely saved all this information in there. It just accumulates over the years organically.

Imagine if that data fell into the wrong hands.

ProtonMail is a crowd-funded, free email service that comes out of the CERN laboratories in Switzerland and MIT. The engineers at these research facilities were inspired by the revelations of Edward Snowdon about back doors into email servers and the general collection of data by governments, so they built ProtonMail.

The service is simple, elegant and super secure. The encryption happens through the use of a client-side password, so theoretically, nobody, not even ProtonMail, can decrypt your emails and read them.

ProtonMail Taken Down

The recent Distributed Denial of Service (DDOS) attack began on November 3rd when a group held for ransom access to ProtonMail’s email service. This was a very sophisticated attack that flooded their servers with requests, but also their ISP. The result was that ProtonMail and several other sites, including e-commerce and banking sites, were unreachable. After failing to successfully fight back, the ISP and other firms put enormous pressure on ProtonMail to pay off the cyber gang. They did so and the attack stopped…momentarily.

Less than half a day later, the attack re-commenced. This time it was even more sophisticated and destructive. And, things got even weirder. The original blackmailers actually contacted ProtonMail to let them know they were not involved in the new attack. ProtonMail is pretty certain that the second attack was likely a state entity.

You can read all the details on their blog post on the incident.

Over this past weekend, November 7-8th, ProtonMail launched a response to the ongoing attack, deploying new defensive technologies used by large Internet firms, funded through a GoFundeMe campaign. As of this writing nearly 1,500 individuals donated $50,000 in just 3 days to help in this regard.

Those would be the first, rather large, set of heroes. Thanks to you guys!

Click here to add to the fund.

Social Networks Get the Word Out

The media was really late to this story. It was not until the end of the week that the first news reports came out about the blackmail story made sexier by the fact that the ransom was paid with bitcoins.

Most of the breaking news, however, was only available on ProtonMail’s Twitter feed and their Sub-Reddit.

It was on their Twitter page that they first disclosed the moment-by-moment details of their fight to restore access and their ultimate attempt to fund new defensive technologies. It was on Reddit that the controversy and pain was aired such as reactions to their payment of the ransom and frustration of everyday users at not being able to access their email.

People really gave them a lot of credit, however. And it was heartening that, despite some rather single-minded rants, most people rallied around ProtonMail.

Lessons Learned

One thing I was surprised about were some of the complaints from business people that were using ProtonMail as their exclusive business email. They were losing money during the attack so they were often the most irate. But you have to wonder about someone using an emerging tool like ProtonMail for something so critical as company email. Obviously, new Internet services take time, especially when they are not backed by seasoned VCs who are risk adverse.

I personally had not made the switch to ProtonMail entirely. Part of this was because they don’t have an iPhone app yet, which is where I do about 50% of my emailing. But I was getting close.

So, yes, I had a few important emails get bounced back to the senders. And perhaps one or two have been lost permanently (I may never know). But it does go to show that, for the foreseeable future, ProtonMail is not a reliable sole-email solution. However, given the work they are doing in response to the latest attack, this event may be the turning point that makes them a truly stable email service.

Just this morning, they came under another attack, but unlike previous days over the past week, they were back online very quickly. Hopefully this means their new defenses are paying off.

Bottom Line

ProtonMail rocks. I really love it. The recent DDOS attack only confirms that the good team at CERN and MIT are dedicated to doing what it takes to keep this alive. I can think of other such services that have folded when they came under similar pressure. In fact, the user community around ProtonMail is as serious as ever, shelling out the money required to safeguard encrypted email just when it counted.

There will likely be further trouble ahead. The British government has suggested it might ban encrypted email services. And who knows how the US will respond long term. So, there could be more chop ahead. But for the time being, it seems that ProtonMail may have survived a very critical test of its resilience.

Stay tuned!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s