Proton Mail & EV Certificates

Logan & All at The Tek:

 

After watching The Tek 0114 - I wanted to check out Proton Mail and found that when I browsed over to the site, they were NOT using EV Certificates.  I found this to be a little strange considering the service they are trying to provide.  I sent them an email to see if this was an oversight on their part or if it was due to their 'beta' status.  They had responded that it was the higher cost of the EV Certificate that prohibited them from using it.  OK, I can understand that maybe since it is (as of now) a free service, the extra cost may not be in their budget - but it did make me think twice and so far I have not signed up.  Steve Gibson had a section on his site that goes into a little more detail on EV Certificates - https://www.grc.com/fingerprints.htm

But I wanted to ask what your opinion was on their lack of an EV Certificate and would it make you think twice before signing up?

 

Sincerely,

 

Franklin J. Smythe

Not sure if blog spam link? ;)

https://www.google.com/

Google doesn't use EV. Where is your god now? lol 

There is ZERO technical difference between an EV cert, a "regular" cert and an organizational cert. In this case (thankfully) the technology is totally divorced from the politics.

The type of SSL hanshake you want to look for is perfect forward secrecy:

http://en.wikipedia.org/wiki/Forward_secrecy

In your browser, in 'about this ssl cert' you want to look for one of the highlighted algorithms:

http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

 

Okay, so what's EV all about? Identity, mainly. That's it. That's not a technical problem, that's a political problem. If you're really paranoid make a note about the certificate thumbprint on sites you frequent. That is if you're suggesting that the EV cert is less likely to be faked by rogue third party certificate authority. Keeping track of the thumbprint would go a long way to prevent some sort of surreptitious SSL shenanigans that you may be suggesting. 

If you want to be paranoid about SSL, don't look for EV. EV is 100% marketing drivel, and you've been brainwashed by what it is successfully. Not meant to offend, just that (for me) when I've been duped that way, I always think of it as a carnivorous ear wig that's been planted in my brain.

To be sure it's secure against replay attacks and/or later capture of the SSL keys, look for the crypto algo and make sure it's one of the PFS ones. The netcraft article overs all this.

(To be completely fair, there is an extra hash EV certs have... but if we're talking about like folks like the NSA, lavabitting your cert, this is not especially helpful for those scenarios. It's more helpful in a scenario where your computer is in a large corporation and has a third party trusted certificate authority issuing certs for facebook, google, etc so they can snoop on SSL traffic at a corporate level. But the infrastructure has to be in place and you have to have a 'rogue' certificate authority that you trust already installed in your browser. so not especially relevant for stand-alone PCs.. in that case, the cert would show as green, but not EV, in that corp. enviornment. )

 

 

Thank you Wendell for explaining what the deal is with EV Certificates.  That is the main reason I joined  - to learn and to get other than the main stream opinions.  Just to let you know - there was no spam intended...The site I mentioned just seemed like it was a good starting point to understanding what EV certificates were and how they worked. Since Proton Mail could be a great thing, I just thought bringing up this observation might have, in some small way, helped out.

no worries I was only pulling your leg slightly. It is true that browsers have an "extra" hash check for a cert that claims to be EV, to check against a list of EV signers... but .. you still have to trust the signers in the first place. Fingerprint is a good way to 'be sure.