With regards to HMAC-SHA256: in theory this is fine, but again we have no details. This is putting aside the question of whether or not they correctly implemented AES in whatever mode they're using. For all I know they're using ECB (in which case, the VPN is insecure and we can stop right here). They don't explain which block cipher mode they're using for AES at all - another red flag. On to AES: they commit the common marketing-mandated-security-page sin of focusing on the key size instead of the block cipher mode. I'm assuming they're not using something like ECDSA because RSA is faster (but not so much so as to justify the potential security tradeoff, even in a VPN client). If they haven't implemented padding (and done so correctly!), the VPN is insecure and we can stop right here. I also can't see any details of how they use RSA, so I don't know if they have implemented padding. I'll start with RSA: the fact that they use RSA at all for a new cryptosystem in 2017 is a red flag for me. Second, they do have a "Security Features" page which is rather light on the details; it mentions that ProtonVPN uses AES-256 (encryption), RSA 2048 (key exchange) and HMAC-SHA256 (auth). I have a few concerns about the cryptosystem. First of all, there does not appear to be a whitepaper available that describes the security architecture in any detail.

If someone using an official company account was rude to you, I sincerely apologize. I don't believe I've seen the Reddit exchange that you are referring to (I don't personally visit that site very often). UserVoice has a great end user application and clarification effect that is difficult to experience through interacting with users through e-mail or traditional forum comments. That page is monitored and the feedback received through UserVoice is considered and strongly influential.
If there's something that is a high priority for you personally to see (such as OpenPGP ECC algorithm support), I would ask that you take the time to submit it to the ProtonMail UserVoice page. For example, take the bridge application (currently in beta testing) that will allow integration with IMAP-based applications like Microsoft Outlook. A number of new features and offerings are being worked on. There are just not cycles to do it internally, right now. Specifically, it would be great if someone would contribute ECC support to the open-source OpenPGPjs project that ProtonMail currently maintains. ProtonMail would be happy to implement more of the OpenPGP encryption standard.