Is Protonmail Safe for Security and Privacy?

Video Statistics and Information

Captions
The question today is: should you use ProtonMail? On my channel I don't give you obvious answers. Is it really the most secure and private email you can use? Likely many of my subscribers use ProtonMail, but we will study this clearly so you understand the risks and benefits of ProtonMail, and compared to emails in general. I have many videos on email and these are largely ignored because they're not cool topics; it's all tech. But this lack of interest translates to misunderstanding how email works, which can lead to uninformed choices and often the biggest dangers to privacy. Let's dig in deeply.

I have a particularly applicable background when we're talking about ProtonMail and email in general. That's because many years back I actually wrote an email client and server similar to ProtonMail, so I hope my insight is unique, because it's like someone from inside the email platform giving you secrets.

First, I will tell you right now that I have no ProtonMail account. I also have no Tutanota account or StartMail account. You might think that's weird for the Internet Privacy Guy. I'm sure The Hated One has one of those email accounts. I'm not going to judge you for having these types of email accounts. In my interview with John McAfee, he says that ProtonMail is CIA, in that these platforms offer no security or privacy. That's his opinion, by the way; I have no inside information to make the CIA claim.

Edward Snowden, by the way, used Lavabit. Lavabit shut down in 2013 when the US government demanded access to its private keys because they were trying to access Snowden's email. It shut down instead of giving up the information. Silent Circle, another company that offered encrypted email, shut down after citing the impossibility of being able to maintain the confidentiality of its customers' emails should it be served with government orders. I shut down my email service around 2014 as well. I wasn't served with any government orders of any sort, but in actual operation I saw holes even though I was operating the email service with encryption.

First, before I start giving you quick answers, you have to understand how email works and how you never hear the complete story about claims on email encryption, so I will attempt to make you understand. The email system is quite old. It existed before the internet and it flourished in the early days of the internet. It was used heavily when internet access was based on dial-up modems, for example.

Email is made up of three protocols. SMTP and POP3 were the original protocols, and then IMAP was added later. Usually when we think of these protocols we also remember that when setting up our email we specify port numbers. So the original specifications have these assignments: SMTP port 25, POP3 port 110, IMAP port 143.

Now let me explain what these protocols do so you understand how this relates to you. Sending email uses SMTP, Simple Mail Transfer Protocol. Receiving emails can be either POP3 or IMAP. The difference between the two is that POP3 means that you store your own messages, while when using IMAP the server stores the messages for you. Webmail has to use IMAP because you're using a browser and are not storing your own messages. If you're using an email client on your device and you're using either one, most people use IMAP so they can read their messages on multiple devices, so each of your devices will just sync email from the email server. The actual messages are typically stored on the email server.

The email infrastructure consists of two parts. First is the interactions you have with your own email server, which is usually a specific domain or set of domains owned by the email provider or company. For example, if you have a Gmail account, this is your interaction with gmail.com. If you have a ProtonMail account, it's your interaction with protonmail.com. I'm going to go back to your interaction with your own email server later.

The second interaction is between your email server and other email servers. These interactions are known as MTA to MTA. MTA means message transfer agent. So these are interactions between gmail.com and yahoo.com, or mybusiness.com and outlook.com, or protonmail.com and icloud.com, and so on, meaning inter-domain email. Because MTA to MTA is limited to sending emails, that's all it does, it uses the SMTP protocol, which is assigned to port 25.

Now, one interesting fact about the SMTP protocol, port 25, a very old protocol, is that all the traffic has to be sent in plain text. It has to be human readable. If you send an attachment, you have to encode it in base64, which is not encryption; it is easily translated. Base64 allows sending binary data without corrupting a message, since everything is translated to normal text. As someone skilled in hacking, it is quite interesting to be on the same network as an email server and then listening to the traffic on SMTP port 25. Again, it is unencrypted, so all you have to do is run Wireshark and you can see the plaintext traffic coming out of an email server. I want to make this clear: MTA to MTA traffic on port 25 has to be unencrypted and in plain text or the protocol won't work.

Now, if you haven't looked at the format of an email, you may also not know that there's a little trail on there on the top that shows how the message reached the final email server. It will often indicate the machine name of your source computer, the IP address of the sender and the IP address of the email server it connected to. In addition, in plain text, it shows timestamps and of course the names and email addresses of senders and receivers. The subject line of an email and all the supporting information I just mentioned are called email headers, and I will generally call email headers email metadata, and it cannot be encrypted. The message body and attachments by default are also not encrypted. Now, you can take special precautions like Snowden did to encrypt the body of the message, which is tedious, using PGP. It's tedious because the only way to do it is to exchange keys with everyone you're dealing with, and that means you can only talk to techie types who understand how to handle PGP.

As I mentioned, email server to email server, or SMTP port 25, traffic is plain text, so the governments of the world know this. For this reason, most definitely the US government and likely many governments collected data on SMTP port 25. This means that there is a high likelihood that some email sent to you over the years, maybe the past 30 years, has been collected and stored. Also, depending on where a hacker is positioned on the network, a hacker can also intercept this kind of traffic and examine your emails. So if over the years you've sent tax information or a tax return to your accountant, or medical data to your doctor, then be assured that someone else now knows this. In fact, this is well known in the medical field, which was my prior career, that HIPAA regulations in the U.S. banned the use of emails for sending medical records, and this is in effect to this day. The IRS also does not send messages via email at all, because they must know this. On the other hand, in a strange turn of events, the US State Department apparently uses emails, and at some point someone had private email servers, which guaranteed that traffic flowed externally and in plain text over ducting SMTP port 25.

I've often wondered why no one talks about this or why my videos on this topic are suppressed, and my guess is that it is to the benefit of the intelligence community that all of you use SMTP port 25 so that they can easily collect data, even from other departments in the US government. Since most of the traffic off the internet is routed through the US Internet, then it should be plain to see that most email in the world is captured by the U.S. three-letter agencies. There will be exceptions and I will discuss those in a moment, but let me make this statement now so you get this in context: all SMTP port 25 traffic, including those from ProtonMail, Tutanota, Gmail, Yahoo, iCloud and the US State Department and so on, are all exposed. So don't believe the lie. This part of email has always been open. It doesn't matter which email service you use; a hacker, a government, an ISP can read much of your email. Now, in case you think lots of people sit there and read your email, give me a break. Obviously the email is stored in databases and can be searched later by identifying a specific IP address, email address, name or keyword.

Now let's go on to part 2. I skipped the interactions you have with your own email server to make this cleaner. What happens if you email yourself? Is that visible to hackers, governments and so on? This part is very interesting. In the old days, the only way to talk to your email server was using POP3 port 110, IMAP port 143 and SMTP port 25. These are all plaintext protocols. But now they've changed this. Practically all email clients now offer encryption on email traffic through the use of something called TLS, which is like HTTP for email. So now we have TLS versions: encrypted POP3, which is port 995, encrypted IMAP, which is 993, and encrypted SMTP, which is 465. But this is limited to your communications with your email provider.

So today, in 2020, likely emails that flow between you and your email provider will be encrypted. Fortunately, this blocks reading of lots of emails on local area networks and large business networks within the network. In the case of the US State Department, emails within the State Department will be secure, except to the people running it. Emails from the State Department to private email servers will not be secure. Let's make this clear: your email provider can still read your email, incoming or outgoing. Your email provider can read the metadata showing IP addresses and names, but hackers under Lion can no longer capture this data. In 2020 the email traffic has been reduced so that the only exposure now is on the email server to email server traffic, the MTA to MTA traffic, in other words inter-domain traffic.

When email providers say their email is encrypted, and this includes Gmail, ProtonMail, Tutanota, StartMail and others, this is the part they're talking about. They don't mention SMTP port 25, which is the sucking hole. So in a sense they're not lying to you. Part of your email interactions is encrypted, but not all.

Now let's go further. Your email provider can read your email. It is clear and obvious that Gmail reads your email. They use it to profile you for advertising. Based on the email traffic to your account, you will see applicable ads flow wherever you interact, on search, YouTube and web sites with ads that are based on your Gmail activity. They're not giving you this service for free; they want something back.

Now what about ProtonMail? Now here's the potential positive for ProtonMail, and I'll be frank, I consider this only a minor positive. ProtonMail claims end-to-end encryption when you're talking to someone inside the ProtonMail network, which is ProtonMail to ProtonMail traffic, and that's likely true. If both sender and receiver are on ProtonMail, then likely the message body will be encrypted.

Now this is where my experience comes in. Like I said earlier, I made my own email service just like ProtonMail. The difference was that I encrypted over Gmail and your existing email provider, so I didn't intend to store the emails on my server for the private messages. That way I didn't have direct access to your messages. But ProtonMail stores your email on their server, and what that reveals is a lot of metadata, especially for your inter-domain email. It shows who you're interacting with, their email addresses, timestamps, IP addresses. That metadata can be demanded by governments, unless ProtonMail is already a government plant, in which case they have a deep database of metadata.

Gmail, on the other hand, also reads your email, and they can read your email content, which is again scannable for keywords. The difference between the two is that ProtonMail is a known haven for people with something to hide, so all that metadata is a nice collection of interactions between people who would be on the shortlist for surveillance. Gmail has probably billions of accounts, so the only way to classify you in it is by specific knowledge of your email address, an IP address and keyword. Gmail also has a policy of informing you if there's a subpoena for your email information. McAfee, by the way, uses this as a canary warning flag on his email messages, and he's smart enough to know the limits of what he can put in an email message. So even ProtonMail is not 100% secure. In many ways you can hide in plain sight better on Gmail, so that's why I recommend Gmail for unimportant messaging only, like social media accounts and unimportant Gmail to Gmail traffic.

What is more secure than ProtonMail then, and it's not Tutanota or StartMail? Well, this is the more complex question, but I run my own email server. This is more secure than Gmail or ProtonMail. Nowadays this is very difficult to do without cybersecurity expertise. Email servers are constantly hacked and require monitoring. I run a specially configured Linux server using Postfix. Now, I can consult for people on how to set this up. It's time consuming and it's not cheap, and obviously there's the monthly cost to run the servers, but this could be good for, like, a company. Anyone doing this will be tested on their cybersecurity skills, because any mistake will show up with spammers attacking your server and your ISP blocking your SMTP access and you're getting blacklisted, your entire domain blacklisted.

But let me explain the benefits here. First, only the one with access to the server can read the emails, and two, people on the same email domain will be more secure than ProtonMail, because converting between two accounts on the same server will be encrypted. So if you have a domain mysuckingmail.com and you give a new mysuckingmail.com account to anyone you want to talk to, then all your internal conversations will be private.

Can you still use ProtonMail? It depends on the importance of the metadata. Since a third party now has the metadata, a relationship map and contact lists can generate connections. It is worrisome. If Snowden used ProtonMail, it would be a quick check to see all the email addresses he communicated with and their IP addresses and all the timestamps and size of messages. So if I'm gonna use ProtonMail, it's going to be pseudo-anonymous. I'm not gonna put my real name in there. It's that important to hide. In the limited cases where you think that it doesn't matter, like an obvious connection between people, for example people in the same business, then using ProtonMail among yourselves is probably safe with the use of a VPN.

Now, knowing all this, what's the conclusion? In general, any emails from one domain to another domain are tracked by governments, ISPs and advanced hackers. In general, emails within the same domain, like Gmail to Gmail, ProtonMail to ProtonMail, iCloud to iCloud, are safe from external examination but may be read by the platform provider. In general, emails in encrypted platforms like ProtonMail will be safe from email reading within the same domain, but your metadata will still be there since it's a format of the SMTP protocol. If you decide to use something like ProtonMail, I wouldn't use it for anything other than ProtonMail to ProtonMail communications. I would never advertise it. This way it would have limited metadata. The safest email use is a private email server where your most secret emails are only within the same domain, and giving limited access to the server itself to others.

Given this, I conclude that email is so unsafe that I use it sparingly. I use it mostly read. I would rely on other messaging systems like Signal and my own Brax.me platform instead of email. The reason I dropped email services on Brax.me was that I saw so much metadata it had made the platform dangerous, something that Silent Circle saw themselves. Again, they state the impossibility of being able to maintain the confidentiality of its customers' emails should it be served with government orders. That's what they said. This is the beauty of a platform, by the way, like Brax.me: no sucking metadata. You're never forced to identify yourself, which is why I chose not to support emails on it ever. Use it. It's free, it's a lot safer than email, and it has end-to-end encryption, and it's open source.

I've several videos on email, by the way. I also have a video of a live hackathon where 10,000 people watched it live and I demonstrated this SMTP port 25 traffic in plaintext. Make sure to watch those videos. I hope you got a good explanation, and subscribe to this channel. Also please follow me on the other video platform, LBRY (L-B-R-Y), Rob Braxman Tech. The link is in the description. Thank you for watching. [Music]
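Added example, not part of the video or its captions: a short Python script that reads the header trail the captions describe (Received hops, sender and recipient addresses, subject, timestamps) from a message whose body is PGP-armored, to show what stays readable when only the body is encrypted. The sample message, its hosts, addresses and IPs are constructed, and the function name and the assumed Received layout are illustrative.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: hosts, addresses and IPs (RFC 5737 ranges) are made up,
# and the body is a placeholder standing in for PGP ciphertext.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTPS id abc123
\tfor <bob@example.org>; Tue, 07 Apr 2020 10:15:32 +0000
Received: from alice-laptop (unknown [203.0.113.45])
\tby mx.example.net with ESMTPSA id def456;
\tTue, 07 Apr 2020 10:15:30 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Q1 tax return
Date: Tue, 07 Apr 2020 10:15:29 +0000

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

# Assumed layout: "from HOST (NAME [IP]) by HOST ..."; real servers vary.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")


def exposed_metadata(raw):
    """Return what the headers reveal, regardless of body encryption."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received header, so reverse to get path order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        try:
            when = parsedate_to_datetime(flat.rpartition(";")[2].strip()).isoformat()
        except (TypeError, ValueError):
            when = None
        hops.append({"from_host": m.group(1) if m else None,
                     "from_ip": m.group(2) if m else None,
                     "by_host": m.group(3) if m else None,
                     "time": when})
    addrs = lambda *names: [a for n in names
                            for _, a in getaddresses(msg.get_all(n, []))]
    return {"sender": addrs("From"), "recipients": addrs("To", "Cc"),
            "subject": msg["Subject"], "hops": hops,
            "body_is_pgp": msg.get_payload().lstrip().startswith("-----BEGIN PGP MESSAGE-----")}


if __name__ == "__main__":
    for key, val in exposed_metadata(SAMPLE).items():
        print(key, "=", val)
```

Running the same function over your own saved messages is a quick way to audit which hosts, client IPs and subject lines a provider or intermediate server sees for mail you considered private.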
Info
Channel: Rob Braxman Tech
Views: 204,443
Keywords: internet privacy, internet privacy guy, email unsafe, smtp, smtp protocol, privacy email providers, protonmail, tutanota, startmail, dangers of email, protonmail dangers, tutanota dangers, protonmail facts, tutanota review, protonmail review, how email works, email security, email encryption
Id: 8Ppl62Bl9RE
Length: 21min 29sec (1289 seconds)
Published: Tue Apr 07 2020