Another neat addition to end-to-end encrypted email client ProtonMail: It’s added a zero-access encrypted contacts manager that also digitally signs the contact info you store in it.
The new features have been added to v3.12 of ProtonMail’s web client, with the Swiss-based startup saying it’s working on also bringing the feature to its Android and iOS apps.
In a blog post announcing the contacts manager, it says the feature is a security benefit especially to those with a strong need to keep sources confidential — such as journalists — although it’s worth noting that any email addresses stored in the contacts manager are not encrypted (so this only applies to phone numbers and addresses).
The addition of encrypted contact fields brings many security benefits. For example, if you are a journalist with a confidential source, it is very important to protect the phone number or address of that source. Using the notes field in contacts, you can also add other information about the contact that will be protected with zero-access encryption. In order to do email filtering, we do not use zero-access encryption for email addresses — doing so also does not significantly improve privacy because as an email service, we necessarily must know who you are emailing in order to deliver the message.
It adds that it’s digitally signing contacts to “verify the integrity of contacts data” — offering users a “cryptographic guarantee that nobody (not even ProtonMail) has tampered with your contacts”.
The new digital signatures are used for all contact fields, including the email address, with signed (and thus untampered) contacts being denoted by a tick icon displayed alongside them.
ProtonMail‘s zero access encrypted email service exited beta in March last year. The company offers both a free e2e encrypted email client, with limited storage and feature, and paid tiers that beef up available capacity and capabilities.
It tells TechCrunch the new digital signature verification for contacts is available for all users.
While the e2e encrypted contact fields feature is currently only available for paid users — although co-founder Andy Yen says “this may change in the future”.
“In our view, verifying the authenticity of contacts data is even more important than hiding contacts data which is why digital signature verification is available for everyone,” he adds.
The full implementation of both features can be examined by outsiders via ProtonMail’s source code, which it open sources.
The company is also trailing a number of additional security enhancements that it says will build on the new contacts manager — and are coming in 2018.
“For example, our new contacts manager can also be extended to store public keys, which is an essential component for both sending PGP messages to people who don’t use ProtonMail, verifying the integrity of the keys themselves, and verifying the authenticity of received messages via digital signatures,” it notes, adding: “We are working on these, and many other security enhancements, and look forward to sharing them with the ProtonMail community in the future.”
to read the original article: