The Truth About “The Truth About ProtonMail”

There is an absurd anti-ProtonMail screed that I’ve seen shared in numerous forums now that has levels of stupidity rarely seen out of someone not named Donald Trump.

The Truth About Protonmail is a classic example of a Gish gallop. What the argument lacks in quality, it makes up for in quantity. The process of debunking every absurd claim in the piece would be a significant undertaking, even though almost everything in the screed is specious.

A helpful heuristic in these situations is that readers can safely dismiss an article once one of its arguments shows shoddy research and/or a complete misunderstanding of the subject under discussion. Life is short, and while someone may be wrong about almost everything except for one brilliant insight, the odds are that any genuine insight about something as widely scrutinized as email security would already have been noticed or debated elsewhere.

In this case, the author of “The Truth About Protonmail” helpfully demonstrates that they have little understanding of the issues at hand in point 6:

6. Protonmail Follows CIA Email format & Metadata Requirements

Leaked documents at Wikileaks show that the CIA requires emails to be stored as an EML filetype. There are several ways to store emails, and Protonmail has selected the format that the CIA requires. Protonmail offers no protection for users’ metadata and has officially stated that they turn metadata over to Law Enforcement. Edward Snowden revealed that the US government cares least about the content of emails. Mr. Snowden revealed the US Law Enforcement cares most about who a person is talking to, the dates & times of the emails, and the subject of the email. Subject and metadata encryption are not difficult to provide. However, Protonmail refuses to offer any protection on data that is most valuable to the CIA & FBI and they store it as plain text (No encryption). Edward Snowden stated the NSA “isn’t able to compromise the encryption algorithms underlying these technologies. Instead, it circumvents or undermines them by forcing companies to cooperate in other ways.” Protonmail has refused to protect the information the NSA wants; this is a concern.

Beginning in 1982, the Internet Engineering Task Force has approved several RFCs that describe the standard format for email messages. These have primarily ensured interoperability between different email systems.

An EML file is simply a saved version of an email that complies with these Internet standards.

EML files are commonly used to allow messages to be easily saved and viewed in other email clients. For example, I can save a message from ProtonMail as an EML file and then easily import that into Thunderbird, Outlook, Apple Email, or almost any other email client.

The other widely used format for storing emails is MBOX, which saves an entire mailbox or folder as a single file. This has some advantages but also some technical drawbacks.
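To make the EML/MBOX distinction concrete, here is an added example (not part of the original post) using Python's standard `email` and `mailbox` modules on a constructed sample message: it parses a single EML file, pulls out the standard header fields that sit outside the body, and packs several EML messages into one MBOX file and back.

```python
import email
import mailbox
import os
import tempfile
from email import policy

# Constructed sample in the RFC 5322 / EML form: a header block, a blank
# line, then the body. Not a real ProtonMail export.
SAMPLE_EML = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Date: Mon, 04 May 2020 10:15:00 +0000\n"
    "Subject: Quarterly report\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Hi Bob,\n"
    "the draft is attached in the next mail.\n"
)

def parse_eml(text: str):
    """Parse one EML (RFC 5322) message from a string."""
    return email.message_from_string(text, policy=policy.default)

def envelope_metadata(msg) -> dict:
    """Header fields every EML carries outside the (possibly encrypted) body."""
    return {n: str(msg[n]) for n in ("From", "To", "Date", "Subject") if msg[n]}

def eml_to_mbox(emls: list, path: str) -> int:
    """Append single-message EML strings to one MBOX container file."""
    box = mailbox.mbox(path)
    for text in emls:
        box.add(parse_eml(text))      # mbox prepends its own "From " separator
    count = len(box)
    box.close()                        # close() flushes the file to disk
    return count

def mbox_to_eml(path: str) -> list:
    """Split an MBOX file back into individual EML strings."""
    box = mailbox.mbox(path)
    out = [m.as_string() for m in box]
    box.close()
    return out

def roundtrip(emls: list) -> list:
    """EML -> MBOX -> EML in a temp dir; returns each message's metadata."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "export.mbox")
        eml_to_mbox(emls, path)
        return [envelope_metadata(parse_eml(t)) for t in mbox_to_eml(path)]
```

Running `roundtrip([SAMPLE_EML, SAMPLE_EML])` shows two separate messages surviving the trip through a single MBOX file, with their header fields intact.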

Portraying something like the EML format as suspect because “There are several ways to store emails, and Protonmail has selected the format that the CIA requires” is the cyber equivalent of suggesting that researchers should look into injecting disinfectant into people to combat COVID-19.

One thought on “The Truth About “The Truth About ProtonMail””

  1. Good to hear that ProtonMail is secure because the email format they use was approved by a standards organisation supported by the US government. Dual_EC_DRBG was also approved by a standards organisation supported by the US government.

    Any thoughts on why, in spite of implementing PGP for compatibility reasons, ProtonMail cannot exchange encrypted e-mails with users of another server, or support desktop clients – especially given that any encryption implemented in the browser is not worth a penny?
