Slashdot Mirror


'World's Most Secure' Email Service Is Easily Hackable (vice.com)

Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time on assessing how valid Nomx's claims are. Very misleading, it turns out. From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone into visiting a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat. A report on BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."

4 of 77 comments

  1. Re:How about Proton mail? by wardrich86 · Score: 4, Informative

    I use it, and I haven't had any issue. It's not as nice as Gmail, but if you're looking for a relatively simplistic layout and encrypted email, Proton is solid.

  2. Re:Nomx has a reply on their site by Anonymous Coward · Score: 5, Informative

    The statement on nomx's website is horribly misleading. None of the attacks described require physical access or rooting; the security researcher just did those things to help find things. The CSRF attacks he was performing would work on any out-of-the-box nomx device.

  3. Re:How about Proton mail? by Anonymous Coward · Score: 5, Informative

    I use protonmail too and it seems to be about as secure as webmail could possibly be.

    The good:
    - Hosted in Switzerland at CERN, away from the "five eyes".
    - Switzerland has data privacy in its constitution.
    - Unfortunately, sometimes the authorities in Switzerland will ask for information about a user and ProtonMail has to cooperate. But this happens rarely and always shows up on their quarterly transparency report. And they /don't/ have access to old messages on your account.
    - Your account logs every sign-in attempt and whether it succeeded or failed, so you can tell if someone is trying to guess your password.
    - Your emails are symmetrically encrypted against your password, so they can't access your old emails without you even if they tried. (A side effect of that is that if you forget your password, they can recover your account, but not your old emails.)
    - When two ProtonMail accounts email each other, it uses end-to-end encryption straight from one browser to the other.
    - They have a work-around for emailing insecure accounts: you can choose to just send them clear text, OR you tell someone a password in advance and then, instead of sending them your email message, it emails them a link to an encrypted ProtonMail webpage with your message in it. It's awkward, but it's an option.

    The bad:
    - They put a signature in every email: "sent from protonmail secure email". If you want to delete it you need to do it manually. Disabling it is a premium feature you have to pay for. ...IMO, beats NSA spying.

  4. Re:NoMX's Response by sbrown7792 · Score: 4, Informative

    The old software's vulnerabilities were few and you needed physical access to exploit them.

    The researcher/blogger needed physical access to discover the exploits, but the CSRF attacks can be embedded into any webpage; he even provides the code in his blog post.

    Side note: I'd suggest watching the nomx videos about "How it Works". Quality.
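Comments 2 and 4 both make the same point: a CSRF attack needs no physical access, because the victim's own browser sends the request (with the device's session cookie) from whatever page the attacker controls. What stops that class of bug on the server side is an origin check plus a per-session synchronizer token. The following is an added example of those two checks, not code from Helme's blog post or from the Nomx firmware; the `nomx.local` hostname, the `Session`/`Request` models and the `handle_create_mailbox` endpoint are hypothetical stand-ins for a device admin web app.

```python
# Added example (not from Helme's post or Nomx's code): the two server-side
# checks that stop the "visit a malicious page, lose your mailbox" CSRF class.
# The device hostname, session model and mailbox handler are hypothetical.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical origin of the device's own admin UI; anything else is cross-site.
DEVICE_SCHEME, DEVICE_HOST = "https", "nomx.local"

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Server-side session. The token lives here, so a page on another origin
    cannot read it; a cookie alone is sent automatically with a forged POST."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: dict
    form: dict


def from_device_origin(headers: dict) -> bool:
    """Check 1: Origin (or Referer as fallback) must be exactly the device's origin.
    Parsing instead of prefix-matching avoids accepting nomx.local.evil.example."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no provenance at all on a state-changing request: reject
    parts = urlsplit(source)
    return (parts.scheme, parts.hostname) == (DEVICE_SCHEME, DEVICE_HOST)


def token_matches(form: dict, session: Session) -> bool:
    """Check 2: the token submitted in the form body must equal the session's.
    Constant-time compare so the check does not leak the token via timing."""
    return hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token)


def is_csrf_safe(req: Request, session: Session) -> bool:
    """Safe methods must not change state, so only the others need both checks."""
    if req.method.upper() in SAFE_METHODS:
        return True
    return from_device_origin(req.headers) and token_matches(req.form, session)


def handle_create_mailbox(req: Request, session: Session) -> str:
    """Hypothetical state-changing endpoint (adding an address), guarded by the checks."""
    if not is_csrf_safe(req, session):
        return "403 csrf check failed"
    return f"201 created {req.form.get('address', '')}"


def demo() -> dict:
    """Constructed requests: one from the device's own page, two cross-site ones."""
    session = Session()
    legit = Request("POST", {"Origin": "https://nomx.local"},
                    {"address": "new@nomx.local", "csrf_token": session.csrf_token})
    # A form auto-submitted from another site: the browser sets Origin to that
    # site and attaches the victim's cookies, but cannot supply a token it never saw.
    forged = Request("POST", {"Origin": "https://evil.example"},
                     {"address": "attacker@nomx.local"})
    # Lookalike hostname, to show why the origin is parsed rather than prefix-matched.
    lookalike = Request("POST", {"Referer": "https://nomx.local.evil.example/x"},
                        {"address": "attacker@nomx.local", "csrf_token": "guess"})
    return {
        "legit": handle_create_mailbox(legit, session),
        "forged": handle_create_mailbox(forged, session),
        "lookalike": handle_create_mailbox(lookalike, session),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token check alone is enough against classic CSRF; the origin check is a cheap second layer that also rejects requests with no `Origin` or `Referer` at all, which is what a defender wants on a device whose admin UI is only ever used from its own pages.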