Yahoo! confirmed a massive security breach recently. Unless you have been living under a rock, you probably heard about it. Breaches like this one, such as the Ashley Madison hack, in which over 37 million accounts were compromised, are commonplace these days.
The Yahoo! breach is much bigger than Ashley Madison, with over half a billion accounts confirmed to be compromised. With this in mind, you might want to consider a new, more secure email provider such as ProtonMail.
What Is ProtonMail?
ProtonMail is a free email service that focuses on security and privacy by allowing users to easily send and receive encrypted emails. ProtonMail is also open source and, of course, based on Linux.
Adding security features like two-factor authentication or some simple security questions is often an afterthought for many email service providers, and security measures like these aren’t always up to the task of keeping the bad guys out. ProtonMail has security at its core, so with them it’s a way of life, not an afterthought.
Because your mailbox is encrypted, the ProtonMail staff have zero access, never mind the NSA. ProtonMail will ask you for your mailbox decryption key after you have initially logged in. You won’t be able to access your mailbox until you have entered both sets of credentials.
The first password allows you to log on to the server, just like any traditional method of logging on. The server then decrypts and mounts your mailbox once you have entered your “Decrypt Mailbox” key. Without this, your mailbox is useless.
The encryption goes much further than just your mailbox. Emails are transmitted in an encrypted format between servers and user devices, and emails sent between ProtonMail users are protected by end-to-end encryption via a secure server network. Because data is encrypted at all steps, the risk of message interception is largely eliminated.
The encryption process uses public and private keys. The public key is used by the sender to scramble (encrypt) the message, then the recipient uses their private key to un-scramble (decrypt) the message when they receive it. The basic process is shown in the diagram below:
Encryption Outside of ProtonMail
Encryption can also be applied to messages that are sent outside of ProtonMail. Here’s how that works.
When composing a message, select the padlock button from the composer window. This will open the encryption options for your message.
Enter an encryption password and a hint that allows the recipient to decrypt the message. The hint could be something as simple as “I’ve texted the password to you”, or it could be instructions as to what the password is.
Click the Set button, finish composing your email as normal, and hit Send when you’re ready. The recipient will receive an email with a link to view the secure message.
Once the recipient clicks on the View secure message link, they will be asked to enter the password. They will then be able to view the message.
The recipient can also reply to the message from this window, which will be sent from their email address. This message will, of course, be encrypted also.
Encrypted messages that are sent outside of ProtonMail will expire after 28 days.
Our company’s overriding policy is to collect as little user information as possible to ensure a completely private and anonymous user experience when using the Service. We also have no technical means to access your encrypted message contents.
Sharing too much of your privacy online is commonplace nowadays, so anything that can be done to limit that exposure has to be a good thing.
The ProtonMail user interface is a pleasure to use. The developers have done a great job making such a clean interface with great advanced features, such as custom themes, alias addresses, email filtering and signatures. The features are on par with most other free email services out there. So there’s no need to worry about giving up features in favor of security.
A number of service tiers are available to choose from, ranging from the free 500 MB of email storage, up to $30/month for 20 GB of storage and some additional features, such as custom domain names. If you are not a heavy email user, then the free 500 MB service should be fine.
Is It Email for Nerds?
Even though ProtonMail has all this fancy encryption, it’s not just for nerds. Once you have logged in and entered your decryption key, the process of sending an email is exactly the same as you would expect from any other email service. ProtonMail handles all of the clever stuff for you.
Apps are available for both Android and iOS, so getting your secure email on the go is no more difficult than logging in. The mobile apps are classed as being in beta, but I’ve found them to be extremely stable and had no issues. Security could be compromised by using IMAP and POP, so ProtonMail does not support them, which means you won’t be able to use third-party mail apps with the service.
Should I Leave Yahoo!?
This is a question only you can answer, but being online requires a pragmatic approach to both security and privacy. You will limit your risk of exposure by considering both at all times.
Often there is a trade-off between security and ease of use, but ProtonMail takes that trade-off and tips the balance in favor of security, whilst managing to remain as simple to use as your Yahoo! Mail account.
Leaving Yahoo! (or any other widely used webmail service) in favor of ProtonMail won’t guarantee your security online though, as no service is immune to attack. The only way to achieve 100 percent security is to stay off the internet. It’s a harsh fact, but it’s true. If you decide to stay with Yahoo!, I would urge you to go and change your password right now.
Have you been affected by the Yahoo! breach? Do you have security concerns, and are you considering a move to something like ProtonMail? Tell us your thoughts in the comments below.