Feedback Friday Industry Experts Comment on Hive Ransomware Takedown

Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

ProtonMail Launches Encrypted Contacts Manager

Swiss-based encrypted email services provider ProtonMail announced on Tuesday the launch of a new tool designed to help users securely manage their contacts.

Swiss-based encrypted email services provider ProtonMail announced on Tuesday the launch of a new tool designed to help users securely manage their contacts.

According to the vendor, the new ProtonMail contacts manager has been in development for more than a year and it adds powerful functionality for managing the address book.

What makes ProtonMail Contacts highly secure is the fact that it uses zero-access encryption. This means contact information is encrypted and it can only be decrypted by the user – not even ProtonMail can access the data.

The company says the new encrypted contacts manager is ideal for journalists and other individuals for whom it’s critical that contact information is protected.

ProtonMail noted that the new feature secures phone numbers, physical addresses and other information added by the user, but it does not use zero-access encryption for email addresses as it would break email filtering functionality and it wouldn’t represent a significant privacy improvement considering that the service needs to know the recipient’s email address in order to deliver messages.

ProtonMail Contacts

On the other hand, the new ProtonMail Contacts tool does provide some protection for email addresses by using digital signatures to verify their integrity. The digital signatures mechanism, which provides a cryptographic guarantee that contact data hasn’t been tampered with, covers all the information stored in the address book, not only email addresses. If the application detects an invalid signature, it displays an error message to alert the user.

“This is a big security benefit for many reasons,” ProtonMail said in a blog post. “For example, if an attacker wanted to intercept the communications between you and a sensitive contact, one way to do it could be to secretly change the email address or phone number you have saved for that contact, such as changing john.smith(at) to john.snnith(at), which might escape your notice.”

The new contacts manager relies on new private and public key pairs for each account. The private key is generated based on the user’s password and it’s stored on the client side, preventing ProtonMail from gaining access to the encryption key. The same key pair is used both for encrypting contact information and digital signing.

The new contacts manager is currently only available for the web version of ProtonMail, but it will soon be added to the iOS and Android apps as well. Future versions of the tool will also allow users to store keys created for sending PGP-encrypted messages, ProtonMail said.

The source code for ProtonMail’s web client, including the contacts manager, is available on GitHub.

Related: ProtonMail Suspects State-Sponsored DDoS Attack

Related: Powerful DDoS Attack Cripples ProtonMail Service For Days

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...