ProtonMail and Sephia Five, a comparison

ProtonMail was the first mainstream, cryptographically secured, Open Source webmail system that became popular among the general population and was practical for the masses to use. Andy Yen, one of its founders, even gave a TED talk about it in 2015. Since I predict that a lot of potential users of Sephia Five will argue that “ProtonMail already exists, what’s the point of Sephia Five” – I thought I’d create a comparison between the two, to illustrate why I think Sephia Five definitely has the right to live.

First of all, I must say that I am fundamentally in agreement with Andy Yen, and I too believe that privacy is the number one issue in the 21st Century. I sincerely hope that ProtonMail succeeds, and helps us reinstate privacy among the general population of the Earth. Andy’s vision and mine are almost perfectly aligned in that regard. I admire Andy and his colleagues for what they have done, and I wish them all the best!

That said, I thought I’d illustrate the difference, such that people can weigh the systems neutrally against each other, and make an informed decision. Below I have created a comparison between the two, on a point-by-point basis, illustrating the value proposition of Sephia Five, compared to that of ProtonMail.

Server side versus client side cryptography

Andy Yen argues that cryptography shouldn’t occur on the server, but rather on the client. This is based upon the assumption that the server is not owned by the end user, and/or the entity that needs a cryptographically secured email system. In a “Google and GMail world”, he is right. However, web servers are becoming cheaper every day, and in fact, you could easily convert a 10 year old laptop into a personal web server, and have it run blisteringly fast today. And with cheaper and faster internet connections being delivered by our ISPs every day, setting up a “home server” over a plain home internet connection would only require a fixed IP address, which most ISPs would be willing to give you for less than $5 today. Hence, the argument is (almost) moot.

This would allow you to create a private web server, which you could put in your home, expose to the web, and use to access your email using any device, from anywhere in the world. This means that your private PGP keys would be much safer, since you wouldn’t have to put them on every device you use to read your email. This would increase the availability, without increasing the attack surface. Arguably, this is more difficult than simply registering at ProtonMail’s website and starting to use it – However, that will soon also be a moot point, since creating a secured Linux web server becomes easier with every day that passes, thanks to, among others, Ubuntu.

Besides, JavaScript is notorious for security holes, and hence the probability that a private PGP key could be compromised when stored on the client is much larger than if you had your private PGP key on the server, never allowing access to it from the client.

With Sephia Five your private PGP key is probably orders of magnitude safer than with ProtonMail – Sorry Andy …

Searching emails would also be more difficult, since the server won’t know the contents of the emails, and if you wanted to perform a search of every email you have in your inbox, you’d have to download every email to the client, decrypt it, and then perform a search. Needless to say, this would literally explode your bandwidth consumption. With a server-based key solution, you could simply decrypt the email once when it is received, store it in your database, which is secured on your server, and run a simple SQL query when you want to search through your existing emails. I must admit that I don’t know how ProtonMail has solved this, but the search problem is definitely a hard one for them, I would assume.

Hence, the usability of a webmail system based upon client-side private PGP keys would very likely decrease significantly if you only allow decryption on the client side.

In addition, I would assume that a server-side PGP decryption library written in C# would probably be able to encrypt and decrypt an email several orders of magnitude faster. Not to mention, it wouldn’t have to download any attachments in these encrypted emails to the client before the user explicitly requested them. Please feel free to correct me if I am wrong here though …
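The search trade-off described above, as an added sketch that is not Sephia Five’s or ProtonMail’s code: `toy_cipher` is a labelled stand-in for PGP (not real cryptography), and the mailbox, key, table and function names are constructed for illustration.

```python
import hashlib
import sqlite3

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for PGP (NOT real cryptography): XOR with a SHA-256 keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample mailbox: (subject, body)
MAILS = [
    ("Invoice 1042", "Please find the invoice for March attached."),
    ("Lunch", "Are you free on Friday?"),
    ("Re: Invoice 1042", "Payment for the invoice was sent today."),
]
KEY = b"constructed-demo-key"

def build_store(decrypt_on_receipt: bool) -> sqlite3.Connection:
    """Server mail store. With decrypt_on_receipt the server holds the key and
    keeps plaintext, so whoever controls the database host can read the mail."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mail (id INTEGER PRIMARY KEY, body BLOB)")
    for subject, body in MAILS:
        wire = toy_cipher(KEY, f"{subject}\n{body}".encode())  # as received
        stored = toy_cipher(KEY, wire) if decrypt_on_receipt else wire
        db.execute("INSERT INTO mail (body) VALUES (?)", (stored,))
    return db

def server_side_search(db: sqlite3.Connection, term: str) -> list:
    """Server-side key: one parameterised query, only matching ids travel."""
    rows = db.execute(
        "SELECT id FROM mail WHERE instr(body, ?) > 0 ORDER BY id",
        (term.encode(),))
    return [row[0] for row in rows]

def client_side_search(db: sqlite3.Connection, term: str):
    """Client-side key: every ciphertext is downloaded, decrypted, then scanned."""
    hits, downloaded = [], 0
    for mail_id, blob in db.execute("SELECT id, body FROM mail ORDER BY id"):
        downloaded += len(blob)
        if term.encode() in toy_cipher(KEY, blob):
            hits.append(mail_id)
    return hits, downloaded
```

Running `server_side_search` against a store built with `decrypt_on_receipt=False` returns nothing, because the SQL engine only ever sees ciphertext; the client-side path finds the same messages but its download count grows with the size of the whole mailbox.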

Business model

Sorry, but I cannot see ProtonMail’s business model. Either they have none, or I am simply too dumb to understand it. Sephia Five has what I feel is a very strong business model, which is based upon the needs of corporations for securing their email. This allows me to have corporations “pay for the fun”, while letting people in general enjoy the benefits. Simply put, our business model is to deliver additional add-on services and products, which would only make sense for corporations and professional consumers, and charge for these, while allowing the general public to reap the benefits by being allowed to use the core of Sephia Five for free.

This gives us the best of two worlds, where we would (hopefully) be able to create a community of devoted individuals who help us maintain and develop the system – While at the same time allowing companies to reap the benefits, creating a symbiosis between the corporate world and the home world. ProtonMail, meanwhile, would (probably) not be of interest to corporations, since paradoxically, these corporations would be highly unlikely to allow a cryptographically secured email system to be used in their organisations if it did not permit the management to have access to the emails of their employees.

The last point is crucial, since with ProtonMail, the decryption would occur on the client (correct me if I am wrong) – Which would not permit the employer to have access to emails sent by their employees. After all, when you use your corporate email address to send out emails, you are using the property of your employer – And the data you send in these emails is ipso facto the property of your employer. In such a regard, ProtonMail would probably be useless for most companies, I would assume …

Arguably, the lack of a business model would, I believe, make ProtonMail a fad, unless they’re able to pull a “Wikipedia” model out of their sleeves somehow …

Installation

This is probably the point where Sephia Five would come out as losing. It is obviously easier to create a username and password over at ProtonMail’s website, create a private PGP key pair in JavaScript, and start sending and receiving emails – Than it is to set up your own web server and install Sephia Five.

However, this is also Sephia Five’s main selling point, since we actually charge for helping companies and corporations set up their own servers. Hence, what seems to be the losing point for Sephia is actually what ensures we have a business model, and are able to sustain further development, by making money doing what we love! Which is the one thing we have in common with the guys behind ProtonMail.

Privacy matters!!

Addendum: For the record, ProtonMail’s main selling point seems to be that they’re located in Switzerland. With Sephia Five you could install your server, and host your data wherever you wish. Including Switzerland, Bangladesh or the Bahamas for that matter …

Sorry Andy, we won that last one … 😉

Yet again, I wish ProtonMail good luck, and would like to finish up with a personal encouragement to Andy and his guys over at ProtonMail.

Give ’em hell bro!!
