ProtonMail Restores Services After Epic DDoS Attacks

An anonymous reader writes: After several days of intense work, Switzerland-based end-to-end encrypted e-mail provider ProtonMail has largely mitigated the DDoS attacks that made it unavailable for hours on end in the last week. The attacks exceeded 100Gbps, and are still going on, but they are no longer capable of knocking ProtonMail offline for extended periods of time. The ProtonMail community of users proved to be invaluable for the company. In fact, in just a few days, they donated over $50,000 to the company's "defense fund," providing the resources to resist further attacks against email privacy.

Re:

[Maritz]

Well, just because you have one, doesn't mean you're not one.

Re:

[PopeRatzo]

I have a Penis and im not afraid to use it

You better ask the guy it's attached to first.

Re:

[Tokolosh]

And they say there are no women in tech.

That's some serious traffic

[Falconnan]

State actors or malicious mischief? That is the real question.

Re:

[Anonymous Coward]

State actors. They were paid off, but went ahead and DDoS'd anyway. The DDoS or dissolving of protonmail entirely were the goals.

Re:That's some serious traffic

[Anonymous Coward]

Just to clarify:
ProtonMail were *forced* to pay the ransom, it wasn't entirely their choice [wordpress.com].

"At this point, we were placed under a lot of pressure by third parties to just pay the ransom"
due to... "hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us"

And no doubt, this is the start of a series of attacks against them, by the likes of the terrorists at the NSA/GCHQ.

Re:

[GuB-42]

There are two different actors. The first was in for the ransom and stopped after being paid.
The second uses a much more advanced attack, has unknown motives, and may have chosen to strike at the same time as an attempt to put the blame on the first group.

Re:

[myowntrueself]

State actors or malicious mischief? That is the real question.

We shall see.

If these guys suddenly start getting payments of just over US$10,000 into their bank accounts, which are then reversed or cancelled, so that their bank is forced to close their accounts because they can't cope with the overhead of the constant stream of reporting on possible money laundering, then we'll know its a state actor.

"anonymous" and "secure" what a joke

[Anonymous Coward]

They're asking for an email account so that they can send you an invite. How is this remotely anonymous?

Being in .ch is nice and all, and gives you that "Swiss Bank Account" feel, but the XKCD coming about encryption & pipewrenches comes to mind. Since the Banks have rolled (because Nazis) what is going to keep your free email secure when the Polizei comes knocking?

Re: "anonymous" and "secure" what a joke

[Corwyn_123]

Simple, the admins cannot access the emails of their users, it's encrypted on the servers. The most the police can how to get, of they can get anything at all, would b header and routing information, which is the meta data, not the content.

Re:

[SethJohnson]

I think the goal they are trying to provide is sincere and valid. But, looking over their company, I don't see a reason to trust their implementation. Check the 'about' page and you'll see no description of anyone being a true data scientist with a Masters or Phd. To be credible, they would need to have a third-party security audit performed on their source code. No mention of that anywhere.

Because it's closed-source, you have no assurance the client and server are not juggling SSL keys and allowing a MITM

Re:

[bartbutler]

It's not closed source--the encryption library used is OpenPGPjs, which has been extensively audited, and the client, which is where all the encryption and decryption happens, is also open source: https://github.com/ProtonMail/... [github.com] Nobody can really guarantee against back doors, but using open source certainly helps, as the more eyes on it the better. Also, not that it's terribly relevant, but there are at least 4 PhDs working for ProtonMail.

Re:

[Anonymous Coward]

It depends on your threat model. If you're sufficiently interesting to the thugs that pipe wrenches become involved, then no, ProtonMail won't save you. But an encrypted email service will at least protect your mail from getting caught up in the "new normal" mass data collection. (And the use of encrypted mail may in turn make you more interesting to the thugs, sigh...)

Re:

[TWTiger]

Well, I don't know, but I do know which government that just approved a new surveillance law....

Re:

[nitehawk214]

Yes

I wonder about the client base

[Coisiche]

The article says:

in just a few days, they donated over $50,000

I would just complain to my ISP, over the phone obviously, and demand a compensatory cut in monthly bill... not give them *more* money.

SubjectsInCommentsAreStupidCusTheSubjIsTheArticle

[lesincompetent]

Much more info on this official blog post: https://protonmail.com/blog/pr... [protonmail.com]

Re:

[nitehawk214]

I would donate money to help fight it, but not if they are just going to give the money to the attackers. Which seems to be exactly what they did here.

And it was probably the government of a country obsessed with surveillance of their own people, so no amount of ransom is going to make that go away. The internet service providers are, of course, in on it.

Re:

[Zorpheus]

What? Are you claiming that Radware attacked them to get the contract to help them?

Re:

[nitehawk214]

I believe it was a government that sponsored the DDOS. Thus it did not stop when they were paid off. I don't know who Radware is.

Re:

[Zorpheus]

According to the article Radware were paid the $50000 to handle this attack. Well, it is not that much to read ;)

Re:

[Anonymous Coward]

And it was probably the government of a country obsessed with surveillance of their own people, so no amount of ransom is going to make that go away.

Heh. I do find it interesting that the FBI's official advice regarding CryptoWall is to just pay the ransom. Considering CryptoWall has plagued the world for several years now with no one caught, when other TOR-based crimes like online drug sales and child porn are easily busted, it sorta makes you wonder who's behind CryptoWall and why they're not busted, no? I can picture James Comey checking the FBI's clandestine Bitcoin balance when he arrives at work each morning, figuring out how many more Stingrays h

Re:

[nitehawk214]

Of course, if people take the payoff, then the FBI doesn't have to bother with hunting for the criminals. Pretty convenient to skip out on doing their jobs.

Re:

[KGIII]

What if the next writer is referring to a saga that is truly epic? What then, smart guy? Grind their nuts off just 'cause the word chafes your nether regions?

Stand up, put a foot on one chair and the other foot on another chair. Use a brick to hit yourself in the head, over and over, until you've knocked some of the sand from your vagina. Life will be much easier then.

Re: Question On How Proton Works

[Anonymous Coward]

Wasn't aware that they claires self-destructing mais but when I send an en crypted Mail to a non-protonmail account what they receive is a LINK to the encrypted message on the proton mail server where they must enter the password to read it. So I guess the link probably expires.

Re:

[ale2011]

The fact than one finds more advertising than explanations already betrays the true nature of that feature. In short, you post a link to an ephemeral resource; but you may further encumber that with DRM-like stuff. More here [stackexchange.com] and here [cnet.com].

In fact, all email is self-destructing, eventually. Just not under the sender's control.