
ProtonMail Restores Services After Epic DDoS Attacks

An anonymous reader writes: After several days of intense work, Switzerland-based end-to-end encrypted e-mail provider ProtonMail has largely mitigated the DDoS attacks that made it unavailable for hours on end in the last week. The attacks exceeded 100Gbps, and are still going on, but they are no longer capable of knocking ProtonMail offline for extended periods of time. The ProtonMail community of users proved to be invaluable for the company. In fact, in just a few days, they donated over $50,000 to the company's "defense fund," providing the resources to resist further attacks against email privacy.

  • by Falconnan ( 4073277 ) on Tuesday November 10, 2015 @10:06AM (#50900237)
    State actors or malicious mischief? That is the real question.
    • by Anonymous Coward
      State actors. They were paid off, but went ahead and DDoS'd anyway. The DDoS or dissolving of protonmail entirely were the goals.
      • by Anonymous Coward on Tuesday November 10, 2015 @10:41AM (#50900531)

        Just to clarify:
        ProtonMail were *forced* to pay the ransom, it wasn't entirely their choice [wordpress.com].

        "At this point, we were placed under a lot of pressure by third parties to just pay the ransom"
        due to... "hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us"

        And no doubt, this is the start of a series of attacks against them, by the likes of the terrorists at the NSA/GCHQ.

      • by GuB-42 ( 2483988 )

        There are two different actors. The first was in for the ransom and stopped after being paid.
        The second uses a much more advanced attack, has unknown motives, and may have chosen to strike at the same time as an attempt to put the blame on the first group.

    • State actors or malicious mischief? That is the real question.

      We shall see.

      If these guys suddenly start getting payments of just over US$10,000 into their bank accounts, which are then reversed or cancelled, so that their bank is forced to close their accounts because they can't cope with the overhead of the constant stream of reporting on possible money laundering, then we'll know it's a state actor.

  • by Anonymous Coward on Tuesday November 10, 2015 @10:28AM (#50900409)

    They're asking for an email account so that they can send you an invite. How is this remotely anonymous?

    Being in .ch is nice and all, and gives you that "Swiss Bank Account" feel, but the XKCD comic about encryption & pipe wrenches comes to mind. Since the Banks have rolled (because Nazis) what is going to keep your free email secure when the Polizei comes knocking?

    • Simple, the admins cannot access the emails of their users, it's encrypted on the servers. The most the police can hope to get, if they can get anything at all, would be header and routing information, which is the metadata, not the content.

      • I think the goal they are trying to provide is sincere and valid. But, looking over their company, I don't see a reason to trust their implementation. Check the 'about' page and you'll see no description of anyone being a true data scientist with a Masters or PhD. To be credible, they would need to have a third-party security audit performed on their source code. No mention of that anywhere.

        Because it's closed-source, you have no assurance the client and server are not juggling SSL keys and allowing a MITM
        • It's not closed source--the encryption library used is OpenPGPjs, which has been extensively audited, and the client, which is where all the encryption and decryption happens, is also open source: https://github.com/ProtonMail/... [github.com] Nobody can really guarantee against back doors, but using open source certainly helps, as the more eyes on it the better. Also, not that it's terribly relevant, but there are at least 4 PhDs working for ProtonMail.
    • by Anonymous Coward

      It depends on your threat model. If you're sufficiently interesting to the thugs that pipe wrenches become involved, then no, ProtonMail won't save you. But an encrypted email service will at least protect your mail from getting caught up in the "new normal" mass data collection. (And the use of encrypted mail may in turn make you more interesting to the thugs, sigh...)

  • The article says:

    in just a few days, they donated over $50,000

    I would just complain to my ISP, over the phone obviously, and demand a compensatory cut in monthly bill... not give them *more* money.

  • by lesincompetent ( 2836253 ) on Tuesday November 10, 2015 @10:42AM (#50900533)
    Much more info on this official blog post: https://protonmail.com/blog/pr... [protonmail.com]
