ProtonMail DDoS wipeout: Day 6. Yes, we're still under attack

Encrypted email provider ProtonMail is still being hit by a DDoS attack from what appears to be a nation state, as well as a secondary and separate lower-level assault from an identified assailant. However, the service is now operating normally, it seems. Switzerland-based ProtonMail offers an encrypted webmail system able to …

  1. Doctor Syntax Silver badge

    It's time to update SMTP to make end to end encryption default

    That way there would be no point in NSA or the like hitting anybody. To some extent it would take away part of ProtonMail's advantage but there would still be value being based in one of the few places that takes confidentiality so seriously.

    1. ZSn

      Re: It's time to update SMTP to make end to end encryption default

      You can use pgp with enigmail. It takes all of five minutes to set up. However, people at heart don't really care. You're telling me that the same people that smoke (with a 50% chance of dying horribly a decade or two early) care about e-mail security? It's an abstract issue until it's too late for them.

      IT security is like the toilets, a ridiculous topic of conversation unless it breaks and you're standing knee deep in sewage.

        1. Anonymous Coward

        Re: It's time to update SMTP to make end to end encryption default

        You can use pgp with enigmail. It takes all of five minutes to set up

        .. if all you care about is encrypting the contents of your email, nothing else.

      2. Doctor Syntax Silver badge

        Re: It's time to update SMTP to make end to end encryption default

        "You can use pgp with enigmail. It takes all of five minutes to set up. However, people at heart don't really care."

        That is why it needs to be the default. Encrypted and signed.

        Signed email? Even Microsoft's email spam filters might be able to spot "click here or we'll suspend your account" spam.

      3. Mark 85 Silver badge

        Re: It's time to update SMTP to make end to end encryption default

        I agreed with you on most of your points but linking smoking and encryption was over the top. Might as well link being a non-vegan and encryption.

        1. ZSn

          Re: It's time to update SMTP to make end to end encryption default

          @Mark 85 well, not quite. As a species we are shockingly bad at judging risk. If it is big and scary and in front of us we concentrate on it. For example terrorist attacks kill, proportionately, few people. Far more die daily in car accidents (about ten a day in Britain, a lot more in the USA), but that gets ignored. So getting information security up the agenda is like an abstract risk, like cholesterol, smoking, the right to arm bears, Italian drivers etc. Etc.

      4. John Tserkezis

        Re: It's time to update SMTP to make end to end encryption default

        "You can use pgp with enigmail. It takes all of five minutes to set up."

        We've been through this before, on at least a couple of reports.

        No, it can't be done in five minutes, or even five fucking months when you're talking about joe average who's barely just learned what email is all about.

        Or do those "not in the know" not deserve encryption?

    2. TeeCee Gold badge

      Re: It's time to update SMTP to make end to end encryption default

      Yeah, let's solve a simple problem by being an incredibly fucking stupid bunch of rabid Stalinists.

      Back compatibility?

      Upgrade costs?

      Migration?

      Guess what? Your saying "we need to force everyone to do xyz whether they want it or not" makes you no better than ${government} saying "we need to force everyone to do xyz whether they want it or not"....

    3. Steve Knox

      Re: It's time to update SMTP to make end to end encryption default

      That way there would be no point in NSA or the like hitting anybody.

      Sure there would. This attack in particular is an example of something which would continue to be effective even with end-to-end encrypted SMTP everywhere.

      This is a Distributed Denial-of-Service attack. The direct purpose of a DDoS is to make a service unavailable. While they are sometimes used to distract from other attacks, they are designed specifically to disrupt communications.

      There is often benefit to state intelligence agencies simply to disrupt others' communications, and end-to-end e-mail encryption doesn't prevent DDoS attacks.

    4. druck Silver badge

      Re: It's time to update SMTP to make end to end encryption default

      Where is the robust key management infrastructure to support it going to come from? The magic spaghetti tree?

  2. stevenotinit

    In all fairness to Protonmail.....

    they said they were under extreme duress by other businesses to pay up. I'll take their word for it. Yes, long term, it was a bad decision, and they do know that big time now.

    1. elDog Silver badge

      Re: In all fairness to Protonmail.....

      Haven't I just read on ElReg a recent article on CryptoLocker4 which appears to be even more malicious than the original? The part that caused the sack to pucker was CL's ability to wait in hiding for months, slowly encrypting files so that even the ones on backups may be useless. Clever!

      In that article there were quite a few really decent comments about how to put critical resources (files/folders) on ZFS or other external file systems and establish very strong control of Read/Write access. If you MUST use Windows, just let the user's Desktop be held hostage.

      1. ZSn

        Re: In all fairness to Protonmail.....

        @elDog - Did you just reply to the wrong post, or did I just misread the article?

        1. elDog Silver badge

          Re: In all fairness to Protonmail.....

          It could have been a misreading on my part, but I was going on this text from the article:

          Late last week the company paid a bitcoin ransom worth £3,500. A company statement explained:

          We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.

  3. Danny 2 Silver badge

    "Maybe if you hadn’t paid the ransom to the wrong attackers it would be over"

    Funny joke but still victim-blaming - what is the secondary attackers' bitcoin, and would they really be satisfied with the pocket money originally demanded? I'm guessing the attack will stop only if ProtonMail say they'll no longer accept British email accounts, and issue a statement saying Theresa May is a saint, the UK is a bastion of freedom and they won't intrude here again with their dirty, nasty encryption.

    It is cheering that they've raised their donation target, almost, and that they are now getting help from DDoSing experts. It's up and active, that's the main thing, and they obviously weren't cracked and maintained delivery of mails.

    Personally I'm a bit down as I'm being prosecuted just now and expected some emails from the police, politicians and lawyers I'd emailed just before the attack - no such luck there. My bleeding useless, corrupt and dishonest court-appointed defence lawyer even blocked me as 'spam' after my first email to him. For all you tax-payers out there, legal aid today is benefits for lawyers, nothing more. I can't even confess unless I borrow money for the print-out! I also want to relocate to Switzerland, hell, even Syria seems a more rational destination just now. In the wise words of Ballboy, I hate Scotland.

    1. Mark 85 Silver badge

      Don't be so fast on pinning this on the Brits... or the US... It could really be any country if it is a state actor. Pinning the blame without the forensics is opinion, not fact. It could be one state or it could be several working together. Or maybe not a state at all.... although for 6 days, non-stop, I'd think it's a state, as script-kiddies would be bored by now and moving on to someone else.

      1. Grikath

        "although for 6 days, non-stop, I'd think it's state as script-kiddies would be bored by now and moving on to someone else"

        Never underestimate the wrath and dedication of a CellarDweller who feels he has been Wronged...

        Mind, the duration and, according to the article, sophistication of the attack make it unlikely this is the work of a single actor, but the question remains: Why?

  4. NoneSuch

    Never, ever pay to stop a DDoS. That's moronic and will attract every greedy script kiddie on the planet to collect dosh.

    1. Danny 2 Silver badge

      They were being pragmatic. They were pressured because their ISP went down, taking some Swiss banks with them - the Swiss do love their banks. It was a small price to pay to avoid being deported. And of course it was a huge mistake that they won't make again. Not just because it encourages future script-kiddies, but because it distracts media attention, and your attention, from the nature of the secondary attack.

      We don't need ProtonMail, we are all smart-arses who can properly use Open-PGP to chat among ourselves. But we can't convince anyone else to learn how to do that, so our doctors, our judiciary, our journalists and politicians need a simple 'tick box to encrypt' solution from a trusted provider. And we do need that, more than ever. Our state is increasingly psychotic, paranoid, irrational and violent. We can't all emigrate to Switzerland or Iceland, someone has to stick around to feed the cats.

      1. Captain Badmouth

        "We can't all emigrate to Switzerland or Iceland, someone has to stick around to video the cats."

        Fixed.

        1. TheRealRoland

          Someone has to stay around to fix the cats?

      2. Doctor Syntax Silver badge

        "our doctors, our judiciary, our journalists and politicians need a simple 'tick box to encrypt' solution from a trusted provider."

        No they don't. If you give them a box to tick they'll not do it. It just needs to be encrypted end-to-end AS STANDARD.

      3. dan1980

        @Danny 2

        "And of course it was a huge mistake that they won't make again."

        Yes and no. Paying a ransom may well result in increased likelihood of future attacks and thus is a mistake. But, being responsive to your clients and showing that you really do care about their ability to use your service is not a mistake.

        It was a difficult position and I think they did the best they could, which was to initially refuse and to be very clear about that, but then to temper their position by considering the needs to others. Then, afterwards, when this did not achieve the desired result, they made it clear that it would never happen again.

        It seems now that paying the ransom really didn't matter much one way or the other because the major problem is this second, far more sophisticated attack, which has not been accompanied by a ransom demand.

  5. HAL-9000

    Chances

    What are the chances we'll ever learn who these villains are? Zero, or some close approximation

  6. Kevin McMurtrie Silver badge

    Name and shame

    Sort those IP addresses, do the lookups, start naming hosting providers, and start building blacklists. Call BS on every network that claims they're too important to need an abuse response team. I bet the blacklist attenuates the attack very well with only a handful of networks placed in it. It doesn't catch any hackers but it takes their toys away.

  7. Archivist

    DDOS in general

    We've seen the "hardening up" of OSs over the years, and imagined that it would get harder to trojan devices. It seems though, that there are ever increasing numbers to hand. I wonder what proportion are old and unpatched, compared with new.

  8. Whynot

    Cats need to be encrypted end to end

    1. CrazyOldCatMan Silver badge

      > Cats need to be encrypted end to end

      The output of mine is pretty encrypted. I defy you to extract any meaning from their litter-boxen..

      The input is pretty plaintext though.

  9. ServerSauna

    Would have been interesting to see it in real time: http://map.norsecorp.com/

  10. Danny 2 Silver badge

    PM up due to Radware

    "The Swiss-based secure email provider has selected Radware’s Attack Mitigation System (AMS) to help it take control of the situation and regain control of the mail service. Radware began working with ProtonMail on November 8th as part of their Emergency Response Service and service was restored shortly after."

    http://www.net-security.org/secworld.php?id=19088
