InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
You can now connect to ProtonVPN with just one tap of a button.
Proton VPN has launched its new browser extension for Chrome and Firefox, fulfilling one of the most sought-after features requested by its user community. This new extension provides users with a more flexible way to protect their online privacy and bypass censorship.
The Proton VPN browser extension is a standalone platform that encrypts internet traffic and browsers without needing to install Windows or Mac applications. This distribution method allows users in countries with blocked app stores to access Proton VPN.
With this new extension, users can easily protect their browser traffic without affecting the speeds or IP addresses of other applications on their devices. The extension can be used across multiple browsers, and each browser can be connected to a different server, allowing for up to ten simultaneous VPN connections.
In a statement, Proton VPN explained that they understand the importance of online privacy and freedom of access, and this new extension is designed to provide more options for users to protect their online activity. They also emphasized that they take user feedback seriously and strive to implement new features that cater to their needs.
The Proton VPN browser extension is available for Chromium-based browsers (such as Google Chrome, Brave, Microsoft Edge, Chromium, Opera, and Vivaldi) and Firefox-based browsers (including Firefox itself, LibreWolf, and Waterfox).
ProtonVPN
Proton VPN is a well-known and reputable VPN provider based in Switzerland that has been praised for its strong security measures and privacy protections. The company’s commitment to expanding its offerings and providing users with more control over their online privacy is a significant step forward in the fight for digital rights.
Encrypting an email message ensures that unauthorized parties cannot read it. For any party without proper authorization, the message will appear indecipherable.
For organizations, message confidentiality is crucial to stop potentially sensitive information from reaching prying eyes. Also, they should be able to confirm the integrity of the message and the sender’s identity – without this, spoofed messages can be sent.
The basis of confidential communication over email is that both sender and recipient have secured their respective local systems, by hardening the host OS, employing client security, EDR, XDR and so forth.
Different options have different benefits and challenges
Best-effort opportunistic encryption methods such as Outlook Message Encryption (OME) and various third-party solutions (email encryption gateways, plugins and similar) have the benefit of being easy to use. They can also be transparently integrated into email programs (such as Outlook Message Encryption), and make it easy to contact new people, with no need for prior key exchange – if the message is sent to a user who doesn’t run the same system, a portal for opening the message is typically placed in view.
Additionally, they can often be integrated into the outgoing email server with rules to enforce encryption automatically, depending on set rules such as automated encryption for certain attachments, for example.
There is, however, the possibility of an unauthorized party decrypting the message if they gain access to it first. This poses a real threat as the email communication itself is not guaranteed to be encrypted due to the email delivery process being reliant on STARTTLS and similar opportunistic encryption schemes. This can be mitigated by adding 2FA, such as via SMS PIN code which can help improve security (of course, the recipient’s cell phone number must be known when sending). And in many situations, it is important to also identify the sender’s identity reliably: After all, if anyone can send messages, how can you differentiate a genuine sender from an imposter?
Full encryption methods such as S/MIME and PGP/GPG enable complete confidentiality where only the recipient can decrypt the email message due to the possibility of verifying the sender’s identity. However, several issues arise when using this method. There is a need for key management where keys need to be distributed, swapped, and kept up to date. There is also limited support as the recipient often needs to use the same solution as the sender.
Only a certain subset of contacts typically use this solution, leading to the need to use multiple solutions depending on the recipient(s). This also requires extra effort to determine which solution can be used for the specific recipient and if the solution is secure enough for the material being sent. This can lead to a complicated user interface with different, confusing options like “sign only” or “sign and encrypt”. It becomes quite easy to end up choosing the wrong option, or worse, forgetting to use the encryption at all (since it usually must be selected specifically).
Recently Google started offering option to use S/MIME with Gmail as “E2EE” or “client-side encryption”. This option is currently in beta testing and only available for limited audiences. This however is a significant development as it might result in wider adoption of S/MIME encryption, especially if made available for free Gmail tiers.
The threat model decides
What is the best solution? S/MIME or PGP/GPG may seem like attractive solutions, but challenges in key management and difficulty in training people to use them could lead to poor adoption. Some less secure solutions could be used for most communication, while the more secure solutions, such as S/MIME or GPG/PGP, could be used for other recipients.
The users that need to use the more secure solutions must be instructed on identifying when the more secure method is needed and how to use the solution properly (such as key management and practice sending and receiving encrypted email). Ultimately the demands of the specific organization and use cases determine the solutions that might be needed.
