Über-Secure ProtonMail Beta Maxes Out Servers in Just 60 Hours

ProtonMail, a new end-to-end encrypted email service developed by several former CERN employees, was forced to halt its beta launch this week after running out of server capacity.

The team behind it announced on Monday, just three days after its launch, that it would be “temporarily closing” beta sign-ups.
 
“When we launched ProtonMail, we did not anticipate that there would be so much interest in our service. We thought we had enough resources in place to support over 1 month of user signups. Never could we have imagined that we would hit that limit in around 60 hours,” it said in a blog post.
 
“Over the next couple days, we will work on expanding our server capacity, and further improving our security. Since our launch, we have had several offers to help us with a full security audit and as those results come in, we will also be taking steps to further improve the security of ProtonMail.”
 
A tweet from the official ProtonMail account said on Thursday that it was “very close” to opening up the beta launch again.
 
ProtonMail is the brainchild of Harvard and MIT alumni, many of whom were working at the CERN nuclear research facility in Switzerland when they began talking about the idea of an easy-to-use but rigorously secure email service.
 
It has several features designed to offer users superior security to most of what’s on offer today.
 
First up, its servers are located in Switzerland, so they’re protected under strict local data protection laws and are nominally safe from access requests by the likes of the US.
 
Encrypted email start-up Lavabit, used by Edward Snowden, revealed publicly for the first time this week that it was forced to shut down to protect user data after a US court order was issued that would have forced it to install surveillance kit on its network.
 
Second, ProtonMail requires two passwords – the first to authenticate the user and access the account and the second to decrypt the data in the browser.
 
The firm said it never receives this second password and never has access to the decrypted data. For this reason, however, it will also not be able to do password recovery.
 
Third, messages are fully encrypted end-to-end with “only the most secure implementations of AES, RSA and OpenPGP” and never leave the firm’s own environment.
 
ProtonMail said it does not log user activity, including any metadata such as IP addresses, and it offers an “optional expiration time” on encrypted emails, which will delete them from recipients’ inboxes so as to leave no trail.
 
In terms of the back-end infrastructure, ProtonMail says its servers are located in several facilities in Switzerland in highly secure datacentres used by many of the country’s famed banks.
 
“On an organizational level, no single individual possesses all access passwords; they are separately kept by members with different citizenships,” it states on the website.
 
“These precautions may seem excessive, but in today’s world, precautions must be taken to minimize the risk of human security compromises.”
 
The firm said it also runs server-side integrity checks to ensure code running on its systems is not being changed without its knowledge. It uses SSL to communicate between its servers and users’ browsers, with SwissSign as the SSL certificate authority.
 
Finally, it said the service was as easy to use as Gmail. Users emailing non-ProtonMail accounts can send encrypted data, which the recipient can then decrypt with a shared passphrase.
