CTemplar Checksum Implementation

Share on twitter
Share on linkedin
Share on reddit

Encrypted Email Services Can Hack You Using JavaScript

JavaScript can be used to serve malicious code, exploits, or hacks. This is illustrated by GizmodoUSENIXAsk LeoStack Exchange, ITNEXT, and it is a recurring theme at the hacker conference DEFCON. JavaScript hacks are also the primary way to de-anonymize Deep Web users.

In November of 2018, Professor Kobeissi revealed that if JavaScript is required for encryption, it can also be used to hack users who use end-to-end encrypted email services. In January of 2019, one end-to-end encrypted email service, ProtonMail, publicly stated that they are capable of hacking their users and decrypting all of its user’s data through JavaScript. This post showed their dedication to the people who use their service. We have written a post expressing our gratitude to Proton Technologies AG for the work they have done in the security ecosystem here.

Does having open-source code eliminate this risk? No, because open-source code is just an act to encourage users’ trust. The audited code in GitHub might not be the same code that is sent to you from a companies private server. There is no assurance or promise that the code hosted is the same as the one is served.

Currently, all end-to-end encrypted email services can hack their users and decrypt all of their data except us. We can provide this level of protection using an implementation of checksums that haven’t been used before. We are proudly the first “Zero Access” end-to-end encrypted email service that is not able to decrypt our own user’s emails.

How Did We Solve This With Checksums?

Our checksum implementation allows our users to compare the code served to their browser with the code in GitHub within 15-30 seconds. Usually, comparing code can take hours or days. With checksums, you can do it in seconds.

First, the file index.html starts the platform loading process and determines what is loaded, but when doing so, could pose a couple of risks:

  1. Someone/Something could modify the JavaScript files defined in the “index.html” making them harmful without the user’s knowledge.
  2. Someone/Something could make “index.html” load more JavaScript files than what the authors intended, making the website harmful to the users without the user’s knowledge.

In any case, if anyone wants to manually verify if our “index.html” hasn’t been tampered and is the same as the one being served, we have a guide in GitHub.

At the time of writing, our current checksum is:

SHA-256 checksum of “index.html”:

08f4cb9a1c9753a6963b56debb76c31ace97dbead25ccd2c93a1944e7a5ebed2

The CTemplar Team:

Disclaimer: Checksums do not protect you from hacks from your browser, OS’s, plugins, mobile ISP providers, running process software, or the Intel Microprocessor hardware backdoor. We do not protect against keyloggers that may be installed on your computer.

CTemplar

CTemplar

注册 World’s Most Secure Email 就是现在!

凭借次时代的加密技术 & 存储在注重隐私保护的冰岛的服务器上,发送安全性牢不可破的电子邮件,保护您的职业及个人信息。。。

Recent Blog Update

CTEMPLAR TRANSPARENCY REPORT

Warranty Canary: No law enforcement agencies have been here. Watch for this statement’s removal or change. (What is a Warrant Canary?) Zero censorship policy. We do not censor harmful or revealing content...

Read More

零审查政策

我们向社区做出承诺,我们将不会使用审查制度来掩盖对公司的负面报道。 相反,我们将发布关于...的否定或未经编辑的文章。

Read More

4墙面保护

CTemplar’s 4 Wall Protection 4 Wall Protection was defined by the CTemplar team with the goal of helping people review their privacy needs. Imagine that your privacy is a four-walled...

Read More

Privacy as Seen Through Fourteen Eyes

Privacy as Seen Through Fourteen Eyes The history of citizen surveillance boils down to one simple theory: The more eyes you have watching citizens both friend and foe, the easier...

Read More
Footer above logo

注册 World’s Most Secure Email 就是现在!

凭借次时代的加密技术 & 存储在注重隐私保护的冰岛的服务器上,发送安全性牢不可破的电子邮件,保护您的职业及个人信息。。。