CTemplar Checksum Implementation

Encrypted Email Services Can Hack You Using JavaScript

JavaScript can be used to serve malicious code, exploits or hacks. This has been illustrated by Gizmodo, USENIX, Ask Leo, Stack Exchange and ITNEXT, and it has been discussed at the hacker conference DEFCON. JavaScript hacks are also the primary way people are de-anonymized on the darknet.

In November 2018 Professor Kobeissi revealed that, since JavaScript is required for encryption, JavaScript can also be used to hack users of end-to-end encrypted email services. In Jan 20219 one end-to-end encrypted email service, ProtonMail, publicly stated that they are capable of hacking their own users and decrypting all of their users' data through JavaScript. This admission showed a dedication to the people who use their service. We have written a post expressing our gratitude to Proton Technologies AG for the work they have done in the security ecosystem here.

Does having open-source code eliminate this risk? No, because open-source code is just an act to encourage users' trust. The audited code on GitHub might not be the same code that is sent to you from a company's private server. They make no assurances or promises that the code they show to the public and the code you get are the same.

Currently all end-to-end encrypted email services except us can hack their own users and decrypt all of their data. We are able to provide this level of protection using an implementation of checksums that has not been used before. We are proudly the first "Zero Access" end-to-end encrypted email service that is not able to decrypt our own users' emails.

How Did We Solve This With Checksums?

Our checksum implementation allows our users to compare all the code in their browser to all the code on GitHub within 15-30 seconds. Normally comparing code can take hours or days. Checksums enable it to be done in seconds. You can do it yourself by following our guide in GitHub, or watching our video (Pending).

First, the file "index.html" starts the platform loading process and determines what is loaded, but in doing so it could pose a couple of risks:

  1. Someone/Something could modify the JavaScript files defined in the “index.html” making them harmful without the user’s knowledge.
  2. Someone/Something could make “index.html” load more JavaScript files than what the authors intended, making the website harmful to the users without the user’s knowledge.

In any case, if anyone wants to manually verify that our "index.html" hasn't been tampered with and is exactly the same as the one being served, we have a guide in GitHub.

Our current checksum is:

SHA-256 checksum of “index.html”:
9363508b363cc5808ab62a6e2ab65ab7426ee0584986b3677bd864441e8df8aa
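
One way to script the comparison described above, as an added example that is not CTemplar's own tooling or the procedure from their GitHub guide: it hashes the served bytes of "index.html" against the published value, then lists every script tag, because the hash of "index.html" only fixes the content of a referenced file when the tag carries a Subresource Integrity attribute. The class, function and sample page are constructed for illustration, and this page does not state whether CTemplar's "index.html" uses integrity attributes.

```python
import hashlib
from html.parser import HTMLParser

# Published SHA-256 of "index.html", copied from this page.
PUBLISHED_SHA256 = "9363508b363cc5808ab62a6e2ab65ab7426ee0584986b3677bd864441e8df8aa"

class ScriptAudit(HTMLParser):
    """Collect every <script> tag and whether its content is pinned by a hash."""

    def __init__(self):
        super().__init__()
        self.pinned, self.unpinned, self.inline = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:
            self.inline += 1           # inline code is covered by the page hash itself
        elif (a.get("integrity") or "").startswith(("sha256-", "sha384-", "sha512-")):
            self.pinned.append(src)    # browser rejects the file if its hash differs
        else:
            self.unpinned.append(src)  # file behind this URL can change unnoticed

def verify_index(served: bytes, expected_hex: str) -> dict:
    """Compare the served bytes with the published digest, then audit script tags."""
    digest = hashlib.sha256(served).hexdigest()
    audit = ScriptAudit()
    audit.feed(served.decode("utf-8", errors="replace"))
    return {
        "sha256": digest,
        "matches_published": digest == expected_hex.lower(),
        "pinned_scripts": audit.pinned,
        "unpinned_scripts": audit.unpinned,
        "inline_scripts": audit.inline,
    }

# Constructed sample page with a placeholder integrity value (not the real index.html).
SAMPLE = b"""<html><head>
<script src="main.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="vendor.js"></script>
<script>console.log("boot")</script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(verify_index(SAMPLE, PUBLISHED_SHA256))
```

Feed it the exact bytes the server returned, saved without any browser reformatting; a single changed byte, including whitespace, produces a different digest.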

The CTemplar Team: 

Disclaimer: Checksums do not protect you from hacks from your browser, operating system, plugins, mobile ISP providers, running process software or the Intel Microprocessor hardware backdoor. We do not protect against keyloggers that may be installed on your computer.
