CTemplar SRI Checksum
Your Email Service Can Hack You
Currently, all “Zero Access” email services have a way of accessing their own users' data. They make their code “Open Source”, allowing anyone to review it. However, they do not serve users code from that “Open Source” repository. You are actually served code sent from a server that email companies do not allow to be audited. This gives them the ability to hack their own users, revealing their users' decryption keys. We have solved this issue by implementing SRI & Checksums. This makes us the first “Zero Access” end-to-end encrypted email service that is not able to decrypt our own users' emails.
A Simplified Review of CTemplar's Solution:
SRI works in the background when you visit a website, checking the code you receive against the “Open Source” code that is shown. This protects you from unknown people hacking your visit to the website. We added a Checksum that gives you protection even from us. We are the only secure email service that gives our users the power to prevent us from hacking them.
A Detailed Review of CTemplar's Solution:
We are implementing SRI (Subresource Integrity), which is a checksum-like verification integrated in most common browsers. It ensures that all the files the browser loads match exactly what the author provided and confirms that the files were not modified. If the files are modified and any of the JS signatures don't match what the author provided, the browser will refuse to load that JS file and the attack will fail.
This allows users to guarantee that our open source code shown on GitHub is the same code that they are receiving from our server. We are the first secure email service to have “Zero-Access” to our users' data by closing this vulnerability.
What is a checksum?
A checksum is a sequence of numbers and letters used to check data for corruption or tampering. If the author of a program provides a checksum for a file, you can verify, with a checksum tool, whether the file you got is exactly the same as the author's. You can find more information here.
How to Perform a Checksum
First, the file “index.html” starts the platform loading process and determines what is loaded, but in doing so it could pose a couple of risks:
In any case, if anyone wants to manually verify that our “index.html” wasn't tampered with and is exactly the same as the one being served, we have a guide in GitHub.
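The two checks described above (the SHA-256 checksum of “index.html” and the SRI hashes of the files it loads), as an added example that is not CTemplar's code or the guide on GitHub. The file name `/main.js`, the page content and the published checksum are constructed sample values.

```python
import base64
import hashlib
from html.parser import HTMLParser

STRENGTH = ["sha256", "sha384", "sha512"]  # weakest to strongest


def sri_value(data: bytes, algo: str = "sha384") -> str:
    """Integrity value as written in the attribute: '<algo>-<base64 raw digest>'."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


class SubresourceCollector(HTMLParser):
    """Collect (url, integrity) for each <script src> and <link rel=stylesheet>."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((a["src"], a.get("integrity")))
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.found.append((a["href"], a.get("integrity")))


def verify_page(index_html: bytes, published_sha256: str, fetched: dict) -> dict:
    """Check index.html against the published checksum, then each file against SRI."""
    report = {"index.html": hashlib.sha256(index_html).hexdigest() == published_sha256.lower()}
    collector = SubresourceCollector()
    collector.feed(index_html.decode("utf-8"))
    for url, integrity in collector.found:
        hashes = [h for h in (integrity or "").split() if h.split("-")[0] in STRENGTH]
        if not hashes:
            report[url] = False  # no usable integrity value: nothing pins this file
            continue
        # Like the browser, compare only against the strongest algorithm listed.
        best = max((h.split("-")[0] for h in hashes), key=STRENGTH.index)
        report[url] = sri_value(fetched.get(url, b""), best) in hashes
    return report


if __name__ == "__main__":
    # Constructed sample data, not CTemplar's real files or checksum.
    js = b"console.log('mail client bundle');"
    page = f'<script src="/main.js" integrity="{sri_value(js)}"></script>'.encode()
    published = hashlib.sha256(page).hexdigest()
    print(verify_page(page, published, {"/main.js": js}))
    # Script changed in transit: the SRI check on /main.js fails.
    print(verify_page(page, published, {"/main.js": js + b"//modified"}))
    # index.html itself re-issued with a new SRI hash: only the checksum catches it.
    bad = js + b"//modified"
    page2 = f'<script src="/main.js" integrity="{sri_value(bad)}"></script>'.encode()
    print(verify_page(page2, published, {"/main.js": bad}))
```

The last case is the one SRI alone cannot detect, which is why the checksum of “index.html” is verified separately.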
Our current checksum is:
SHA-256 checksum of “index.html”:
The CTemplar Team
We were the first secure email service to enable SRI. Several weeks after we enabled it, Protonmail followed us and enabled it as well. We remain the only secure email service that adds a checksum, so we continue to be the only “Zero Access” end-to-end encrypted email service. Even we are not able to hack our users.