Encrypted Email for Everyone

Parley will be email encryption software that's easy enough for anyone to use: you'll just download the app, connect your existing email account, and start sending emails in total privacy. Our software interoperates with existing end-to-end encrypted email systems, and aims to provide a level of security that is virtually unbreakable (nobody, not even the NSA, should be able to read your private email).

We're currently in pre-beta, with support for Mac OS X, 32-bit Linux, and versions of Windows prior to 8. (64-bit Linux and Windows 8 support are coming soon, and we'll be releasing a mobile version of Parley after that.) You can try Parley right now for free by entering your email address in the field below, or click here to read more about how Parley works and our plans for the future.

How It Works

Parley is primarily trying to solve the chicken-and-egg network effect which has plagued PGP-encrypted email since its inception. PGP works really well, and for all the clucking hens running around these days saying that email is broken there are millions of people who disagree. The problem, then, is that existing PGP users don't know anyone else using PGP: that's what we're trying to fix, by making a PGP email client that's easy enough for anyone to use, and secure enough that existing PGP users will be comfortable recommending it to their friends. We're trying to solve other problems, too, because they are attached to that problem: secure and convenient key management, a monetisation scheme that is both accessible to everyone and doesn't rely on advertising, and all of the UX challenges that come with simplifying public key encryption for a wide audience (not to mention the UX challenges related to email itself).

We still have a long way to go, but this document aims to describe Parley's core, underlying security model, which has already been implemented in the beta and is extremely unlikely to change.

First, though, a few general notes:

  • We're not cryptographers, and we didn't invent any wild new encryption techniques. Emails are sent using PGP, everything is transferred over SSL/TLS, passwords are hashed with PBKDF2, API authentication is done using SHA-256 HMAC, and we use AES 256 once.
  • All of our code is open sourced, available at github.com/blackchair/parley.
  • Parley is built around two important compromises. Namely:
    • Keyrings need to be stored on the server, because our target users are the sort who don't want to deal with them manually (via USB drives or whatnot). They're encrypted before they ever reach the server, and quite resilient to bruteforce attacks, but it's a major compromise nonetheless.
    • We, the Parley creators and administrators, are not interested in fighting law enforcement over your data. We've designed the system so that we couldn't decrypt your data even if we wanted to, and it would be difficult to distribute a malicious client (because everything is open sourced and updates are not automatic) but we intend to comply with law enforcement agencies when asked. This is actually a pretty minor compromise in our books—the whole point of Parley is that even if our server gets rooted entirely it would be exceptionally difficult to crack even a single user's keys.

In light of those compromises, anyone who is actively evading government surveillance should continue managing their own keys. They may want to consider inviting their friends to use Parley, though!

With those notes out of the way, it's pretty obvious that the main difference between Parley and any other PGP client is that we've hidden key management from the user entirely. In fact, at this point that is the only difference. Here's how we do it:

  1. A user creates a new Parley account by registering their email address via the Parley website.
  2. A verification link is sent to the user's email address.
  3. The user downloads the Parley client. All further interaction with Parley is done via the client.
  4. The user enters their email address, at which point they are prompted to complete the registration process (name, password, etc.)
  5. The password is PBKDF2 hashed, twice, with a user-specific salt. The first round of hashing forms the "local password", which is used as the passphrase for the user's secret key. The second round of hashing forms the "remote password", which acts as an API secret. Doing it this way ensures that the server never sees any passwords actually related to encryption, but only strongly hashed versions of them. Using the "local password" simply prevents us from passing around the user's plaintext password in memory, which is a comparatively small comfort but it at least protects the plaintext version from being sniffed out by a client-side attacker (in case the plaintext password is used elsewhere).
  6. The keypair is generated.
  7. An ASCII armored version of the keypair (including the passphrase-protected secret key) is AES 256 encrypted (using the "local password") and sent to the server, along with the API key ("remote password"). Subsequent communications with the server will authenticate against that API key using a SHA-256 HMAC signature.
  8. On the client, any PGP operations requiring the secret key are carried out using the local password. (The desktop versions of Parley interact with a local installation of GPG to do the heavy lifting. Future mobile versions will need to use libraries corresponding to the respective platforms.)
  9. On subsequent logins, the local and remote passwords are regenerated based on the user's plaintext password, and the remote password is authenticated against the API. If successful, the user is granted access to their encrypted keyring for retrieval--it can be downloaded and decrypted using the local password if the client deems it necessary. (Currently we just download every time; in the future we may choose to use a local version of the keyring when available and lazy-load the server's version behind the scenes for updates...)
  10. That's it!
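The derivation in step 5 and the request signing in steps 7 and 9, sketched as an added example (not Parley's own code). The iteration count, output length, PBKDF2's inner hash, feeding the hex local password into the second round, the signed-message layout, the timestamp check and the `/keyring` path are all assumptions; the AES 256 keyring encryption is left out.

```python
import hashlib
import hmac

# Assumed parameters: the page gives no iteration count, output length or PRF.
ITERATIONS = 100_000
KEY_LEN = 32


def derive_passwords(password, salt):
    """Step 5: return (local_password, remote_password) as hex strings."""
    local = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                salt, ITERATIONS, KEY_LEN).hex()
    # Assumption: round two hashes the local password, so the server-side
    # value cannot be turned back into the secret-key passphrase.
    remote = hashlib.pbkdf2_hmac("sha256", local.encode("ascii"),
                                 salt, ITERATIONS, KEY_LEN).hex()
    return local, remote


def sign_request(remote_password, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over an assumed canonical request layout."""
    body_digest = hashlib.sha256(body).hexdigest()
    message = "\n".join([method, path, str(timestamp), body_digest])
    return hmac.new(remote_password.encode("ascii"), message.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_request(stored_remote, method, path, body, timestamp,
                   signature, now, max_skew=300):
    """Server side: reject stale timestamps, then compare in constant time."""
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(stored_remote, method, path, body, timestamp)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # constructed sample value
    local, remote = derive_passwords("correct horse battery staple", salt)
    sig = sign_request(remote, "GET", "/keyring", b"", 1_700_000_000)
    print("server stores only:", remote)
    print("valid:", verify_request(remote, "GET", "/keyring", b"", 1_700_000_000,
                                   sig, now=1_700_000_010))
```

Because the server holds the remote password itself as the HMAC key, anyone who reads the server's database can sign API requests and fetch the encrypted keyring; decrypting it still requires the local password, which never leaves the client.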

So there's no magic, and the whole system is relatively simple. We still have a lot of work to do in verifying our implementation of the plan discussed here, and that will include an audit by a reputable firm, but we're confident that the design is at least conceptually sound. Click here to find out a bit more about who we are.

 

 

 

Team

Parley is the project of a tiny Canadian software company called Black Chair Studios, Inc. We usually build custom web software for businesses and consult them with regards to their online strategy (often in relation to their online marketing efforts). Lately we've also been working on Parley, because we strongly believe that privacy is a right, and because building things is fun.

Danny O'Sullivan

System Administrator

Matthew Poirier

Front-End Developer

David Noël

Back End Developer
 

Pricing

During the pre-beta, everything is free. Until the paid beta begins, you may pre-purchase a professional account for $125/year (a 50% discount on the regular beta pricing) and you will be grandfathered in at that price forever.

These prices will take effect at the beginning of the Beta period:

  • free: exchange messages with up to 5 contacts per month - FREE
  • personal: exchange messages with up to 10 contacts per month - $5/month or $50/year
  • group: includes 5 personal accounts - $20/month or $200/year (+$4/month or $40/year for each additional user)
  • professional: exchange messages with an unlimited number of contacts - $25/month or $250/year
  • small business: includes 10 professional accounts for staff and clients - $200/month or $2000/year (+$20/month or $200/year for each additional user)
  • enterprise: please call or email for prices

Sign Up

The Pre-Beta is completely free, but if you're excited about Parley and want to support its development, please consider pre-purchasing an account before our paid Beta launch—otherwise, you can just leave the credit card fields blank.

For the remainder of the pre-beta, we are offering a pre-purchase of our professional plan at $125/year, which is a 50% discount (see the proposed pricing page for comparison), and if you buy now you'll be grandfathered in at that price forever. Your money will help us to continue refining the visual design, as well as move more quickly towards enabling file attachments and putting together the terms of service (in the meantime, we promise not to share your email address with anyone and everything else is provided as-is). Eventually, we also intend to hire third-party security auditors to make sure Parley is as secure as we want it to be.

Download

Important Note: You'll need to set up a Parley account and verify your email address before you can use the app. If you've already done that, you're in the right place!

Other Note: Since the app is still being developed, you may be prompted to install upgrades relatively frequently. That will obviously slow down as the app matures. Also, it's good practice to compare file hashes with your friends so as to thwart any sort of tampering attempts. In future we'd love to include links to third-party sources for that information.

Now, without further ado, we present Parley Desktop 0.3.0:

Contact

For general questions, bug reports or press enquiries please fill out the form below. If you're filing a security-related bug report, we'd like to give you some recognition and a small reward—please visit our security page for details.

Our email address is hello@blackchair.net. If you'd like to get ahold of us by phone, you can call us toll free at 1 866 986 5299.
