ProtonMail Theoretical Security

22 thoughts
last posted June 25, 2014, 4:09 p.m.

Thoughts on the ProtonMail service, possible uses and how theoretically secure it might be.

As of right now I don't yet have an account, so all musings are pre-firsthand experience until further notice.


I'm overall very positive about the service. Given the limitations of email (especially hosted email), they seem to be taking the most steps that can be taken to ensure a high level of privacy.


The servers and the company that owns them are in Switzerland outside U.S. jurisdiction, a big plus these days.

Some argue that hosting your email on your own server is crucial for true security, but self-hosting also makes it inherently difficult to protect against certain vulnerabilities. Jurisdiction -- and the potential for government-sanctioned seizures or information release -- is an example of that kind of vulnerability. I suppose if you could find a Swiss VPS provider with no U.S. ties you could self-host that way, or failing that you could co-locate in a Swiss-owned property in Switzerland. For those without strong sysadmin skills and lots of money, ProtonMail makes the benefits of Swiss jurisdiction infinitely more feasible with almost no drawbacks.


ProtonMail offers some more details on their security practices and features here.

Like I said, I'm positive and I feel like this service plugs a large number of email's holes. That said, I'm going to kick the theoretical tires a bit.


ProtonMail encrypts the contents of messages, but not the addressee information.

Obviously they can't encrypt the address of the sender or the recipient, otherwise the message would be undeliverable.

So, even though you can send an encrypted email to, say, a Gmail user, Gmail and the U.S. government will still be able to see clearly that that person received a message from you.

(Edit: what I mean by "can't encrypt" is that at some point ProtonMail has to be able to read the metadata in order to know where to deliver the message. Certainly ProtonMail can encrypt the metadata to itself when the message is sent, so that it travels over the wire back to their servers in encrypted form. But if the message is to a non-ProtonMail recipient, then they end up permanently decrypting some metadata simply in order to be able to send it on to the recipient at Gmail or Hotmail or w/e. The point is that, even in the best-case scenario where both parties are PM users, PM has to retain info about the messages between them in order for the service to function, and this important metadata would be included in the "extremely limited user information" that a Swiss court order could conceivably compel them to release.)


Metadata is kind of important. Consider the inferences you can draw knowing nothing more than the identities of who someone contacts, and the frequency of calls:

  • Participant A communicated with multiple local neurology groups, a specialty pharmacy, a rare condition management service, and a hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis.
  • Participant B spoke at length with cardiologists at a major medical center, talked briefly with a medical laboratory, received calls from a pharmacy, and placed short calls to a home reporting hotline for a medical device used to monitor cardiac arrhythmia.
  • Participant C made a number of calls to a firearm store that specializes in the AR semiautomatic rifle platform. They also spoke at length with customer service for a firearm manufacturer that produces an AR line.
  • In a span of three weeks, Participant D contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop.
  • Participant E had a long, early morning call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location. She placed brief additional calls two weeks later, and made a final call a month after.



In the best-case scenario for ProtonMail privacy, all your email communication happens with other ProtonMail users. This way the unencrypted metadata associated with your email activity never leaves ProtonMail's servers in Switzerland. The only way for the U.S. Government to get a picture of who you're emailing is to:

  1. Compromise your machine in some way (possible though much less convenient than just ordering Google to hand over the info).
  2. Get a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court to compel ProtonMail to hand over the info about who you are emailing.

You can render option #2 above impossible by never using or accessing ProtonMail in any way that could tie your account to your real identity.

True anonymity is a real rabbit hole. But for starters you would access it through an anonymizing protocol like Tor; only use a free account (or pay with Bitcoin); and never give out your ProtonMail address in any context where anyone (including your ISP or anyone listening "on the wire") could connect the address to your real name.

To their credit, ProtonMail does seem to be doing everything they can on their end to make anonymous use of their service possible. They claim that they don't log "IPs used to connect to accounts, or the times certain accounts are accessed"; and crucially they make it possible to use the service without using a credit card.


In some horrible world where Murphy's Law applies, what could go wrong (i.e., privacy subverted) even if you use ProtonMail?

Pretty much the standard culprits:

  • Unknown browser vulnerabilities could render the encryption useless (ProtonMail is entirely web-based)
  • Your computer could be compromised by malware (keyloggers, e.g.)
  • Your recipient's computer could be compromised
  • Unknown weaknesses in the encryption render it useless

It seems pretty clear that ProtonMail's safeguards are pretty much useless for any messages sent unencrypted to non-ProtonMail accounts.


They say they support sending encrypted messages to non-PM email accounts:

"When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser which they can decrypt using a decryption passphrase that you have shared with them."

The real issue there is "that you have shared with them". Sharing a passphrase with someone in a secure way -- other than by telling them in person -- is tricky business. I'm curious how ProtonMail users plan to use this feature and what their attempted solutions will be.


There's an additional standard weakness I forgot to include above, which is:

  • ProtonMail could turn out to be including and using back doors in their own service.

Deciding whether to trust a service provider is its own challenge.


ProtonMail's encryption and decryption all happen inside the browser. This means it's probably very easy for any encryption expert to audit the code and see if, for example, PM is surreptitiously including their own public key in the list of intended recipients.

The catch is that this code gets served up fresh every time you use the service. Assume, for example, that ProtonMail is secretly run by a celebrity gossip rag, and exists solely for the purpose of collecting private details about famous people. It would be trivial for them to serve perfectly secure, normal javascript to all users by default, and serve a slightly different set of code to selected targets. This would be very hard to detect.

How would you know if the code had changed since a trusted expert had done an audit? (For example, is there some ready way for typical users to verify the checksum on a particular site's javascript?)
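One way to approach that question, as an added example (not ProtonMail's code or tooling): pin a digest of each audited script and compare the scripts from a later page load against that manifest. The script paths and bodies are constructed, and `EXTRA_KEY` is a hypothetical stand-in for the extra-recipient scenario described above.

```python
import base64
import hashlib

def sri_digest(body):
    """Digest in Subresource Integrity form: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")

def build_manifest(scripts):
    """Pin each script path to the digest of the bytes that were audited."""
    return {path: sri_digest(body) for path, body in scripts.items()}

def compare_to_manifest(manifest, served):
    """Classify every script in one page load against the audited manifest."""
    report = {"unchanged": [], "changed": [], "unaudited": [], "missing": []}
    for path, body in sorted(served.items()):
        if path not in manifest:
            report["unaudited"].append(path)   # code nobody reviewed
        elif sri_digest(body) == manifest[path]:
            report["unchanged"].append(path)
        else:
            report["changed"].append(path)     # differs from the audited bytes
    report["missing"] = sorted(p for p in manifest if p not in served)
    return report

# Constructed sample: the script bodies an auditor reviewed (hypothetical paths).
AUDITED = {
    "/js/crypto.js": b"function recipients(to){return [to];}\n",
    "/js/app.js": b"function send(m){return encrypt(m);}\n",
}

# Constructed sample: one page load in which a script gained an extra
# recipient key and a script that was never audited appeared.
SERVED_TO_TARGET = {
    "/js/crypto.js": b"function recipients(to){return [to, EXTRA_KEY];}\n",
    "/js/app.js": b"function send(m){return encrypt(m);}\n",
    "/js/extra.js": b"var EXTRA_KEY = 'placeholder';\n",
}

def demo():
    manifest = build_manifest(AUDITED)
    return (compare_to_manifest(manifest, AUDITED),
            compare_to_manifest(manifest, SERVED_TO_TARGET))

if __name__ == "__main__":
    for label, report in zip(("default user", "selected target"), demo()):
        print(label, report)
```

The comparison only means something when it runs on the bytes your own browser session received; a server that serves different code to selected targets can hand a separate fetcher the clean copy.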


One productive way of thinking about whether and how much to trust ProtonMail is to consider the real-world example of Lavabit. The two services are identical in purpose: to provide free, secure and optionally anonymous email.

Lavabit had all the same vulnerabilities as ProtonMail, plus additional ones: Lavabit didn't have PM's in-browser encryption, plus it was of course based in the U.S., which was eventually its downfall. Even so, Edward Snowden trusted it enough to use it to contact activists and lawyers for a press event.

You can look at that two ways of course. Ed Snowden's implicit endorsement of Lavabit might go a long way towards validating the use of third-party secure email services. Or you could say that using Lavabit ultimately didn't help him in the end -- look what happened: Snowden's Lavabit email address was leaked and the service was shut down as a result.


What actually did happen in the Lavabit/Snowden case?

The government ultimately did not get the access they sought. Instead, their fast-paced legal intimidation tactics achieved nothing but to induce Lavabit's owner to shut down the service. If the government learned anything more than Snowden's actual Lavabit email address, they likely did it by compromising machines outside of Lavabit's control.

Now, what actually would have happened had Snowden been able to use ProtonMail?

The U.S. government would have been unable to issue fast-paced, overwhelming and compulsory orders. They'd have to go through the Swiss court system. They would not be able or allowed to cloak the proceedings in secrecy. Even assuming they were successful, they likely would not be able to get the kind of sweeping direct access they were demanding from Lavabit; if they were awarded anything, they would likely be awarded info about specific accounts. And ProtonMail would in any case continue to function.


Again: assuming a government was able to legally compel PM to hand over all the information they had about a specific account, what would that set of info include?

It wouldn't include IP addresses or access times since PM supposedly doesn't keep logs of that information.

But it would include a lot of metadata. It would include addresses and timestamps of all non-deleted messages sent and received by that account, including other ProtonMail addresses.

It also would probably include the encrypted subject and body text of all non-deleted messages.
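What a holder of that data can reconstruct without any decryption key, as an added example that is not part of the original post: a per-correspondent count with first and last contact dates, built from headers alone. The mailbox is constructed, the addresses are hypothetical, and the messages are modelled as ordinary RFC 5322 mail with armored bodies, which is an assumption about format rather than ProtonMail's storage.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

ARMOR = "-----BEGIN PGP MESSAGE-----"

def make_message(sender, recipient, date):
    """Build a constructed sample message; the body is a placeholder, not real ciphertext."""
    return (f"From: {sender}\nTo: {recipient}\nDate: {date}\n\n"
            f"{ARMOR}\n(placeholder ciphertext)\n-----END PGP MESSAGE-----\n")

# Constructed mailbox for the hypothetical account alice@example.org.
SAMPLE = [
    make_message("alice@example.org", "clinic@example.org", "2 Jun 2014 09:15:00 +0000"),
    make_message("clinic@example.org", "alice@example.org", "4 Jun 2014 16:40:00 +0000"),
    make_message("alice@example.org", "lawyer@example.org", "5 Jun 2014 11:00:00 +0000"),
    make_message("alice@example.org", "clinic@example.org", "18 Jun 2014 08:05:00 +0000"),
]

def visible_metadata(raw):
    """Return the fields that are readable without any decryption key."""
    msg = message_from_string(raw)
    return {
        "from": getaddresses([msg["From"]])[0][1].lower(),
        "to": [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))],
        "date": parsedate_to_datetime(msg["Date"]),
        "body_is_ciphertext": msg.get_payload().lstrip().startswith(ARMOR),
    }

def contact_profile(raws, account):
    """Per-correspondent message count and first/last contact, from headers only."""
    profile = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for meta in map(visible_metadata, raws):
        if meta["from"] == account:
            peers = meta["to"]
        elif account in meta["to"]:
            peers = [meta["from"]]
        else:
            continue  # message does not involve this account
        for peer in peers:
            entry = profile[peer]
            entry["count"] += 1
            entry["first"] = min(filter(None, [entry["first"], meta["date"]]))
            entry["last"] = max(filter(None, [entry["last"], meta["date"]]))
    return dict(profile)

if __name__ == "__main__":
    for peer, entry in sorted(contact_profile(SAMPLE, "alice@example.org").items()):
        print(peer, entry["count"], entry["first"].date(), entry["last"].date())
```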


I'm going to stray even further into blind conjecture about edge cases here.

Supposing the U.S. government were interested in a ProtonMail user and faced with the potential molasses-slog of going through the Swiss legal system, it's possible -- maybe even likely -- that it would opt instead for illegal methods of compromising ProtonMail's servers.

Again, the most they could theoretically gain from this would be ProtonMail's private keys and thus access to the metadata listed above, but not access to the plaintext of any emails or any user's decryption password (which is never sent over the wire).


ProtonMail hasn't said anything so far about their datacenter's or their servers' physical security. I'm not sure it's in their interests to do so. ProtonMail users know what metadata could theoretically be stolen or compelled from ProtonMail; whether that could happen legally or illegally is, I would think, not of primary importance. What's important is that ProtonMail's legal and jurisdictional status keeps it from being an easy legal target as Lavabit was.


Reeling things closer towards the realm of the probable here, it's more likely that an interested government agency would opt for compromising the user's computer rather than going after ProtonMail itself.

  • We've already seen that they do often take this approach.
  • They'd have more to gain this way, including the actual unencrypted plain text of all the user's messages.
  • Operationally, it's far easier to do.

How does ProtonMail's theoretical security compare with that of selectively using GPG on a normal email account?

Assuming you and the other party both know how to use GPG securely, selective GPG use is almost as secure as ProtonMail (not more). To understand this, consider the data a government agency could compel from your email provider in each case:

Using ProtonMail:

  • Names, timestamps and addresses of all your messages sent and received
  • Encrypted text of subject and body of all non-deleted messages

Using GPG with GMail/Hotmail/Fastmail/etc:

  • All of the above, plus ...
  • IP addresses and access times

In comparing ProtonMail with the GPG approach, remember the following:

  • As noted earlier, it's far harder to compel or steal that metadata from ProtonMail than from typical email providers. The U.S. government can have that info from Google very quickly and silently.
  • GPG remains little-used because it is too complicated for most users. It's worth considering why Snowden resorted to Lavabit rather than trying to educate lots of lawyers and activists on how to use GPG. (He did use GPG for his most sensitive correspondence, however.)
  • Both approaches are equally vulnerable to a compromised user machine.
  • Even if you and your correspondent both host your own private email server, that server can be physically and silently seized if it is located on U.S. soil, or the soil of any country the U.S. can strong-arm, or if it is hosted/colocated by any company with U.S. ties. And you can't count on encrypted filesystems to save you from government forensics.

The upshot is that it's possible to approximate the security of ProtonMail with selective GPG usage on a normal email account, but to do so takes vastly more expertise, time, and money than most people have.