ProtonBlog(new window)

Response to analysis of Proton Mail’s cryptographic architecture

Share this page

Recently, a self-published paper(new window) that was not peer reviewed claimed weaknesses in Proton Mail’s cryptographic architecture. The document is rather dense, and the casual reader is unlikely to be able to understand much beyond the alarming conclusion that there are allegedly “serious shortcomings in Proton Mail’s cryptographic architecture.” Below, we analyze these allegations one by one, so the average reader can judge the merits of these claims on their own.

The summary is that the claims made in this paper are not inherent to Proton Mail’s architecture. Its central assertion can also be made against practically every other end-to-end encrypted service in existence today. We do not believe the paper’s arguments constitute “serious shortcomings,” as we explain below.

Claim 1 – Web applications provide fewer security guarantees

This claim is made in section 5.1.1 of the document. While the author cites Proton Mail specifically, the claim covers all web apps in general. The central claim is essentially the following:

Because the user doesn’t have control over the web server that is providing the web app, any web service provider can change the application that is delivered to end users. This includes potentially providing a malicious application that could compromise the encryption. Because of this, Proton Mail should not provide a web application.

This issue is not specific to Proton Mail, of course, but applies to any web app in existence today. That includes all end-to-end encrypted services which provide a web app (practically all of them). The author’s claims would, therefore, apply equally well to WhatsApp, Telegram, Wire, Tresorit, Threema, etc.

The fact that web apps provide fewer security guarantees is well known and has been known since before Proton Mail was created, and it is also discussed in our published threat model(new window). Where we disagree with the author is that we don’t believe the threat model of web apps is so fundamentally flawed that we need to take the step of not offering a web app at all.

The fact that practically every other end-to-end encrypted service also provides a web app is the surest sign that the modern Internet user requires a web app. Generally speaking, we think calling the differences between web and mobile app threat models a serious flaw in Proton Mail’s cryptography is highly misleading to the casual observer.

At Proton Mail, we have done two things to address the weakness of the web as a platform. First, we also provide native apps on every single platform. Second, we are closely following the work being done in the web standards community to introduce some form of code signing for web apps and will implement these solutions as soon as they mature.

Claim 2 – Encrypt-to-Outside doesn’t protect against a malicious recipient

This claim is made in section 5.1.2 of the document. Proton Mail has an Password-protected Email feature(new window) that lets you encrypt messages sent to Gmail or other insecure email services by protecting it with a password. The recipient of this message receives a link which takes them to a website where they enter a pre-shared password to decrypt the message.

The argument made by the author is that if Google was acting maliciously, Gmail could compromise this communication by replacing the link in the email with a phishing link. Using this malicious link, Google could capture the password entered by the recipient and use it to decrypt the message at the original link.

This is technically true, but it is akin to saying “sending an email to a malicious email service can lead to the malicious service reading your emails.” This is always true, and is true for email in general, and not Proton Mail in particular. So while troubling to contemplate, this is not a Proton Mail flaw, but a flaw of any federated protocol, such as email.

If the recipient’s email service is the probable attacker in your threat model, then you probably shouldn’t email them at that address. However, there is a solution to this problem. If you and your contact both use Proton Mail, then all communications will be automatically protected by end-to-end encryption(new window).

Claim 3 – Weak passwords are weak

This claim is made in section 5.1.3 of the document. The argument is that because Proton Mail stores encrypted copies of the keys, we could potentially launch brute force attacks against these keys (although this is made rather difficult by the bcrypt slow hash that we utilize), and if the passwords are simple, they could potentially be guessed relatively quickly.

It is impossible to deny that weak passwords are weak. Our philosophy is to recommend best practices to users (like using 2FA), but not to force them. From past experience, we know that users prefer to make their own security decisions. That’s why we don’t force a minimum password strength, although we do strongly recommend that users use strong passwords. We don’t agree that this decision constitutes a serious cryptographic shortcoming in Proton Mail however. In future releases of Proton Mail, we will indeed do more to encourage the use of strong passwords.

Claim 4 – Proton Mail authentication doesn’t use zero-knowledge password proofs (ZKPP)

We will not address this claim in depth because the author has removed this claim (Section 5.2 in the document) in later versions of the paper. Proton Mail does, in fact, use the Secure Remote Password (SRP) protocol. However, there are a few things worth mentioning.

First, Proton Mail does provide a two password mode for user authentication(new window), which provides additional security against offline oracle attacks. As TLS would need to be broken first to execute this attack, we do not feel the marginal increase in security is worth the tradeoff in usability, so one password mode remains the default.

Second, our threat model today generally assumes the integrity of TLS. There is a growing body of evidence that suggests it might be time to question this assumption, which poses a serious problem for all online services in existence today. Because of this, many security companies (including us) are actively working on ways to reduce the need to rely on TLS integrity.

Conclusion

Deciding whether these points constitute “serious shortcomings in Proton Mail’s cryptographic architecture” is an exercise best left to the reader. We don’t think they are.

Having said that, we fully believe that security is a moving target. Whether it is introducing stronger cryptography to OpenPGP(new window), following the latest developments in browser code signing, working on combating TLS compromises or introducing advanced security features like Address Verification(new window), we are committed to staying at the forefront of security and cryptography and providing the most secure email service(new window) possible.

This video analysis (published by a third party) also responds to the claimed Proton Mail weaknesses:

You can get a free secure email account from Proton Mail here.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support.

P.S. Proton Mail always welcomes comments and engagement with the security community, whether directly through our open-source software projects(new window), or our bug bounty program(new window). While we do not agree with the conclusions, we still appreciate the author’s comments, which led to us addressing a non-critical bug where the SRP modulus signature was not verified by the Proton Mail web client(new window).

Protect your privacy with Proton
Create a free account

Share this page

Proton Team(new window)

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail