Introducing alternative routing to prevent censorship of Proton apps

Illustration of alternative routing

We’re announcing today a new anti-censorship system that can help users access our website if their government, ISP, or network administrator has blocked Proton services. The alternative routing feature is not yet deployed as of writing, but in the coming weeks, we plan to release it across all of our mobile and desktop applications. With this post, we wish to provide a bit more information to the community about the measures we are taking to ensure that Proton services are highly available, even in countries with censorship.

First, you don’t have to configure any settings to take advantage of alternative routing, which routes network connections to Proton servers differently to evade certain types of blocks. This system works automatically to let you use the Proton apps. And it only kicks in if we think you’re being censored. This feature is unfortunately not available for our websites, but it will work on all mobile and desktop apps (both ProtonMail and ProtonVPN). 

Note, using ProtonVPN is also an effective way to bypass many forms of censorship, and ProtonVPN is available for all Proton users (just go to protonvpn.com/download, install the app for your device, and log in with your Proton account).

In this article, we’ll describe some important information about alternative routing, and why this is an important step forward in our mission to provide privacy and security to all.

Why Proton requires anti-censorship measures

Our mission is to make it easy for anyone to keep their personal information safe. Our easy-to-use, encrypted services — ProtonMail, ProtonVPN, ProtonCalendar (in beta), and ProtonDrive (in development) — make it much harder to spy on you, steal your information, or misuse your private data. 

Because of this, some actors want to threaten our mission. Over the years, certain countries have made attempts (generally unsuccessful) to block access to Proton services.

While we have largely been able to overcome censorship and attacks, it’s imperative that we remain one step ahead of those who would seek to spy on people and restrict the freedom of information. Alternative routing is an additional capability which helps us ensure users can access our services.

The vast majority of our users will never need this system because Proton is very rarely blocked. But in critical situations for a small minority of users, this feature provides a seamless way to continue accessing your inbox or connecting to VPN.

When this feature is released in the coming weeks, our apps will automatically detect when a connection might be subject to censorship, and try alternative paths to establish a connection to Proton servers. While this method will not always succeed, in many cases it can be effective in bypassing certain blocks. This is an active area of research for our team, so over time, our anti-censorship capabilities will also get better and better over subsequent releases.

Typically, alternative routing is not used; we will only fall back to this method if we suspect Proton is being blocked in your location. We have made this alternate routing opt-out by default because it will only trigger in the rare instances when attempts to censor Proton are detected and because these attempts can occur without notice. Once Proton services are blocked, we do not have the ability to reach out to our users to inform them they should activate this feature.

However, we recognize there are trade-offs, which is why in the Settings of all of our apps you will have the option to turn off alternative routing if you never want it to be used.

Important things to know about alternative routing

Like most solutions to difficult problems, our anti-censorship system is not without drawbacks. Therefore, we have made this system optional, and you can turn it off in your app settings. 

Because blocking Proton usually involves targeting Proton infrastructure, alternative routing requires us to use third-party infrastructure and networks we do not control, some of which might belong to companies such as Amazon, Cloudflare, Google, etc., which may not have a good track record of privacy. Note, these third parties cannot see your actual data. All data transferred over third-party networks will remain encrypted at all times, just like the data that is transmitted via your ISP when you connect to Proton services regularly. However, these third parties could see your IP address and the fact that you are trying to connect to Proton. 

Additionally, we’ve had to customize TLS encryption to make the alternative routing work. TLS is the encryption protocol used in HTTPS, and it depends on certificate authorities to authenticate servers. Because censors require this information to identify targets, we are using public key pinning instead. This provides equally strong encryption but can be problematic if our server is somehow compromised.

In our view, these issues should not matter for most people, but if you are concerned about this, you can turn off alternative routing. However, this may mean you will be unable to access your Proton account if you are on a network that is censoring Proton. We will be updating our Privacy Policy to also include information about alternative routing.

What we’re working toward

At Proton, we have spent the last several months aggressively combating censorship around the world. We are the email and VPN provider of choice for many activists and pro-democracy movements around the world, and we will continue fighting to provide secure and private Internet services for all who need them.

That’s why we have spoken out against censorship in the UK while also developing new technologies to help users bypass blocks. For instance, ProtonVPN for Android now offers more protocols, making it more difficult to be blocked or censored. We have also made the APK available for download on Github so you can still download our app even if Google Play is blocked in your location.

More anti-censorship measures are coming, and we will be sharing additional updates as they become available. Follow us on social media to be informed of the latest updates.

Thank you for your support — it’s because of our community that we’re able to invest in making the Internet open and accessible.

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

About the Author

Admin

We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

21 comments on “Introducing alternative routing to prevent censorship of Proton apps

    • We understand that not everyone will want to use alternative routing. However, our fear is that if we do not enable by default, we will not be able to alert users that are having their Internet censored. If you do not want to use alternative routing, you are able to turn it off in Settings.

      Reply
  • Amazing work guys! I honestly love reading what you’re up to and I’m weirdly proud to be a user of something that I know is going to blow up and hopefully even challenge big players like like Google (in comparable services) some day.

    Reply
    • Thank you! We share your optimism that society is starting to realize that it needs to reassert the right to privacy. We’re proud to be with you as part of that movement

      Reply
  • Is alternative routing simply domain fronting? Also, can we have the option to always use alternative routing? Thank you

    Reply
    • Hi,

      No, alternative routing is not domain fronting. It will only trigger in the rare instances when attempts to censor Proton are detected.

      Thanks

      Reply
  • +1 “This option should be disabled by default and should only kick in once the user accepts a pop up prompt.”

    Reply
  • For those who are complaining about this setting should be opt in:

    Dear friend, there are two type of people, one are non technical people so if proton apps be blocked in their ISP, they won’t enable alternative routing so they complain.

    Two are those with technical knowledge, so if you are one of them go and turn it off and stop complaining :/

    Reply
  • First, I want to thank the entire Proton staff from past, present and future for your fight for freedoms. It is really a warm feeling to know how hard people like yourselves work not just for yourselves, but for everyone. Thank you for continuing to provide and improve these different kinds of technologies for the basic rights of everyone. I promise, when I can afford to support you, I will purchase the highest paid packages of all of your services, even though I wouldn’t come anywhere close to using half of the space, speed, etc. Instead, I would do it just to give thanks.
    With this latest news from you, I do have a question. If we are re routed, or alternatively routed automatically, will we have some form of pop up message making us aware of or giving us warning of doing so?
    Thanks, Todd!

    Reply
    • Hi Todd,
      Thank you for supporting our mission. Our fight to preserve the right to privacy and freedom of speech is fueled in by Proton users like yourself.
      Regarding your question about receiving a notification or pop-up when alternative routing kicks in, at the moment, no, that is not an option. However, our team will take it into consideration. Thanks again!

      Reply
  • After several months of my previous email attempting to be hacked from Vietnam and Taiwan, my husband and I decided to switch to Proton. I can’t begin to tell you how happy we are with your service, and we can’t thank you enough for the peace of mind.

    Reply
  • I’m very impressed by what you guys are doing. It’s why I’m an actual paying supporter.
    I love that you’ve opened your source. And that you are enabling open secure communications around the world.
    Overall I think this is a benefit to humankind.

    Reply
    • Hi JP,
      Thank you for your kind words and your support. We feel very strongly about the right to privacy and free speech. Our mission is to create tools that help people defend and exercise these rights. Your support helps us with this mission.

      Reply
  • By far, hands down, bar none, you guys are THE BEST. See, that explanation got the point across and didn’t have to be composed of 2.5 million words… keep leading by example. And take the compliment when they attempt to shut you down. The rattle of their cages speaks volumes about your progress toward the right to privacy and freedom of speech! Thank you so much!!

    Reply