Introducing alternative routing to prevent censorship of Proton apps

Illustration of alternative routing

We’re announcing today a new anti-censorship system that can help users access our website if their government, ISP, or network administrator has blocked Proton services. The alternative routing feature is not yet deployed as of writing, but in the coming weeks, we plan to release it across all of our mobile and desktop applications. With this post, we wish to provide a bit more information to the community about the measures we are taking to ensure that Proton services are highly available, even in countries with censorship.

First, you don’t have to configure any settings to take advantage of alternative routing, which routes network connections to Proton servers differently to evade certain types of blocks. This system works automatically to let you use the Proton apps. And it only kicks in if we think you’re being censored. This feature is unfortunately not available for our websites, but it will work on all mobile and desktop apps (both ProtonMail and ProtonVPN). 

Note, using ProtonVPN is also an effective way to bypass many forms of censorship, and ProtonVPN is available for all Proton users (just go to protonvpn.com/download, install the app for your device, and log in with your Proton account).

In this article, we’ll describe some important information about alternative routing, and why this is an important step forward in our mission to provide privacy and security to all.

Why Proton requires anti-censorship measures

Our mission is to make it easy for anyone to keep their personal information safe. Our easy-to-use, encrypted services — ProtonMail, ProtonVPN, ProtonCalendar (in beta), and ProtonDrive (in development) — make it much harder to spy on you, steal your information, or misuse your private data. 

Because of this, some actors want to threaten our mission. Over the years, certain countries have made attempts (generally unsuccessful) to block access to Proton services.

While we have largely been able to overcome censorship and attacks, it’s imperative that we remain one step ahead of those who would seek to spy on people and restrict the freedom of information. Alternative routing is an additional capability which helps us ensure users can access our services.

The vast majority of our users will never need this system because Proton is very rarely blocked. But in critical situations for a small minority of users, this feature provides a seamless way to continue accessing your inbox or connecting to VPN.

When this feature is released in the coming weeks, our apps will automatically detect when a connection might be subject to censorship, and try alternative paths to establish a connection to Proton servers. While this method will not always succeed, in many cases it can be effective in bypassing certain blocks. This is an active area of research for our team, so over time, our anti-censorship capabilities will also get better and better over subsequent releases.

Typically, alternative routing is not used; we will only fall back to this method if we suspect Proton is being blocked in your location. We have made this alternate routing opt-out by default because it will only trigger in the rare instances when attempts to censor Proton are detected and because these attempts can occur without notice. Once Proton services are blocked, we do not have the ability to reach out to our users to inform them they should activate this feature.

However, we recognize there are trade-offs, which is why in the Settings of all of our apps you will have the option to turn off alternative routing if you never want it to be used.

Important things to know about alternative routing

Like most solutions to difficult problems, our anti-censorship system is not without drawbacks. Therefore, we have made this system optional, and you can turn it off in your app settings. 

Because blocking Proton usually involves targeting Proton infrastructure, alternative routing requires us to use third-party infrastructure and networks we do not control, some of which might belong to companies such as Amazon, Cloudflare, Google, etc., which may not have a good track record of privacy. Note, these third parties cannot see your actual data. All data transferred over third-party networks will remain encrypted at all times, just like the data that is transmitted via your ISP when you connect to Proton services regularly. However, these third parties could see your IP address and the fact that you are trying to connect to Proton. 

Additionally, we’ve had to customize TLS encryption to make the alternative routing work. TLS is the encryption protocol used in HTTPS, and it depends on certificate authorities to authenticate servers. Because censors require this information to identify targets, we are using public key pinning instead. This provides equally strong encryption but can be problematic if our server is somehow compromised.

In our view, these issues should not matter for most people, but if you are concerned about this, you can turn off alternative routing. However, this may mean you will be unable to access your Proton account if you are on a network that is censoring Proton. We will be updating our Privacy Policy to also include information about alternative routing.

What we’re working toward

At Proton, we have spent the last several months aggressively combating censorship around the world. We are the email and VPN provider of choice for many activists and pro-democracy movements around the world, and we will continue fighting to provide secure and private Internet services for all who need them.

That’s why we have spoken out against censorship in the UK while also developing new technologies to help users bypass blocks. For instance, ProtonVPN for Android now offers more protocols, making it more difficult to be blocked or censored. We have also made the APK available for download on Github so you can still download our app even if Google Play is blocked in your location.

More anti-censorship measures are coming, and we will be sharing additional updates as they become available. Follow us on social media to be informed of the latest updates.

Thank you for your support — it’s because of our community that we’re able to invest in making the Internet open and accessible.

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

About the Author

Proton Team

Proton was founded by scientists who met at CERN and had the idea that an internet where privacy is the default is essential to preserving freedom. Our team of developers, engineers, and designers from all over the world is working to provide you with secure ways to be in control of your online data.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

46 comments on “Introducing alternative routing to prevent censorship of Proton apps

    • We understand that not everyone will want to use alternative routing. However, our fear is that if we do not enable by default, we will not be able to alert users that are having their Internet censored. If you do not want to use alternative routing, you are able to turn it off in Settings.

      Reply
  • Amazing work guys! I honestly love reading what you’re up to and I’m weirdly proud to be a user of something that I know is going to blow up and hopefully even challenge big players like like Google (in comparable services) some day.

    Reply
    • Thank you! We share your optimism that society is starting to realize that it needs to reassert the right to privacy. We’re proud to be with you as part of that movement

      Reply
  • Is alternative routing simply domain fronting? Also, can we have the option to always use alternative routing? Thank you

    Reply
    • Hi,

      No, alternative routing is not domain fronting. It will only trigger in the rare instances when attempts to censor Proton are detected.

      Thanks

      Reply
  • +1 “This option should be disabled by default and should only kick in once the user accepts a pop up prompt.”

    Reply
  • For those who are complaining about this setting should be opt in:

    Dear friend, there are two type of people, one are non technical people so if proton apps be blocked in their ISP, they won’t enable alternative routing so they complain.

    Two are those with technical knowledge, so if you are one of them go and turn it off and stop complaining :/

    Reply
  • First, I want to thank the entire Proton staff from past, present and future for your fight for freedoms. It is really a warm feeling to know how hard people like yourselves work not just for yourselves, but for everyone. Thank you for continuing to provide and improve these different kinds of technologies for the basic rights of everyone. I promise, when I can afford to support you, I will purchase the highest paid packages of all of your services, even though I wouldn’t come anywhere close to using half of the space, speed, etc. Instead, I would do it just to give thanks.
    With this latest news from you, I do have a question. If we are re routed, or alternatively routed automatically, will we have some form of pop up message making us aware of or giving us warning of doing so?
    Thanks, Todd!

    Reply
    • Hi Todd,
      Thank you for supporting our mission. Our fight to preserve the right to privacy and freedom of speech is fueled in by Proton users like yourself.
      Regarding your question about receiving a notification or pop-up when alternative routing kicks in, at the moment, no, that is not an option. However, our team will take it into consideration. Thanks again!

      Reply
  • After several months of my previous email attempting to be hacked from Vietnam and Taiwan, my husband and I decided to switch to Proton. I can’t begin to tell you how happy we are with your service, and we can’t thank you enough for the peace of mind.

    Reply
  • I’m very impressed by what you guys are doing. It’s why I’m an actual paying supporter.
    I love that you’ve opened your source. And that you are enabling open secure communications around the world.
    Overall I think this is a benefit to humankind.

    Reply
    • Hi JP,
      Thank you for your kind words and your support. We feel very strongly about the right to privacy and free speech. Our mission is to create tools that help people defend and exercise these rights. Your support helps us with this mission.

      Reply
  • By far, hands down, bar none, you guys are THE BEST. See, that explanation got the point across and didn’t have to be composed of 2.5 million words… keep leading by example. And take the compliment when they attempt to shut you down. The rattle of their cages speaks volumes about your progress toward the right to privacy and freedom of speech! Thank you so much!!

    Reply
  • Amazing work guys! I honestly love reading what you’re up to and I’m weirdly proud to be a user of something that I know is going to blow up and hopefully even challenge big players like like Google (in comparable services) some day.

    Reply
  • I’m leaving y’all today immediately after I send this text message/email to y’all
    Ur app is just way way way too confusing to me I can’t figure it out…. It’s mind boggling to me… So I’m definitely deleting it… I’ll never come back to this app I’ve looked at it a lot but it’s just not for me….kinda like the
    Shark tank… I’m out….

    Reply
  • I have mentioned several times that I want a paid for email account-1. User (small account) plus
    1. VPN (paid for by a one year subscription for both email and VPN)
    I believe I need to set up 2FA?

    Reply
    • Hi Jacqueline,

      No, you don’t need 2FA to get a paid account. Please reach out to our customer support team if you have any issues setting up an account.
      Thanks

      Reply
  • I appreciate all you do to protect privacy of users. Certainly the goal of assisting freedom fighters in tyrannical regimes to communicate more safely is incredibly noble. I live in America, I am a civil rights lawyer, and I will never forget how close we came to losing those freedoms and liberties we take for granted every day. Justice Hitler what is the democratically elected, but suspended the constitution within a month, it takes very little for a democracy to turn fascist overnight. Fear mongering, scapegoating minorities, and the rest of it, is winning formula and we cannot seem to learn from history.
    With all that said, I wanted to pose another scenario where your fierce protection of users has a serious drawback. It is a bit of long story but beat with as it takes some background for you to understand my quandary.
    I have been targeted by extremely determined and sophisticated cyber criminals— ironically, because I stood up for Democratic principles, truth and transparency against a corrupt municipal government and its leadership. I found these persons have been stealing millions in taxpayer dollars intended to support public education. Particularly loathsome and just evil has been the diversion of money from programs meant for poor and disabled children. These children, our most vulnerable and voiceless, have suffered tremendously as a result.
    I was an elected school director, a volunteer position but one with the heady responsibility for financial oversight. And it was through this position that I discovered this terrible conspiracy. I fought it as best I could. But I paid a price. Our IT personnel and their associates leveraged the vulnerabilities of Microsoft365 and its suite of extensions (we were each assigned a Microsoft365 for enterprise account) against me. Unbeknownst to me at the time, the bad actors were able to get to my personal Microsoft account, and from there to access my Google, Adobe, LinkedIn, other social media accounts. (I was that dummy that used the same password for everything; so I was easy prey.) Our head of schools literally hacked into my Gmail and sent emails posing as me, that were intended to make me look terrible and bully like and crazy, to get the other directors to turn against me. I sent a text saying I was going to report to the FBI and SEC the theft in order to get justice for the kids. The other directors were sheep, too scared, moral cowards, the worst sort of hypocrites. Next thing I knew, I was threatened and forced to resign to protect my family.
    That’s when I signed up for your service. The feds are investigating the massive embezzlement. The cyber crime is not at the top of the list and they have to prove the underlying crime, which is massive and goes back years, before they can even prosecute on my behalf. I am on own. And here’s the issue. Because I continue to work with authorities I continue to be cyber harassed; have had accounts hacked and passwords changed multiple times. It seems no matter how many times I change ID’s, put in two factor verification, still I can’t shake them. I unfortunately have to still use google for some work items. Google is awful and the data sharing between social media continues to expose me.
    I know that they are trying everything to infiltrate Protonmail. I have 3 kids in the schools who are required to use Microsoft365. I normally do my work at a shared office but since Covid I am home; using the same wifi as the family. And even to check their grades and other information I have to use that damned Microsoft.
    I have to stop these persons; but I can’t trace them without some identifying information. This would include IP addresses and device information. Google provides the last 10 IP sign ins but no other data;, Microsoft doesn’t give IP, but gives location and device info.
    And you — ProtonMail, the biggest target— because they know I store evidence here now — provide no info regarding those attempting to get to this account.
    So in such case privacy is a double edged sword. While it protects my into, I live in perpetual fear they will find a way in. And since you don’t share any info about attempts to sign in or other security alerts, you inadvertently are protecting the very bad actors your technology was designed to repel. Why should they enjoy that privilege.
    I have stood up against dark, anti-Democratic, corrupt forces. Yes it is not a nationstate. But as Orwell warned, fascism anywhere, must be stamped out before it grows. It must fought in any corner, even a municipal district that has succumbed to it. There are people like me all over America – all over the globe – who fight the good fight to protect democracy and freedom. Your service is invaluable to us.
    I just wish your privacy protection that benefits us, the good, the freedom fighters, did not simultaneously cloak the bad, the evil and corrupt, with the same privacy to carry out their misdeeds.
    Thank you for your consideration.

    Reply
  • I would like more options for alterntive browser such as startmil. Safari is not a acceptable option as Apple is part of the security problem.

    Reply
  • Thank you. Only 3 days being your Ptonmail Plus client and you have already been able to get from me, much more confident with your work. Protonmail android app advice has derived me to this article. Congrats and go ahead. Thanks for your great work

    Reply
    • Hi Anonymous. You can change layout options (including switching to Dark Mode) in the beta.protonmail.com web app by going to Settings -> appearance. You can increase text size using your browser’s built-in zoom function (Options -> Zoom -> + in Chrome and Firefox).

      Reply
  • I really appreciate what you do. I am a Trump supporter and have been kicked off many platforms. The way we are going, I am afraid I might end up in a camp to alter my thinking. So, I was very concerned when I got a message from you on gmail. I do want to be notified if there is a problem, I am trying to disentangle my internet from google. Doe# this mean that someone is trying to mess with me? The USA is in real trouble as far as I can see.

    Reply
  • You should tie up for payments using kindness credits from ULCT. And I’m sure we can all work towards a safer tomorrow, lawfully.

    Also, I hadn’t shared any backup email but I’ve got a couple of emails now in another gmail account, which has prompted me to go to https://mail.protonmail.com. to check new messages.

    Please clarify what is happening.

    Thanks

    Reply
  • Your encryption is Very much needed! My Information on identity theft was used on the FTC WEBSITE on “How ID THEFT OCCURS” , … word for word in exact order … . Published a dvd – IDENTITY THEFT: FIRST LINE IF DEFENSE (2008) and I have many copyrighted articles back in 2005-2008 related to information on electronic data, banking, medical records, identity theft, personal tracking & more … WHO & the FTC were the only organizations interested at that time. I Could not get Senate Finance , Medicare, FBI, CIA, interested nor most other parts of the governments.
    I sincerely applaud you!!!

    Reply
  • How does your system work with streaming services? I use amazon prime and netflix through AT T router. Is there any slow down. I do not have a smart TV either. I am looking for an email I can use for secure banking and your company was referred to me by my IT guy.

    Reply
    • Hi James. Using a VPN always intrudes a some speed loss, mainly due to extra distance data must go via a VPN server. If you connect to a VPN server close your you then this sped loss will be minimal. ProtonVPN officially unblocks these streaming services for Plus and Visionary users. And yes, ProtonMail is the world’s most popular truly secure email service.

      Reply
  • It would be great if you all good implement majority of these new “Protocols” such as something a bit more secure than iKE2 – VPN Encryption for iOS & any other such patches, updates, upgrades, etc. to help in making things much more difficult if not , “Next-To” impossible for certain acronym agencies to spy on any “run-of-the-mill” Joe Schmoe like myself. That would be awesome! I use your Top Tier subscription services for All my devices. I think the double PW w/ the 2rfa authentication is great if not next to perfect along with the NO LOGS! Gives a user a piece of mind to say the least. I just wanted to add my 2 cents about adding the new security & encryption protocols for iPhone (iOS) as I stopped using anything having to do with (Google) eg. (ANDROID), and it’s parent Company & all the little “info gathering” background institutions that “Alphabet” owns as well. Good ole Johnny Hanky

    Reply
  • Hi, to be honest when I was reading this
    Censorship it’s all Chinese to me. I’m health practitioner
    And don’t understand IT.. what I want to know
    Is it safer to de- activate it or leave it active?
    Last week my outlook/google was hacked my pushing malware… so after getting new phone I read feedback about proton and went with it. so I did not understand anything about this re-routing. I live in Australia. Also does paid subscription offers more security?
    Thanks in advance for reply

    Reply