ProtonMail Bridge is a desktop application that runs in the background on your computer and encrypts and decrypts your mail as it enters and leaves your device. It allows for full integration of your ProtonMail account with email clients like Microsoft Outlook, Mozilla Thunderbird, and Apple Mail.
This document discusses how Bridge handles sensitive information, describes its potential attack vectors, and explains the security features that mitigate these attacks. (Note: This security model applies to the Bridge application for Linux, macOS, and Windows.)
This security model is technical in nature, but was written in plain language so that the average user can understand the important takeaways. You can also read more about what ProtonMail is and is not designed to protect you from in the ProtonMail threat model.
Bridge security features
As part of normal, day-to-day operations, Bridge must handle different types of data with varying levels of sensitivity. This data includes (but is not limited to):
- User credentials and an access token for authentication with the Proton servers
- Public and private keys for sending and reading messages
- Encrypted messages, attachments, and metadata
We explain how Bridge secures this sensitive data in greater detail below.
Your passwords never leave your machine
Users log in to Bridge, which in turn authenticates with the ProtonMail API using the Secure Remote Password protocol. This authentication process ensures a user’s password never leaves their machine, and it generates an access token and a refresh token.
The access token is relatively short-lived and is used to authenticate any subsequent API requests; it is stored in the device’s memory. The refresh token is used to generate new access tokens and is stored securely in the operating system’s keychain (Windows Credentials Manager, macOS Keychain, or pass/gnome-keyring on Linux). The user’s hashed and salted mailbox password (used to decrypt their PGP keys) and Bridge password (used to connect an email client to Bridge) are also held in the operating system’s keychain.
Ensuring a secure connection to Proton servers
Bridge communicates with the ProtonMail API over an encrypted TLS connection. It additionally employs TLS certificate public key pinning to ensure it only connects to trusted ProtonMail servers. If Bridge receives an untrusted public key, it will assume an unknown intermediary is pretending to be a Proton server and immediately warn the user.
Bridge never stores or shares a user’s PGP keys
After the user logs in, Bridge downloads their encrypted, private PGP keys from the Proton servers and unlocks them. These keys are held in the device’s memory, never on disk. Whenever a user turns off their device, they wipe its memory. This makes it unlikely an attacker will be able to obtain a copy of a user’s PGP keys, even if they steal the user’s device. These keys are also never shared with other applications on your device and stay within Bridge’s memory space.
Bridge does not store decrypted message data
When an IMAP client requests a message body or attachment, it is downloaded from the Proton servers as an encrypted PGP message, decrypted locally, and then transmitted to the IMAP client. Similar to the user’s PGP keys, Bridge does not permanently store any message bodies or attachments to disk, further reducing the amount of sensitive data available on the device.
Here we describe the potential attack vectors of Bridge and how we mitigate these attacks.
Reducing the threat of a MITM attack
As described, Bridge employs TLS certificate pinning, which mitigates the risk of a network-level man-in-the-middle (MITM) attack.
Furthermore, the content of messages sent from Bridge to ProtonMail users or external recipients using PGP has an additional layer of protection thanks to end-to-end encryption. This means Bridge encrypts the user’s message before it leaves their device. The message remains encrypted until it reaches the recipient’s device, which decrypts it. This prevents any third party, including ProtonMail, from accessing the content of a user’s message. Messages sent this way remain inaccessible because a user’s mailbox password never leaves their device and, thus, is never transmitted to an attacker.
Bridge on Windows and macOS includes a feature that allows it to self-update. The update process has additional safeguards in place to verify that only trusted versions of Bridge that are created and signed by ProtonMail are installed.
Bridge recommended use cases
Bridge is a unique tool when compared to the other ProtonMail apps. As such, there are specific cases in which it would be more practical and useful than other ProtonMail apps.
Below are some examples of recommended use cases for Bridge:
If you find yourself without a stable Internet connection, you can use your favorite email client with Bridge to download emails while you do have good Internet access and then process them offline later. Most email clients will automatically send and receive your drafts once you are back online.
Offline backups of your emails are required
If you need to have offline copies of your messages for whatever reason, Bridge is the easiest way to accomplish this. The Bridge app enables your IMAP/SMTP client to do this automatically if you choose to do so.
Add ProtonMail security to already known email clients
If you or your staff do not feel confident learning how to use a new email service, Bridge lets you add ProtonMail encryption to your messages while continuing to use your favorite IMAP/SMTP email client. These clients include Outlook, Thunderbird, and Apple Mail, all applications that many people are familiar with. This means that once you set up Bridge, using it does not require any new training.
Bridge security model scope
No application is 100% secure, and no piece of software can protect its user against every potential threat. ProtonMail Bridge is engineered to provide additional protection to its users’ data, but certain conditions are outside of the scope of the security model.
User device security
We assume users run the Bridge app in a safe environment. For instance, we assume that Bridge program files are installed to a location where normal (non-admin) users have no write privileges. Furthermore, we expect the user’s device to be free of any malicious software (keyloggers, screen recorders, memory scanners, etc.) that could access the device’s data in memory or on disk. Bridge, unfortunately, cannot secure your data if your device is already compromised.
Additionally, we assume that the IMAP/SMTP ports that the email client connects to are not exposed beyond the device that Bridge is running on. The Bridge application ignores all connections that do not originate from the localhost, and we assume the user will not attempt to circumvent this.
Bridge installer security
We assume that the user securely downloaded the Bridge installer from our server (the server should present a valid and expected SSL certificate). For Windows and macOS, the operating system inspects the signatures on the installer file automatically before installation. It then displays the results to the user, which we assume they properly verify. We recommend Linux users refer to our support article on Verifying the ProtonMail Bridge package for instructions. If you download the Bridge application from an unauthorized source, we cannot guarantee the safety of the installer.
Our recommendations for keeping your device secure
We have invested heavily in the security of our Bridge app. You can help maximize the security of your own device by taking a few simple measures:
- Encrypt your device’s hard drive. Windows and macOS devices all have built-in encryption systems, but you have to turn them on. Once you have encrypted your drive, write down your recovery code and store it in a secure place.
- Enable your operating system’s antivirus protection, if available.
- Ensure your network ports are secured by a firewall to prevent outside machines from connecting to them.
- Do not install untrusted programs on your device. This includes unknown open source versions of Bridge. Downloading Bridge directly from ProtonMail is the safest option.
- Do not open links or download attachments from untrusted senders.
Our first priority is always our users’ security. Our goal is to make it easy for anyone to protect their privacy by creating tools that apply advanced cryptography to their messages automatically. The Bridge tool was designed to add additional security to already existing IMAP/SMTP email clients. By keeping your device secure, you can use these email clients and still take charge of your data. Thank you for your support!
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.