Recently, a self-published paper that was not peer reviewed claimed weaknesses in ProtonMail’s cryptographic architecture. The document is rather dense, and the casual reader is unlikely to be able to understand much beyond the alarming conclusion that there are allegedly “serious shortcomings in ProtonMail’s cryptographic architecture.” Below, we analyze these allegations one by one, so the average reader can judge the merits of these claims on their own.
The summary is that the claims made in this paper are not inherent to ProtonMail’s architecture. Its central assertion can also be made against practically every other end-to-end encrypted service in existence today. We do not believe the paper’s arguments constitute “serious shortcomings,” as we explain below.
Claim 1 – Web applications provide fewer security guarantees
This claim is made in section 5.1.1 of the document. While the author cites ProtonMail specifically, the claim covers all web apps in general. The central claim is essentially the following:
Because the user doesn’t have control over the web server that is providing the web app, any web service provider can change the application that is delivered to end users. This includes potentially providing a malicious application that could compromise the encryption. Because of this, ProtonMail should not provide a web application.
This issue is not specific to ProtonMail, of course, but applies to any web app in existence today. That includes all end-to-end encrypted services which provide a web app (practically all of them). The author’s claims would, therefore, apply equally well to WhatsApp, Telegram, Wire, Tresorit, Threema, etc.
The fact that web apps provide fewer security guarantees is well known and has been known since before ProtonMail was created, and it is also discussed in our published threat model. Where we disagree with the author is that we don’t believe the threat model of web apps is so fundamentally flawed that we need to take the step of not offering a web app at all.
The fact that practically every other end-to-end encrypted service also provides a web app is the surest sign that the modern Internet user requires a web app. Generally speaking, we think calling the differences between web and mobile app threat models a serious flaw in ProtonMail’s cryptography is highly misleading to the casual observer.
At ProtonMail, we have done two things to address the weakness of the web as a platform. First, we also provide native apps on every single platform. Second, we are closely following the work being done in the web standards community to introduce some form of code signing for web apps and will implement these solutions as soon as they mature.
Claim 2 – Encrypt-to-Outside doesn’t protect against a malicious recipient
This claim is made in section 5.1.2 of the document. ProtonMail has an Encrypt-to-Outside feature that lets you encrypt messages sent to Gmail or other insecure email services by protecting it with a password. The recipient of this message receives a link which takes them to a website where they enter a pre-shared password to decrypt the message.
The argument made by the author is that if Google was acting maliciously, Gmail could compromise this communication by replacing the link in the email with a phishing link. Using this malicious link, Google could capture the password entered by the recipient and use it to decrypt the message at the original link.
This is technically true, but it is akin to saying “sending an email to a malicious email service can lead to the malicious service reading your emails.” This is always true, and is true for email in general, and not ProtonMail in particular. So while troubling to contemplate, this is not a ProtonMail flaw, but a flaw of any federated protocol, such as email.
If the recipient’s email service is the probable attacker in your threat model, then you probably shouldn’t email them at that address. However, there is a solution to this problem. If you and your contact both use ProtonMail, then all communications will be automatically protected by end-to-end encryption.
Claim 3 – Weak passwords are weak
This claim is made in section 5.1.3 of the document. The argument is that because ProtonMail stores encrypted copies of the keys, we could potentially launch brute force attacks against these keys (although this is made rather difficult by the bcrypt slow hash that we utilize), and if the passwords are simple, they could potentially be guessed relatively quickly.
It is impossible to deny that weak passwords are weak. Our philosophy is to recommend best practices to users (like using 2FA), but not to force them. From past experience, we know that users prefer to make their own security decisions. That’s why we don’t force a minimum password strength, although we do strongly recommend that users use strong passwords. We don’t agree that this decision constitutes a serious cryptographic shortcoming in ProtonMail however. In future releases of ProtonMail, we will indeed do more to encourage the use of strong passwords.
Claim 4 – ProtonMail authentication doesn’t use zero-knowledge password proofs (ZKPP)
We will not address this claim in depth because the author has removed this claim (Section 5.2 in the document) in later versions of the paper. ProtonMail does, in fact, use the Secure Remote Password (SRP) protocol. However, there are a few things worth mentioning.
First, ProtonMail does provide a two password mode for user authentication, which provides additional security against offline oracle attacks. As TLS would need to be broken first to execute this attack, we do not feel the marginal increase in security is worth the tradeoff in usability, so one password mode remains the default.
Second, our threat model today generally assumes the integrity of TLS. There is a growing body of evidence that suggests it might be time to question this assumption, which poses a serious problem for all online services in existence today. Because of this, many security companies (including us) are actively working on ways to reduce the need to rely on TLS integrity.
Deciding whether these points constitute “serious shortcomings in ProtonMail’s cryptographic architecture” is an exercise best left to the reader. We don’t think they are.
Having said that, we fully believe that security is a moving target. Whether it is introducing stronger cryptography to OpenPGP, following the latest developments in browser code signing, working on combating TLS compromises or introducing advanced security features like Address Verification, we are committed to staying at the forefront of security and cryptography and providing the most secure email service possible.
The ProtonMail Team
This video analysis (published by a third party) also responds to the claimed ProtonMail weaknesses:
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.
P.S. ProtonMail always welcomes comments and engagement with the security community, whether directly through our open source software projects, or our bug bounty program. While we do not agree with the conclusions, we still appreciate the author’s comments, which led to us addressing a non-critical bug where the SRP modulus signature was not verified by the ProtonMail web client.