ProtonMail is Open Source!


Earlier today, we released ProtonMail 2.0 to the world. We are happy to announce that we are also releasing ProtonMail 2.0 as open source software! From the beginning, we have been strong proponents of open source software and the core cryptography libraries that we develop and use have been open source from day one.

 

Today, we are happy to take the next step and completely open source our webmail interface. This means all the ProtonMail code that runs on your computer is now available for inspection. We hope that by opening up our platform, we will encourage additional contributors to help us make ProtonMail the world’s most secure email service.

Our move to open source has actually been coming for a long time. While it would have also been possible to open source ProtonMail 1.x, we felt that such a move was not appropriate given that the code was intended to be deprecated. By open sourcing ProtonMail 2.0, we are open sourcing the future of ProtonMail. As we continue to expand our private email service with mobile apps, you can look forward to more open source announcements as our code base matures.

ProtonMail 2.0 can be viewed online on GitHub at the link below. As a nod to our CERN and MIT roots, we are releasing under the permissive MIT license. Let us know if you do something cool with our code.

https://github.com/ProtonMail/WebClient

We welcome all feedback at security@protonmail.ch and look forward to continuing to improve ProtonMail with your help!

Best Regards,
The ProtonMail Team


92 comments on “ProtonMail is Open Source!”

    • I don’t really know how to use ProtonMail’s features. I would like to have a guide in French. I inadvertently clicked on a link to stop receiving notifications, but in fact I would like to receive them. You once asked the question: “why did you choose protonmail?” The answer is simple: I trust it. Sometimes I cannot manage to reply, because I don’t understand everything, or understand very little. Some emails were not delivered. What is the problem?
      Thank you for what you do for the community.

  • I’m so enjoying this simple system that my hope is to close my sole other email account.

    But: does anyone know why my gmail account alerted me with a mailer daemon when my protonmail account didn’t accept a mssg with a (clean) attachment? This happened minutes ago, and I don’t like it. The accounts certainly are not synced.

    The accounts share only an address username, and possibly my laptop has allowed an unwanted I.D. “Save,” somewhere – I dunno.

    Any light appreciated!

  • If I understood correctly, the open-source part is about the front-end part of ProtonMail as you wrote in the “ProtonMail Open Source Cryptography” post. Thank you very much for this release and for sure it will help to make ProtonMail more secure. However, what about the code of the back-end part? It could be really good to have it also under free license in order to host ProtonMail at home on our own computer. I guess the arguments you defend on the previous post for the front-end part are also valid for the back-end part.

    • The security risks of open sourcing the back-end code are too high. It would let an attacker know how our infrastructure is set up or let spammers get insight into how to circumvent our anti-spam measures.

      • This approach to security ignores the fact that it’s easier to find security issues than it is to close them. An attacker being ‘blind’ by not having the source code can still find flaws and when they do it’s down to your team to fix them. If other developers can see the code they might not spot them before attackers do but they can certainly aid in providing fixes.

      • This “security through obscurity” mentality is widely understood to be wrong. It’s the reason we all prefer to use (and you brag about) using open source crypto libraries. They are widely reviewed. The smartest people in the room have picked them apart and their vulnerabilities have been fixed to the best possible degree, exactly because they are open source. So as you say, your software is built upon that solid base, but how can you expect any user who values security and/or privacy to trust that you are capable of implementing this tool in a manner which does not circumvent the security of that base?

        • Because of spam issues, it is not secure to open source the backend code. Open sourcing the backend also does not increase trust because the software runs on our servers.

          • SpamAssassin is open source and still it’s an extremely powerful tool, for example. Open sourcing the back-end would permit other people to use this (awesome) service on private servers, which reasonably goes versus your business plan. Please don’t use the spam excuse.

          • We don’t rely solely on SpamAssassin as that doesn’t work on internal emails which we can’t read.

      • If it’s not open source, you should assume that governments and commercial interests have access to your information and act accordingly. Words are wind. The only way to know for sure is if we can verify the source.

      • I think it is equally important for ProtonMail to understand the right of one to protect their own privacy even from the prying eyes of Google and its many intrusive services. For that reason alone, I’ve long ago deleted my gmail account and no longer wish to be tied down by such privacy-violating corporate thugs.

        In line with that thought, I do hope that any Android application development also includes a non-Google Play app option. I have more than ample reason for not using any of Google Services and am rightfully concerned about how my privacy is violated, even when using the Google Play Store. This is why I choose not to use Google Play at all. Never mind the fact that in order to access apps through Google Play, Google itself forces users to have a Gmail account——-This is outright blackmail and I find it deplorable that very few companies desire to take a firm stand against this borderline monopolizing by Google.

        Let’s face facts, shall we…

        Google has already been implicated in dozens of Privacy violations in just the past ten years alone. Fast forward to the present date and now Google is facing anti-trust charges for their questionable business ethics——-and yet, hardly anyone else in silicon valley appears to have the guts to stand up to Google to force a change for the better!

        Please don’t tell me the makers of ProtonMail agree with Google’s draconian mindset?!

        Please——-tell me that ProtonMail is serious enough about protecting user privacy——-even to the point of providing them with a non-Google option…(i.e., such as [ appsapk.com ]…)

        If ProtonMail were to deliver on a non-Google-Play application, I will then consider an account because that is how important I realize the issue of user privacy and dignity really is——-I only hope that ProtonMail has reached that same conclusion——-for if we continue to let Google and other corporate thugs have their way with us, the future of this world will be a lot more dismal than Orson Welles could’ve ever imagined…

        https://www.schneier.com/essays/archives/2006/05/the_eternal_value_of.html

        • Amen,

          …as similar arguments hold for Apple and Microsoft, I would argue the Ubuntu Phone is the perfect way out, for any one trying to escape from getting encapsulated in the Apple/Google/Microsoft/Facebook empires.

          While large companies are trying to force intrusive cloud services down our throats (Windows 10 anyone? Adobe Creative Cloud? Or the whole Apple/Google infrastructure for all that matter?), trying to make us depend on their services and raping us privacy-wise, Protonmail could make a stand by teaming up with Canonical and provide decent/paid/secure/private cloud services for the Ubuntu platform, both desktop and mobile.

          One service that seems to go in this direction is Telegram, a very nice alternative to WhatsApp, now that Facebook acquired that one (Gosh, I wonder how they are going to make that US$19 billion back? What could be so precious, given that the service is for “free”??).

          Ahem, let me finish by stating that it’s wonderful to have a service like Protonmail, be it by means of an App or a web interface. It really made my day when I discovered there’s a perfectly decent alternative to Gmail. 🙂 <3

  • Wow, Android beta available already tomorrow! Perfect! You guys are amazing. Your service is one of the most amazing ones after Snowden revelations.
    P.S. Nevertheless I’m still missing the possibility of aliases or controlling/merging more accounts under the same login. This is the last essential privacy feature I’m still missing.

  • It’s good to see that ProtonMail is headed in the right direction. It’s impossible to have privacy or security without free (as in freedom) software.

    I hope the organization will continue down this path and make the rest of their software free software.

    Have you considered the Apache 2.0 License? It helps prevent patent treachery.

  • Is it not dangerous for safety and privacy of Proton Mail to share any parts of code with people? I thought the code is top secret matter…

  • I have been using the Thunderbird e-mail client with Gmail. I do not care for Gmail’s online method for accessing my e-mail, but am happy with the Thunderbird software (on my computer).

    Do you have now, or will you be offering in the near future, an e-mail client that would handle my e-mail activity right on my computer, and then just connect to your servers to upload or download the e-mails, as Thunderbird does?

    Thank you.

    • We are considering providing hosting for other at risk projects since we know many of them cannot afford the costly solutions we put in to get comprehensive protection.

  • Just out of curiosity for those of us who are considering a donation to ProtonMail, in order to obtain immediate access to a new email account——-Does ProtonMail accept donations on the premise that a user’s payment information is retained and subsequently charged at a later date for any reason?——-If so, does that mean that ProtonMail intends to create paid-for email account access as opposed to free email account access?

    If the donation is made only as a one-time donation, and furthermore, email subscribers are not expected to pay for account access after that, then why is payment information kept? For what purpose does that serve other than to raise suspicion of intent on the part of ProtonMail?

    Any respondents to these questions should please take them as seriously as I do for these are not unreasonable questions to ask and potential account holders have the right to know this information….

  • How do you get on your request page? It says to put in your current email when a slot becomes available, and then says use the current form, which rejects your current email when you try to make a request??????

  • Is not using Open Source software in direct conflict with Secure protected email service? You’re giving people like me (programmers) huge in-roads to hacking / leveraging known flaws?

    I was considering also starting an email service to provide a non-nsa letter signer type service – you have an awesome idea – open source is a major flaw!!!!

    Jeff

  • I really love the simple and clean interface of Protonmail. This is the way email should be. I also appreciate the added benefits of the security Protonmail provides. To know that our private communications are truly being protected and fully encrypted is the peace of mind I expect in an email provider.

    The fact that we are not served ads inside nor outside of our inboxes is also commendable and again just proves that Protonmail really does take user privacy seriously.

    While I cannot make a donation today, I firmly intend to the next chance I get. I hope the developers of Protonmail continue to maintain this fine service long into the future——-and please, please——-don’t ever become like the trashy and privacy obfuscating services being offered by Google, Facebook and the like. Their defiant and utterly repulsive but forceful attitude with regard to how they treat user privacy is absolutely deplorable and should be rightfully boycotted where ever possible!

    Thank you developers of Protonmail. You Rock!

  • Is my email only to other protonmail accounts secure meaning everyone I email will have to use protonmail too or will it work when I email another email provider?

  • Hello! Good web-service!

    But help me to understand it, that it has email address, then I know, who send me e-mail, and all people will know where I will send my encrypted emails…

    Thx!

  • Having grandchildren being negatively affected by other email providers, proton gave our family secured freedom to share our lives in a trusted digital world. Thank-Redge Hamer

  • Hey guys, look, I am a newbie to all this tech stuff. Bare basic skills are all I know, but I’m one who thinks government and corporate America are becoming far too nosey, so I want to learn as much as I can. Unfortunately my financial situation is a little lacking in funds as I’m on disability retirement, but any info you can give me to help increase my tech knowledge and capabilities would be greatly appreciated. Thanx, Joseph V

  • Talking about security while your server side software is closed source is a joke…
    Happy fooling people around with all those shiny ads about security…

    • Server side software runs in the backend and cannot be independently verified either way so there is no trust benefit to open sourcing it. But not open sourcing it does allow us to combat spammers better by not disclosing how we fight spam.

      • “cannot be independently verified either way so there is no trust benefit to open sourcing it”

        This is a false sentiment. Any software can be verified that it is handling data correctly, has no bugs that might inadvertently expose data.

        Open sourcing the front end is akin to allowing us to verify that the padlock is secure, while we have to trust that you have built the safe correctly.

        I’m not saying I don’t trust what you are doing, I think it’s great. But don’t feed us lines. If you want to keep part of your system closed IP so you can profit, just say that.

        • We also cannot really open source the backend because it would expose details that could have security consequences. For example, spammers could use the code to figure out how to bypass our anti-spam protection measures.

          • “We also cannot really open source the backend because it would expose details that could have security consequences”

            Another line.

            Any security that relies on secrecy of the algorithm is bound to fail, someone will reverse engineer it, find a weakness, create an exploit etc. I don’t think people will care if you keep your spam filters proprietary, what people are interested in vetting is the crypto. If you are using industry standard methods there is no reason ‘security’ would be compromised by exposing the code, only the keys must be kept private.

            Please recognise that folks asking for the code to be open sourced have a good understanding of what this means. Avoidance of the true issues actually brings doubt on the integrity of the system you are trying to protect. Your previous statement claiming there is no benefit in public auditing of the system is either a deliberate falsehood or demonstrates poor understanding of how security works.

  • Since there is no assurance that our private phone numbers will not be leaked, and since you claim to require sms phone number as purely an anti-spam measure, why not institute an optional bitcoin escrow deposit (perhaps $5-10 deposit for 10 emails per hour) as a safeguard against spam? Then we can have real privacy possibilities for nerds who know the difference between real privacy and “trust us, it’s private”. Truly private messaging is on the verge of replacing email, so why not grab some market share before you are rendered obsolete by decentralized apps?

    • Phone verification is only requested for less than 10% of user signups. All verification methods can be bypassed by upgrading to a paid account, and this is possible with Bitcoin.

  • Look, I believe in privacy and it is in large part why I donated several hundred dollars in the beginning of protonmail’s campaign. In return I was given an email address. Now I find out I cannot get a free version of protonmail for my android? I really do not wish to pay again…and I really abhor the idea of having to have a google account. Google is hugely responsible for selling information…and they are by far the worst offender when it comes to you asking them to remove things. They care nothing of privacy because their revenue revolves around selling the hell out of whatever they can convince people to buy. Hence cookies and tracking, refusal to remove things and so forth.

    When is protonmail going to have a FREE version for android which does NOT involve having a google+ account? Some of us value our privacy, hence no Facebook, no twitter and no google accounts. What I do or do not do should never be anyone else’s business.

  • Hmmm very dubious indeed, very dubious…. strange things sometimes occur, like the cursor spewing out private info if I just paste to a random place…shouldn’t that sorta thing be totally disabled when I leave proton Mail??

  • Does the Protonmail android app store email on the local device or not? My phone does not support encryption. If it does store it, can other applications access that data by any type of permission?

  • I have paid $75.00 donation and as of today have not received any website link to be connected to begin using protonmail. Please look into this.
    I have lost my record for ID used when opening protonmail account.

    Payment was charged from Bank of America debit card under name of myong sop shin and segesys institute.
    The payment is still in processing after three days.
    Thanks.
    Myong Sop Shin
    mtonyshin@gmail.com

    • They will be once the code is more stable and we are ready to accept pull requests. Right now, the mobile code is still changing very quickly.
