ProtonMail is Open Source!

Earlier today, we released ProtonMail 2.0 to the world. We are happy to announce that we are also releasing ProtonMail 2.0 as open source software! From the beginning, we have been strong proponents of open source software and the core cryptography libraries that we develop and use have been open source from day one.

 

Today, we are happy to take the next step and completely open source our webmail interface. This means all the ProtonMail code that runs on your computer is now available for inspection. We hope that by opening up our platform, we will encourage additional contributors to help us make ProtonMail the world’s most secure email service.

Our move to open source has actually been coming for a long time. While it would have also been possible to open source ProtonMail 1.x, we felt that such a move was not appropriate given that the code was intended to be deprecated. By open sourcing ProtonMail 2.0, we are open sourcing the future of ProtonMail. As we continue to expand our private email service with mobile apps, you can look forward to more open source announcements as our code base matures.

ProtonMail 2.0 can be viewed online on GitHub at the link below. As a nod to our CERN and MIT roots, we are releasing under the permissive MIT license. Let us know if you do something cool with our code.

https://github.com/ProtonMail/WebClient

We welcome all feedback at security@protonmail.ch and look forward to continuing to improve ProtonMail with your help!

Best Regards,
The ProtonMail Team

About the Author

Admin

We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.


149 comments on “ProtonMail is Open Source!”

    • I don’t really know how to use ProtonMail’s features. I would like to have a guide in French. I accidentally clicked on a link to stop receiving notifications, but I would actually like to receive them. You once asked the question: “Why did you choose ProtonMail?” The answer is simple: I trust you. Sometimes I can’t reply, because I don’t understand everything, or understand very little. Some emails were not delivered. What is the problem?
      Thank you for what you do for the community.

      Reply
      • An excellent initiative, which shows that the spirit of sharing and freedom endures in this world of plunderers.

        I too would appreciate anything that could be translated into French, but well, I’m not going to complain about my handicap when I’m being offered such a fine tool!

        Thanks to the “protons”

        Eric Valissant

        Reply
  • I’m so enjoying this simple system that my hope is to close my sole other email account.

    But: does anyone know why my gmail account alerted me with a mailer daemon when my protonmail account didn’t accept a mssg with a (clean) attachment? This happened minutes ago, and I don’t like it. The accounts certainly are not synced.

    The accounts share only an address username, and possibly my laptop has allowed an unwanted I.D. “Save,” somewhere – I dunno.

    Any light appreciated!

    Reply
  • If I understood correctly, the open-source part is about the front-end part of ProtonMail as you wrote in the “ProtonMail Open Source Cryptography” post. Thank you very much for this release and for sure it will help to make ProtonMail more secure. However, what about the code of the back-end part? It could be really good to have it also under free license in order to host ProtonMail at home on our own computer. I guess the arguments you defend on the previous post for the front-end part are also valid for the back-end part.

    Reply
    • The security risks of open sourcing the back-end code are too high. It would let an attacker know how our infrastructure is set up or let spammers get insight into how to circumvent our anti-spam measures.

      Reply
      • This approach to security ignores the fact that it’s easier to find security issues than it is to close them. An attacker being ‘blind’ by not having the source code can still find flaws and when they do it’s down to your team to fix them. If other developers can see the code they might not spot them before attackers do but they can certainly aid in providing fixes.

        Reply
      • This “security through obscurity” mentality is widely understood to be wrong. It’s the reason we all prefer to use (and you brag about) using open source crypto libraries. They are widely reviewed. The smartest people in the room have picked them apart and their vulnerabilities have been fixed to the best possible degree, exactly because they are open source. So as you say, your software is built upon that solid base, but how can you expect any user who values security and/or privacy to trust that you are capable of implementing this tool in a manner which does not circumvent the security of that base?

        Reply
        • Because of spam issues, it is not secure to open source the backend code. Open sourcing the backend also does not increase trust because the software runs on our servers.

          Reply
          • SpamAssassin is open source and still it’s an extremely powerful tool, for example. Open sourcing the back-end would permit other people to use this (awesome) service on private servers, which reasonably goes versus your business plan. Please don’t use the spam excuse.

          • We don’t rely solely on SpamAssassin as that doesn’t work on internal emails which we can’t read.

          • Please consider moving all your spam filters into a proprietary module, and releasing the rest as open source.

            Allowing organizations and individuals to run Protonmail on their own infrastructure would have tremendous value to the community. I know of several non profits, and a government which would switch their infrastructure from roundcube/dovecot/postfix to Protonmail if they could self host. (though I would guess postfix would still be used 😉)

            Mahalo for your considerations.

      • If it’s not open source, you should assume that governments and commercial interests have access to your information and act accordingly. Words are wind. The only way to know for sure is if we can verify the source.

        Reply
      • I think it is equally important for ProtonMail to understand the right of one to protect their own privacy even from the prying eyes of Google and its many intrusive services. For that reason alone, I’ve long ago deleted my gmail account and no longer wish to be tied down by such privacy-violating corporate thugs.

        In line with that thought, I do hope that any Android application development also includes a non-Google Play app option. I have more than ample reason for not using any of Google Services and am rightfully concerned about how my privacy is violated, even when using the Google Play Store. This is why I choose not to use Google Play at all. Never mind the fact that in order to access apps through Google Play, Google itself forces users to have a Gmail account -- This is outright blackmail and I find it deplorable that very few companies desire to take a firm stand against this borderline monopolizing by Google.

        Let’s face facts, shall we…

        Google has already been implicated in dozens of Privacy violations in just the past ten years alone. Fast forward to the present date and now Google is facing anti-trust charges for their questionable business ethics -- and yet, hardly anyone else in silicon valley appears to have the guts to stand up to Google to force a change for the better!

        Please don’t tell me the makers of ProtonMail agree with Google’s draconian mindset?!

        Please -- tell me that ProtonMail is serious enough about protecting user privacy -- even to the point of providing them with a non-Google option…(i.e., such as [ appsapk.com ]…)

        If ProtonMail were to deliver on a non-Google-Play application, I will then consider an account because that is how important I realize the issue of user privacy and dignity really is -- I only hope that ProtonMail has reached that same conclusion -- for if we continue to let Google and other corporate thugs have their way with us, the future of this world will be a lot more dismal than Orson Welles could’ve ever imagined…

        https://www.schneier.com/essays/archives/2006/05/the_eternal_value_of.html

        Reply
        • Amen,

          …as similar arguments hold for Apple and Microsoft, I would argue the Ubuntu Phone is the perfect way out, for anyone trying to escape from getting encapsulated in the Apple/Google/Microsoft/Facebook empires.

          While large companies are trying to force intrusive cloud services down our throats (Windows 10 anyone? Adobe Creative Cloud? Or the whole Apple/Google infrastructure for all that matter?), trying to make us depend on their services and raping us privacy-wise, Protonmail could make a stand by teaming up with Canonical and provide decent/paid/secure/private cloud services for the Ubuntu platform, both desktop and mobile.

          One service that seems to go in this direction is Telegram, a very nice alternative to WhatsApp, now that Facebook acquired that one (Gosh, I wonder how they are going to make that US$19 billion back? What could be so precious, given that the service is for “free”??).

          Ahem, let me finish by stating that it’s wonderful to have a service like Protonmail, be it by means of an App or a web interface. It really made my day when I discovered there’s a perfectly decent alternative to Gmail. 🙂 <3

          Reply
  • Wow, Android beta available already tomorrow! Perfect! You guys are amazing. Your service is one of the most amazing ones after Snowden revelations.
    P.S. Nevertheless I’m still missing the possibility of aliases or controlling/merging more accounts under the same login. This is the last essential privacy feature I’m still missing.

    Reply
  • It’s good to see that ProtonMail is headed in the right direction. It’s impossible to have privacy or security without free (as in freedom) software.

    I hope the organization will continue down this path and make the rest of their software free software.

    Have you considered the Apache 2.0 License? It helps prevent patent treachery.

    Reply
  • Is it not dangerous for safety and privacy of Proton Mail to share any parts of code with people? I thought the code is top secret matter…

    Reply
  • I have been using the Thunderbird e-mail client with Gmail. I do not care for Gmail’s online method for accessing my e-mail, but am happy with the Thunderbird software (on my computer).

    Do you have now, or will you be offering in the near future, an e-mail client that would handle my e-mail activity right on my computer, and then just connect to your servers to upload or download the e-mails, as Thunderbird does?

    Thank you.

    Reply
    • We are considering providing hosting for other at risk projects since we know many of them cannot afford the costly solutions we put in to get comprehensive protection.

      Reply
  • Just out of curiosity for those of us who are considering a donation to ProtonMail, in order to obtain immediate access to a new email account -- Does ProtonMail accept donations on the premise that a user’s payment information is retained and subsequently charged at a later date for any reason? -- If so, does that mean that ProtonMail intends to create paid-for email account access as opposed to free email account access?

    If the donation is made only as a one-time donation, and furthermore, email subscribers are not expected to pay for account access after that, then why is payment information kept? For what purpose does that serve other than to raise suspicion of intent on the part of ProtonMail?

    Any respondents to these questions should please take them as seriously as I do for these are not unreasonable questions to ask and potential account holders have the right to know this information….

    Reply
  • How do you get on your request page? It says to put in your current email when a slot becomes available, and then says use the current form, which rejects your current email when you try to make a request??????

    Reply
  • Is not using Open Source software in direct conflict with Secure protected email service? You’re giving people like me (programmers) huge in-roads to hacking / leveraging known flaws?

    I was considering also starting an email service to provide a non-nsa letter signer type service – you have an awesome idea – open source is a major flaw!!!!

    Jeff

    Reply
  • I really love the simple and clean interface of Protonmail. This is the way email should be. I also appreciate the added benefits of the security Protonmail provides. To know that our private communications are truly being protected and fully encrypted is the peace of mind I expect in an email provider.

    The fact that we are not served ads inside nor outside of our inboxes is also commendable and again just proves that Protonmail really does take user privacy seriously.

    While I cannot make a donation today, I firmly intend to the next chance I get. I hope the developers of Protonmail continue to maintain this fine service long into the future -- and please, please -- don’t ever become like the trashy and privacy obfuscating services being offered by Google, Facebook and the like. Their defiant and utterly repulsive but forceful attitude with regard to how they treat user privacy is absolutely deplorable and should be rightfully boycotted wherever possible!

    Thank you developers of Protonmail. You Rock!

    Reply
  • Is my email only to other protonmail accounts secure, meaning everyone I email will have to use protonmail too, or will it work when I email another email provider?

    Reply
  • Hello! Good web-service!

    But help me to understand it, that it has email address, then I know, who send me e-mail, and all people will know where I will send my encrypted emails…

    Thx!

    Reply
  • Having grandchildren being negatively affected by other email providers proton gave our family secured freedom to share our lives in a trusted digital world. Thank-Redge Hamer

    Reply
  • Hey guys, look, I am a newbie to all this tech stuff. Bare basic skills are all I know, but I’m one who thinks government and corporate America are becoming far too nosey, so I want to learn as much as I can, but unfortunately my financial situation is a little lacking in funds as I’m on disability retirement, but any info you can give me to help increase my tech knowledge and capabilities would be greatly appreciated. Thanx, joseph v

    Reply
  • Talking about security while your server side software is closed source is a joke…
    Happy fooling people around with all those shiny ads about security…

    Reply
    • Server side software runs in the backend and cannot be independently verified either way so there is no trust benefit to open sourcing it. But not open sourcing it does allow us to combat spammers better by not disclosing how we fight spam.

      Reply
      • “cannot be independently verified either way so there is no trust benefit to open sourcing it”

        This is a false sentiment. Any software can be verified that it is handling data correctly, has no bugs that might inadvertently expose data.

        Open sourcing the front end is akin to allowing us to verify that the padlock is secure, while we have to trust that you have built the safe correctly.

        I’m not saying I don’t trust what you are doing, I think it’s great. But don’t feed us lines. If you want to keep part of your system closed IP so you can profit, just say that.

        Reply
        • We also cannot really open source the backend because it would expose details that could have security consequences. For example, spammers could use the code to figure out how to bypass our anti-spam protection measures.

          Reply
          • “We also cannot really open source the backend because it would expose details that could have security consequences”

            Another line.

            Any security that relies on secrecy of the algorithm is bound to fail, someone will reverse engineer it, find a weakness, create an exploit etc. I don’t think people will care if you keep your spam filters proprietary, what people are interested in vetting is the crypto. If you are using industry standard methods there is no reason ‘security’ would be compromised by exposing the code, only the keys must be kept private.

            Please recognise that folks asking for the code to be open sourced have a good understanding of what this means. Avoidance of the true issues actually brings doubt on the integrity of the system you are trying to protect. Your previous statement claiming there is no benefit in public auditing of the system is either a deliberate falsehood or demonstrates poor understanding of how security works.

          • If Anti-Spam is the only issue, maybe your anti-spam code could be externalized in a separate library, in which case you could open source the rest of the backend?

  • Since there is no assurance that our private phone numbers will not be leaked, and since you claim to require sms phone number as purely an anti-spam measure, why not institute an optional bitcoin escrow deposit (perhaps $5-10 deposit for 10 emails per hour) as a safeguard against spam? Then we can have real privacy possibilities for nerds who know the difference between real privacy and “trust us, it’s private”. Truly private messaging is on the verge of replacing email, so why not grab some market share before you are rendered obsolete by decentralized apps?

    Reply
    • Phone verification is only requested for less than 10% of user signups. All verification methods can be bypassed by upgrading to a paid account, and this is possible with Bitcoin.

      Reply
  • Look, I believe in privacy and it is in large part why I donated several hundred dollars in the beginning of ProtonMail’s campaign. In return I was given an email address. Now I find out I cannot get a free version of protonmail for my android? I really do not wish to pay again…and I really abhor the idea of having to have a google account. Google is hugely responsible for selling information…and they are by far the worst offender when it comes to you asking them to remove things. They care nothing of privacy because their revenue revolves around selling the hell out of whatever they can convince people to buy. Hence cookies and tracking, refusal to remove things and so forth.

    When is protonmail going to have a FREE version for android which does NOT involve having a google+ account? Some of us value our privacy hence no face book, no twitter and no google accounts. What I do or do not do should never be anyone else’s business.

    Reply
  • Hmmm very dubious indeed, very dubious…. strange things sometimes occur, like the cursor spewing out private info if I just paste to a random place…shouldn’t that sorta thing be totally disabled when I leave proton Mail??

    Reply
  • Protonmail android app store email on local device or not? My phone does not support encryption. If store then other application can access that data by any type of permission?

    Reply
  • I have paid $75.00 donation and as of today have not received any website link to be connected to begin using protonmail. Please look into this.
    I have lost my record for ID used when opening protonmail account.

    Payment was charged from Bank of America debit card under name of myong sop shin and segesys institute.
    The payment is still in processing after three days.
    Thanks.
    Myong Sop Shin
    mtonyshin@gmail.com

    Reply
    • They will be once the code is more stable and we are ready to accept pull requests. Right now, the mobile code is still changing very quickly.

      Reply
  • I would much prefer to run this on my own servers. I know you have done an excellent job with encryption but it’s still your server.. if it’s MY server, the US government HAS to give me a warrant to search it. I would pay for this. Of course. Please let me know if this is an option in the future.

    Reply
  • Well done. I think it would be better if protonmail source code were licenced under one of Free Software Foundation licences, it would benefit both protonmail, service users and future developers. Perhaps it would also help to develop it for working better with free software browsers.
    http://choosealicense.com/licenses/

    Reply
  • Well done! It would be even better if the source code were to be licenced under one of Free Software Foundation categories nominally called GNU such as GNU LGPLv3

    Reply
  • Nowhere on your website do I see any talk about this TOR technology. I suppose it’s another web browser. Should one use it? How to get it?

    thanks,

    Reply
  • I love ProtonMail because it gives me a safe place to receive password resets and submit requests to my service providers without worry of a compromise. Now I just gotta upgrade and hook up my personal domain 🙂

    Reply
  • Good afternoon. Will the source code of the mobile apps (Android specifically) be released soon?
    I have been using Protonmail for a while and I love it, but I would like to do a few changes in the mobile app.
    How long do you think it will take until the release of the source code?

    Reply
    • We’re migrating right now to a new version of our backend API, when that process is completed, we will open up the mobile code so that developers who work on it will be starting with the latest API spec.

      Reply
      • So, when the source code for the mobile apps is going to be released? How can we trust an email service who claims to care about privacy if it forces you to use a proprietary app? Please, please, please, release the code and possibly distribute the app on F-Droid.

        Reply
    • I also would like to Thank Proton Mail for respecting our privacy.
      I know open-source is important to a lot of people however allowing both
      back end and front end open source would increase our risk of remaining private.

      Cheers to Proton Mail

      Reply
  • I love the app so far and it seems to be getting better and better, also for the VPN could you guys as a side project make a way for people to make their own VPN if it ain’t hard. Thank you for the service and hope to see the expansion of this app

    Reply
  • Can you please advise me on how to acquire a “security code” to allow a contact to open an encrypted email from my proton mail account sent to a non-proton user.

    Reply
  • I have tried on 3 separate occasions to create an account. I received the ProtonMail verification number as expected. This is not difficult but with all verification codes sent to me the response said it failed. I can read and write, I know my numbers and I can count. I cannot understand what the problem is!!!

    Reply
  • This is great to have ethical views before business.
    Will you go libre with licence GPL like (copyleft) to guarantee a bright and independent future ?
    Also as being opensourced, do you consider publishing your app on the infamous F-droid store as well ?
    Cheers!

    Reply
  • Hello,
    I have a question that has been nagging at me.
    You explain that your support is located in Switzerland and respects anonymity.
    OK.
    My question is simple:
    one might have thought that your servers were all located in Switzerland, yet it appears that your ISP is located in Israel.
    Could you elaborate? I, like many people, would be interested to know.

    Thank you

    Reply
  • logging in the password field would not hide my password. it completely showed the characters or the characters showed for 2 or 3 seconds.
    i did click on the eye icon several times.
    also i have found my protonmail link all over apps that save and open apps for history or backup cloud or device acct.

    PLEASE HELP…..I FEEL VERY COMFORTABLE SAYING SOMEONE IS SCREEN MIRRORING OR HAS PIGGY BACKED ONTO ME TO HACK INTO ALL MY ACCTS. I JUST DON’T KNOW WHAT EVIDENCE TO GATHER.

    MY ID IS:
    kalalaubc1@protonmail.ch
    honuhoku16@protonmail.ch

    also my
    hokulei@protonmail.com (3 wks old)
    was taken over. i think they maybe using it.

    i await your reply.
    cori lei smith
    kalalaubc1@protonmail.ch

    Reply
  • Could you please advise why my Plus (Upgrade) is not capturing and putting spam emails in ‘Spam’?

    When I was a basic member, proton was placing at least 93% of spam in the spam folder so I could quickly
    browse and immediately delete. Since I have upgraded to Plus…that 93% of Spam emails are in my Inbox.
    It’s a bit disarming, that I may accidentally open one of these purposeful spam intrusions. Could you advise
    why this is happening and how to rectify?

    I know this following request is minor…could we please have the capability to change ink/print color?
    Black ink/print gets mundane after awhile. My preference would be ‘dark blue’ and a ‘bright fuchsia’
    ink color.

    Reply
  • My husband set up a proton mail and now he can’t get back into it or receive any emails. Can you please help us. Thanks

    Reply
  • I do not have google play store installed, as I see it as an untrusted service.

    Any ETA on when the android and/or iOS apps will become open source?

    Are there any alternative ways of getting the apk (eg a f-droid repository or an ftp/download site hosted on a protonmail.com domain) that doesn’t involve going through a 3rd party site that probably loads malware with it / having a second device and manually pulling the apk from there?

    The web version keeps logging me out whenever I switch to a different user.

    Reply
  • only vpn i look twice @.

    Keep blazing the trail…..we’re here, we’re following. Big responsibility. We trust you with our privacy, more than our governments. Something wrong when the system was built broken. And nobody has the bollocks to CHANGE THE SYSTEM

    Reply
  • I’ve got a few questions if I decide to pay for email service if someone hacks in & changed my password (this has happened in the past and even the recovery email password) am I guaranteed 100% customer ? Which I mean getting back into my account & my 2nd account?

    You’d charge me $8.00 a month….I could pay for the account with all the coverage but $8.00 monthly.
    If I were to do this I’d want to open a new account. Please get back to me asap, thanks Angie Standerfer
    9399838272@protonmail.com

    Have a good day!

    Reply
    • We have a number of checks that we do to see if you are indeed the account holder. If we are satisfied, then sometimes we can help you regain access to the account (but the previously received emails will be encrypted and it will not be possible to decrypt them).

      Reply
  • Is there any other mail server/client that is compatible with your system? Something I can install on my own server and still exchange encrypted mail with ProtonMail users?

    To other users that might read this: What do you consider is the best open source webmail front end and mail server combination?

    Reply
  • Has an independent security audit of ProtonMail’s open source code been performed? If so, can you publish a report on the main website? [ with reviewer details and qualifications etc. ]
    The protonmail.uservoice.com website had links that purport to be direct downloads for the various android app builds (apks). Can you provide a full list of the corresponding sha1 hashes on the main protonmail.com website to act as the authoritative canonical source for the hash codes?

    Have you published white papers on the various encryption algorithms employed by you and/or architectural overviews of your network structure and design ?
    All this I respectfully suggest in the spirit of openness and transparency. May I also suggest the publishing of your current feature roadmap. Many thanks. M.

    Reply
    • Yes, you can find the audit information for OpenPGPjs online.

      We don’t have official APK download yet.

      You can find the whitepaper for a large part of the crypto by going to our blog post about encrypted email authentication. You can also find the methodology within our open source libraries.

      Reply
  • Do you have any guide or plan to release guides/documentation for ‘how to’ run ProtonMail on-prem?
    Reply