ProtonMail is designed to guard against a broad range of threats. But there is no such thing as perfect security. This threat model describes the threats ProtonMail can and cannot counter.
Updated: May 3, 2019
Email is one of the most common modes of communication, but it is also one of least secure. First introduced in the 1980s, email was developed well before many threats of the modern Internet were even envisioned, much less understood. Despite its flaws, email is not going away any time soon and will continue to play a major role in our lives and our work. In view of email’s ubiquity and its drawbacks, we designed ProtonMail to mitigate many of the security and privacy vulnerabilities of email while preserving its ease of use.
Of course, there is no way to design a system that is 100% secure, and ProtonMail is no exception. Along the way, we have made many design decisions that sometimes prioritize security over usability, and other times usability over security. The result is a system that is vastly more private than the most popular free email services but nonetheless does not offer complete protection, as nothing can truly offer complete protection. In this article, we explain what ProtonMail is and isn’t designed to protect against so that you can make an informed choice about when to use ProtonMail for your communications.
ProtonMail security overview
Emails between ProtonMail users are always end-to-end encrypted, meaning only the sender and the recipient can read the email message. Encryption takes place on the sender’s device using the recipient’s public key. All messages (including messages to and from non-ProtonMail users) are also stored using zero-access encryption on our servers and therefore inaccessible to us. Private keys are encrypted using users’ account password in a way that is not accessible to us.
The use of strong encryption protects messages from many types of data exposure, including mass surveillance, government requests, and data breaches. This is different from other email providers, such as Google or Yahoo, which do retain the ability to read their users’ messages. This allows them to scan messages for advertising purposes or share them with third parties.
While ProtonMail does not have the ability to decrypt message contents or attachments, like any email service we have access to metadata (such as sender/recipient and subject lines), because without this information we could not deliver messages to their final destination. Because ProtonMail is based in Switzerland, this metadata remains under the protection of some of the world’s strongest privacy laws. However, if presented with a valid order from a Swiss court involving a case of criminal activity that is against Swiss law, ProtonMail can be compelled to share account metadata (but not message contents or attachments) with law enforcement.
Emails between ProtonMail accounts and non-ProtonMail accounts are also zero-access encrypted on our servers, but they are not end-to-end encrypted in transit, and copies stored on your recipient’s email service may be vulnerable to exposure. For example, if you send an email to somebody using Yahoo mail and Yahoo is breached, that message may be exposed through the recipient’s inbox. This is why for sensitive communications, we recommend that your contacts also utilize a ProtonMail account. ProtonMail does, however, offer the ability to send end-to-end encrypted emails to non-ProtonMail accounts through our outside encryption feature or through PGP (for advanced users).
What ProtonMail does not guard against
Compromised account or device
This is the most common type of compromise. Even if you use the world’s most secure electronic communication system, advanced encryption does you no good if your password has been compromised or there is a keylogger on your computer recording all of your keystrokes. ProtonMail does not and can not guard against a compromise of a user’s machine.
Learn more about common types of user compromise and how to avoid them.
Man-in-the-Middle (MITM) attacks
This is a far more difficult attack that can typically only be executed by a strong adversary (like a government) and is generally a targeted attack. An MITM attack cannot easily be used on a large scale to perform mass surveillance.
As the name suggests, an MITM is where an adversary sits between the user’s device and the server. Because ProtonMail messages are encrypted before they leave the user’s browser, an attacker cannot get message data by simply listening in on the communications. The attacker would have to actually send the user’s browser a modified version of the ProtonMail website, which may secretly pass the account password back to the attacker.
Fortunately, there are several ways to protect against an MITM attack. ProtonMail employs TLS to secure the delivery of our software to users’ browsers and prevent tampering of our code en route. Generally speaking, a successful MITM attack requires breaking TLS, typically by using a forged TLS certificate. There are browser plugins that can be used to detect forged certificates and greatly reduce the risk of an MITM attack, such as Certificate Patrol. Using ProtonMail’s mobile apps and our desktop Bridge software may reduce the risk of MITM attacks as those environments are more difficult to compromise than web.
ProtonMail also features another anti-MITM feature called Address Verification. This allows users to “trust” the public key of a contact you have verified. This is a form of key-pinning that provides extra protection by detecting if a fake public key is delivered to your device for that contact. This feature gives ProtonMail higher security compared to other encrypted email services because you are protected against key tampering and the trust model is trust on first use instead of trust on every use. For highly sensitive communications, we recommend enabling Address Verification.
Another attack vector would be if an attacker somehow gained access to ProtonMail’s servers in Switzerland without us noticing. Such an attacker could conceivably change the ProtonMail software to send bad encryption code to users’ browsers that would somehow allow the attacker to get unencrypted data. ProtonMail has implemented numerous safeguards against this on the server level which make this a difficult attack to pull off successfully in an undetectable way.
ProtonMail recommended use cases
ProtonMail offers good (but not perfect) protection for the vast majority of users. There are, however, some risks for users facing a strong adversary, such as a government focusing all its resources on a very specific target. In such a case, we don’t think encryption would be of much benefit, as this XKCD comic would apply.
Below are some examples of recommended and not recommended use cases for ProtonMail:
Sensitive business communications
You have sensitive business information that you want to make sure is protected from competitors and other malicious parties. For example, you fear a competitor may want to sue you under false pretenses to get access to sensitive data. In this case, ProtonMail offers a great deal of protection. ProtonMail will not release any data unless provided with a valid order from the Swiss authorities. Even if an adversary went through the expensive and time-consuming procedure of obtaining such an order, ProtonMail’s zero-access cryptography means we would not be able to release decrypted data, apart from metadata.
Anyone with privacy concerns
ProtonMail is also perfect for an individual (or corporation) that does NOT want the government to have access to all of their emails at any time, and does not like Google or Microsoft constantly scanning and archiving all conversations. With ProtonMail, the barrier of entry for mass surveillance is high enough that mass surveillance simply is not practical. This is an example where ‘good privacy’ can act as a meaningful substitute to ‘perfect privacy.’
Organizations with data security needs
ProtonMail can help organizations comply with data privacy regulations. Our encryption meets the standard set out by the GDPR for technical measures to protect personal data. Our zero-access encryption also greatly reduces the risk of a data breach, and significantly reduces the impact of a breach in the unlikely event that there were to be a breach.
If you are attempting to leak state secrets (as was the case of Edward Snowden) or going up against a powerful state adversary, email may not be the most secure medium for communications. The Internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address. A powerful state adversary will also be better positioned to launch one of the attacks described above against you, which may negate the privacy protection provided by ProtonMail. While we can offer more protection and security, we cannot guarantee your safety against a powerful adversary.
We would like to conclude with a few thoughts about privacy and surveillance in general. Some people make the assertion that if you are not a criminal, there is no need for privacy. A very powerful counterargument to that, which we recommend everybody watch, can be found here.
There are also critics who assert that by building ProtonMail, we are providing a tool for criminals to evade the authorities. Like any technology, ProtonMail can be used for good or bad. However, the vast majority of our users are individuals seeking greater control over their data, or journalists and activists living under authoritarian regimes where freedom of speech and privacy are not respected. The truth about data security is that there is no middle ground: any weakening of encryption will make all of us less secure.
We can either choose to live in a world where everybody is under surveillance, or a world where everybody (criminals included) have privacy. We feel that the right to privacy is a fundamental human right, and we are willing to fight and work toward protecting that right.
The ProtonMail Team