The ProtonMail Threat Model

ProtonMail is designed to guard against a broad range of threats. But there is no such thing as perfect security. This threat model describes the threats ProtonMail can and cannot counter.

Updated Nov. 18, 2019, to remove reference to an outdated plugin recommendation.

Email is one of the most common modes of communication, but it is also one of the least secure. First introduced in the 1980s, email was developed well before many threats of the modern Internet were even envisioned, much less understood. Despite its flaws, email is not going away any time soon and will continue to play a major role in our lives and our work. In view of email’s ubiquity and its drawbacks, we designed ProtonMail to mitigate many of the security and privacy vulnerabilities of email while preserving its ease of use.

Of course, there is no way to design a system that is 100% secure, and ProtonMail is no exception. Along the way, we have made many design decisions that sometimes prioritize security over usability, and other times usability over security. The result is a system that is vastly more private than the most popular free email services but nonetheless does not offer complete protection, as nothing can truly offer complete protection. In this article, we explain what ProtonMail is and isn’t designed to protect against so that you can make an informed choice about when to use ProtonMail for your communications.

ProtonMail security overview

Emails between ProtonMail users are always end-to-end encrypted, meaning only the sender and the recipient can read the email message. Encryption takes place on the sender’s device using the recipient’s public key. All messages (including messages to and from non-ProtonMail users) are also stored using zero-access encryption on our servers and are therefore inaccessible to us. Each user’s private keys are encrypted with that user’s account password, so we cannot access them.

The use of strong encryption protects messages from many types of data exposure, including mass surveillance, government requests, and data breaches. This is different from other email providers, such as Google or Yahoo, which do retain the ability to read their users’ messages. This allows them to scan messages for advertising purposes or share them with third parties.

While ProtonMail does not have the ability to decrypt message contents or attachments, like any email service we have access to metadata (such as sender/recipient and subject lines), because without this information we could not deliver messages to their final destination. Because ProtonMail is based in Switzerland, this metadata remains under the protection of some of the world’s strongest privacy laws. However, if presented with a valid order from a Swiss court involving a case of criminal activity that is against Swiss law, ProtonMail can be compelled to share account metadata (but not message contents or attachments) with law enforcement.

Emails between ProtonMail accounts and non-ProtonMail accounts are also zero-access encrypted on our servers, but they are not end-to-end encrypted in transit, and copies stored on your recipient’s email service may be vulnerable to exposure. For example, if you send an email to somebody using Yahoo mail and Yahoo is breached, that message may be exposed through the recipient’s inbox. This is why for sensitive communications, we recommend that your contacts also utilize a ProtonMail account. ProtonMail does, however, offer the ability to send end-to-end encrypted emails to non-ProtonMail accounts through our outside encryption feature or through PGP (for advanced users).

What ProtonMail does not guard against

Compromised account or device

This is the most common type of compromise. Even if you use the world’s most secure electronic communication system, advanced encryption does you no good if your password has been compromised or there is a keylogger on your computer recording all of your keystrokes. ProtonMail does not and cannot guard against a compromise of a user’s machine.

Learn more about common types of user compromise and how to secure your data

Man-in-the-Middle (MITM) attacks

This is a far more difficult attack that can typically only be executed by a strong adversary (like a government) and is generally a targeted attack. An MITM attack cannot easily be used on a large scale to perform mass surveillance.

As the name suggests, an MITM attack is one in which an adversary sits between the user’s device and the server. Because ProtonMail messages are encrypted before they leave the user’s browser, an attacker cannot get message data by simply listening in on the communications. The attacker would have to actually send the user’s browser a modified version of the ProtonMail website, which may secretly pass the account password back to the attacker.

Fortunately, there are several ways to protect against an MITM attack. ProtonMail employs TLS to secure the delivery of our software to users’ browsers and prevent tampering with our code en route. Generally speaking, a successful MITM attack requires breaking TLS, typically by using a forged TLS certificate. There are browser plugins that can be used to detect forged certificates and greatly reduce the risk of an MITM attack. Using ProtonMail’s mobile apps and our desktop Bridge software may reduce the risk of MITM attacks, as those environments are more difficult to compromise than the web.

ProtonMail also offers another anti-MITM feature called Address Verification. This allows you to “trust” the public key of a contact you have verified. This is a form of key pinning that provides extra protection by detecting if a fake public key is delivered to your device for that contact. This feature gives ProtonMail higher security compared to other encrypted email services because you are protected against key tampering and the trust model is trust on first use instead of trust on every use. For highly sensitive communications, we recommend enabling Address Verification.

Learn how to use Address Verification.
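The pinning check described above can be sketched as follows. This is an added example, not ProtonMail's code: the SHA-256 fingerprint over raw key bytes, the HMAC-protected pin store, and all names (`PinStore`, `select_encryption_key`) are assumptions made for illustration.

```python
"""Key pinning for contact public keys (illustrative sketch, not ProtonMail code)."""
import hashlib
import hmac
import json
from enum import Enum


class Verdict(Enum):
    UNPINNED = "unpinned"   # no pin: the key is accepted as delivered every time
    MATCH = "match"         # delivered key equals the key the user trusted
    MISMATCH = "mismatch"   # delivered key differs: possible key substitution


def fingerprint(public_key: bytes) -> str:
    """SHA-256 over the key bytes; stands in for a real OpenPGP fingerprint."""
    return hashlib.sha256(public_key).hexdigest()


def normalize(address: str) -> str:
    return address.strip().lower()


class PinStore:
    """Maps a contact address to the fingerprint of the key the user trusted."""

    def __init__(self, mac_key: bytes):
        # Assumption: mac_key is a secret that never leaves the user's device,
        # so whoever stores the exported pins cannot rewrite them unnoticed.
        self._mac_key = mac_key
        self._pins = {}

    def trust(self, address: str, public_key: bytes) -> None:
        """Pin the key after the user has verified it with the contact."""
        self._pins[normalize(address)] = fingerprint(public_key)

    def check(self, address: str, delivered_key: bytes) -> Verdict:
        pinned = self._pins.get(normalize(address))
        if pinned is None:
            return Verdict.UNPINNED
        if hmac.compare_digest(pinned, fingerprint(delivered_key)):
            return Verdict.MATCH
        return Verdict.MISMATCH

    def export(self) -> bytes:
        """Serialize the pins with an integrity tag for storage elsewhere."""
        body = json.dumps(self._pins, sort_keys=True)
        tag = hmac.new(self._mac_key, body.encode(), hashlib.sha256).hexdigest()
        return json.dumps({"pins": body, "tag": tag}).encode()

    @classmethod
    def load(cls, blob: bytes, mac_key: bytes) -> "PinStore":
        outer = json.loads(blob)
        body = outer["pins"]
        expected = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, outer["tag"]):
            # A swapped pin is as dangerous as a swapped key, so fail closed.
            raise ValueError("pin store failed integrity check")
        store = cls(mac_key)
        store._pins = json.loads(body)
        return store


def select_encryption_key(store: PinStore, address: str, delivered_key: bytes):
    """Return (key, verdict) to encrypt with, or refuse on a pin mismatch."""
    verdict = store.check(address, delivered_key)
    if verdict is Verdict.MISMATCH:
        raise PermissionError(f"key delivered for {address} does not match pin")
    return delivered_key, verdict


if __name__ == "__main__":
    # Constructed sample keys; real keys would be OpenPGP public key packets.
    genuine, substituted = b"constructed-genuine-key", b"constructed-fake-key"
    store = PinStore(mac_key=b"\x01" * 32)
    print(store.check("bob@example.com", genuine))       # Verdict.UNPINNED
    store.trust("bob@example.com", genuine)
    print(store.check("bob@example.com", genuine))       # Verdict.MATCH
    print(store.check("bob@example.com", substituted))   # Verdict.MISMATCH
```

The `UNPINNED` verdict is the "trust on every use" case: without a pin, whatever key is delivered is used, which is the gap pinning closes.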

Unauthorized backdoor

Another attack vector would be if an attacker somehow gained access to ProtonMail’s servers in Switzerland without us noticing. Such an attacker could conceivably change the ProtonMail software to send bad encryption code to users’ browsers that would somehow allow the attacker to get unencrypted data. ProtonMail has implemented numerous safeguards against this on the server level which make this a difficult attack to pull off successfully in an undetectable way.

ProtonMail recommended use cases

ProtonMail offers good (but not perfect) protection for the vast majority of users. There are, however, some risks for users facing a strong adversary, such as a government focusing all its resources on a very specific target. In such a case, we don’t think encryption would be of much benefit, as this XKCD comic would apply.

Below are some examples of recommended and not recommended use cases for ProtonMail:


Sensitive business communications

You have sensitive business information that you want to make sure is protected from competitors and other malicious parties. For example, you fear a competitor may want to sue you under false pretenses to get access to sensitive data. In this case, ProtonMail offers a great deal of protection. ProtonMail will not release any data unless provided with a valid order from the Swiss authorities. Even if an adversary went through the expensive and time-consuming procedure of obtaining such an order, ProtonMail’s zero-access cryptography means we would not be able to release decrypted data, apart from metadata.

Anyone with privacy concerns

ProtonMail is also perfect for an individual (or corporation) that does NOT want the government to have access to all of their emails at any time, and does not like Google or Microsoft constantly scanning and archiving all conversations. With ProtonMail, the barrier to entry for mass surveillance is high enough that mass surveillance simply is not practical. This is an example where ‘good privacy’ can act as a meaningful substitute for ‘perfect privacy.’

Organizations with data security needs

ProtonMail can help organizations comply with data privacy regulations. Our encryption meets the standard set out by the GDPR for technical measures to protect personal data. Our zero-access encryption also greatly reduces the risk of a data breach, and significantly reduces the impact of a breach in the unlikely event that one occurs.

Learn more about GDPR-compliant email and HIPAA compliance.

Not recommended

If you are attempting to leak state secrets (as was the case of Edward Snowden) or going up against a powerful state adversary, email may not be the most secure medium for communications. The Internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address. A powerful state adversary will also be better positioned to launch one of the attacks described above against you, which may negate the privacy protection provided by ProtonMail. While we can offer more protection and security, we cannot guarantee your safety against a powerful adversary.


We would like to conclude with a few thoughts about privacy and surveillance in general. Some people make the assertion that if you are not a criminal, there is no need for privacy. A very powerful counterargument to that, which we recommend everybody watch, can be found here.

There are also critics who assert that by building ProtonMail, we are providing a tool for criminals to evade the authorities. Like any technology, ProtonMail can be used for good or bad. However, the vast majority of our users are individuals seeking greater control over their data, or journalists and activists living under authoritarian regimes where freedom of speech and privacy are not respected. The truth about data security is that there is no middle ground: any weakening of encryption will make all of us less secure.

We can either choose to live in a world where everybody is under surveillance, or a world where everybody (criminals included) has privacy. We feel that the right to privacy is a fundamental human right, and we are willing to fight and work toward protecting that right.

Best Regards,
The ProtonMail Team


241 comments on “The ProtonMail Threat Model”

  • GOOD FOR YOU !!! ANY help that the private community can provide to itself, the less and less we must depend on ‘commercial’ solutions – either ‘for profit’ or thru Government….

    With the ENORMOUS brain power that’s housed even by the small group that have created ProtonMail, all I can do is beg for help in one, specific area – MOBILE. IF you can provide ProtonMail to the mobile (phone and tablet) community, the leap forward for those platforms and their privacy may be unmeasurable, it will be so high. There are millions of devices that are screaming for a privacy solution and even though almost every information-gathering organization is arguing firmly against a ‘solution’, they are flatly LYING to whomever has asked the question. My data, and my conversations and MY chatter are MINE – NO ONE ELSE’S!!!

    Please..please..please from a lowly user…. HELP… we are slaves to the use of our mobile devices. They have the very real chance of truly turning us into REAL slaves very quickly.



    • This service ProtonMail is useless while there are so many backdoors in M$ Window$ and bugs in OpenSSL that HTTPS web service is not secure at all.
      You forgot also that quantum computers may be used to break HTTPS, but with high probability it is not needed while there are so many bugs in web browsers or back doors.

      The only safe way to encrypt something is to use On Pad XOR’s and exchange keys physically then use them for encryption/decryption using simple software.
      Forget about security when turning M$ Window$ and worry when using openSource Linux with bugs.

      The only solution is use microcontrollers and examine each line of code yourself.
      This is what I’ve did and it works.

      • With all this negativity I’m amazed you haven’t just moved into the wilderness to live in a shack on a mountain, maybe you still will. However you need to have a serious look at QubesOS and Whonix which will thwart most known backdoors, rootkits and other methods of infiltration by government organizations and large coordinated black hat groups.

        Couple this with some good VPN/Tor usage and wonderful tech like Protonmail and you have a pretty hard nut to crack.

        P.S. Most experts conclude that real Quantum computers are still 20 years away, regardless of what the conspiracy nuts say.

        • I have to LOL whenever I see a jaded comment that ends with a line about conspiracy nuts when most “conspiracy nut” theories about government spying, aerial spying, MITM attacks and more have been found to be true. It’s true, they weren’t black helicopters; rather, biplanes flying around with FBI Stingray & FishHawk software to intercept our phone calls.

          Pull the covers back over your head and go back to sleep. You won’t see it coming that way.

          • judging by the comment you made comrade i am assuming that you are getting more than your daily allowance of the infamous obama KOOL-AID. I recommend that you spend less time demonizing those who try to shed light on things our government do under the guise of national security. and for all you other fans out there in left field with no clue as to how this country was meant to work can you tell me one tragic event that was prevented by our unaccountable big brothers domestic spying endeavors was sandy hook prevented the Boston bombing was that shooting at a church etc prevented no it is time we stop sacrificing our basic rights and freedoms for false sense of security signed JFK 2 @YOOPERSLAYER

          • Yes, but think of this, it took one guy 7 years to get the PhD he needed just to be able to start working on a quantum computer that could only solve 5*3. And, the cost of operating a quantum is more than anyone short of a huge company like Google or 2 government agencies pooling their resources (most likely not gonna happen, for now anyways), I mean, quantum computers have to be stored at -213.5 C (or somewhere near that). So it is safe to assume that quantum computers capable of breaking encryption on any level is awhile away.

        • I am a Chinese people, Please forgive my bad English.
          In the war, first made spears and later made shields. A year ago, China successfully launched the first quantum science experiment satellite. Quantum key distribution no one can eavesdrop. If there is no quantum computers, we why do the shields?

      • I don’t really get your point. The idea of this mail system is that the privacy key to decrypt is generated locally in your own device and will never leave your device. Because of that, to hack this key costs a lot of effort. No hacker will be interested in a target with unknown value, when it will take long to do that. Like it says, unless you are Snowden, and everybody knows the content of your email worth a million, you are safe to use the service.

      • Would you be kind enough to share the specifics of how you accomplished this? Schematics + code would be a boon to all if verifiable and released..
        Thanks in advance for your response.

        • Re: “The only solution is use microcontrollers and examine each line of code yourself.
          This is what I’ve did and it works”
          (should have prefaced the previous response)

      • This application is intended as Email encryption for the masses which is very much needed – Proton mail spells it out very clearly that there is a trade-off between usability and security, yet there are still moaners out there who instead of providing a usable solution just snipe from the sidelines – Thank you Proton Mail for providing much needed Email security

      • The main issue here is probably host security. In particular we have to consider user-space, kernel-level and hardware level host security.
        For now let us assume, we don’t have to fear physical attacks (otherwise we will clearly have a very hard time, one could have a look at heads or keep the computer with themself 24/7).
        To protect against user-space attacks good isolation (like vms i.e. qubes os) combined with good security practices (i.e. never open email attachments in the domain running mail client, isolate email client with general networking to avoid compromise through e.g. network stacks…, minimize parsing in client i.e. read emails in plaintext). In practice this boils down to opening every link, attachment etc. in a separate VM and isolating the email client from other endangered parts of the system.
        In order to protect against kernel-level attacks we need to make sure the virtualization is run *below* the kernel i.e. we have bare-metal virtualization. Also we need to carefully protect the privileged domain 0 in which the hypervisor is run (air-gap at least).

        For these tasks I think Qubes OS is a good solution.

        Protecting against attacks on lower levels is a much harder problem. The best guess is to use hardware one trusts and clearly one should look for free and minimal firmware whenever possible (e.g. libreboot).

        However assuming no hardware backdoor and no physical attacks, I think one can achieve quite good security even against powerful attackers.

      • The likelihood that ANY user of Proton Mail (target demographic wise for which services are meant) that a Quantum Computer & NSA State Actor targeted attack against YOU is going to happen? Less than 1%. 100% anonymity and security is impossible in any given system nor is ONE Security measure by any means going to make a difference. Tor called its ext .onion because for true Digital Security you need a multilayered approach with redundancies & honeypots (^sophistication by personal threat matrix). I use an Open-WRT flashed netgear nighthawk X10 for its quad core processor, Ram, extensive nand Flash, RF & line noise reduction filtering & signal amp, 6 port gbs with 1-2 aggregates for 2gps, & its 10GbE SFP+ port; I use a service provider docsis 3.1 Cable Modem with additional downstream signal amplification, interference/impedance Intelligent Active & Passive Reduction & Cancelling TECH, network mon that extends to cable or fiber & ISP gateway that serves me I use a form of BGP & GRE tunneling plus OSPF+ & RIPv2 up/down; the wifi is top notch wave2 ac mu-mimo & I use a bit pricy VPN provider with xtra security “360′”, NAT, crypt DNS & stealth protocols w/ l2tp/IPSec, SSH2, SSTP, & OpenVPN TCP/UDP but i use GRE/SSTP through DNS port 53 & 2048b SSL, Sha512 HMAC, 2048b Diffie-Hellman, 4096b RSA & 256 AES-CBC for PFS & avoidance of DPI, once on Providers Servers, Multihop & port forward for maximum Protection; Throughput – Exceeds ISP throttled Plan Rate despite heavy Keys; anyway x10 has a SPI & NAT factory; plus I deny by default & use acl to further harden; connected to x10 is intel quad core 250gb ssd pfSENSE box running FreeBSD which is on GatewaySec Vlan ensuring all traffic will flow through it & then back to x10 where 2nd Security Vlan uses 10GbE to link a fully managed multilayer 2-4 Access Switch w/ every feature to maximize security & net performance, beside it proceeds to Wifi WIPS controller w/ self healing, BT secure RF also & intelligent frequency signal monitoring with real time RF heat map and optimizes channels & settings for Optimal Wireless; here I have a nighthawk x8 custom modded & nighthawk x4s w/ 2 128gb USB 3.0; & a 2 TB Ssd on esata link; since I have 5 5ghz bands & 3 2.4ghz bands plus 20/40/60/80+80/160 FAT signal bands auto load balanced & optimized by my dedicated Radar/monitoring bands to ensure RF signals xfer Max Data & lag/lacp can use 40gb fiber for NAS access & the wireless AD specialized receiver can utilize 5gb RF xfer ; adjacent to this I had spare i7 quad core w/ 16 gb ddr4ram & ssd/hd combo SFF desktop running Ubuntu & VMware SDN plus a VM running untangle which is paired W/ wan optimization appliance with SD-wan layer aes-NI HW accel, physical L1-4 SDN L5-8 so it provides unparalleled wan throughput increase & protocol opt; cutting useless traffic & Filler client server node browser talking also increasing security providing best Web Cache & auto VPN + # of excellent security & monitoring features & qos/traffic management combined with the switches plethora of services both wired & wifi run at 100% with max TCP window size on both wan ends & wan-LAN & LAN-LAN (jumbo frames) so I have 3 Custom Firmware Routers running advanced wifi monitoring & security along with 3 devices with application layer, ssl inspection & all other traffic monitoring to feed behavior anomaly detection profiles & continue to max internal lab & load balances wans until they cannot be anymore efficient my switch also connects a refurbished server I bought w/ 2 E5 Xeon 8 core CPU @ 2.8ghz each; headless access through remote controller feature, 6 Bay RAID w/ hardware controller & ssd cache with enterprise hdd @ 4 TB ea 2x SFP+ NICs & 2x 1000BaseT nics, I sprung for WinServer 2016 bc it’s the first secure Windows OS w/ full Bash Ubuntu Linux Subsystem, Hypervisor Security both for kernel & Applications (Device & Credential Guard Respectively) Container MicroService Docker Virtual Based Secure VMs; atp with more Rt net monitoring & Superior AD w/ Domain Federation for sync with AzureAD Premium & its nextgen granular security features, keyvault, MFA w/ SSO full O365 E5 apps control, feature set & xtra level of protection w/ EMM & MDM through above & MS Intune w/ wan opt device/load balancer/vpn auto gateway providing a site to site secured link to Azure Cloud VPN gateway & network providing completely private versions of O365 & Azure clouds with multilayered encryption, security, & hybrid on prem, physical network HW SDN SW virtual network nodes following physical topology plus SD-wan multiple VPN services, protocols & servers allowing me to use my Home Office as “Organization HQ” & employees to work securely from anywhere, anytime all through the magic of layered security hybrid setups allowing what started as a home Lab setup to become a Global Secure Private Business (with 6 employees but Global!) providing full custom managed IT Solutions, LOB app Designs SW, web or mobile, & enterprise architecture design & implementation optional admin as well w/ desktop, tablet, smart phone company portals & ability to push Apps on Demand per Employee, operations & logistics innovation & RT predictive analytics providing edge over competitors also Business Processes/Workflow automation increasing revenue, opening new avenues for streams of revenues, customer personalized experience for increasing satisfaction, sales, and loyalty + much more.

        Remember given the dedication, resources, and time spent no system is 100% secure but Security at every OSI layer, use of SW virtualization based security & best practices for security policies & operations based on minimum privileges or access for job complete & Deny by default FW rules, arp cache poison prevention & monitoring, TCP “ack” or state monitoring, & Mac & IP address binding in pool plus VLAN segmentation, Managed L2-4 switches w/ SNMP v1,2,3 & all Rmon; ids, ips, malware & av scanning at every layer from net & transport to endpoint application layers, content management, forward and reverse proxy usage, full disk encryption, encrypt at rest, VPN, DNS Security, network segmentation through subnet isolation, VLANs, separate up classes for logical (virtual) network nodes 192.168.x.x;, 172.x.x.x; proper use of switches traffic org & qualification, proper flow of incoming packets & deep inspection of such; isolate critical infrastructure, make use of behavioral analysis of network to establish normal traffic flow, spam protection, use of NFC fobs, smartphone apps that allow for same so sensitive data services apps or infrastructure cannot be accessed unless user has device to transmit NFC key as HW token, complex PW, biometric either fingerprint or face scanning, & OTP min 6 dig that are valid for 15-30sec max

        Total removal of headers Device signature, or cookie info careful for iBeacons and webbeacons too; use brave or FF with full security add-ons to prevent exposure & flash cookie persistent……use combo of HW SW & cloud based security for maximum protection especially DNS particularly “last mile” ALWAYS ENCRYPT, ALWAYS USE SITE TO SITE TUNNELS (VPNs) both IPSec l2tp between locations & a good client service for all traffic ; with no logging policies, high speed, xtra hardened servers, & option adding like extra NAT layer, 2nd FW, port forward, multihop, cascading, double encryption, vpn chaining, or vpn-anonymizer of choice – vpn – your destination & use protocol combination or most secure with OpenVPN customizable sec Algos, & router based VPN to cover smart devices “tv bluerays speakers dvr thermostats

        & utilize wips to secure wifi signals & prevent rogue AP or spoofing; use Netgear’s full cloud suite or for DNS utilize opendns umbrella or comodo similar alternative ; & always use proper access policies controls & configurations so your network doesn’t fall to human error

        • . . . . . or you just could have bought a Mac running OS X v. 11 . . . and installed ProtonVPN


      • Just for now everybody needs to know: All BIOS-es/Firmwares and CPU are backdoored (CPU at microcode level), most motherboards have hidden keylogger functionality, all complex software pieces are exploitable in many ways, the best encryption is unknown encryption or standard encryption with custom mod output known only to sender and receiver. Public, open source or NIST approved are unsafe in any way because NSA put backdoors in every aspect of encryption like predictable buggy random function generators/functions, fucked constant inside crypto algorithms, or advanced clockwise mathematics, use pre-calculated SHA256 data from BITCOIN mining pools, use his own crypto pools with ASIC or just hack into your PC using exploitation/MITM/inbuilt backdoors/remote reading and decoding of energy emission from electric wires or just use his own remote controlled hardware implants. Quantum computing are real too but every non discrete algorithms like AES can resist to Quantum. If in advance you scramble(fuck) the output of your AES256/512 in sender with own algorithm and then defuck in correct in receiver then the Quantum and de-crypto farm will dies all together. Output/Input of PGP or RSA can be scrambled/descrambled in the same way. Data can be demixed/mixed with own custom algorithm and then sent/received over 2 or more parallel independent data channels for higher security. I just to know. Anonymous 100% safe communication over public networks with standard backdoored PC/Laptop/Mobile or OS are real and possible NOW.

      • You can use ProtonMail on your favorite browser on your mobile devices. ProtonMail does require up to date modern browsers in order to ensure the highest level of security.

    • I would use anything like Telegram for my mobile phone. Or, because they seem to disclose to your buddies in contact list the fact that you’re a telegram user, I would go by Neuro Transmitter instead ;)

  • Not completely related to the aspect of security that you’re covering but will you be implementing DKIM and an associated DMARC policy for your domain? It would be nice to know that messages supposedly coming from really are what they claim to be and minimise the likelihood of comms being breached simply by a phishing email having a user reply to an email believing it was sent from there.

    Requesting mail servers reject spoofed mail outright via a full DMARC ‘reject’ would go a long way to mitigating this.

    • Yahoo recently updated their DMARC policy to do this. There’s been lots of controversy about this so we plan to wait and see.

  • “I can’t in good conscience allow the U.S. government to destroy privacy, internet freedom and basic liberties for people around the world with this massive surveillance machine they’re secretly building.”

    I boldly stepped forward to expose the National Security Agency’s vast spying on our phone records and online communications. I don’t see why you’ve problem with me.

    • Don’t sweat it Mr. Snowden. There’s more than half the people on the planet (or at least here in America) who think what you did was a damn Good Thing???!

      Were I in your shoes working where you were and with the way I see things, I too would have done the same. You’re a hero to many, so you keep your chin up bud.

      • Bad joke referring to our hero Edward Snowden in a negative way. Why should Edward Snowden not be able to use protonmail? You should be thankful to him, for it was due to him only that you got so many donations on Indiegogo (including my own).

        • It didn’t seem like a bad joke, more a realistic approach. All they were saying is that they are not secure enough to protect those kind of communications. That’s important information.

          • Hey, you know, I was wondering essentially the same thing–but, dmpstrb., I think those to whom you’re referring have demonstrated elementary reading skills, but are seriously lacking in the comprehension department. The Snowden-related gaffe, above, was almost unbelievable to me, too, but, as so many commenters had already demonstrated their difficulties with simple writing,* it wasn’t *that* unbelievable.

            * “I’ve did,” “things the government do,” “We are a slave . . . ,” etc.

            [And, “Can’t Say,” no real offense at all in my mention of your contribution: I essentially agree with your point and admire your enthusiasm about it–and I really don’t care that much about little writing/grammar errors, but I think it is best not to suggest, specifically, that we, with our limited privacy rights, suffer indignities of the same magnitude as those suffered by human beings who have been forced into true slavery. I certainly imagine that was just an oversight because you [rightly] feel very strongly about privacy. Pax.]

    • I’m just a normal everyday type guy in the US. I doubt anyone would be interested in anything I might email to my children or friends…my emails are mainly chit chat about family stuff; very boring. HOWEVER! I will do whatever I can to protect my privacy…it used to be a constitutional right, but the US government has sort of done away with that; they deny that assertion but the entire planet knows the truth. So for me…proton email is great!

      Thanks for providing this email service to us plain folks.


    Edward Snowden – If you are Edward Snowden, or the next Edward Snowden, we would not recommend that you use ProtonMail.

    Why not?

    • There are more difficult to use, but more secure solutions out there, which are more appropriate for Snowden’s use case.

      • So you admit you have (at least) a secret weakness, that’s a frank consent…
        So why not going further ;) : what are, in your opinion, “more secure solutions out there” ?

      • Then what are the “more difficult to use, but more secure solutions” that you are referring to?

          • You offer an amazing product and also fall on your sword to highlight the minor weakness. Congrats to you. Reminds me of how Google approaches the Chromebook where they point out what needs improved when it is already 50 times more secure than any Mac. I hope you guys do well, you definitely have an awesome philosophy regarding transparency.

          • Thunderbird with Enigmail isn’t that hard. But far too many seem to assume that it is.

            Also, how would you distinguish ProtonMail from CounterMail?

          • I guess that a crypto-paranoid could add pgp to his protonmail as a further layer of security. Would it increase the security of the service? Could it make it more adapted to life-and-death situations?

          • @Mirimar: Thunderbird+Enigmail is reasonably easy to use, but still is used (absent contortions and significant inconvenience) on a network-connected computer. For the use case of a targeted person sending or receiving life-important information that would be a no.

            @DM: Use of PGP together with Protonmail would not be measurably more secure than using PGP alone.

  • So you guys don’t have access to the plaintexts (at least in theory) but do have access to all the so called metadata?

    • Right now we have access to some metadata (see our privacy policy for details), but the 2.0 version of ProtonMail will incorporate some enhancements that allow us to have little to no metadata.

    • Yes and no, it depends on what the target is. If they want to know your message content, the keylogger will still get it. If they want to get into your account, then 2FA might work. In any case, our plan is to add 2-factor authentication.

      • I’m wondering how these keyloggers work. Is a virtual keyboard a solution? It would make the hardware keylogger useless but what about software ones? Can they capture screen?

        I guess that the best method to be totally secure is to use some Live CD Linux distribution, use only your own computer and to log into Protonmail under Linux.

        • a live linux cd boot can be defeated with a bios hardware hack that works in conjunction with a cd drive that also has hacked firmware. The bios will checksum the cd drive firmware before passing control to the CD drive to boot the linux distro to make sure it is passing control to the hacked firmware of the CD drive that mounts a fuse file system along with the linux distro. I replaced my CD drive with the same exact one which was a $40 USB DVD Drive from Lite-On and was shocked when the screen said bios error from one boot to the next when all I did was swap the DVD drive with the same one ( but new and not hacked yet ). The boot CD was the same each time too but it only allowed me to boot the live CD from the older DVD drive even though they were the same exact model. Crazy stuff. I’ve been being targeted by the Triads for 3 years now because of my blog, this happened to me first hand.

      • You could go the route of Agora and use a message encrypted with your personal pgp key for the 2nd form of auth. I keep a machine completely unhooked from the net to encrypt & decrypt messages. If you could make it possible for us to post our public keys to some sort of profile so people could contact us with an extra layer of security if needed.

      • Is PhotonMail utilizing AES-512, or 256?

        One thing you may want to consider is double encryption layers, such as AES-512 outer encryption and SAH-756 internal encryption, all passed through the SSL tunnel.

        Another, again albeit developer-complicated implementation, would be to build in a C2C IPSec tunnel that traverses through the SSL tunnel. This in particular would be simpler to implement in a fat client.

        Another solution, albeit quite complicated from a developer standpoint, would be to incorporate PGP into a desktop client that would create a fully system unique random set of PGP PKI certs that are not stored on any server, but this would still be susceptible to an endpoint compromise.

        • Not sure if this is trolling or not, but there is no such thing as AES-512 or SAH-whatever. It’s tricky to use technologies that do not exist, although it’s certainly ephemeral if you could.

          • Actually, there is a 512 form: the algorithm that was chosen to become the advanced encryption standard (AES) was Rijndael.
            Rijndael supports in fact key sizes up to 512 bits (the AES version did indeed specify 128 and 256 bits, but that decision was made because it would be too slow in unpowered devices like smart cards). Fun fact: speed is the reason why Rijndael won in the first place; the most secure AES finalist was the algorithm named Serpent, but because it wasn’t fast enough in slow devices, Rijndael was chosen instead.

    • RSA was co created by the NSA decades ago …………

      Plus RSA, NSA too damn close imho …………

  • One might argue that there are different threat models depending on whether two users are communicating within Proton Mail versus sending “secure” emails to another provider using symmetric encryption. The latter depends on a Proton user supplying an encrypted email recipient a decryption pass-phrase. Depending on how that’s done and how strong the pass-phrase is, that might be riskier than communicating within Proton Mail.

  • Hi.
    I believe I read all the articles on the website (there are not too many :) ), but I still don’t get where the private key is stored and how it is synced between devices.
    If all the crypto happens in a browser (javascript?) it means that the key should be somehow synced between different browsers.

    • The key is first encrypted with your mailbox password (which we don’t have access to) before it is moved through ProtonMail to your browser on different devices.

      • If the encryption key comes from my password, what happens if I change my password in the future?
        Do you still use the encryption key generated by the old password or do you generate a new encryption key based on the new password? If so, how do you keep reading the old cyphered e-mail with the old key?

        • Changing the mailbox password will permanently make old encrypted emails unreadable, it is a form of secure delete.

          • What If I just feel like changing my mailbox password but don’t want to render the old encrypted emails useless since they become unreadable on changing the password ?..

          • When we enable this feature, it will be done in such a way that you can still get access to your old emails by entering the old password.

          • Would be nice to have a mass re-encrypt feature.. supply the old password, supply the new password, now all historical emails are re-encrypted with the newly changed password.

      • Just being curious: if ProtonMail does not have access to the user password, how does user authentication work?

  • Many thanks for a system that a common man can trust.
    I want to know the procedure to get multiple mail accounts,
    (say for organisational/office purpose) to be created from single mail ID as you only permit one account per e mail ID currently.
    Also I want to know about the investment opportunity in your venture.


    There is an account security method I wish to implement, but cannot find as a feature option within the current E-mail product market. Please, ProtonMailers, tell me why this method is being avoided by other encryption tool designers. OR, take this idea and RUN with it, using it within ProtonMail in your own way!

    LIMITED ATTEMPT ACCESS PROTOCOL: Many years ago while trying to access an ATM cash machine with my credit card, I had a ‘brain fart’ and could not remember my 4 digit ACCESS PIN number. After several unsuccessful tries, the ATM machine swallowed my credit card, shutting down the cash transaction.

    EUREKA: Instead of becoming upset, I instantly thought, “I want this feature on my E-mail account immediately!”

    Alas, nobody offers this feature for Web based E-mail. NOBODY, only server based tools I configure myself offer this option, sort of. Why is that!? This seems quite shocking for 2014. Every time I ask system administrators for this on my Web E-mail server, they all clam up and say nothing, won’t respond to E-mails, etc. I’ve dumped several hosting services as a result.

    Is this the elephant in the room? Would this feature “take away the keys from the locksmith” so to speak, and this is why ‘the establishment’ is afraid of ‘going there’? Ergo, the locksmith is the one with the CRAY computer, and thus, full access.

    I would like to select the option of 100 LOGIN attempts allowed per 24 hour day, rather than the 3-5 attempts (?) that an ATM allows. When each attempt is entered by hand, rather than a BOT, that is a lot of attempts, likely enough to solve the occasional problem of a password brain fart. One can sequentially try past passwords, go backwards until the login works.

    But for a brute force tool, 100 attempts is almost nothing, if no words of language (and other smart choices) are used for creating the password.

    ***It seems to this encryption layman that most passwords are broken by A—poorly conceived, and managed passwords, and B—by brute force methods that simply use mathematic algorithms to try millions of combinations. (And C–Keylogger ware.) WTF, why is any login interface allowing so many combinations to be tried in the first place? This is insanity…going on for more than a decade now!

    Perhaps…this feature itself is so easily hacked? Perhaps today the hacker just resets the LOGIN engine, and/or server app to accept unlimited attempts, game over? Well, why not code around that problem…in a new way using your exceptional MIT brain trust, just assembled.

    2X PASSWORDS, as ProtonMail features, would seem to largely accomplish the same result. Because cracking first one, and then the second password is obviously going to hamper brute force methods tremendously. However, since the ProtonMail system is so dependent on the browser, which is endlessly full of gaping holes, I sense that this idea is not completely dated yet. The need to use Webmail much of the time, versus POP mail rooted on one’s personal machine, is the curse being overlooked.

    While an anathema to Crypto experts (???) perhaps this idea is perfect to meet your stated priorities of A SIMPLE TO USE INTERFACE. While certainly messy in its own way, it IS quite easy to comprehend conceptually. Beginners will understand what is going on instantly; limited attempts possible per day needs zero tutorial to understand.

    The idea would seem perfect for one of the two passwords within ProtonMail. And/or, perfect for mobile applications since short PIN numbers are already one of the common aspects of those kinds of tools, like Cell phones. One could allow the user to select the amount of attempts allowed, or, for greater (or lesser?) security, this choice of how many attempts are allowed per day, could be tightly controlled right at your servers, a limited amount of attempts could be coded at the CORE LEVEL.

    Such as 10, 100, 500, no more than 5-10 options, but not smaller derivations, such as 11, 112, etc. If the tool NEVER EVER allowed more than 500 LOGIN attempts per day, no matter what, built in to that core, that would seem very useful.

    What am I to make of this elephant in the room?

    1—While perfect for financial uses (where there is a unique physical card bundled into every login) Is this feature just stupid in encryption technological terms when applied to E-mail?

    2– Is it just a psychological dissonance scuttling the idea, ergo, too depressing for system admins to contemplate with any real depth, that they are ‘giving their own keys away’, that they are giving up so much power?

    I await your reply,

    LAVABIT refugee

    • Such a system will surely enhance (somewhat) the security but it will offer an easy way to lock you (and all other users) out of the system. Once you obtain the user’s login name, all you do is “try” to log-in with nonsensical passwords until the system shuts you out. Automating that will probably not take more than a 10 line script and the whole mail-system stops working.

      The reason why it works for ATMs is that there the “log in” is the physical card and if you have the card but not the password, there is a fair chance you are not the rightful user of the card.

      In the email-system, the physical card is replaced by your log-in name and that is most probably your email address, so it is too easy to find out and your suggestion makes the system vulnerable to a “DoS” kind of attack.
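The trade-off argued in the two comments above, as an added example that is not part of the thread and not ProtonMail's code: a daily failure cap keyed on the account alone locks the owner out once anyone who knows the address burns through the attempts, while the same cap keyed on account plus client does not. The account name, the client labels and the per-client keying are assumptions made for the illustration.

```javascript
// Added illustration (not ProtonMail code). Compares two ways of keying a
// "limited attempts per 24 hours" rule against constructed login events.

const DAY_MS = 24 * 3600 * 1000;

class AttemptLimiter {
  // keyOf decides what the failure counter is attached to.
  constructor({ maxFailures, windowMs = DAY_MS, keyOf }) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.keyOf = keyOf;
    this.failures = new Map(); // key -> timestamps of recent failed logins
  }

  // Returns 'locked', 'ok' or 'denied' for one login attempt at time `now`.
  attempt(account, source, passwordOk, now) {
    const key = this.keyOf(account, source);
    const recent = (this.failures.get(key) || [])
      .filter((t) => now - t < this.windowMs); // drop failures older than the window
    this.failures.set(key, recent);
    // ATM-style rule: once the cap is reached, even the right password is refused.
    if (recent.length >= this.maxFailures) return 'locked';
    if (passwordOk) return 'ok';
    recent.push(now);
    return 'denied';
  }
}

// The proposal from the comment: N attempts per account per day.
const perAccount = (maxFailures) =>
  new AttemptLimiter({ maxFailures, keyOf: (account) => account });

// Assumed alternative: the same cap, counted separately for each client.
// Caveat: the cap then bounds guesses per client, not per account, so it
// limits password guessing less tightly than the per-account rule.
const perAccountAndSource = (maxFailures) =>
  new AttemptLimiter({ maxFailures, keyOf: (account, source) => `${account}|${source}` });

// Constructed scenario: a third party who knows only the address uses up the
// day's attempts from client-B, then the owner logs in from client-A with
// the correct password `delayMs` later.
function ownerLoginAfterFlood(limiter, delayMs = 1000) {
  const account = 'owner@example.test'; // constructed address
  for (let i = 0; i < limiter.maxFailures; i++) {
    limiter.attempt(account, 'client-B', false, i);
  }
  return limiter.attempt(account, 'client-A', true, limiter.maxFailures + delayMs);
}

console.log('per-account cap:        ', ownerLoginAfterFlood(perAccount(100)));
console.log('per-account+client cap: ', ownerLoginAfterFlood(perAccountAndSource(100)));
console.log('per-account, next day:  ', ownerLoginAfterFlood(perAccount(100), DAY_MS));
```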

  • Hi,

    very interesting. You give some hints, how you obtain security. Since I am in security issues for many years, I would like to see your model in detail, because if someone cannot explain the security system he uses in detail, it is probably insecure. Please send me a detailed model of your service. Kind regards,

    Felix Thommen

  • Seems like a long awaited service. Anyway – “ProtonMail offers good (but not perfect) protection” – you might want to add/modify that no service ever created will offer the perfect protection because that simply doesn’t/will not exist.

    Looking forward to your first version!

  • Would be nice if you can also implement Google Authenticator App as second authentication, like many other services already have.

          • Lloyds Bank uses second authentication, the second password changes in sequence at every login. For example, if your second password is MYBank, you will be asked for digits 1,3,5 (MBn) and if you enter a second time, you will be asked for something different, such as 2,4,6 (Yak).

  • “ProtonMail’s zero access cryptography means we would only be able to release encrypted data since we do NOT hold the encryption keys.”

    You rather meant decryption here, right?

  • Your threat model includes “unauthorized backdoor”. Why do you add “unauthorized” to backdoor? Do you have an “authorized backdoor”?
    You specifically mention that your service is not appropriate for Snowden, yet how do you plan to deal with Hushmail styled threats? What design do you have to mitigate the threat if it itself becomes the attacker?

  • I have nothing to either hide or steal, but I still like this email idea. Keep up the good work. Maybe down the line you will come up with a search engine with the same type of security. It makes me nervous to do online banking and such, but it is a necessary evil.

    • @Kelly C, maybe this site is something for you
      They offer also for IE a default search window, so if you type your search string into your browser’s address bar you will search directly to startpage secure server without logging your search strings.

      Find out for yourself.

  • Will ProtonMail be incorporating an IPsec session or ToR proxy into the service[s]?

    Congratulations on recent crowd fund success!

  • This is the perfect website for everyone who wishes to understand this topic.

    You know a whole lot, it’s almost hard to argue with you (not that I personally will need to…HaHa). You certainly put a brand new spin on a topic that has been written about for years. Great stuff, just great!

  • Your rival hushmail requires a login at least once every 3 weeks or the account is shut down. For Yahoo and Hotmail, I believe it is around 90 days.

    Could you tell us your requirements before an account is “inactive”?

    Also any idea when the new round of “invites” will go out please?

    • For now, accounts never go inactive. As long as we have space, we’ll keep all accounts.

  • If I understand:
    Protonmail –> Protonmail = Fully encrypted
    Protonmail –> Other mails = Encrypted on Protonmail server? not on other mails servers
    Protonmail –> Other mails + Encrypt for Outside Users = Fully encrypted (proton server+other servers)
    Other mails –>Protonmail = ?

    • Other mails –>Protonmail = encrypted on ProtonMail server, not on other mails servers

      • #lastquestion
        So, what does the padlock mean on the mailbox? Because when I send a msg to other mails the padlock is closed but when other mails send a msg to me the padlock is open.

      • How does ProtonMail encrypt the messages coming in from other servers without having access to the private key?

        • We don’t need the private keys for this, it is sufficient to encrypt with public keys.

  • Oh I can’t edit my previous msg but do you have somewhere where we can make suggestions?

  • Hi, looking forward very much to joining your email program, a couple of questions if I may?
    When receiving emails from say Gmail and Hotmail are THEY encrypted as soon as they “hit” Protonmail or how does that work? Unless EVERY AND ALL email programs are encrypted surely there is a “hole” there somewhere, or not??? No IT expert here……but curious!
    Also, will Protonmail have the instant message and web cam facility as in Gmail etc?
    Thanks Ray

    • We intend to eventually build in an instant messenger. Emails are encrypted when they enter the ProtonMail system. For maximum privacy, we recommend that both the sender and the recipient use ProtonMail.

  • Thanks for your important work.

    Are you planning to implement the new end-to-end encryption protocols that are being developed by the Dark Mail Alliance into ProtonMail? What do you think about these new protocols?

    • We like the idea, but in practice, it will be difficult to replace SMTP (the existing protocol) in the near term.

  • Hi, great initiative, thanks!!

    I’m considering becoming a “Lifetime Protonmail+” supporter, but I’d just have three quick questions first, if I may:

    – Besides symmetric encryption, are you planning to implement optional PGP asymmetric encryption between PM and non-PM users?
    – Will users have the option to remove their private key from your servers to store it locally?
    – Independently of your server’s disks encryption, are you considering the possibility of encrypting to the user’s public key incoming unencrypted emails from non-PM senders?

    Many thanks, and looking forward to your service (and whitepaper).

    • All these features you mentioned are currently under consideration, I think eventually, most of them will be implemented as we want to maintain more compatibility with PGP.

  • I’m all for fully private email. I may well sign up for this. The privacy of all email, from any provider, should be considered sacrosanct by democratic governments. I appreciate that it may be necessary to investigate communications between genuine terrorist or extreme crime suspects, but the blanket surveillance carried out by many nations is not acceptable, and I think it should be accepted as a given that the ordinary citizen has a right to protect himself/herself from such surveillance by the use of strong encryption, not only in email, but in any form of communication.

  • One question: Does protonmail support STARTTLS? That is, does it use TLS encryption for emails received from other providers (with Strict mode for gmail/hotmail and other large providers known to support STARTTLS).

    Otherwise, it would seem that it would render protonmail-to-protonmail emails a lot more secure than gmail-to-gmail, but gmail-to-protonmail vastly more insecure than current gmail-to-gmail emails. Since in the gmail-to-protonmail case, not only can gmail (and anyone capable of compelling Google to act on their behalf) read the emails, but also protonmail and any network adversary in between the two (e.g. any ISP from $DatacenterLocation, U.S. to $CERNLocation, Switzerland and any tap on their links).

    I would assume that, at least at first, most mails to protonmail users will come from non protonmail users, so the security of inter domain incoming messages should not be any worse than if the user were still using gmail, hotmail or the like.

    • We implement STARTTLS opportunistically, which means if the other side supports it, then the connection will use TLS.

    • When the adoption increases, we will be adding this. At this moment, our DNS doesn’t even support it unfortunately.

  • Why would you not use Elliptic Curve cryptography instead of not-even-in-suite-B and perhaps soon to be broken RSA?

    For a more detailed rationale please see the excellent BlackHat 2013 “The Factoring Dead” talk.

    • We are considering EC as well, but flaws have also been found in EC. RSA is still in many ways, more tried and true.

  • To those who say, “I have nothing to hide why should I care? Only criminals need worry about the NSA/ law enforcement monitoring;” do you understand that you have just shredded the Constitution and turned American jurisprudence upside down?

    The “nothing to hide” view means everyone is guilty unless proven innocent. I prefer innocent until proven guilty.

  • “1. Compromised User – This is the most common type of compromise. Even if you use the world’s most secure electronic communication system, advanced encryption does you no good if there is a keylogger on your computer recording all of your keystrokes. ProtonMail does not and can not guard against a compromise of a user’s machine.”

    Excuse my stupidity, what about a little feature like “2-way authentication” which can eliminate the access to the email’s secrets even if the passwords get known to the attacker? Also there’s the “Login Approvals” feature. A lot of ideas out there about these issues.

  • “On a more serious note, there are also critics who assert that by building ProtonMail, we are providing a powerful tool for criminals to evade the authorities.”

    This is the “what about the terrorists” question. I can think of two ways to answer it:

    1) “Which terrorists are you talking about? The ones who work for Al Qaeda, or the ones who work for the US government?”

    2) “Implied in your question is a suggestion you want us reading your emails, every email that comes through our servers in fact. Do you really want this for yourself? Do you expect our other customers to put up with it?”

    • To answer question 1:
      Did you know that most terrorist attacks are designed by the FBI, for use in sting operations. They don’t expect the fact that the internet is not just for porn

  • Does ProtonMail envision a feature that allows an email that is sent out (in error) to be recalled (if it has not already been accessed by the wrong recipient)? Thank you.

      • ProtonMail, I would really appreciate it if you let us recall emails within 2 minutes of sending them?

        Just wait 2 minutes before delivering it so we can recall it if necessary…

        • Yes, this is a feature we like as well and will want to add later. However, the implementation is difficult.

  • I call bull**** … Sorry
    This just CAN NOT work like you state …

    So let’s say someone sends me a mail.
    As we all know, mails are just plaintext, arriving at your SMTP.
    From that moment you are already in possession of my mail.
    And you can easily read it, if you wanted to.
    Or hand it to any authority, if required by law.

    But you say the mail is encrypted. So you “can only hand over encrypted data”.

    Then, please explain to me, HOW will this mail magically end up encrypted in my mailbox??
    Something/someone has to encrypt it, right?!?
    And what you encrypt, you are also able to decrypt.

    And how can that be done without you knowing my password?
    Or: me being able to decrypt the mail, that was encrypted by you….

    • We encrypt with your public key, we don’t have your private key, so we can’t decrypt. It’s simply asymmetric cryptography.
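The flow described in this reply and in the earlier replies about the password-encrypted private key, as an added example that is not part of the thread and not ProtonMail's code. It uses Node's built-in `crypto` module, with RSA-OAEP plus AES-256-GCM standing in for the OpenPGP operations; the function names, the record layout and the sample password are assumptions.

```javascript
// Added illustration (not ProtonMail code): the server encrypts incoming
// plaintext mail to the user's public key and stores the private key only
// in a form wrapped with the mailbox password, which it never sees.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client, at signup: generate the key pair and wrap the private key with the
// mailbox password before anything is uploaded.
function createAccountKeys(mailboxPassword) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8',
      format: 'pem',
      cipher: 'aes-256-cbc',       // PEM becomes "ENCRYPTED PRIVATE KEY"
      passphrase: mailboxPassword,
    },
  });
  // This record is everything the server holds; it can be sent to any of the
  // user's browsers, which is how the key reaches a second device.
  return { publicKey, wrappedPrivateKey: privateKey };
}

// Server, when a plaintext message arrives over SMTP: hybrid-encrypt it to
// the public key. A fresh AES key encrypts the body; RSA wraps the AES key.
function encryptIncoming(publicKey, plaintext) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, body, tag }; // the plaintext is discarded after this
}

// Client, after login: unwrap the private key locally with the mailbox
// password, recover the session key, then decrypt and authenticate the body.
function decryptOnClient(wrappedPrivateKey, mailboxPassword, msg) {
  const sessionKey = crypto.privateDecrypt(
    { key: wrappedPrivateKey, passphrase: mailboxPassword, ...OAEP },
    msg.wrappedKey
  );
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// What a party holding only the server-side record can do with a stored
// message: without the mailbox password the private key does not unwrap.
function readableWith(serverRecord, msg, passwordGuess) {
  try {
    decryptOnClient(serverRecord.wrappedPrivateKey, passwordGuess, msg);
    return true;
  } catch {
    return false;
  }
}

// Constructed demo values.
const demoPassword = 'constructed mailbox password';
const demoRecord = createAccountKeys(demoPassword);
const demoMsg = encryptIncoming(demoRecord.publicKey, 'Hello from an outside sender');
console.log('client reads:', decryptOnClient(demoRecord.wrappedPrivateKey, demoPassword, demoMsg));
console.log('server record alone can read:', readableWith(demoRecord, demoMsg, 'not the password'));
```

The message is still plaintext at the moment it reaches the server, which is the window the commenter points to; the encryption protects what is stored afterwards.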

  • I’m no security expert but I think it would be better if you explained the SMTP threat in simpler terms: That normal emails going in and out of Proton Mail are subject to mass-surveillance and that the entry/exit nodes of this type of service will surely attract those who like to keep watch. Thus even if one uses TAILS, a single normal email message to or from a Proton Mail server which contains any information that identifies the user will tip a powerful adversary off as to the user’s use of the service, prompting a more-targeted attack on the end point — i.e. end user PC’s BIOS or display drivers or whatever. It’s probably fair to say Proton Mail’s SMTP gateway is still a useful mass surveillance tool for creating a list of persons of possible interest (POPI) who are considered as having something to hide. Creating POPI can be avoided if end users can create non-SMTP accounts — i.e. Proton Mail to Proton Mail only accounts.

  • This looks fantastic. I have five webmail accounts, and am already considering replacing them all with one ProtonMail. Must read the rest of the website, but this is really exciting. Kudos all around!

  • Just wondering I have signed up an invite for the protonmail email address, but not sure how long it will take to actually get it?

  • How is protonmail to be funded going forward? How can I count on protonmail being around for a long time if it offers a free service? I’m concerned about financial sustainability.

    • Due to donations in our crowdfunding campaign and other financing we have raised since, we have a very strong balance sheet. In the future, we will add paid accounts to continue to generate revenue.

  • Can’t wait to have my proton mail address…

    FYI, apparently the right to privacy isn’t part of our civil liberties any more, here in France… Check out (part of) our minister of interior’s speech:

    Gross translation for those who don’t speak French:

    “There’s nothing in these law texts, nothing, that constitutes a violation of our liberties. There’s no violation of our right to come and go anywhere, no violation of our civil liberties, really, none! None! None! If you can spot one article in these law texts that jeopardize our liberties, feel free to tell me where it is. However, [short silence] there are some measures that could seem to be altering privacy and the right to privacy…”

    Seriously, WTF?

  • to management

    Don’t let yourself get dragged in and pressured by the freeloaders of the world. those asking for app and client integration (IOS, WP, Droid, Office, Thunderbird and others) are the people that will make the device remember the passphrase and have no password on their device and when their email has been had by the …… (whoever) they will blame your team/service for it.

    human GREED knows no bounds – “give a mouse a cookie and it’ll ask for a glass of milk” then blame you for obesity (just look at US people) people are fat because they are lazy overeating PIGS yet they don’t blame their eating habits and unhealthy lifestyles! no they prefer to place the blame on the food industry or anything/one except themselves.
    they despise and get outraged when the MAN spies on them and yet they look to the government for all their needs. how is that for a paradox. human psychology is just that twisted but simple like a child!

    truth be told 90% of your users have no idea what securing their comms. mean – they ask you for the service and yet they Social Media all day long.

    as long as you keep it in the browser it stays as secure as the machine that comms. are being executed on!
    Keep it up and don’t let into the pressure. the hell with functionality more security!!!!
    people who find security difficult aren’t concerned with it in the first place.

  • I generally like your approach, except I have a question that seems to be hand waved in your Ted talk.
    My question is how do Alice and Bob authenticate each other’s public key? Please excuse me if I didn’t find the answer somewhere on your website.

    • When sending emails to other protonmail users, the public key is retrieved automatically. Sending emails to 3rd party email providers like gmail with gpg will require you to manually get his public key from a key server or simply ask the receiving person for his key prior to sending classified information.
      That said, as of now there is no way to manually enter someone’s public key so end to end encrypted messages only work for protonmail to protonmail users or non protonmail user to protonmail user by sharing your public key (can be exported in the settings menu)

  • secure tools for all:
    browser: Tor Browser
    search –, (DuckDuckGo?)
    mail: protonmail
    text: openpgp
    algorithm: AES256
    internet: tor
    os: tails
    ip: prepaid sim card ip
    money: bitcoin

    more?!… :)

    • Throw away all electronic devices and live in a cave?
      Protonmail addresses privacy issues in a sensible way for ordinary people. For average users who are not specifically targeted by the secret services these are all overkill. A vpn, protonmail, duckduckgo, firefox, ad block, android, no social media, strong passwords will do just fine. Except when they specifically target you in which case, there’s probably a valid reason.

  • Hi,

    About protection against keylogger systems, wouldn’t it be useful to implement an artificial keyboard (with shuffled letters) into the Protonmail interface that would allow the user to type sensitive e-mails using the mouse?

      • I love this idea! Please use it

        I would love to be able to send emails this way without anyone spying on my keyboard.

        (But give us the option to still use the keyboard at times)

  • I like your work, but I do think that the keylogger problem must be addressed before proton mail can be promoted as a secure solution for the “non techie” user.
    Have you considered adding the possibility to use YubiKey or the like to protect people’s login?

  • Hello, thank you for the service. I might be being dumb here, but if I were to send a message to someone who was using G Mail, or a private mail server for a workplace, would that email be unencrypted in transit? I mean would the message be absolute plain text ready to be hoovered up by government in transit? Thanks!

  • “There will always be a trade off between security and usability, anybody that tells you otherwise is lying.”
    Then I guess I’m lying. Whatsapp introduced encryption and no usability has been lost (don’t trust whatsapp though)
    Signal (previously textsecure) is VERY secure and VERY usable. More secure than pgp (albeit very close) and way more usable.
    Fingerprints & biometric authentication, pretty self explanatory. iPhone touch ID is way more secure and way easier than a password.
    Saying that more security = less usability is just simply not true. Then again I suppose I’m “lying”

    That being said, go protonmail! I love what you guys are doing. And your *more secure* email client is way more convenient than encrypting stuff myself. Oh well..

  • You are doing the LORD’s work, helping to free mankind.

    Please continue to fight evil, and proceed ever more boldly against it.

  • Can protonmail email addresses be integrated into the Mail app on a Mac? Or do they have to be accessed on a browser like Safari?

  • Is the German language really so terrible that a provider from Switzerland can no longer manage to make a website in German?

  • I would use TrueCrypt to make a container with an encrypted folder inside. I would also send the keys in something like a bill using snailmail for the receiver to decrypt at leisure using a secure and disconnected computer. Poof – in a cloud of smoke…

  • You are doing an excellent job so far, congrats!

    I read the comments and blog page and I have a couple of doubts I would like to clarify in terms of how the login is performed. Let me summarize it this way:

    LP: Login Pwd
    LPh: Login Pwd Hash
    PubK: Public Key
    PriK: Private Key
    MP: MailBox Pwd
    USoC: Unique String of Characters

    Login Phase
    1. Client sends LP over TLS (LP or LPh is sent?)
    2. Server validates LP with the hash stored on its DB and authenticates the user if correct
    3. Server pushes PriK encrypted to the client + Encrypted Emails (is this correct?)
    4. Client decrypts PriK with MP locally
    5. Client has access to Emails in cleartext
    6. Server uses MP to decrypt the USoC on client´s side and send this to the server
    7. If server checks if USoC are correctly decrypted, server knows you decrypted your mailbox successfully.

    Please correct the steps and the order if needed. Thanks in advance!

    • Mostly right, except we check if the mailbox decryption succeeded locally without contacting the server.
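The local check described in the reply above, as an added example that is not part of the original comments and not ProtonMail's own code. It assumes scrypt and AES-256-GCM as stand-ins for the OpenPGP key encryption a real client would use; the function names and sample values are hypothetical.

```javascript
// Added example; function names are hypothetical, not ProtonMail's code.
const crypto = require('crypto');

// Wrap the private key (PriK) under a key derived from the mailbox password (MP).
// Assumption: scrypt + AES-256-GCM stand in for the OpenPGP key encryption a
// real client would use. The returned blob is what a server would store.
function wrapPrivateKey(privateKey, mailboxPassword) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(mailboxPassword, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Runs on the client only. The GCM tag tells the client whether MP was right,
// so no round trip to the server is needed to confirm the decryption.
// Returns the private key, or null if MP is wrong or the blob was altered.
function unwrapPrivateKey(blob, mailboxPassword) {
  const key = crypto.scryptSync(mailboxPassword, blob.salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
  } catch (err) {
    return null; // tag mismatch: wrong password or modified blob
  }
}

// Constructed sample values, for illustration only.
function demo() {
  const priK = Buffer.from('constructed private key material');
  const blob = wrapPrivateKey(priK, 'constructed mailbox password');
  const flipped = Buffer.from(blob.ciphertext);
  flipped[0] ^= 0x01; // simulate a blob modified in storage or transit
  const good = unwrapPrivateKey(blob, 'constructed mailbox password');
  return {
    correctPassword: good !== null && good.equals(priK),
    wrongPassword: unwrapPrivateKey(blob, 'not the mailbox password') === null,
    tamperedBlob: unwrapPrivateKey({ ...blob, ciphertext: flipped },
      'constructed mailbox password') === null,
  };
}
```

The mailbox password never leaves these two functions, and a wrong password is indistinguishable from a modified blob: both fail the tag check on the client.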

  • Hey, I was just wondering if you will be releasing an Android app for ProtonMail? And also, is there any software in the works for Android phones from the company?

  • Hi,

    When one is applying for a Proton email account, once it is setup is the original notification email then securely deleted?

    Philip Mulcahy

  • My personal iPhone was hacked at work. I’m assuming spyware.

    I restored phone.

    But they still seemed to be able to see or hack back in quickly. Possibly via Bluetooth or Wifi address. I don’t know as I’m no expert.

    Possibly from the links sent to email account confirming account changes. And then linked recovery/security email accounts.

    They were persistent.

    I think Spyware is a big problem. Not so much the transmission of information. It’s the viewability of the information at the receiver’s end. When the receiver opens & views the email.

    • That website is not accurate; SSL Labs is a more accurate tester. Our systems have been fully patched and protected against DROWN.

      • OK, thanks, I see.

        By the way, SSL Labs rates with “A” and with “A+”. Would you then recommend the latter as safer for logging in?

  • “There will always be a trade off between security and usability, anybody that tells you otherwise is lying”

    ‘Always’ is not correct. ‘Often’ is more correct. Examples:

    – ssh protects against passive-MITM. It is no harder to use than telnet – in fact when exporting X-displays it is even easier to use.
    – https protects against passive-MITM – even with unsigned certificates, and is no harder to use for the user than http.

    Both examples are more secure than the unencrypted alternative, but neither is harder to use. So there is not ‘always’ a trade off between security and usability – but often there will be.

  • This is great for businesses who want to keep their emails private.

    Personally I just love being on the cutting edge of technology.

  • You have no idea how happy I am that I finally found someone else who feels the exact same way I do about Google and Microsoft. I’ve been waiting for you since the beginning of the World Wide Web. My husband and my best friend used to think that I went off my rocker when I would repeatedly tell them that “That was NOT on my computers when I shut them down last night!”. Lol, I was finally vindicated (so to speak) this past spring when my husband ran into a poor guy in Walmart just freaking out something awful because he woke up one morning and found his computer was now useless because the backdoor installation of Windows 10 was completely incompatible with the slightly older, but still perfectly fine, motherboard inside of his Windows 7 computer.

  • Nice explanation! Thanks!

    I have one more question, since normally nobody is going to go for the Swiss courts thing from other countries. However, if someone does and gets a court order, do you (the company) go protecting your users filing an appeal against the order? Or you tell your user about such a court order prior to handing the encrypted data to them? Can a particular user pursue their case in Swiss Court if they know someone is trying to get hands on their data?

    • Under Swiss law, it is obligatory for the authorities to notify the user whose data they are going after and the user can then go to court to fight against this.

  • Thank you for making this service available. I am not a criminal, but do live where everything over the internet is reviewed. I have private things that I wish to remain private.
    I shall be donating when I have the resources to do so. My children require the vast bulk of my now very limited resources.
    Thanks again.

  • Thank you for your work in this area. It seems to me that you are finding a pretty good balance between usability and protection. Certainly you are furthering the world’s awareness and pushing people toward developing better habits and demanding better solutions to use.
    Keep it up and the instant I can migrate emails I will be getting a commercial account.


  • This sounds quite exciting and intriguing. I’ve only come across Proton in the past week as a friend sent an email and said he’d changed to Proton because of the amount of spam he’d been getting.

    I’m on gmail and getting a huge amount of spam these days. It goes straight to junk and I delete the lot but I am very interested in not having my emails archived and surveilled just because the facility to do that exists.

    I need it to be simple to use as I’m not a tech person and don’t know enough about computing to understand it all without getting goggle-eyed.

  • Hello,

    Very interesting article.

    As you know, governments are sometimes more interested by the metadata included in an email exchange than by the content; the ProtonMail mailbox is encrypted, email content (object field) sent can be encrypted too (protected by a password), but are metadata such as From: To: Subject: fields also encrypted?
    These fields are usually kept in clear text as routing is necessary, am I right?
    If not encrypted, when handing out the mailbox to authorities which requested it, does it contain these metadata (through firewall/router/IDS logs) too?

    Thanks for the explanation.

  • I am still receiving threatening mail from your client using my name howplmr@protonmail.
    Please request this person to stop sending me mail.
    Thank You.
    I will apply to the Courts in Switzerland and England if this is not stopped.

    • Mr. Palmer, respectfully, threatening legal action as a response to a scientific body dedicated not to greed or power, but to advancing knowledge at the highest levels, and who then, chooses to go a step farther – or, in fact, a huge leap farther – and provide an excellent, free, encrypted email service for the betterment of humanity and that, in my case, greatly minimizes the chance that hitting “send” will cost me my life, as it almost has more than once. Sir, I beg you, in the spirit of all things decent, to consider the countless number of souls for whom every internet interaction is a risk of far more than bothersome harassment. Because once you’ve lain on your bedroom floor, trying not to breathe while you listen to your husband speed-dial his attorney for the murder he thinks he just committed – your murder – once you’ve spent a decade changing your name and moving your children from place to place because someone with means and motive obsessively hunts you down; someone rich enough and resourceful enough to make very good use of the internet; well, sir, when that is your reality, this service is a godsend. Truly. It’s actually quite good, and it’s free.
      It’s very hard in today’s world to survive without email, and I believe that in the past couple of years it’s become empirically obvious that the beautiful interconnectedness of the internet is also a dream come true for every murderous stalker and a nightmare to their victims. And in my case, as I’m sure is true in so many others, this includes my 3 beautiful, teenage children, none of whom will even carry a cell phone.
      I’m somewhat surprised that I wrote all this, and it’s likely you and many others will tell me to bugger off, but who knows, possibly you will see things in a new way and just block the email address of that jerk harassing you.
      I wish you all the best.

  • I’m probably just missing something, but I still don’t understand, what exactly makes this email service more secure than Gmail and Yahoo Mail? I understand that you have scientists working on Proton Mail to make it secure, but what’s the difference, and how does that make its security better than that of other email services?

  • IM:
    - Do you intend to build an instant messenger where both users should use their own PGP in write:read operation?
    - Should it not be a short version of Jabber/OTR?
    - Could 443/https be used in this case?
    - Will it be more resistant to any interception?
    - Should it be possible that this communication be almost undetectable?
    - Should this IM improve the anonymity or the security?

  • You recommend certificate patrol.
    What do you think about Calomel SSL Validation? Is it not the same control? Which one fits better?

  • I appreciate the free account. A lot of people are not concerned about their privacy, but I am. I run a VPN on every electronic device I own including my internet connection. The ability to mask my IP address is important so crooks can’t pinpoint my location or access my life. The VPN does not log any PII; just like Proton. After extensive research, Proton is the way to go. Reading Greenwald’s book on Snowden scared the crap out of me, as if I wasn’t paranoid enough about what they could be doing after reading Bamford’s ‘Body of Secrets’. I am thankful for the Proton Team opening this up to the public. Thank you.

  • Thank you so much. CERN continues to be a model of the highest value in plasmic dimensions. I was drawn to the physics, then awed – stunned, really – by that machine. (I’m the extreme theoretical, head not just in the clouds, but in the clouds of some alternate universe. Seeing the LHC for the first time shot me back to earth with enough force to leave me with what I’m sure was a concussion. I know I was definitely dizzied by it, and didn’t mind at all. The LHC redefines “extraordinary machine.”)
    I was then quite quickly caught in the beauty of the soul in the system – see, I warned you I was all theoretical freakiness – but in complete seriousness, the example of a truly internationally diverse group of people united in purpose toward a shared goal represents the highest ideal of humanity and a very bright light in a world where that is increasingly rare. Do not underestimate the power of that example. I cannot commend you enough on that score.
    Add the email; which in itself is an objective good, and like everything else that comes from CERN, it is a many-faceted form of awesome.
    Although this is a bit lengthy, I was just really struck by the need to express my gratitude.
    Serene Tami Sargent.
    P.S. Wolfgang Pauli rocks.

  • I would add one more argument rebutting to the rebuttal that if you have nothing to hide, you have nothing to fear. Occasionally people are suddenly launched to power by mere competence and circumstances and find themselves representing millions. As soon as a person who has “nothing to hide” becomes a public figure, if their entire life has been subject to scrutiny up to that point, then anyone with access to their private details, relationships, or even the details of the people around them has enormous power over that person to make them do and say not what the people who elected them want, but what those who have access to their personal data want. To prevent this abuse of power by those with access to everyone’s data, we need privacy.

  • Thank you for explaining how ProtonMail was designed and works. Privacy is important to everyone.

    Also thanks for making the explanation easy to understand for even a Level 1 older person like me.

  • I cracked up over the Edward Snowden bit and the ‘Strong Adversary’. Yeah, that sounds about right. Cheers to your team, and thanks for taking a stand. I like curtains. The neighbors are nosey.

  • I find it an excellent service
    Secure emails.
    And my business group, family and friends soon
    Will have your @
    It would be interesting to accept the card
    Experta-Banco dle Pichincha Ecuador

  • Only I, me, myself, somehow have been very maliciously, mentally attacked, not for money, only records pictures and my time. This really sounds silly but things are in fact, but only when I use the equipment, listening, video, playback wee hours am, sounds all crazy, changing email wording, putting it back on the screen to mock me, ridiculous! All on video, screen shots! Every day replacing passwords, sometimes many x a day. Check att records, it’s true! My gmail carrier never has stepped up yet to help, still going on every day. Can ProtonMail help? Are there any restrictions? Who can I search with if I have ProtonMail?

  • We salute you for standing up for the rights of ordinary law abiding citizens, who stand
    defenseless against the massive invasion of their privacy from governments and corporations to name a few.
    May your tribe increase.

  • First time I have done any reading on the threat model of your site and my trust in privacy was just automatic because you were recommended by my husband. I have sensitive material in my mail box with you and I’m extremely thankful for the work you do. Also a bit envious of the brain power to be able to develop the safe place where we can absolutely let go of the worry we have with our g-/mail or yahoo accounts. I had to reply b/c of the awesome and witty comic relief above because it is so refreshing and a laugh is always needed. I would love to help work on projects your team puts together and I wish so badly we could get rid of all of the sneaky and nosy bastards who refuse to leave us alone. Thanks for your diligence and your wit. Godspeed.

  • How do you know if a keylogger is on your mobile phone? I have been hacked by an IT professional several times. Is that how? If so, how do you get rid of it? Is there a program that can detect it?
    I wanted to know before getting your email.
    Thank you

    • We can’t really protect endpoints, as securing your device is something you have to do, and not something we can do for you.

  • I thank you sincerely for providing me with some form of privacy. My fiance is in the Russian Federation and our email keeps going missing, so I’ve turned to you for help. I truly feel it’s a case of some moron in charge of a public use Pc that is censoring our mail. I’ll see how I get on now and I’m sure it will be fine. Thank you again.

  • While I might like ProtonMail, the idea of arguing with arrogant complete strangers who all think themselves computer experts on any comment board is a waste of sanity.

  • Hello,

    How can you guarantee that due to a court order or malicious insider the JavaScript code sent to the user is not modified to get the user’s encryption keys? Such things already happened with other “secure” email providers. So the fact that you don’t have the keys but have the technical possibility of getting them does not really guarantee security to user’s email. In this case a trusted independent client email application with GnuPG capability seems more reliable than JavaScript code which the user has no real control of.

    Regards, Alex.

  • I have had my account almost since the beginning. In fact I had to wait about 2 months for my invitation. I continue to be pleased to be a part of the new way of thinking about privacy. I continue to share the information with friends. Thank you for all you do. Jodya

  • God bless you all for identifying a honeypot trap, so-called “if you have nothing to hide, you have nothing to fear.” Garbage.

    “Those who exchange freedom for security deserve neither”… says one man…

  • In a world increasingly intolerant of the rights of others if they don’t coincide with your views, it’s gratifying to come across people such as yourselves that recognize the basic need for privacy. Thank you.

  • Good day,

    Please advise how your company feels about its wonderful product being used in order to facilitate hate mail?

    I would like to be connected with whomever is in charge of dealing with these types of issues as it is defamatory and has caused a great deal of hurt and unrest.

    Kind regards,


  • Hello, I am in Australia. My sister has received two emails from an unknown person using Proton email. The emails sent to my sister are of a threatening nature and causing her a lot of distress. What can she do to find out who is sending her the emails, seeing as how you are based in Switzerland?

    Regards Mandy

    • Hi! If you have proof that this address is being used for something illegal or is involved in any illegal activities, please send them to and our abuse team will investigate and take proper measures if needed.

  • I think you all are doing a great job! I recommend you to friends, fellow students (I’m going to college for my BS in Computer Science) and family.

    Keep up the good work.