The ProtonMail Threat Model

In this article, we will describe both the threats ProtonMail is designed to guard against, and also the threats ProtonMail is NOT designed to counter.

From a high level, our premise is that a service like the now-defunct Lavabit does add value, despite some inherent weaknesses. We designed ProtonMail around many of the same principles, but with some significant improvements. At the very core, email as a secure communication medium is fundamentally flawed. The SMTP protocol was first introduced in the 1980’s well before many of the threats of the modern internet were even envisioned, much less understood. However, despite its age and flaws, SMTP is not going away anytime soon, and email will continue to play a major role in our lives. For truly secure communications, one cannot really recommend email, but for most of us, there is no other option.

Our second philosophy is that security needs to be made easy enough to be usable. The most secure system is simply not useful if it is so complicated nobody is willing to use it. As ProtonMail developers, we will be the first to tell you that there are certainly more secure ways we could have built a service like ProtonMail. The reason we built ProtonMail the way we did is not because we weren’t aware of these other methods, but because we would have had to sacrifice too much usability. There will always be a trade off between security and usability, anybody that tells you otherwise is lying. And just because a system is not 100% secure does not mean you should not use it, the key is understanding the limitations of your security. And for the record, there is no such a thing as a 100% secure system.

At ProtonMail, our goal is to guard against mass surveillance and we feel the best way to do that is to give encryption to everybody. The only way to do that, is to make encryption easy to use. This is why ProtonMail works out of any modern web browser, and why we went to great lengths to make the cryptography completely invisible to the user. However, this approach does come with certain shortcomings.

1. Compromised User – This is the most common type of compromise. Even if you use the world’s most secure electronic communication system, advanced encryption does you no good if there is a keylogger on your computer recording all of your keystrokes. ProtonMail does not and can not guard against a compromise of a user’s machine.

2. Man-in-the-Middle (MITM) Attacks – This is a very rare attack where an adversary will sit between the user and the ProtonMail servers and tamper with the data being relayed between the user and the server. However, because ProtonMail messages are encrypted before they leave the user’s browser, an attacker cannot get message data by simply listening in on the communications. The attacker would have to actually send the user’s browser a modified version of the ProtonMail website which may secretly pass the mailbox password back to the attacker. This is a far more difficult attack that can typically only be executed by a strong adversary (like a government) and is generally a targeted attack. It cannot easily be used on a large scale to perform mass surveillance.

Fortunately, there are several ways to protect against a MITM attack. ProtonMail employs SSL to ensure our encryption codes are properly delivered to user’s browsers and not tampered with en-route. Generally speaking, a successful MITM attack requires breaking SSL, typically by using a forged SSL certificate. There are browser plugins in existence today which can be used to detect forged certificates and greatly reduce the risk of a MITM attack. We recommend Certificate Patrol or Perspectives (although the second one may need more time to mature).

3. Unauthorized backdoor – Another attack vector would be if an attacker somehow gained access to ProtonMail’s servers in Switzerland without us noticing. Such an attacker could conceivably change the ProtonMail software to send bad encryption code to user’s browsers that would somehow allow the attacker to get unencrypted data. ProtonMail has implemented numerous safeguards against this on the server level. We have routines that constantly scan for code changes and will detect them. The attacker would have to gain control of the server, instantly change the behavior of the code scanners, and then modify the software all without anybody at ProtonMail noticing. The odds of this being successfully executed is indeed quite low.

Our risk analysis indicates that ProtonMail offers good (but not perfect) protection for the vast majority of users. There are however some risks for users facing a strong adversary, such as a government focusing all its resources on a very specific target. In such a case, we don’t think crypto would be of much benefit as this XKCD comic would apply.

Below are some examples of recommended, and not recommended use cases for ProtonMail


Edward Snowden – If you are Edward Snowden, or the next Edward Snowden, and have a life and death situation that requires privacy, we would not recommend using ProtonMail. For extremely sensitive situations, it is simply not a good idea to use email as a medium for communications.


Sensitive business communications – You have sensitive business information that you want to make sure is protected from competitors and other malicious parties. For example, you fear a competitor may want to sue you under false pretenses to get access to sensitive data. In this case, ProtonMail offers a great deal of protection. ProtonMail will not release ANY data unless provided with an enforceable Swiss court order. To get such an order, the case must first work its way through the Swiss courts where stricter privacy laws might result in a different ruling. Even if an adversary went through the expensive and time consuming procedure of obtaining such an order, ProtonMail’s zero access cryptography means we would only be able to release data that is encrypted since we do NOT hold the decryption keys.

Private Citizen with Privacy Concerns – ProtonMail is also perfect for an individual (or corporation) that does NOT want the government to have access to all of their emails at any time, and does not like Google or Microsoft constantly scanning and archiving all conversations. With ProtonMail, the barrier of entry for mass surveillance is high enough that mass surveillance simply is not practical. This is an example where ‘good privacy’ can act as a meaningful substitute to ‘perfect privacy’.

We would like to conclude with a few thoughts about privacy and surveillance in general. Some people make the assertion that if you are NOT a criminal, there is no need for privacy. To those critics, we simply ask, does that mean that only criminals have curtains over their windows?

On a more serious note, there are also critics who assert that by building ProtonMail, we are providing a powerful tool for criminals to evade the authorities. There is no denying that ProtonMail provides a high level of security and privacy for criminals, but one has to remember that the world does not consist of just criminals. There are also dissidents, and democracy activists living under authoritarian regimes where freedom of speech is not respected. Then, there are the rest of us, law abiding private citizens who simply want control over our online data. We can either choose to live in a world where everybody is under surveillance, or a world where everybody (criminals included) have privacy. We feel that the right to privacy is a fundamental human right, and we are willing to fight and work towards protecting that right.

Share This!Share on Google+Share on RedditShare on FacebookEmail this to someoneTweet about this on Twitter

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

174 comments on “The ProtonMail Threat Model

  • GOOD FOR YOU !!! ANY help that the private community can provide to itself, the less and less we must depend on ‘commercial’ solutions – either ‘for profit’ or thru Government….

    With the ENORMOUS brain power that’s housed even by the small group that have created ProtonMail, all I can do is beg for help in one, specific area – MOBILE. IF you can provide ProtonMail to the mobile (phone and tablet) community, the leap forward for those platforms and their privacy may be unmeasurable, it will be so high. There are millions of devices that are screaming for a privacy solution and even though almost every information-gathering organization is arguing firmly against a ’solution’, they are flatly LYING to whomever has asked the question. My data, and my conversations and MY chatter are MINE – NO ONE ELSES!!!

    Please..please..please from a lowly user…. HELP… we are slaves to the use of our mobile devices. They have the very real chance of truly turning us into REAL slaves very quickly.



    • This serivce ProtonMail is useless while there are so many backdoors in M$ Window$ and bugs in OpenSSL that HTTPS web service is not secure at all.
      You forgot also that quantum computers maybe used to break HTTPS, but with high probablility it is not needed while there are so many bug in web browsers or back doors.

      The only safe way to encrypt something is to use On Pad XOR’s and exchange keys physicaly then use them for encryption/decryption using simple software.
      Forget about security when turning M$ Window$ and worry when using openSource Linux with bags.

      The only solution is use microcontrollers and examine each line of code yourself.
      This is what I’ve did and it works.

      • With all this negativity I’m amazed you haven’t just moved into the wilderness to live in a shack on a mountain, maybe you still will. However you need to have a serious look at QubesOS and Whonix which will thwart most known backdoors, rootkits and other methods of infiltration by governemnt organizations and large coordinated black hat groups.

        Couple this with some good VPN/Tor usage and wonderful tech like Protonmail and you have a pretty hard nut to crack.

        P.S. Most experts conclude that real Quantum computers are still 20 years away, regardless of what the conspiracy nuts say.

        • I have to LOL whenever I see a jaded comment that ends with a line about conspiracy nuts when most “conspiracy nut” theories about government spying, aerial spying, MITM attacks and more have been found to be true. It’s true, they weren’t black helicopters; rather, biplanes flying around with FBI Stingray & FishHawk software to intercept our phone calls.

          Pull the covers back over your head and go back to sleep. You won’t see it coming that way.

          • Yes, but think of this, it took one guy 7 years to get the PhD he needed just to be able too start working on a quantum computer that could only solve 5*3. And, the cost of operating a quantum is more than anyone short of a huge company like google or 2 government agencies pooling their resources( most likely not gonna happen, for now anyways), i mean, quantum computers have to be stored at -213.5 C (or somewhere near that). So it is safe to assume that quantum computers capable of breaking encryption on any level is awhile away.

      • I don’t really get your point. The idea of this mail system is that the privcy key to decrypt is generated locally in your own device and will never leave your device. Because of that, to hack this key costs a lot of effort. No hacker will be interested on a target with unknown value, when it will take long to do that. Like it says, unless you are Snowden, and every body knows the content of your email worth a million, you are save to use the service.

      • Would you be kind enough to share the specifics of how you accomplished this? Schematics + code would be a boon to all if verifiable and released..
        Thanks in advance for your response.

        • Re: “The only solution is use microcontrollers and examine each line of code yourself.
          This is what I’ve did and it works”
          (should have prefaced the previous response)

      • This application is intended as Email encryption for the masses which is very much needed – Proton mail spells it out very clearly that their is a trade off between usability and security, yet their are still moaners out there who instead of providing a usable solution just snipe from the sidelines – Thank you Proton Mail for providing much needed Email security

      • You can use ProtonMail on your favorite browser on your mobile devices. ProtonMail does require up to date modern browsers in order to ensure the highest level of security.

    • I would use anything like Telegram for my mobile phone. Or, because they seem to disclose to your buddies in contact list the fact that you’re a telegram user, I would go by Neuro Transmitter instead 😉

  • Not completely related to the aspect of security that you’re covering but will you be implementing DKIM and an associated DMARC policy for your domain? It would be nice to know that messages supposedly coming from really are what they claim to be and minimise the likelihood of comms being breached simply by a phishing email having a user reply to a email beliving it was sent from there.

    Requesting mail servers reject spoofed mail outright via a full DMARC ‘reject’ would go a long way to mitigating this.

  • “I can’t in good conscience allow the U.S. government to destroy privacy, internet freedom and basic liberties for people around the world with this massive surveillance machine they’re secretly building.”

    I boldly stepped forward to expose the National Security Agency’s vast spying on our phone records and online communications. I don’t see why you’ve problem with me.

    • Don’t sweat it Mr. Snowden. There’s more than half the people on the planet (or at least here in America) who think what you did was a damn Good Thing???!

      Were I in your shoes working where you were and with the way I see things, I too would have done the same. You’re a hero to many, so you keep your chin up bud.

      • Bad joke refering to our hero Edward Snowden in a negative way. Why should Edward Snowden not be able to use protonmail? You should be thankful to him, for it was due to him only that you got so many donations on indygogo (including my own).

        • It didn’t seem like a bad joke, more a realistic approach. All they were saying is that they are not secure enough to protect those kind of communications. That’s important information.

    • I’m just a normal every day type guy in the US. I doubt anyone would be interested in anything I might email to my children or friends…my emails are mainly chit chat about family stuff;; very boring. HOWEVER! I will do whatever I can to protect my privacy…it used to be a constitutional right, but the US government has sort of done away with that; they deny that assertion but the entire planet knows the truth. So for me…proton email is great!

      Thanks for providing this email service to us plain folks.


    Edward Snowden – If you are Edward Snowden, or the next Edward Snowden, we would not recommend that you use ProtonMail.

    Why not?

    • There are more difficult to use, but more secure solutions out there, which are more appropriate for Snowden’s use case.

      • So you admit you have (at least) a secret weakness, that’s a frank consent…
        So why not going further 😉 : what are, in you opinion, “more secure solutions out there” ?

          • I agree, nothing is without weakness. Want to stay 99,99% private (100% is impossible, I am really sorry.) ? Go to a jungle, build an underground bunker, add extreme security measures to it, put food in there enough for the rest of your life, and stay there.

          • I am glad that ProtonMail is willing to admit their weaknesses. This just makes their greatness better. Maybe ProtonMail could create a browser too?

          • You offer an amazing product and also fall on your sword to highlight the minor weakness. Congrats to you. Reminds me of how Google approaches the Chromebook where they point out what needs improved when it is already 50 times more secure than any Mac. I hope you guys do well, you definitely have an awesome philosophy regarding transparency.

          • Thunderbird with Enigmail isn’t that hard. But far too many seem to assume that it is.

            Also, how would you distinguish ProtonMail from CounterMail?

          • I guess that a crypto-paranoid could add pgp to his protonmail as a further lyer of security. Would it incrase the secureity of the service? Could it make more adapt to lifanddeath situations?

          • @Mirimar: Thunderbird+Enigmail is reasonably easy to use, but still is used (absent contortions and significant inconvenience) on a network-connected computer. For the use case of a targeted person sending or receiving life-important information that would be a no.

            @DM: Use of PGP together with Protonmail would not be measurably more secure than using PGP alone.

  • So you guys don’t have access to the plaintexts (at least in theory) but do have access to all the so called metadata?

    • Right now we have access to some metadata (see our privacy policy for details), but the 2.0 version of ProtonMail will incorporate some enhancements that allow us to have little to no metadata.

    • Yes and no, it depends on what the target is. If they want to know your message content, the keylogger will still get it. If they want to get into your account, then 2FA might work. In any case, our plan is to add 2-factor authentication.

      • I’m wondering how these keyloggers work. Is a virtual keyboard a solution? It would make the hardware keylogger useless but what about software ones? Can they capture screen?

        I guess that the best method to be totally secure is to use some Live CD Linux distribution, use only your own computer and to log into Protonmail under Linux.

        • a live linux cd boot can be defeated with a bios hardware hack that works in conjunction with a cd drive that also has hacked firmware. The bios will checksum the cd drive firmware before passing control to the CD drive to boot the linux distro to make sure it is passing control to the hacked firmware of the CD drive that mounts a fuse file system along with the linux distro. I replaced my CD drive with the same exact one which was a $40 USB DVD Drive from Lite-On and was shocked when the screen said bios error from one boot to the next when all I did was swap the DVD drive with the same one ( but new and not hacked yet ). The boot CD was the same each time too but it only allowed me to boot the live CD from the older DVD drive even though they were the same exact model. Crazy stuff. I’ve been being targeted by the Triads for 3 years now because of my blog, this happened to me first hand.

      • You could go the route of Agora and use a message encrypted with your personal pgp key for the 2nd form of auth. I keep a machine completely unhooked from the net to encrypt & decrypt messages. If you could make it possible for us to post our public keys to some sort of profile so people could contact us with an extra layer of security if needed.

      • Is PhotonMail utilizing AES-512, or 256?

        One thing you may want to consider is double encryption layers, such as AES-512 outer encryption and SAH-756 internal encryption, all passed through the SSL tunnel.

        Another, again albeit developer complicated implemedntation, would to build in an C2C IPSec tunnel that traverses through the SSL tunnel. This in particular would be simpler to implement in a fat client.

        Another solution, albeit quite complicated from a developer standpoint, would be to incorporate PGP into a desktop client that would create a fully system unique random set of PGP PKI certs that are not stored on any server, abut this would still be susceptible to an endpoint compromise,

  • One might argue that there are different threat models depending on whether two users are communicating within Proton Mail versus sending “secure” emails to another provider using symmetric encryption. The latter depends on a Proton user supplying an encrypted email recipient a decryption pass-phrases. Depending on how that’s done and how strong the pass-phrase is, that might be riskier than communicating within Proton Mail.

  • Hi.
    I believe I read all the articles on the website (there are not too many 🙂 ), but I still don’t get where private key is stored and how is it synced between devices.
    If all the crypto happens in a browser (javascript?) it means that the key should be somehow synced between different browsers.

  • Many thanks for a system that a common man can trust.
    I want to know the procedure to get multiple mail accounts,
    (say for orgnisational /office purpose) to be created from single mail ID as you only permit one account per e mail ID currently.
    Also I want to know about the investment opportunity in your venture.


    There is an account security method I wish to implement, but cannot find as a feature option within the current E-mail product market. Please, ProtonMailers, tell me why this method is being avoided by other encryption tool designers. OR, take this idea and RUN with it, using it within ProtonMail in your own way!

    LIMITED ATTEMPT ACCESS PROTOCOL: Many years ago while trying to access an ATM cash machine with my credit card, I had a ‘brain fart’ and could not remember my 4 digit ACCESS PIN number. After several unsuccessful tries, the ATM machine swallowed my credit card, shutting down the cash transaction.

    EUREKA: Instead of becoming upset, I instantly thought, “I want this feature on my E-mail account immediately!”

    Alas, nobody offers this feature for Web based E-mail. NOBODY, only server based tools I configure myself offer this option, sort of. Why is that!? This seems quite shocking for 2014. Every time I ask system administrators for this on my Web E-mail server, they all clam up and say nothing., won’t respond to E-mails, etc. I’ve dumped several hosting services as a result.

    Is this the elephant in the room? Would this feature “take away the keys from the locksmith” so to speak, and this is why ‘the establishment’ is afraid of ‘going there’? Ergo, the locksmith is the one with the CRAY computer, and thus, full access.

    I would like to select the option of 100 LOGIN attempts allowed per 24 hour day, rather than the 3-5 attempts (?) that an ATM allows. When each attempt is entered by hand, rather than a BOT, that is a lot of attempts, likely enough to solve the occasional problem of a password brain fart. One can sequentially try past passwords, go backwards until the login works.

    But for a brute force tool, 100 attempts is almost nothing, if no words of language (and other smart choices) are used for creating the password.

    ***It seems to this encryption layman that most passwords are broken by A—poorly conceived, and managed passwords, and B—by brute force methods that simply use mathematic algorithms to try millions of combinations. (And C–Keylogger ware.) WTF, why is any login interface allowing so many combinations to be tried in the first place? This is insanity…going on for more than a decade now!

    Perhaps…this feature itself is so easily hacked? Perhaps today the hacker just resets the LOGIN engine, and/or server app to accept unlimited attempts, game over? Well, why not code around that problem…in a new way using your exceptional MIT brain trust, just assembled.

    2X PASSWORDS, as ProtonMail features, would seem to largely accomplish the same result. Because cracking first one, and then the second password is obviously going to hamper brute force methods tremendously. However, since the ProtonMail system is so dependent on the browser, which is endlessly full of gaping holes, I sense that this idea is not completely dated yet. The need to use Webmail much of the time, versus POP mail rooted on ones personal machine, is the curse being overlooked.

    While an anathema to Crypto experts (???) perhaps this idea is perfect to meet your stated priorities of A SIMPLE TO USE INTERFACE. While certainly messy in its own way, it IS quite easy to comprehend conceptually. Beginners will understand what is going on instantly; limited attempts possible per day needs zero tutorial to understand.

    The idea would seem perfect for one of the two passwords within ProtonMail. And/or, perfect for mobile applications since short PIN numbers are already one of the common aspects of those kinds of tools, like Cell phones. One could allow the user to select the amount of attempts allowed, or, for greater (or lesser?) security, this choice of how many attempts are allowed per day, could be tightly controlled right at your servers, a limited amount of attempts could be coded at the CORE LEVEL.

    Such as 10, 100, 500, no more than 5-10 options, but not smaller derivations, such 11, 112, etc. If the tool NEVER EVER allowed more than 500 LOGIN attempts per day, no matter what, built in to that core, that would seem very useful.

    What am I to make of this elephant in the room?

    1—While perfect for financial uses (where there is a unique physical card bundled into every login) Is this feature just stupid in encryption technological terms when applied to E-mail?

    2– Is it just a psychological dissonance scuttling the idea, ergo, too depressing for system admins to contemplate with any real depth, that they are ‘giving their own keys away’, that they are giving up so much power?

    I await your reply,

    LAVABIT refugee

    • Such a system will surely enhance (somewhat) the security but it will offer an easy way to lock you (and all other users) out of the system. Once you obtain the user’s login name, all you do is “try” to log-in with nonsensical passwords until the system shuts you out. Automating that will probably not take more than a 10 line script and the whole mail-system stops working.

      The reason why it works for ATMs is that there the “log in” is the physical card and if you have the card but not the password, there is a fair chance you are not the rightful user of the card.

      In the email-system, the physical card is replaced by your log-in name and that is most probably your email address, so it is too easy to find out and your suggestion makes the system vulnerable to a “DoS” kind of attack.

  • Hi,

    very interesting. You give some hints, how you obtain security. Since I am in security issues for many years, I would like to see your model in detail, because if someone cannot explain the security system he uses in detail, it is probably insecure. Pleease send me a detailled model of your service. Kind regards,

    Felix Thommen

  • Seems like a long awaited service. Anyway – “ProtonMail offers good (but not perfect) protection” – you might want to add/modify that no service ever created will offer the perfect protection because that simply doesn’t/will not exist.

    Looking forward to your first version!

  • Would be nice if you can also implement Google Authenticator App as second authentication, like many other services already have.

          • Lloyds Bank uses second authentication, the second password changes in sequence at every login. For example, if your second password is MYBank, you will be asked for digits 1,3,5 (MBn) and if you enter a second time, you will be asked for something different, such as 2,4,6 (Yak).

  • “ProtonMail’s zero access cryptography means we would only be able to release encrypted data since we do NOT hold the encryption keys.”

    You rather meant <decryption here, right?

  • Your threat model includes “unauthorized backdoor”. Why do you add “unauthorized” to backdoor? Do you have an “authorized backdoor”?
    You specifically mention that your service is not appropriate for Snowden, yet how do you plan to deal with Hushmail styled threats? What design you do have to mitigate the threat if itself becomes the attacker?

  • I have nothing to either hide or steal, but I still like this email idea. Keep up the good work. Maybe down the line you will come up with a search engine with the same type of security. It makes me nervous to do online banking and such, but it is a necessary evil.

    • @Kelly C, maybe this site is something for you
      They offer also for IE a default search window, so if you type your search string into your browsers addressbar you will search directly to startpage secure server whiteout logging your search strings.

      Find out for yourself.

  • Will ProtonMail be incorporating a IPsec session or ToR proxy into the service[s]?

    Congratulations on recent crowd fund success!

  • This is the perfect website for everyone who wishes to understand this topic.

    You know a whole lot its almost hard to argue with you
    (not that I personally will need to…HaHa). You certainly put a brand new spin on a topic that has been written about for
    years. Great stuff, just great!

  • Your rival hushmail requires a login at least once every 3 weeks or the account is shut down. For Yahoo and Hotmail, I believe it is around 90 days.

    Could you tell us your requirements before an account is “inactive”?

    Also any idea when the new round of “invites” will go out please?

  • If I understand:
    Protonmail Protonmail = Fully encrypted
    Protonmail –> Other mails = Encrypted on Protonmail server? not on other mails servers
    Protonmail –> Other mails + Encrypt for Outside Users = Fully encrypted (proton server+other servers)
    Other mails –>Protonmail = ?

      • #lastquestion
        So, what the cadena mean on the mailbox? Because When I send msg to other mails the cadena is closed but when other mails send msg to me the cadena is open.

  • Hi, looking forward very much to joining your email program, a couple of questions if i may?
    When receiving emails from say Gmail and Hotmail are THEY encrypted as soon as they “hit” Protonmail or how does that work? Unless EVERY AND ALL email programs are encrypted surely there is a “hole” there somewhere, or not??? No IT expert here……but curios!
    Also, will Protonmail have the instant message and web cam facility as in Gmail etc?
    Thanks Ray

    • We intend to eventually build in an instant messenger. Emails are encrypted when they enter the ProtonMail system. For maximum privacy, we recommend that both the sender and the recipient use ProtonMail.

  • Thanks for your important work.

    Are you planning to implement the new end-to-end encryption protocols that are being developed by the Dark Mail Alliance ( into ProtonMail? What do you think about these new protocols?

  • Hi, great initiative, thanks!!

    I’m considering becoming a “Lifetime Protonmail+” supporter, but I’d just have three quick questions first, if I may:

    – Besides symmetric encryption, are you planning to implement optional PGP asymmetric encryption between PM and non-PM users?
    – Will users have the option to remove their private key from your servers to store it locally?
    – Independently of your server’s disks encryption, are you considering the possibility of encrypting to the user’s public key incoming unencrypted emails from non-PM senders?

    Many thanks, and looking forward to your service (and whitepaper).

    • All these features you mentioned are currently under consideration, I think eventually, most of them will be implemented as we want to maintain more compatibility with PGP.

  • I’m all for fully private email. I may well sign up for this. The privacy of all email, from any provider, should be considered sacrosanct by democratic governments. I appreciate that it may be necessary to investigate communications between genuine terrorist or extreme crime suspects, but the blanket surveillance carried out by many nations is not acceptable, and I think it should be accepted as a given that the ordinary citizen has a right to protect himself/herself from such surveillance by the use of strong encryption, not only in email, but in any form of communication.

  • One question: Does protonmail support STARTTLS? That is, does it use TLS encryption for emails received from other providers (with Strict mode for gmail/hotmail and other large providers known to support STARTTLS).

    Otherwise, it would seem that it would render protonmail-to-protonmail emails a lot more secure than gmail-to-gmail, but gmail-to-protonmail vastly more insecure than current gmail-to-gmail emails. Since in the gmail-to-protonmail case, not only can gmail (and anyone capable of compelling Google to act on their behalf) read the emails, but also protonmail and any network adversary in between the two (e.g. any ISP from $DatacenterLocation, U.S. to $CERNLocation, Switzerland and any tap on their links).

    I would assume that, at least at first, most mails to protonmail users will come from non protonmail users, so the security of inter domain incoming messages should not be any worse than if the user where still using gmail, hotmail or the like.

    • We implement STARTTLS opportunistically, which means if the other side supports it, then the connection will use TLS.

    • When the adoption increases, we will be adding this. At this moment, our DNS doesn’t even support it unfortunately.

  • Why would you not use Eliptic Curve cryptography instead of not-even-in-suite-B and perhaps soon to be broken RSA ?

    For a more detailed rationale please see the excellent BlackHat 2013 “The Factoring Dead” talk.

  • To those who say, “I have nothing to hide why should I care? Only criminals need worry about the NSA/ law enforcement monitoring;” do you understand that you have just shredded the Constitution and turned American jurisprudence upside down?

    The “nothing to hide” view means everyone is guilty unless proven innocent. I prefer innocent until proven guilty.

  • “1. Compromised User – This is the most common type of compromise. Even if you use the world’s most secure electronic communication system, advanced encryption does you no good if there is a keylogger on your computer recording all of your keystrokes. ProtonMail does not and can not guard against a compromise of a user’s machine.”

    Excuse my stupidity, what about a little feature like “2-way authentication” which can eliminate the access to the email’s secrets even if the passwords get known for the attacker? also there’s “Login Approvals” feature. a lot of ideas out there about this issues.

  • “On a more serious note, there are also critics who assert that by building ProtonMail, we are providing a powerful tool for criminals to evade the authorities.”

    This is the “what about the terrorists” question. I can think of two ways to answer it:

    1) “Which terrorists are you talking about? The ones who work for Al Qaeda, or the ones who work for the US government?”

    2) “Implied in your question is a suggestion you want us reading your emails, every email that comes through our servers in fact. Do you really want this for yourself? Do you expect our other customers to put up with it?”

    • To answer question 1:
      Did you know that most terrorist attacks are designed by the FBI, for use in sting operations. They don’t expect the fact that the internet is not just for porn

  • Does ProtonMail envision a feature that allows an email that is sent out (in error) to be recalled (if it has not already been accessed by the wrong recipient)? Thank you.

  • I call bull**** … Sorry
    This just CAN NOT work like you state …

    So let’s say someone sends me a mail.
    As we all know , mails are just plaintext, arriving at your SMTP.
    From that moment you are already in possession of my mail.
    And you can easily read it, if you wanted to.
    Or hand it to any authority , if required by law.

    But you say the mail is encrypted. So you “can only hand over encrypted data”.

    Then, please explain me, HOW will this mail magically end up encrypted in my mailbox??
    Something/someone has to encrypt it, right?!?
    And what you encrypt , you are also able to decrypt.

    And how can that be done without you knowing my password?
    Or : me being able to decrypt the mail , that was encrypted by you….

    • We encrypt with your public key, we don’t have your private key, so we can’t decrypt. It’s simply asymmetric cryptography.

  • I’m no security expert but I think it would be better if you explained the SMPT threat in simpler terms: That normal emails going in and out of Proton Mail are subject to mass-surveillance and that the entry/exit nodes of this type of service will surely attract those who like to keep watch. Thus even if one uses TAILS, a single normal email message to or from a Proton Mail server which contains any information that identifies the user will tip a powerful adversary off as to the user’s use of the service, prompting a more-targeted attack on the end point — i.e. end user PC’s BIOS or display drivers or whatever. It’s probably fair to say Proton Mail’s SMTP gateway is still a useful mass surveillance tool for creating a list of persons of possible interest (POPI) who are considered as having something to hide. Creating POPI can be avoided if end users can create non-SMPT accounts — i.e. Proton Mail to Proton Mail only accounts.

  • This looks fantastic. I have five webmail accounts, and am already considering replacing them all with one ProtonMail. Must read the rest of the website, but this is really exciting. Kudos all around!

  • Just wondering I have signed up an invite for the protonmail email address, but not sure how long it will take to actually get it?

  • How is protonmail to be fund going forward? How can I count on protonmail being around in a long time if it offers a free service? I’m concerned about financial sustainability.

    • Due to donations in our crowdfunding campaign and other financing we have raised since, we have a very strong balance sheet. In the future, we will add paid accounts to continue to generate revenue.

  • Can’t wait to have my proton mail address…

    FWI, apparently the right to privacy isn’t part of our civil liberties any more, here in France… Check out (part of) our minister of interior’s speech:

    Gross translation for those who don’t speak French:

    “There’s nothing in these law texts, nothing, that constitutes a violation of our liberties. There’s no violation of our right to come and go anywhere, no violation of our civil liberties, really, none! None! None! If you can spot one article in these law texts that jeopardize our liberties, feel free to tell me where it is. However, [short silence] there are some measures that could seem to be altering privacy and the right to privacy…”

    Seriously, WTF?

  • to management

    Don’t let yourself get dragged in and pressured by the freeloaders of the world. those asking for app and client integration (IOS, WP, Droid, Office, Thunderbird and others) are the people that will make the device remember the passfraze and have no password on their device and when their email has been had by the …… (whoever) they will blame your team/service for it.

    human GREED knows no bounds – “give a mouse a cookie and it’ll ask for a glass of milk” then blame you for obesity (just look at US people) people are fat because they are lazy overeating PIGS yet they don’t blame their eating habits and unhealthy lifestyles! no they prefer to place the blame on the food industry or anything/one except themselves.
    they despise and get outraged when the MAN spies on them and yet they look to the government for all their needs. how is that for a paradox. human psychology is just that twisted but simple like a child!

    truth be told 90% of your users have no idea what securing their comms. mean – they ask you for the service and yet they Social Media all day long.

    as long as you keep it in the browser it stays as secure as the machine that comms. are being executed on!
    Keep it up and don’t let into the pressure. the hell with functionality more security!!!!
    people who find security difficult aren’t concerned with it in the first place.

  • I generally like your approach, except I have a question that seems to be hand waved in your Ted talk.
    My question is how does Alice and Bob authenticate each other’s public key? Please excuse me if I didn’t find the answer somewhere on your website.

    • When sending emails to other protonmail users, the public key is retrieved automatically. Sending emails to 3th party email providers like gmail with gpg will require you to manually get his public key from a key server or simply ask the reveiving person for his key prior to sending classified information.
      That said, as of now there is no way to manually enter someones public key so end to end encrypted messages only work for protonmail to protonmail users or non protonmail user to protonmail user by sharing your public key (can be exported in the settings menu)

  • secure tools for all:
    browser: Tor Browser
    search –, (DuckDuckGo?)
    mail: protonmail
    text: openpgp
    algoritm: AES256
    internet: tor
    os: tails
    ip: prepaid sim card ip
    money: bitcoin

    more?!… 🙂

    • Throw away all electronic devices and live in a cave?
      Protonmail adresses privacy issues in a sensible way for ordinary people. For average users who are not specifically targeted by the secret services these are all overkill. A vpn, protonmail, duckduckgo, firefox, ad block, android, no social media, strong passwords will do just fine. Except when they specifically target you in which case, there’s probably a valid reason.

  • Hi,

    About protection against keylogger systems, wouldn’t it be useful to implement an artificial keyboard (with shuffled letters) into the Protonmail interface that would allow the user to type sensitive e-mails using the mouse?

  • I like your work, but I do think that the keylogger problem must be addressed before proton mail can be promoted as a secure solution for the “non techie” user.
    Have you considers adding the possibility to use YubiKey or the like to protect peoples login?

  • Hello, thank you for the service. I might be being dumb here, but if I were to send a message to someone who was using G Mail, or a private mail server for a workplace, would that email be unencrypted in transit? I mean would the message be absolute plain text ready to be
    hoovered up by government in transit? Thanks!

  • “There will always be a trade off between security and usability, anybody that tells you otherwise is lying.”
    Then I guess I’m lying. Whatsapp introduced encryption and no useabillity has been lost (don’t trust whatsapp though)
    Signal (previously textsecure) is VERY secure and VERY usable. More secure than pgp (all be it very close) and way more useable.
    Fingerprints & biometric authentication, pretty self explanatory. Iphone touch ID is way more secure and way easier than a password.
    Saying that more security = less useabillity. Is just simply not true. Then again I suppose I’m “lying”

    That being said, go protonmail! I love what you guys are doing. And your *more secure* email client is way more convenient than encrypting stuff myself. Oh well..

  • You are doing the LORD’s work, helping to free mankind.

    Please continue to fight evil, and proceed ever more boldly against it.

  • Can protonmail email addresses be integrated into the Mail app on a Mac? Or do they have to be accessed on a browser like Safari?

  • Ist denn die deutsche Sprache so schrecklich, das es für einen Anbieiter aus der Schweiz nicht mehr in deutsch möglich ist, eine Webseite zu gestalten ?

  • I would use TrueCrypt to make a container with an encrypted folder inside. I would also send the keys in something like a bill using snailmail for the receiver to decrypt at leisure using a secure and disconnected computer. Poof – in a cloud of smoke…

  • You are doing an excellent job so far, congrats!

    I read the comments and blog page and I have a couple of doubts I would like to clarify in terms of how the login is performed. Let me summarize it this way:

    LP: Login Pwd
    LPh: Login Pwd Hash
    PubK: Public Key
    PriK: Private Key
    MP: MailBox Pwd
    USoC: Unique String of Characters

    Login Phase
    1. Client sends LP over TLS (LP or LPh is sent?)
    2. Server validates LP with the hash store on its DB and authenticates the user if correct
    3. Server push PriK encrypted to the client + Encrypted Emails (is this correct?)
    4. Client decrypts PriK with MP locally
    5. Client has access to Emails in cleartext
    6. Server uses MP to decrypt the USoC on client´s side to and send this to the server
    7. If server checks if USoC are correctly decrypted, server knows you decrypted your mailbox successfully.

    Please correct the steps and the order if needed. Thanks in advance!

  • Hey, i was just wondering if you will be releasing an Android app for proton mail? And also are there any Software in the workings for android phones from the Company?

  • Hi,

    When one is applying for a Proton email account, once it is setup is the original notification email then securely deleted?

    Philip Mulcahy

  • My personal iPhone was hacked at work. I’m assuming spyware.

    I restored phone.

    But they still seemed to be able to see or hack back in quickly. Possibly via Bluetooth or Wifi address. I don’t know as I’m no expert.

    Possibly from the links sent to email account confirming account changes. And then linked recovery/security email accounts.

    They were persistent.

    I think Spyware is a big problem. Not so much the transmission of information. It’s the viewability of the information at the receivers end. When the receiver opens & views the email.

    • That website is not accurate, ssl labs is a more accurate tester. Our systems have been fully patched and protected against DROWN.

  • ” There will always be a trade off between security and usability, anybody that tells you otherwise is lying”

    ‘Always’ is not correct. ‘Often’ is more correct. Examples:

    – ssh protects against passive-MITM. It is no harder to use than telnet – in fact when exporting X-displays it is even easier to use.
    – https protects against passive-MITM – even with unsigned certificates, and is no harder to use for the user than http.

    Both examples are more secure than the unencrypted alternative, but neither is harder to use. So there is not ‘always’ a trade off between security and usability – but often there will be.

  • This is great for businesses who want to keep their emails private.

    Personally I just love being on the cutting edge of technology.