SSL and TLS Ciphers

To further protect users, ProtonMail utilizes only high strength ciphers for SSL and TLS.

We are posting our ciphersuite configurations for Postfix and Apache here for reference. We recommend all system administrators adopt these settings for better security.

Postfix ( )

smtpd_tls_mandatory_protocols = SSLv3, TLSv1

smtpd_tls_mandatory_ciphers = high

Apache ( ssl.conf )

SSLProtocol -ALL +SSLv3 +TLSv1

SSLCipherSuite HIGH:!aNULL:!MD5

Finally, a quick note regarding TLS 1.2: we will transition to this protocol as soon as CentOS supports it.
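To see which protocol versions the Postfix and Apache protocol directives above actually enable, the sketch below evaluates both values and lists the enabled versions that fall below a chosen floor. It is an added example, not ProtonMail's code. The function names, the simplified model of each directive's syntax, and the TLSv1.2 floor (taken from the note on TLS 1.2) are assumptions.

```python
# Added example: compute which protocol versions the two directives above enable.
import re

# Ordered oldest to newest. Treating "all" as every name listed here is an
# assumption: the real meaning of "all" depends on the Apache/OpenSSL build.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {p.lower(): p for p in ORDER}


def apache_protocols(value):
    """Effective set for an Apache SSLProtocol value such as '-ALL +SSLv3 +TLSv1'."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        chosen = set(ORDER) if name.lower() == "all" else {CANON[name.lower()]}
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:  # a bare token replaces everything set so far
            enabled = set(chosen)
    return sorted(enabled, key=ORDER.index)


def postfix_protocols(value):
    """Effective set for a Postfix smtpd_tls_mandatory_protocols value."""
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]
    include = {CANON[t.lower()] for t in tokens if not t.startswith("!")}
    exclude = {CANON[t[1:].lower()] for t in tokens if t.startswith("!")}
    base = include or set(ORDER)  # no explicit includes means "all"
    return sorted(base - exclude, key=ORDER.index)


def below_floor(enabled, floor):
    """Protocols in `enabled` that are older than the policy floor."""
    return [p for p in enabled if ORDER.index(p) < ORDER.index(floor)]


if __name__ == "__main__":
    # Values copied from the configuration in this post.
    apache = apache_protocols("-ALL +SSLv3 +TLSv1")
    postfix = postfix_protocols("SSLv3, TLSv1")
    for name, enabled in (("Apache", apache), ("Postfix", postfix)):
        print(name, "enables", enabled, "| below TLSv1.2:", below_floor(enabled, "TLSv1.2"))
```

An unknown protocol name raises KeyError rather than being ignored, so a typo in a directive is caught instead of silently changing the result.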

About the Author

Andy Yen

Andy is the Founder and CEO of ProtonMail. Originally from Taiwan, he is a long time advocate of privacy rights and has spoken at TED, SXSW, and the Asian Investigative Journalism Conference about online privacy issues. Previously, Andy was a research scientist at CERN and received his PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about ProtonMail's mission.

9 comments on “SSL and TLS Ciphers”

  • Hi Andy,

    You have started a great Project here. I was considering trying the Beta release, however after seeing this blog post, I have a few questions.

    In what situations is SSL3 used? SSL3 is vulnerable to BEAST (not saying it's easy)? How is the SSL Renegotiation treated in TLS1.0?

    Appreciate your reply in this aspect. Keep up the good work.



    • If your browser supports TLS 1.0, it should use that instead of SSLv3. SSLv3 is supported for compatibility reasons.

    • We do not send confirmation emails, only emails when your invite is activated and you can register your account.

  • I was getting excited about the project, but TLS 1.0 is too weak. Will be waiting for when SHA2 signatures are supported 🙂

  • I think SSLv3 should be removed. Those who use this service will likely not be using IE 6 – the only reason to keep it around (for compatibility) – otherwise it could be exploited by an attacker using a downgrade attack. Really no reason to keep it around – using any browser from beyond 2005/2006 should have support for at least TLS 1.0. I also might recommend disabling RSA key exchanges as soon as you get support for ECDHE key exchanges, as RSA does not provide forward secrecy. In the meantime, I’d recommend prioritizing DHE over RSA, not the other way around, as DHE provides FS (albeit with a higher computational cost than ECDHE). One final note – it seems CentOS is well overdue for an Apache upgrade. Fedora has Apache 2.4.X support (which includes wonderful things like TLS 1.2 and AES-GCM and ECDHE!), which you may want to consider before adding more servers as a more modern, but similarly stable, alternative for your web frontend.

  • Greetings Andy,
    This article is becoming very old but there is no more regarding this subject.
    The service is neat but I was a bit disappointed after I had seen which cipher suites and protocols are allowed.
    I can easily understand why compatibility is important when you provide a regular web application but I hope that your customers are more security concerned and have moved to the latest standards regarding that.

    Actually, I was even expecting TLS 1.3 and Elliptic Curve Digital Signature Algorithm as well; are these features planned?