Fighting Censorship with ProtonMail Encrypted Email Over Tor


As part of our efforts to continue protecting user privacy, we are launching a Tor hidden service to combat censorship and surveillance of ProtonMail users.

UPDATE October 2021: New TLS certificate. See below.

In the past two years, ProtonMail has grown enormously, especially after the recent US election, and today we are the world’s largest encrypted email service with over 2 million users. We have come a long way since our user community initially crowdfunded the project. ProtonMail today is much larger in scope than what was originally envisioned when our founding team met at CERN in 2013.

As ProtonMail has evolved, the world has also been changing around us. Civil liberties have been increasingly restricted in all corners of the globe. Even Western democracies such as the US have not been immune to this trend, which is most starkly illustrated by the forced enlistment of US tech companies into the US surveillance apparatus. In fact, we have reached the point where it is simply not possible to run a privacy- and security-focused service in the US or in the UK.

At the same time, the stakes are also higher than ever before. As ProtonMail has grown, we have become increasingly aware of our role as a tool for freedom of speech, and in particular for investigative journalism. Last fall, we were invited to the 2nd Asian Investigative Journalism Conference and were able to get a firsthand look at the importance of tools like ProtonMail in the field.

Recently, more and more countries have begun to take active measures to surveil or restrict access to privacy services, cutting off access to these vital tools. We realize that censorship of ProtonMail in certain countries is not a matter of if, but a matter of when. That’s why we have created a Tor hidden service (also known as an onion site) for ProtonMail, to provide an alternative way to access ProtonMail that is more secure, private, and resistant to censorship.

Tor Hidden Service for Encrypted Email

Starting today, it is also possible to connect to ProtonMail directly through the Tor network using our new onion site. In order to use our onion site, you need to first set up Tor on your computer. Instructions for using ProtonMail encrypted email with Tor can be found here. After Tor is properly set up, ProtonMail’s onion site can be visited at the following URL:


We would like to give a special thanks to Roger Dingledine and the Tor Project for creating the Tor software and also providing insightful comments and suggestions regarding ProtonMail’s onion site implementation.

Tor Email Privacy

There are several reasons why you might want to use ProtonMail over Tor. First, routing your traffic to ProtonMail through the Tor network makes it difficult for an adversary wiretapping your internet connection to know that you are using ProtonMail. Tor applies extra encryption layers on top of your connection, making it more difficult for an advanced attacker to perform a man-in-the-middle attack on your connection to us. Tor also makes your connections to ProtonMail anonymous as we will not be able to see the true IP address of your connection to ProtonMail.

Tor can also help with ProtonMail accessibility. If ProtonMail becomes blocked in your country, it may be possible to reach ProtonMail by going to our onion site. Furthermore, onion sites are “hidden” services in the sense that an adversary cannot easily determine their physical location. Thus, while could be attacked by DDoS attacks, protonirockerxow.onion cannot be attacked in the same way because an attacker will not be able to find a public IP address.

Note that it is also possible to visit ProtonMail via Tor at our regular site, but there are several advantages to using the onion site. First, onion site connections provide true end-to-end encryption on the Tor level, meaning that the extra encryption that Tor applies is present until your connection reaches our infrastructure, whereas a non-onion Tor connection does not have Tor encryption beyond the last node. Secondly, Tor also provides end-to-end authentication, which helps to mitigate some of the weaknesses of the existing Certificate Authority system that is used to secure most of the Internet (more about this later).

Using Tor does come with some downsides however. Tor connections typically are much slower than a standard internet connection, so performance will suffer as a result. ProtonMail’s onion site is still considered to be experimental, so its reliability may not be as high as our standard site.

Since our onion site is still experimental, we are not making any recommendations yet regarding the use of ProtonMail’s onion site. Even without using Tor, your ProtonMail inbox is still strongly protected with PGP end-to-end encryption, secure authentication (SRP), and optional two-factor authentication. However, ProtonMail definitely has users in sensitive situations where the extra security and anonymity provided by Tor could literally save lives.

ProtonMail’s Onion Site – Technical Details

In implementing ProtonMail’s onion site, we took a few additional precautions to ensure the highest level of security to protect against advanced threats.

HTTPS with Tor

As an added security feature, we have decided to offer our onion site with HTTPS only. To accomplish this, we partnered with SSL Certificate provider Digicert to provide a valid certificate for our .onion website. Previously, Digicert issued the first-ever onion SSL certificate to Facebook and we’re glad that Digicert was able to do the same for ProtonMail.


ProtonMail’s .onion SSL certificate has Extended Validation, which provides an additional layer of protection against phishing because you can be certain that the onion site you are connecting to belongs to us. For extra security, you can also manually verify the SSL certificate for protonirockerxow.onion with the following SHA256 hash.






While HTTPS is not strictly necessary for onion sites, we decided to make it mandatory for ProtonMail for several reasons:

First, we will likely take advantage of the ability to keep the location of onion sites secret by hosting our .onion website far away from our current infrastructure in an undisclosed location and country. In this situation, HTTPS adds an additional encryption layer to protect the traffic between the onion front end and our core infrastructure. HTTPS also allows us to continue enforcing the usage of secure cookies, which improves user security.

Secondly, we believe in security in depth. For this reason, we don’t believe HTTPS is entirely redundant for onion sites. If someday Tor were to be compromised, enforcing HTTPS adds another layer of security for the end user. Similarly, Tor also provides security in case HTTPS is compromised. The notion of HTTPS being compromised is one that we take seriously, considering that there are hundreds of CAs (Certificate Authorities) that are trusted by default, with many of them under direct government control in high risk countries.

Thus, by using our onion site, your emails are protected by three layers of end-to-end encryption: Tor’s encryption on the outer layer, HTTPS in the middle layer, and PGP as the final layer of defense for the emails themselves.
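The manual fingerprint check described above can be scripted. The following Python sketch is an added example, not ProtonMail's code: it hashes a certificate exported from the browser (PEM text or DER bytes) and compares it with the fingerprint(s) the operator has published, accepting more than one pin so that an announced certificate rotation can be handled. The function names are illustrative, and the byte strings are constructed stand-ins for certificates, with the published pin derived from them.

```python
import hashlib
import hmac
import ssl


def normalize_fingerprint(text):
    """Reduce 'AA:BB:...', 'aa bb ...' or 'aabb...' to 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text.lower() if ch not in ": \t\n")
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return cleaned


def cert_fingerprint(cert):
    """SHA-256 over the certificate's DER encoding (accepts PEM text or DER bytes)."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert.strip())
    return hashlib.sha256(cert).hexdigest()


def display_form(hex_digest):
    """Format a digest the way browsers usually show it: 'AA:BB:...'."""
    upper = hex_digest.upper()
    return ":".join(upper[i:i + 2] for i in range(0, len(upper), 2))


def check_certificate(cert, published):
    """Compare the presented certificate with the operator's published pins.

    `published` is a list so that an old and a new certificate can both be
    accepted during a rotation. Returns (ok, presented_fingerprint).
    """
    actual = cert_fingerprint(cert)
    ok = False
    for pin in published:
        # Constant-time comparison; every pin is checked, no early exit.
        if hmac.compare_digest(actual, normalize_fingerprint(pin)):
            ok = True
    return ok, display_form(actual)


# Constructed stand-ins: arbitrary bytes, not real certificates.
CURRENT_DER = b"constructed bytes standing in for the current certificate"
ROTATED_DER = b"constructed bytes standing in for a replacement certificate"
CURRENT_PEM = ssl.DER_cert_to_PEM_cert(CURRENT_DER)

# What the operator would publish for CURRENT_DER (constructed for this example).
PUBLISHED = [display_form(cert_fingerprint(CURRENT_DER))]

if __name__ == "__main__":
    samples = (("current (PEM)", CURRENT_PEM), ("replacement (DER)", ROTATED_DER))
    for name, cert in samples:
        ok, shown = check_certificate(cert, PUBLISHED)
        print(name, "MATCH" if ok else "MISMATCH", shown)
```

A mismatch does not say which side changed; the presented fingerprint is returned so it can be compared against the operator's announcement obtained through a separate channel.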

What’s Next?

You can find a more simplified and condensed version of all of this on the following webpage we have created to give the 30-second summary of ProtonMail’s Tor support:

In the coming months, we will be hard at work making additional security and privacy enhancements to ProtonMail, including finishing some of the leftover items from our 2016 Security Roadmap. Moving forward in 2017, we will be putting added focus on making ProtonMail more censorship resistant, and providing our user community with the tools required to connect securely to ProtonMail, even from compromised locations.

Best Regards,
The ProtonMail Team

A statement from the Tor Project can be found in the joint press release.

For questions and comments, you can reach us at

ProtonMail is funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!


About the Author

Proton Team

Proton was founded by scientists who met at CERN and had the idea that an internet where privacy is the default is essential to preserving freedom. Our team of developers, engineers, and designers from all over the world is working to provide you with secure ways to be in control of your online data.



79 comments on “Fighting Censorship with ProtonMail Encrypted Email Over Tor”

    • Evan, if your question is whether you can run a Tor service that will route traffic for other users, but only those trying to contact one specific hidden service, no, you cannot do this — and for good reason.

      When a node needs to contact the hidden service, it will pick a random set of nodes to route traffic through. These intermediate nodes only know the prior and following node. They don’t know the origin or the final destination of the traffic, unless they are the origin or final destination. Therefore, your node cannot filter traffic based on the source or destination of the traffic because your node doesn’t know this information.

      You must either route for all Tor hidden services or none at all (by not running a relay).

  • Great job, thanks, keep the good work! Now that we are dealing with Tor, excuse me a question: is it or will it be possible to route the Android ProtonMail app to Tor using Orbot? If it’s already possible, any instructions from your side? Many thanks.

  • – duckduckgo has its server in the u.s.a.
    – startpage also.
    – blog (tor blog also) are censored & spoiled with corrupted and spam comment coming from their admin/team.
    – policy of some famous site (which mailing-list) are strict and explain clearly that they retain every post : they do not erase it after a week, users have not the option to delete that they write ; all is recorded and sent to the uk:us spy/police force ( they share the data with any one who request it anyway).
    – most of e-mail provider are not accepted.
    – most of u.k blog/site will in a near future implement a backdoor : their visitors/posters will not be anymore anonymized ( it is certainly yet done … maybe).
    _ reviews are sponsored and the opinions mismatch.
    _ fake news are becoming an aggressive strategy of propaganda .

    * now that you open an onion site , what is the best secure/safe if you are not living in a very censored land (most of countries are under mass surveillance and censorship) :
    a) the normal site or
    b) the onion site (experimental) ?
    c) In which one you trust without any doubt ?

    * i am happy you added the https support and av for the onion site i expected that since a long time.
    ** html5 canvas image data are a request from this site if you allow javascript.

    Thanks a lot for your article.

    • Startpage is a company from the Netherlands (EU) and you can choose to only use the European Servers :)

    • Simply using Tor can make you somewhat of a target, Snowden’s leaked training documents on XKeyscore showed that. If you don’t need anonymity for safety reasons, it’s probably better to use I2P instead. It’s designed for countering dragnet surveillance and therefore draws less attention to itself.

      • hello,

        @ Simply using Tor can make you somewhat of a target
        yes and if you drive an alpha-romeo or a plane too lol
        @ If you don’t need anonymity for safety reasons, it’s probably better to use I2P instead.
        i do not know if you did a mistake or not writing “don’t need anonymity for safety reason” ???

        Tor+Protonmail & -https+onion+Protonmail- are two option and anonymity is > security.(using tor or onion) and security > anonymity.(using ProtonMail).
        I2P is not (like email protocol) designed with privacy or security in mind but for sharing anonymously and in a safe way using encryption and a strict process.
        – Most of hackers and bad guys (whom police force running for their own interest) have infiltrated a lot of I2P platform it is the reason why some ‘nobody’ are behind the bars or in trouble : it means that some users are working on both side destroying the sense of ‘trust’ of the I2P protocol (manning case is a famous example).
        *human factor is a high risk.
        So if i do not need anonymity for safety reason i should use clearly I2P !
        – Experimented users or testers could try some tor service and I2P-otr but , remember , you are a part of a group only if you are invited and only if it is accepted by the other members because i2P runs as group-sharing
        So if i do need anonymity for safety reason i should use clearly I2P !
        *trust is a high risk.

        + But if i need anonymity (in the purpose that my privacy be my own business & respected as is ; and be safe when i receive and send message) and communicating/sharing using the basics rights like freedom of speech or to be informed and not abused by false information or disturbed minds ; i , i should use clearly an secure e-mail provider like ProtonMail with Tor.
        All is secure & safe to use and you can also using pgp to be certain of the integrity & the identity of your messages/correspondents.
        *human factor is in this configuration reduced.
        *trust is in this configuration improved.

        I should conclude that you must use the tool according on your projects and not because this one (e-mail e.g.) is more or less safe in the case of death or life (urban legend) or because the other (I2P e.g.) should be built in a closed/virtual/invisible network and should not be more or less infiltrated by a third actor (urban legend).

        thank you.

        • That kinda proves my point. People are discovered on i2p if they’re directly targeted, the same is true of Tor. However, Tor is an explicit target of intelligence agencies and simply searching for it on a search engine raises a red flag, the same isn’t true of i2p. Unless you suspect that you could be a direct target of a 3rd party (government or otherwise), using i2p is preferable to Tor.

          • “Fighting Censorship with ProtonMail Encrypted Email Over Tor” is the topic :
            it is not i2p-sigaint-darknet/tor-onion-protonmail
            The goal of tor is not to be mr nobody (an individual) but to be everyone (a group).
            Both are hiding you from indiscreet eyes & are building a resistance.

          • no, tor also have tools for sharing or e-mailing safely & anonymously without to be a “target” : onion-share or tor messenger or email through tor like proton-mail e.g . Using tor is not at all a red flag it is all the opposite as soon as there are a lot of user : you are masked so invisible ; a mass surveillance is difficult ; you cannot be a target ; it is the purpose of this free project so you have not understood clearly that point.
            i2p (the network) is another project by another way for another user : it is less secure (except for friendtofriend) and more infiltrated : you are a target as soon as you come in because it is under survey ; one more again , remember manning case … and another whom you can watch the face on the net who are more experimented than yourself.
            i2p is an unstable / darknet version of to be anonymous = untrust.

          • Manning went public, that’s why she was found. She wasn’t “discovered”. Also, there’s no evidence that she used I2P, so I don’t know why you’re bringing her up in the first place.
            As for Tor, look into the Snowden leaks. There are several internal presentations by the NSA where they state that they consider searching for Tor suspicious. Unless your computer has Tor included already, you’ll need to download it at some point and you won’t be downloading it over the Tor network, will you?

          • > That Guy
            On May 21, 22-year-old Army intelligence analyst Bradley Manning initiated a series of online chats with former hacker Adrian Lamo after a story on Lamo was published at

            # THIS CHAT WAS UNDER I2P : TOR IS NOT ILLEGAL ; in short you do not know what you are speaking about -you should maybe post in your native language- (read again arcus and kiaburg post above, it seems that you are misinformed and do not understand english/us. i should add that privacy, anonymity, security are serious topics.)

            The chats continued over several days, during which Manning claimed that he was responsible for leaking classified material to the whistle-blower site Wikileaks.

            Lamo tipped off the FBI and the Army about Manning’s claims, and on May 26, Manning was seized by Army authorities and put into pre-trial detention in Kuwait. He remains in Kuwait while the Army Criminal Investigation Division and other agencies investigate whether he leaked classified information and determine if he should be charged with any crime.*


  • Can the same level of anonymity or privacy be achieved by using a VPN to connect to ProtonMail?

    • Probably not, most VPN services cannot really be trusted as you don’t know who is operating them.

  • I’ve been thinking about the need for encrypted email companies (and even others) to route emails between them encrypted (incl headers). Would using TOR hidden services for email routing across hosts ensure email encryption by itself? Even if using current email protocols underneath? And even if the TOR network were de-anonymized again?

  • First, thank you for providing this! I love ProtonMail, and with each new update it gets better and better!

    When using your Tor location, your site says:

    “ProtonMail requires Javascript. Enable Javascript and reload this page to continue.”

    couldn’t this provide a vulnerability when using your new service? What settings do you recommend?

    • Javascript (not java) is used on protonmail to encrypt/decrypt mails using your browser and not the Protonmail servers, which in fact allows more security by not giving protonmail any access to your private key/passphrase.

      Before crying when people worked hard for a product and distribute it for free, without you being the product (as opposed to gmail/etc), please use your dumb brain and thank the team.

  • Well done, Protonmail ! We’d been looking forward to “Prot-on-ionmail” ! Long live protonirockerxow.onion !

    Curious, what aggregate amount of CPU time did it take to generate the nice onion domain name ?

  • Thank you so much for doing this! I’m glad I started supporting ProtonMail last year. This is fantastic. Could Torified mobile apps be far behind?

  • Wonderful, you guys keep getting better and better.
    Trump gets sworn at as President…. (at = in)
    Protonmail gets Tor, just in time.

  • Hello ProtonMail,
    please consider to also allow registration over the HS. Currently it redirects to the standard web page. If that's not acceptable to you at least remove the function to register from the hidden service page as it somehow tricks the user to leave the HS without being noticed.
    Best regards!

    • I agree. I read that exit node MITM attacks are possible when you use TLS/SSL over TOR while browsing the clearnet sites so it is not safe to register on clearnet ProtonMail site via TOR. Please remove this vulnerability in your onion site or fix that it would be possible to register via ProtonMail TOR darknet.

  • WOW.
    Congratulations, you are improving your project as no one I know does. I’m proud to have been one of your beta-tester, your service keeps to be one of my favourite

  • I find it difficult to imagine the situations where TOR would actually increase or at least not decrease user privacy and anonymity when using Protonmail with TOR. US/UK agencies have fairly strong grip on TOR network, and US has been and still is the largest funder of the project

    Maybe if you’re on a country other than Five Eyes participant, where Internet access is known to be monitored and/or censored and you’d like to access Protonmail, TOR might help you reach the site. But relying on TOR against government level surveillance is I think useless, because of the mechanisms of network analysis available for intelligence agencies capable of running number of nodes of their own. There also might be known vulnerabilities in the protocol that are not in public knowledge, but are actively being used by law enforcement.

    • A)Tor (us product made by corrupted people for us guys which the blog is censored) allows you to be a fish in a sea , as long as you are in a group , you cannot be shown as an individual , a target (of course killing all the fishes for only catch one alive is an easy task and they do it).
      But it should be not fair to imagine that a sponsor (government) command a project (free) or is the owner of an unknown part (node). U.S is sponsoring Tor because it is his duty and it is bringing to them tax/reputation advantage. Any one can participate and become an actor running a node by example.
      B)In the 14 eyes , all is censored but you know it and when you lose someone or something (including your dignity or your life) ; you stay alone in front of their invisible power.; in the other part of the world -outside the 14 eyes- , you do not know that but it is the same and you stay without power in front of their visible force.
      Law enforcement does not exist like vulnerability is not a bug … they survey in the purpose to be the boss of internet , deciding that at least 90% of this one be attributed for commercial registered usage (business).
      Tor is a piece of freedom in this struggle – more you are on this side more you will have free space..
      C)Now, saying that it is useless is more a matter of point of view than a technical argument.
      On the both side , they earn money and follow their own way.
      *afaik Tor is not a part of microsoft or apple or cia:nsa hidden project.

  • Thanks. I found this extremely educational as I was not familiar with the intricacies of a Tor network. I do have a few questions though, why not a VPN? What is the difference between Tor and VPN? Does Proton plan on offering a VPN at some point?

    Thank you!

  • The new onion site works well. Only thing is that the ‘change layout’ icons and main ProtonMail logo image top left don’t work, because Tor doesn’t like certain image types.

    • True, this was already the case when accessing the non-onion site using Tor. It’s fixed by changing the security level from “High” to “Medium”, but of course you may not want to do that.

  • WHAT did you people do in the last 24 hours to wipe out my custom theme?

    I do hope you can RESTORE it.

    Why would you ever muck with user’s personal themes? With no warning?


    • Sorry about that, we have been refactoring to standardize our CSS. We are also working on a new system to avoid breaking changes and better notifications to theme developers.

  • Well, pretty useless since you ask(force) to make a donation or to use your MOBILE PHONE number to register the account.

    • I noticed there is an “email” option too, now. Anyway if you don’t have one outside protonmail you can’t create a new one, and some domains are not accepted.

  • Interesting headline “Donald Trump will control the NSA,… etc.” Do you know what it meant for your privacy when Barack Obama was in charge of the NSA? If you get your news from television, I’m sure you don’t, because BO had the media at his back, creating a public relations image of a progressive president, a liberal, a Democrat, and so on. Trump was supposed to lose and pass the butler’s job to Clinton, who served well with Bill in the nineties. Trump lacks finesse, intelligence, and even credibility, and he was certain to lose, thereby fulfilling his destiny in furthering the aims of the people who are, as I write this, planning on how to get rid of this fascist idiot before he brings on a revolution.
    The rest will come in a long email.
    Wake up, folks. The alarm went off 30 years ago.


  • Let me share an interesting VPN implementation method.

    The developer made an Ansible playbook to automate the difficult and tedious task of configuring a VPN server, with many options. The Ansible playbook implements the VPN server on a virtual machine of many of the big cloud services providers. You will have your own VPN on an IP address not associated with a VPN. He used non-standard ports, so it will be difficult to block, without causing collateral trouble.

    A Tor bridge is included.

    The developer seems to be actively developing and maintaining the project.

    From the GitHub site:
    “Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.”

    I have used Streisand VPN to spin-up multiple VPN servers on multiple cloud providers. Very cool. It works on my Android phone and Apple devices.

  • I will install Tor browser once ProtonVPN launches for the mass public (so I can use it). I would rather install Tor on my device via a VPN. If it will let me install via a VPN?

  • Great work, it makes me keep some hope of online privacy being a thing in the future. Was driven to donate after reading this, keep up the good work!

  • This sort of thing is nice to read as it gives me some hope i can maintain online privacy going into the future. Was compelled to donate after reading, keep up the good work!

  • Love reading things like this as it gives me hope of privacy online in the future as governments get more and more involved. Was compelled to donate having read this, keep up the good work!

  • CERTIFICATE changed, no announcement
    The certificate for protonirockerxow.onion has changed to one with following sha256 fingerprint: 2F:B7:C4:7D:BF:B1:E9:5F:D6:29:6A:E7:BE:52:EA:C8:12:BE:73:C3:4F:59:2E:68:91:A9:1A:57:9D:AD:0B:91

    Was that you, or someone else?

  • I need an ip address to post a blog text file to link to a YouTube video, but I’d like to post it on Tor through ProtonMail. Is this possible through any accounts PM offers?

  • Why doesn’t the Android client support using the onion address? Why do you still use the privacy-stealing recaptchas?

  • Hi ProtonMail team, can you tell me if it’s safe to create an email on the clearnet then use it over Tor ? Maybe i have to create and use it ONLY over Tor ? Thank you.

    • There are several reasons why you might want to use ProtonMail over Tor. First, routing your traffic to ProtonMail through the Tor network makes it difficult for an adversary wiretapping your internet connection to know that you are using ProtonMail. Tor applies extra encryption layers on top of your connection, making it more difficult for an advanced attacker to perform a man-in-the-middle attack on your connection to us. Tor also makes your connections to ProtonMail anonymous as we will not be able to see the true IP address of your connection to ProtonMail. Please read more info here:

  • “…we have reached the point where it simply not possible to run…”
    Omitted the word “is”

    1st typo I saw in several pages. Impressive. I used to work as a proofreader/’polisher’ for a small publisher, making translated-into-English materials read like native-speaker English material. And your material is high quality native-speaker English; that is, better than most the stuff I see here in my native Canada.

  • I’d be more likely to use an I2P site for protonmail. Then there’s another mailserver on I2P!

  • Is it possible to use “” instead of “”? I want you to be able to use it because I can type it in short.

  • Hello. When I open both the clear url and the onion url on tor in order to create an account, it simply does not allow me to create an account. I click “Create an account” on the login page, and click “free plan”. It will either pop up red error messages where I would place a backup email and the username, or will redirect me directly back to login. Is there a way to fix this? I’ve disabled my add on to allow java script, but no dice. I’ve also lowered security in hopes to get it to work, but still no.

  • Above this comment box:
    “What’s Next” for 2017 could be removed rather than left outdated. Leave it to marketing folks at a high level. Keep secret what’s coming.

    The next Section: “Learn More” is 5 years outdated. Keep it refreshed or remove it. Outdated material equivalent to dog-eared… smudged business cards. It represents You, so let it be known to act on it ASAP.

    Love ya’ll anyway,