Fighting Censorship with ProtonMail Encrypted Email Over Tor


As part of our efforts to continue protecting user privacy, we are launching a Tor hidden service to combat censorship and surveillance of ProtonMail users.

In the past two years, ProtonMail has grown enormously, especially after the recent US election, and today we are the world’s largest encrypted email service with over 2 million users. We have come a long way since our user community initially crowdfunded the project. ProtonMail today is much larger in scope than what was originally envisioned when our founding team met at CERN in 2013.

As ProtonMail has evolved, the world has also been changing around us. Civil liberties have been increasingly restricted in all corners of the globe. Even Western democracies such as the US have not been immune to this trend, which is most starkly illustrated by the forced enlistment of US tech companies into the US surveillance apparatus. In fact, we have reached the point where it is simply not possible to run a privacy- and security-focused service in the US or in the UK.

At the same time, the stakes are also higher than ever before. As ProtonMail has grown, we have become increasingly aware of our role as a tool for freedom of speech, and in particular for investigative journalism. Last fall, we were invited to the 2nd Asian Investigative Journalism Conference and were able to get a firsthand look at the importance of tools like ProtonMail in the field.

Recently, more and more countries have begun to take active measures to surveil or restrict access to privacy services, cutting off access to these vital tools. We realize that censorship of ProtonMail in certain countries is not a matter of if, but a matter of when. That’s why we have created a Tor hidden service (also known as an onion site) for ProtonMail to provide an alternative access to ProtonMail that is more secure, private, and resistant to censorship.

Tor Hidden Service for Encrypted Email

Starting today, it is also possible to connect to ProtonMail directly through the Tor network using our new onion site. In order to use our onion site, you need to first set up Tor on your computer. Instructions for using ProtonMail encrypted email with Tor can be found here. After Tor is properly set up, ProtonMail’s onion site can be visited at the following URL:


We would like to give a special thanks to Roger Dingledine and the Tor Project for creating the Tor software and also providing insightful comments and suggestions regarding ProtonMail’s onion site implementation.

Tor Email Privacy

There are several reasons why you might want to use ProtonMail over Tor. First, routing your traffic to ProtonMail through the Tor network makes it difficult for an adversary wiretapping your internet connection to know that you are using ProtonMail. Tor applies extra encryption layers on top of your connection, making it more difficult for an advanced attacker to perform a man-in-the-middle attack on your connection to us. Tor also makes your connections to ProtonMail anonymous as we will not be able to see the true IP address of your connection to ProtonMail.

Tor can also help with ProtonMail accessibility. If ProtonMail becomes blocked in your country, it may be possible to reach ProtonMail by going to our onion site. Furthermore, onion sites are “hidden” services in the sense that an adversary cannot easily determine their physical location. Thus, while could be attacked by DDoS attacks, protonirockerxow.onion cannot be attacked in the same way because an attacker will not be able to find a public IP address.

Note, it is also possible to visit ProtonMail via Tor at our regular site, but there are several advantages to using the onion site. First, onion site connections provide true end-to-end encryption on the Tor level, meaning that the extra encryption that Tor applies is present until your connection reaches our infrastructure, whereas a non-onion Tor connection does not have Tor encryption beyond the last node. Secondly, Tor also provides end-to-end authentication, which helps to mitigate some of the weaknesses of the existing Certificate Authority system that is used to secure most of the Internet (more about this later).

Using Tor does come with some downsides however. Tor connections typically are much slower than a standard internet connection, so performance will suffer as a result. ProtonMail’s onion site is still considered to be experimental, so its reliability may not be as high as our standard site.

Since our onion site is still experimental, we are not making any recommendations yet regarding the use of ProtonMail’s onion site. Even without using Tor, your ProtonMail inbox is still strongly protected with PGP end-to-end encryption, secure authentication (SRP), and optional two-factor authentication. However, ProtonMail definitely has users in sensitive situations where the extra security and anonymity provided by Tor could literally save lives.

ProtonMail’s Onion Site – Technical Details

In implementing ProtonMail’s onion site, we took a few additional precautions to ensure the highest level of security to protect against advanced threats.

HTTPS with Tor

As an added security feature, we have decided to offer our onion site with HTTPS only. To accomplish this, we partnered with SSL Certificate provider Digicert to provide a valid certificate for https://protonirockerxow.onion. Previously, Digicert issued the first-ever onion SSL certificate to Facebook and we’re glad that Digicert was able to do the same for ProtonMail.


ProtonMail’s .onion SSL certificate has Extended Validation so you will get the green bar in your browser, and it provides an additional layer of protection against phishing because you can be certain that the onion site you are connecting to belongs to us. For extra security, you can also manually verify the SSL certificate for protonirockerxow.onion with the following SHA256 hash.


While HTTPS is not strictly necessary for onion sites, we decided to make it mandatory for ProtonMail for several reasons:

First, we will likely take advantage of the ability to keep the location of onion sites secret by hosting protonirockerxow.onion away from our current infrastructure in an undisclosed location and country. In this situation, HTTPS adds an additional encryption layer to protect the traffic between the onion front end and our core infrastructure. HTTPS also allows us to continue enforcing the usage of secure cookies, which improves user security.

Secondly, we believe in security in depth. For this reason, we don’t believe HTTPS is entirely redundant for onion sites. If someday Tor were to be compromised, enforcing HTTPS adds another layer of security for the end user. Similarly, Tor also provides security in case HTTPS is compromised. The notion of HTTPS being compromised is one that we take seriously, considering that there are hundreds of CAs (Certificate Authorities) that are trusted by default, with many of them under direct government control in high risk countries.

Thus, by using our onion site, your emails are protected by three layers of end-to-end encryption: Tor’s encryption on the outer layer, HTTPS in the middle layer, and PGP as the final layer of defense for the emails themselves.

Tor Phishing Resistance

Onion site addresses are 16-character hashes of encryption keys that typically look like this: 3ens52v5u7fei76b.onion. The problem is that there is no good way to differentiate between




as to the human eye, both are equally unrecognizable. This opens up a phishing risk because a phishing site can trivially be created and unless the 16-character random URL is checked carefully each time, users cannot be certain they are visiting the correct onion site. From a usability standpoint, it is not really realistic to expect users to perform this check every single time.

To bypass this problem, we used ProtonMail’s spare CPU capacity to generate millions of encryption keys and then hashed them, using a “brute force” approach to find a more human readable hash for our onion address. The end result, after expending considerable CPU time, is the following address which is much more resistant to phishing:


as it can be easily remembered as:

proton i rocker xow

Thus, to be sure that you are visiting ProtonMail’s official onion site (as opposed to some phishing site), make sure the onion site has the correct domain name, and also has a valid SSL certificate issued to Proton Technologies AG.
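The following is an added illustration, not ProtonMail's code: it shows how a 16-character onion address of this kind is derived from a key, what matching a chosen prefix costs on average, and a strict full-address check that flags lookalikes. It assumes the v2 onion scheme (base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key); the function names, the stand-in key bytes, the constructed sample hostnames and the 4-character lookalike threshold are assumptions of this example.

```python
import base64
import hashlib
import string

OFFICIAL = "protonirockerxow.onion"            # address given in the post
B32_ALPHABET = set(string.ascii_lowercase + "234567")
LOOKALIKE_PREFIX = 4                           # assumed threshold for this example


def onion_v2_address(pubkey_der: bytes) -> str:
    """base32(first 80 bits of SHA-1(DER-encoded RSA public key)) + '.onion'."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def expected_attempts(prefix_len: int) -> int:
    """Average number of keys to hash before a chosen prefix appears.

    Each base32 character carries 5 bits, so the cost grows 32x per character.
    """
    return 32 ** prefix_len


def onion_label(host: str):
    """Return the 16-character label of a v2 onion hostname, or None."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    label = labels[-2]
    # Digits 0, 1, 8 and 9 never occur in base32, so "proton1..." is rejected.
    if len(label) != 16 or not set(label) <= B32_ALPHABET:
        return None
    return label


def check_onion_host(host: str, official: str = OFFICIAL) -> str:
    """Classify host as 'match', 'lookalike', 'other' or 'invalid'."""
    label, want = onion_label(host), onion_label(official)
    if label is None or want is None:
        return "invalid"
    if label == want:                          # all 16 characters must agree
        return "match"
    shared = 0
    for a, b in zip(label, want):
        if a != b:
            break
        shared += 1
    return "lookalike" if shared >= LOOKALIKE_PREFIX else "other"


if __name__ == "__main__":
    fake_key = b"constructed stand-in for DER key bytes"   # not a real key
    print(onion_v2_address(fake_key))
    for n in (6, 13, 16):
        print(n, "chars:", expected_attempts(n), "keys on average")
    # Constructed sample hostnames, plus the example address from the text.
    for host in (OFFICIAL, "proton" + "a" * 10 + ".onion",
                 "proton1rockerxow.onion", "3ens52v5u7fei76b.onion"):
        print(host, "->", check_onion_host(host))
```

A shared prefix is only a triage hint; the decision is always the comparison of all 16 characters, which is why a bookmark or a pinned value is more reliable than recognising the name by eye.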

What’s Next?

You can find a more simplified and condensed version of all of this on the following webpage we have created to give the 30-second summary of ProtonMail’s Tor support:

In the coming months, we will be hard at work making additional security and privacy enhancements to ProtonMail, including finishing some of the leftover items from our 2016 Security Roadmap. Moving forward in 2017, we will be putting added focus on making ProtonMail more censorship resistant, and providing our user community with the tools required to connect securely to ProtonMail, even from compromised locations.

Best Regards,
The ProtonMail Team


A statement from the Tor Project can be found in the joint press release.

For questions and comments, you can reach us at




About the Author


We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.



40 comments on “Fighting Censorship with ProtonMail Encrypted Email Over Tor”

    • Evan, if your question is whether you can run a Tor service that will route traffic for other users, but only those trying to contact one specific hidden service, no, you cannot do this — and for good reason.

      When a node needs to contact the hidden service, it will pick a random set of nodes to route traffic through. These intermediate nodes only know the prior and following node. They don’t know the origin or the final destination of the traffic, unless they are the origin or final destination. Therefore, your node cannot filter traffic based on the source or destination of the traffic because your node doesn’t know this information.

      You must either route for all Tor hidden services or none at all (by not running a relay).

  • Great job, thanks, keep the good work! Now that we are dealing with Tor, excuse me a question: is it or will it be possible to route the Android ProtonMail app to Tor using Orbot? If it’s already possible, any instructions from your side? Many thanks.

  • – duckduckgo has its server in the u.s.a.
    – startpage also.
    – blog (tor blog also) are censored & spoiled with corrupted and spam comment coming from their admin/team.
    – policy of some famous site (which mailing-list) are strict and explain clearly that they retain every post : they do not erase it after a week, users have not the option to delete that they write ; all is recorded and sent to the uk:us spy/police force ( they share the data with any one who request it anyway).
    – most of e-mail provider are not accepted.
    – most of u.k blog/site will in a near future implement a backdoor : their visitors/posters will not be anymore anonymized ( it is certainly yet done … maybe).
    _ reviews are sponsored and the opinions mismatch.
    _ fake news are becoming an aggressive strategy of propaganda .

    * now that you open an onion site , what is the best secure/safe if you are not living in a very censored land (most of countries are under mass surveillance and censorship) :
    a) the normal site or
    b) the onion site (experimental) ?
    c) In which one you trust without any doubt ?

    * i am happy you added the https support and av for the onion site i expected that since a long time.
    ** html5 canvas image data are a request from this site if you allow javascript.

    Thanks a lot for your article.

    • Simply using Tor can make you somewhat of a target, Snowden’s leaked training documents on XKeyscore showed that. If you don’t need anonymity for safety reasons, it’s probably better to use I2P instead. It’s designed for countering dragnet surveillance and therefore draws less attention to itself.

      • hello,

        @ Simply using Tor can make you somewhat of a target
        yes and if you drive an alpha-romeo or a plane too lol
        @ If you don’t need anonymity for safety reasons, it’s probably better to use I2P instead.
        i do not know if you did a mistake or not writing “don’t need anonymity for safety reason” ???

        Tor+Protonmail & -https+onion+Protonmail- are two option and anonymity is > security.(using tor or onion) and security > anonymity.(using ProtonMail).
        I2P is not (like email protocol) designed with privacy or security in mind but for sharing anonymously and in a safe way using encryption and a strict process.
        – Most of hackers and bad guys (whom police force running for their own interest) have infiltrated a lot of I2P platform it is the reason why some ‘nobody’ are behind the bars or in trouble : it means that some users are working on both side destroying the sense of ‘trust’ of the I2P protocol (manning case is a famous example).
        *human factor is a high risk.
        So if i do not need anonymity for safety reason i should use clearly I2P !
        – Experimented users or testers could try some tor service and I2P-otr but , remember , you are a part of a group only if you are invited and only if it is accepted by the other members because i2P runs as group-sharing
        So if i do need anonymity for safety reason i should use clearly I2P !
        *trust is a high risk.

        + But if i need anonymity (in the purpose that my privacy be my own business & respected as is ; and be safe when i receive and send message) and communicating/sharing using the basics rights like freedom of speech or to be informed and not abused by false information or disturbed minds ; i , i should use clearly an secure e-mail provider like ProtonMail with Tor.
        All is secure & safe to use and you can also using pgp to be certain of the integrity & the identity of your messages/correspondents.
        *human factor is in this configuration reduced.
        *trust is in this configuration improved.

        I should conclude that you must use the tool according on your projects and not because this one (e-mail e.g.) is more or less safe in the case of death or life (urban legend) or because the other (I2P e.g.) should be built in a closed/virtual/invisible network and should not be more or less infiltrated by a third actor (urban legend).

        thank you.

        • That kinda proves my point. People are discovered on i2p if they’re directly targeted, the same is true of Tor. However, Tor is an explicit target of intelligence agencies and simply searching for it on a search engine raises a red flag, the same isn’t true of i2p. Unless you suspect that you could be a direct target of a 3rd party (government or otherwise), using i2p is preferable to Tor.

  • I’ve been thinking about the need for encrypted email companies (and even others) to route emails between them encrypted (incl headers). Would using TOR hidden services for email routing across hosts ensure email encryption by itself? Even if using current email protocols underneath? And even if the TOR network were de-anonymized again?

  • First, thank you for providing this! I love ProtonMail, and with each new update it gets better and better!

    When using your Tor location, your site says:

    “ProtonMail requires Javascript. Enable Javascript and reload this page to continue.”

    couldn’t this provide a vulnerability when using your new service? What settings do you recommend?

    • Javascript (not java) is used on protonmail to encrypt/decrypt mails using your browser and not the Protonmail servers, which in fact allows more security by not giving protonmail any access to your private key/passphrase.

      Before crying when people worked hard for a product and distribute it for free, without you being the product (as opposed to gmail/etc), please use your dumb brain and thank the team.

  • Well done, Protonmail ! We’d been looking forward to “Prot-on-ionmail” ! Long live protonirockerxow.onion !

    Curious, what aggregate amount of CPU time did it take to generate the nice onion domain name ?

  • Wonderful, you guys keep getting better and better.
    Trump gets sworn at as President…. (at = in)
    Protonmail gets Tor, just in time.

  • Hello ProtonMail,
    please consider to also allow registration over the HS. Currently it redirects to the standard web page. If that’s not acceptable to you at least remove the function to register from the hidden service page as it somehow tricks the user to leave the HS without being noticed.
    Best regards!

  • WOW.
    Congratulations, you are improving your project as no one I know does. I’m proud to have been one of your beta-tester, your service keeps to be one of my favourite

  • I find it difficult to imagine the situations where TOR would actually increase or at least not decrease user privacy and anonymity when using Protonmail with TOR. US/UK agencies have fairly strong grip on TOR network, and US has been and still is the largest funder of the project.

    Maybe if you’re on a country other than Five Eyes participant, where Internet access is known to be monitored and/or censored and you’d like to access Protonmail, TOR might help you reach the site. But relying on TOR against government level surveillance is I think useless, because of the mechanisms of network analysis available for intelligence agencies capable of running number of nodes of their own. There also might be known vulnerabilities in the protocol that are not in public knowledge, but are actively being used by law enforcement.

    • A)Tor (us product made by corrupted people for us guys which the blog is censored) allows you to be a fish in a sea , as long as you are in a group , you cannot be shown as an individual , a target (of course killing all the fishes for only catch one alive is an easy task and they do it).
      But it should be not fair to imagine that a sponsor (government) command a project (free) or is the owner of an unknown part (node). U.S is sponsoring Tor because it is his duty and it is bringing to them tax/reputation advantage. Any one can participate and become an actor running a node by example.
      B)In the 14 eyes , all is censored but you know it and when you lose someone or something (including your dignity or your life) ; you stay alone in front of their invisible power.; in the other part of the world -outside the 14 eyes- , you do not know that but it is the same and you stay without power in front of their visible force.
      Law enforcement does not exist like vulnerability is not a bug … they survey in the purpose to be the boss of internet , deciding that at least 90% of this one be attributed for commercial registered usage (business).
      Tor is a piece of freedom in this struggle – more you are on this side more you will have free space..
      C)Now, saying that it is useless is more a matter of point of view than a technical argument.
      On the both side , they earn money and follow their own way.
      *afaik Tor is not a part of microsoft or apple or cia:nsa hidden project.

  • Thanks. I found this extremely educational as I was not familiar with the intricacies of a Tor network. I do have a few questions though, why not a VPN? What is the difference between Tor and VPN? Does Proton plan on offering a VPN at some point?

    Thank you!

  • Bravo! You are very good guys. Once again you have shown that you defend the free internet and human rights. That is why I love you! With this service I believe ProtonMail will become even more widely used and preferred by users. I especially liked that you have the option to log in to your favorite mail client through Tor. This is one more barrier in front of the NSA, CIA and governments. Bravo! Bravo! Bravo!

    Keep going in the same spirit, guys, we are behind you! We support you with both hands! 🙂

    • Well done! You’re very good boys. Once again showed that defend free internet and human rights. That’s why I love you! With this service Protonmail think that will become even more used and preferred by consumers. Especially I liked that you get a chance to get into your favorite mail client via Tor. This is another barrier to the NSA, CIA and governments. Well done! Well done! Well done!

      Keep’em pomcheta, we’re behind you! We support you with both hands!

      (i did not success the translation of the term “pomcheta” maybe something like ‘keep them down’)
      /translated from russian to english/

  • The new onion site works well. Only thing is that the ‘change layout’ icons and main ProtonMail logo image top left don’t work, because Tor doesn’t like certain image types.

    • True, this was already the case when accessing the non-onion site using Tor. It’s fixed by changing the security level from “High” to “Medium”, but of course you may not want to do that.

  • WHAT did you people do in the last 24 hours to wipe out my custom theme?

    I do hope you can RESTORE it.

    Why would you ever muck with user’s personal themes? With no warning?


    • Sorry about that, we have been refactoring to standardize our CSS. We are also working on a new system to avoid breaking changes and better notifications to theme developers.