ProtonMail’s SSL Certificate

NOTE: ProtonMail may use different SSL/TLS certificates for our subdomains. The information below pertains only to our main site protonmail.com.

ProtonMail is all about privacy, and we want to do our best to protect everyone’s data and communication. When accessing protonmail.com, the transmission of information between your browser and our servers in Switzerland is always encrypted and protected by HTTPS. While this is not the same as the end-to-end encryption concept of PGP, it is nevertheless important for protecting you from man-in-the-middle attacks and other forms of communication eavesdropping.

For HTTPS to work, each website must have an SSL/TLS certificate that is verified by a trusted certificate authority. The certificate authority that vouches for ProtonMail is SwissSign AG. A modern browser should automatically check the validity of the certificate of an HTTPS-protected website and alert you if it detects something untrustworthy. For the uber-security-conscious users who want to check manually, the fingerprints of our certificate are:

SHA-256: 23:00:B8:54:21:8A:3D:4F:4F:E7:8B:58:9E:ED:FA:BB:16:65:51:89:D8:71:00:85:A5:67:D0:33:AA:60:3B:CC

SHA-1: 42:65:80:E0:43:5A:08:9C:1D:26:14:7F:58:A1:6A:40:94:F2:59:A0

If this matches what you see in your browser, then you know you are communicating with the real ProtonMail website and using the correct public key to encrypt your sensitive information, which only ProtonMail can decrypt.

To check the thumbprint in Chrome:

  1. Click on the menu (⋮) in the top-right corner, next to the browser address bar.
  2. Click More tools > Developer Tools.
  3. Select the Security tab. Click on View Certificate and go to Details. You will find the certificate details with fingerprints at the bottom.

In Details, show All and verify the Thumbprint matches the one above (make sure you are looking at the certificate for protonmail.com, not SwissSign AG).


To check the fingerprint in Firefox:

  1. Click on the lock button in front of the URL and click on More Information.
  2. Go to Security and click on View Certificate.


To check the fingerprint in Safari:

  1. Click on the Green Bar stating: “Proton Technologies AG”.
  2. Select Show Certificate. In Details, scroll to the bottom of the page to see the SHA1 Fingerprint.
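The same check can be scripted outside the browser. The following is an added example, not ProtonMail's own code: it hashes the DER-encoded certificate the server presents and compares it with the two fingerprints listed above. The helper names (`normalize`, `fingerprint`, `check`, `fetch_leaf_der`) are illustrative.

```python
import hashlib
import socket
import ssl

# Fingerprints published on this page for the main site, protonmail.com.
PUBLISHED = {
    "sha256": "23:00:B8:54:21:8A:3D:4F:4F:E7:8B:58:9E:ED:FA:BB:"
              "16:65:51:89:D8:71:00:85:A5:67:D0:33:AA:60:3B:CC",
    "sha1": "42:65:80:E0:43:5A:08:9C:1D:26:14:7F:58:A1:6A:40:94:F2:59:A0",
}

def normalize(fp: str) -> bytes:
    """Parse a fingerprint as browsers display it (colons or spaces,
    any case) into raw bytes. Raises ValueError on non-hex input."""
    return bytes.fromhex(fp.replace(":", ""))

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash the DER-encoded certificate and format it as on this page."""
    return hashlib.new(algo, der).digest().hex(":").upper()

def check(der: bytes, published: dict = PUBLISHED) -> dict:
    """Return {algorithm: True/False} for each published fingerprint."""
    return {
        algo: hashlib.new(algo, der).digest() == normalize(want)
        for algo, want in published.items()
    }

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the server's own (leaf) certificate in DER form, not the CA's.
    The default context also does normal chain and hostname validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Needs network access. Check the main site only: subdomains may use
    # different certificates, so their fingerprints will not match.
    try:
        der = fetch_leaf_der("protonmail.com")
    except OSError as exc:
        print(f"could not fetch certificate: {exc}")
    else:
        for algo, ok in check(der).items():
            print(f"{algo:7} {fingerprint(der, algo)}  {'MATCH' if ok else 'MISMATCH'}")
```

A renewed certificate has a different fingerprint, so compare a mismatch against the values currently published before drawing conclusions.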


We will continue to improve our security protocols and roll out more security features as we scale up. Thanks for all the interest and help from the community!


9 comments

  1. Heyom

    An awesome update!

    Are you planning to implement DANE besides the already implemented DNSSEC in the near future?

  2. Bean

    For those of you perhaps less savvy, make sure you are checking the thumbprint above when you are accessing the main Protonmail site, not the subdomains. If you do it from this page for example, the thumbprint is different.

  3. Steve

    @Heyom – You are 100% correct! I forgot to go to their homepage when I checked the fingerprint & received the above information. Obviously I need more coffee 🙂

  4. Virgil

    Hey guys, how about including Safari in the above list? And maybe taking Mac OS X into account?

  5. ProtonMail Support

    Thank you for the suggestion. We have updated the post to include Safari.

  6. fab

    Please, please do not use any wildcard *.tld.ch certificates – go for EV instead, i.e. the main mailing interface, and use dedicated SSL certs for each site. Thx

  7. Israel

    What about the certificate for v2.protonmail.com? I logged in to download my PGP key and it’s taking forever to decrypt the inbox…is that normal, having very few e-mails? Or am I being man-in-the-middle’d?

  8. ProtonMail Support

    That should not happen. Please contact us on contact@protonmail.ch or via the report bug button.

  9. Raj

    Most confusion happens because people do not know what SSL certificates are and how they work.
