Response to analysis of Proton Mail’s cryptographic architecture

Proton Team

Share this page

Recently, a self-published paper(new window) that was not peer reviewed claimed weaknesses in Proton Mail’s cryptographic architecture. The document is rather dense, and the casual reader is unlikely to be able to understand much beyond the alarming conclusion that there are allegedly “serious shortcomings in Proton Mail’s cryptographic architecture.” Below, we analyze these allegations one by one, so the average reader can judge the merits of these claims on their own.

The summary is that the claims made in this paper are not inherent to Proton Mail’s architecture. Its central assertion can also be made against practically every other end-to-end encrypted service in existence today. We do not believe the paper’s arguments constitute “serious shortcomings,” as we explain below.

Claim 1 – Web applications provide fewer security guarantees

This claim is made in section 5.1.1 of the document. While the author cites Proton Mail specifically, the claim covers all web apps in general. The central claim is essentially the following:

Because the user doesn’t have control over the web server that is providing the web app, any web service provider can change the application that is delivered to end users. This includes potentially providing a malicious application that could compromise the encryption. Because of this, Proton Mail should not provide a web application.

This issue is not specific to Proton Mail, of course, but applies to any web app in existence today. That includes all end-to-end encrypted services which provide a web app (practically all of them). The author’s claims would, therefore, apply equally well to WhatsApp, Telegram, Wire, Tresorit, Threema, etc.

The fact that web apps provide fewer security guarantees is well known and has been known since before Proton Mail was created, and it is also discussed in our published threat model(new window). Where we disagree with the author is that we don’t believe the threat model of web apps is so fundamentally flawed that we need to take the step of not offering a web app at all.

The fact that practically every other end-to-end encrypted service also provides a web app is the surest sign that the modern Internet user requires a web app. Generally speaking, we think calling the differences between web and mobile app threat models a serious flaw in Proton Mail’s cryptography is highly misleading to the casual observer.

At Proton Mail, we have done two things to address the weakness of the web as a platform. First, we also provide native apps on every single platform. Second, we are closely following the work being done in the web standards community to introduce some form of code signing for web apps and will implement these solutions as soon as they mature.

Claim 2 – Encrypt-to-Outside doesn’t protect against a malicious recipient

This claim is made in section 5.1.2 of the document. Proton Mail has an Password-protected Email feature(new window) that lets you encrypt messages sent to Gmail or other insecure email services by protecting it with a password. The recipient of this message receives a link which takes them to a website where they enter a pre-shared password to decrypt the message.

The argument made by the author is that if Google was acting maliciously, Gmail could compromise this communication by replacing the link in the email with a phishing link. Using this malicious link, Google could capture the password entered by the recipient and use it to decrypt the message at the original link.

This is technically true, but it is akin to saying “sending an email to a malicious email service can lead to the malicious service reading your emails.” This is always true, and is true for email in general, and not Proton Mail in particular. So while troubling to contemplate, this is not a Proton Mail flaw, but a flaw of any federated protocol, such as email.

If the recipient’s email service is the probable attacker in your threat model, then you probably shouldn’t email them at that address. However, there is a solution to this problem. If you and your contact both use Proton Mail, then all communications will be automatically protected by end-to-end encryption(new window).

Claim 3 – Weak passwords are weak

This claim is made in section 5.1.3 of the document. The argument is that because Proton Mail stores encrypted copies of the keys, we could potentially launch brute force attacks against these keys (although this is made rather difficult by the bcrypt slow hash that we utilize), and if the passwords are simple, they could potentially be guessed relatively quickly.

It is impossible to deny that weak passwords are weak. Our philosophy is to recommend best practices to users (like using 2FA), but not to force them. From past experience, we know that users prefer to make their own security decisions. That’s why we don’t force a minimum password strength, although we do strongly recommend that users use strong passwords. We don’t agree that this decision constitutes a serious cryptographic shortcoming in Proton Mail however. In future releases of Proton Mail, we will indeed do more to encourage the use of strong passwords.

Claim 4 – Proton Mail authentication doesn’t use zero-knowledge password proofs (ZKPP)

We will not address this claim in depth because the author has removed this claim (Section 5.2 in the document) in later versions of the paper. Proton Mail does, in fact, use the Secure Remote Password (SRP) protocol. However, there are a few things worth mentioning.

First, Proton Mail does provide a two password mode for user authentication(new window), which provides additional security against offline oracle attacks. As TLS would need to be broken first to execute this attack, we do not feel the marginal increase in security is worth the tradeoff in usability, so one password mode remains the default.

Second, our threat model today generally assumes the integrity of TLS. There is a growing body of evidence that suggests it might be time to question this assumption, which poses a serious problem for all online services in existence today. Because of this, many security companies (including us) are actively working on ways to reduce the need to rely on TLS integrity.

Conclusion

Deciding whether these points constitute “serious shortcomings in Proton Mail’s cryptographic architecture” is an exercise best left to the reader. We don’t think they are.

Having said that, we fully believe that security is a moving target. Whether it is introducing stronger cryptography to OpenPGP(new window), following the latest developments in browser code signing, working on combating TLS compromises or introducing advanced security features like Address Verification(new window), we are committed to staying at the forefront of security and cryptography and providing the most secure email service(new window) possible.

This video analysis (published by a third party) also responds to the claimed Proton Mail weaknesses:

You can get a free secure email account from Proton Mail here.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support.

P.S. Proton Mail always welcomes comments and engagement with the security community, whether directly through our open-source software projects(new window), or our bug bounty program(new window). While we do not agree with the conclusions, we still appreciate the author’s comments, which led to us addressing a non-critical bug where the SRP modulus signature was not verified by the Proton Mail web client(new window).

Protect your privacy with Proton
Get a free account

Share this page

Proton Team

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

From having too many inboxes to manage to switching to a new email provider, there are many reasons why you’d want to delete your Gmail account. You might even be concerned that Google is abusing your privacy. Thankfully, you can delete your Gmail a
The first month of 2023 has brought brutal layoffs from Big Tech, a potential ban of TikTok in the US, and another Twitter breach. But the biggest development of this new year has to be the ascent of ChatGPT.  The chatbot can produce remarkably huma
Hackers were able to steal account details from over 200 million Twitter users and posted the database on a hacking forum in early January 2023. These details include users’ email addresses and Twitter handles, allowing people to potentially identify
From your online shopping receipts to financial statements, your emails contain a great deal of sensitive information about your life, interests, and daily schedule. If you’re concerned about your online privacy, it’s therefore vital to keep your inb
At Proton, we’re committed to building privacy-focused products that are convenient to use and improve your productivity. Last year, we released the new mobile apps for Proton Calendar and Proton Drive, letting you manage your schedule and upload imp
Most email services aren’t secure and limit attachment file sizes, but there are ways to send large files securely. If you’ve ever tried attaching multiple images or video files to an email, you’ll know that it doesn’t always work. We explain ways t