ProtonBlog(new window)

Response to analysis of Proton Mail’s cryptographic architecture

Share this page

Recently, a self-published paper(new window) that was not peer reviewed claimed weaknesses in Proton Mail’s cryptographic architecture. The document is rather dense, and the casual reader is unlikely to be able to understand much beyond the alarming conclusion that there are allegedly “serious shortcomings in Proton Mail’s cryptographic architecture.” Below, we analyze these allegations one by one, so the average reader can judge the merits of these claims on their own.

The summary is that the claims made in this paper are not inherent to Proton Mail’s architecture. Its central assertion can also be made against practically every other end-to-end encrypted service in existence today. We do not believe the paper’s arguments constitute “serious shortcomings,” as we explain below.

Claim 1 – Web applications provide fewer security guarantees

This claim is made in section 5.1.1 of the document. While the author cites Proton Mail specifically, the claim covers all web apps in general. The central claim is essentially the following:

Because the user doesn’t have control over the web server that is providing the web app, any web service provider can change the application that is delivered to end users. This includes potentially providing a malicious application that could compromise the encryption. Because of this, Proton Mail should not provide a web application.

This issue is not specific to Proton Mail, of course, but applies to any web app in existence today. That includes all end-to-end encrypted services which provide a web app (practically all of them). The author’s claims would, therefore, apply equally well to WhatsApp, Telegram, Wire, Tresorit, Threema, etc.

The fact that web apps provide fewer security guarantees is well known and has been known since before Proton Mail was created, and it is also discussed in our published threat model(new window). Where we disagree with the author is that we don’t believe the threat model of web apps is so fundamentally flawed that we need to take the step of not offering a web app at all.

The fact that practically every other end-to-end encrypted service also provides a web app is the surest sign that the modern Internet user requires a web app. Generally speaking, we think calling the differences between web and mobile app threat models a serious flaw in Proton Mail’s cryptography is highly misleading to the casual observer.

At Proton Mail, we have done two things to address the weakness of the web as a platform. First, we also provide native apps on every single platform. Second, we are closely following the work being done in the web standards community to introduce some form of code signing for web apps and will implement these solutions as soon as they mature.

Claim 2 – Encrypt-to-Outside doesn’t protect against a malicious recipient

This claim is made in section 5.1.2 of the document. Proton Mail has an Password-protected Email feature(new window) that lets you encrypt messages sent to Gmail or other insecure email services by protecting it with a password. The recipient of this message receives a link which takes them to a website where they enter a pre-shared password to decrypt the message.

The argument made by the author is that if Google was acting maliciously, Gmail could compromise this communication by replacing the link in the email with a phishing link. Using this malicious link, Google could capture the password entered by the recipient and use it to decrypt the message at the original link.

This is technically true, but it is akin to saying “sending an email to a malicious email service can lead to the malicious service reading your emails.” This is always true, and is true for email in general, and not Proton Mail in particular. So while troubling to contemplate, this is not a Proton Mail flaw, but a flaw of any federated protocol, such as email.

If the recipient’s email service is the probable attacker in your threat model, then you probably shouldn’t email them at that address. However, there is a solution to this problem. If you and your contact both use Proton Mail, then all communications will be automatically protected by end-to-end encryption(new window).

Claim 3 – Weak passwords are weak

This claim is made in section 5.1.3 of the document. The argument is that because Proton Mail stores encrypted copies of the keys, we could potentially launch brute force attacks against these keys (although this is made rather difficult by the bcrypt slow hash that we utilize), and if the passwords are simple, they could potentially be guessed relatively quickly.

It is impossible to deny that weak passwords are weak. Our philosophy is to recommend best practices to users (like using 2FA), but not to force them. From past experience, we know that users prefer to make their own security decisions. That’s why we don’t force a minimum password strength, although we do strongly recommend that users use strong passwords. We don’t agree that this decision constitutes a serious cryptographic shortcoming in Proton Mail however. In future releases of Proton Mail, we will indeed do more to encourage the use of strong passwords.

Claim 4 – Proton Mail authentication doesn’t use zero-knowledge password proofs (ZKPP)

We will not address this claim in depth because the author has removed this claim (Section 5.2 in the document) in later versions of the paper. Proton Mail does, in fact, use the Secure Remote Password (SRP) protocol. However, there are a few things worth mentioning.

First, Proton Mail does provide a two password mode for user authentication(new window), which provides additional security against offline oracle attacks. As TLS would need to be broken first to execute this attack, we do not feel the marginal increase in security is worth the tradeoff in usability, so one password mode remains the default.

Second, our threat model today generally assumes the integrity of TLS. There is a growing body of evidence that suggests it might be time to question this assumption, which poses a serious problem for all online services in existence today. Because of this, many security companies (including us) are actively working on ways to reduce the need to rely on TLS integrity.


Deciding whether these points constitute “serious shortcomings in Proton Mail’s cryptographic architecture” is an exercise best left to the reader. We don’t think they are.

Having said that, we fully believe that security is a moving target. Whether it is introducing stronger cryptography to OpenPGP(new window), following the latest developments in browser code signing, working on combating TLS compromises or introducing advanced security features like Address Verification(new window), we are committed to staying at the forefront of security and cryptography and providing the most secure email service(new window) possible.

This video analysis (published by a third party) also responds to the claimed Proton Mail weaknesses:

You can get a free secure email account from Proton Mail here.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support.

P.S. Proton Mail always welcomes comments and engagement with the security community, whether directly through our open-source software projects(new window), or our bug bounty program(new window). While we do not agree with the conclusions, we still appreciate the author’s comments, which led to us addressing a non-critical bug where the SRP modulus signature was not verified by the Proton Mail web client(new window).

Protect your privacy with Proton
Create a free account

Share this page

Proton Team(new window)

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

Your passwords are some of your most sensitive personal information. They’re the keys that allow you to access your online accounts, be it your cloud storage, email inbox, or banking accounts. Proton Pass helps millions of people safeguard their pass
In recent months, we’ve brought a lot of big additions to the Proton ecosystem, such as Proton VPN for Business, Proton Sentinel, Password Sharing in Proton Pass, and Proton Drive photo backups in beta. By comparison, we haven’t said a lot about Prot
Most email addresses use the default domain provided by their email service. For Proton Mail accounts, it’s For Gmail, it’s These are usually free and work just fine for most people. But there are situations where it makes sens
Proton Drive MacOS launch
Cloud storage is a critical piece of our mission to build an internet that protects your privacy and secures your data. It’s where you keep your most sensitive files, from personal photos to identity documents. Unfortunately, the leading cloud storag
How to password protect a folder
Putting a password on your folders is a great way to protect sensitive files while they’re on your system. It’s pretty easy to do regardless of your operating system, and this article will take you through each step. Note though, that password prote
What is encryption?
Encryption is a way to hide information so private data is kept that way. Without encryption, anybody could access your communications. In this article, we go over how it works and some of the different types of encryption there are. The short expla