Our Encrypted Email Service is Safe Against Linux TCP Vulnerability

Share this page

Proton Mail is not vulnerable to the recently announced Linux TCP Vulnerability

Earlier this week, a rather serious Linux TCP Vulnerability was disclosed (CVE-2016-5696(new window)) by security researchers in the US(new window). As a result, Proton Mail’s security team did an analysis of this bug to see if it compromises the integrity of Proton Mail’s encrypted email service. Our analysis shows that this bug did not pose a threat to users of our encrypted email service. Nevertheless, we have taken additional action to further harden Proton Mail’s servers.

Linux TCP Vulnerability

The vulnerability which was discovered has been present in the Linux kernel since 2012 and did impact the kernel version that Proton Mail is running. In order to exploit this vulnerability, an attacker only needs to have the IP addresses of the client and the server, which are not to difficult for a sophisticated attacker to obtain. Due to a rate limit enforced by Linux on TCP challenge ACK packets, it is possible to hijack the TCP connection between server and client. This can be used for example, to hijack HTTP (web) connections to insert malicious code and data into the communications stream.

More critically, this vulnerability can be exploited without needing to have man-in-the-middle (MITM) capabilities. Thus, the attack can also be performed “off-path” without the ability to eavesdrop on the network between server and client, significantly lowering the difficulty of the attack. Additional details can be found in the original research paper(new window).

Protecting our Encrypted Email Service

While this vulnerability sounds severe, its impacted on Proton Mail’s secure email service is quite limited because of the encryption that we utilize. In particular, we enforce HSTS on all of our web servers so all connections must go through HTTPS instead of HTTP. This means that during the period in which Proton Mail was vulnerable, the worst that could be done with this attack is to break the connection. The connection could not be hijacked or have malicious code inserted. You can learn more about HSTS from the following blog post made by Proton Mail Security Contributor Mazin Ahmed: Summary of HSTS Support in Modern Browsers

For your protection, Proton Mail uses Swiss SSL certificates with the highest strength ciphers. Our SSL certificates are issued by Swiss SSL certificate provider(new window) QuoVadis Trustlink Schweiz AG and in addition to HSTS, we also use Extended Validation (EV)(new window), 4096-bit RSA, SHA-256 hash, and Certificate Transparency (CT)(new window) with our SSL certificate. For security reasons, we utilize a very select group of SSL ciphers and use those with Perfect Forward Secrecy as often as possible.

SSL is only one security layer for securing our email service. Along with SSL, we also implement end-to-end encryption(new window) with PGP, and we are also the maintainers of OpenPGPjs, the world’s most widely used open source PGP library(new window). This combination of factors means that we are highly confident that no Proton Mail accounts were compromised as a result of this Linux TCP vulnerability.

Security Improvements

Because CVE-2016-5696(new window) has only just been reported, official security patches for the vulnerability have not yet been officially released upstream. However, we take a very proactive approach to security so our Security Team manually modified the running Linux kernel on all of our servers in order to make them immune to this security flaw. In order to make Proton Mail the world’s most secure email service, our team monitors security developments 24/7 so we can move quickly to mitigate any issues that may come up. For the additional security news and updates, you can also follow us on Twitter(new window).

Secure your emails, protect your privacy
Get Proton Mail free

Share this page

Proton Team

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

Whether it’s personal documents such as your birth certificate or confidential business files like work contracts, we all have sensitive documents we need to store securely. With so many storage options available, it’s important to understand the dif
At Proton Mail, your security is our number one priority. Normally, this means protecting your inbox from unauthorized outside access. However, rather than trying to hack your software, phishing emails try to hack you. By spoofing emails from trusted
Learn all about email clients and why you might use one instead of webmail. If you’ve used an app like Gmail on your mobile phone or Outlook on your computer, you’ve used an email client. We explain how an email client works and the pros and cons of
No email service is completely anonymous. Learn how to send an email as anonymously as possible using private email, aliases, and a VPN or Tor. Do you need to send an email without revealing who you are? Unfortunately, you can’t just sign up for a f
Today, we’re introducing Proton Family, our all-in-one plan to protect your family’s privacy.  When you’re a parent, you do everything you can to prepare for the unexpected and keep your family safe. But extending this protection online is difficult
Starting last year, Google began to increase the number of ads displayed in Gmail. It started with more ads in the Promotions tab on mobile. And now it has grown to include advertising messages between regular emails on Gmail’s desktop site. Gmail u