Proton

Proton Mail SSL certificates and DarkMatter

UPDATE 4 November 2019: We are now using SwissSign AG(yeni pencere) as the certificate authority to issue our SSL/TLS certificate. Learn more about how to verify proton.me’s SSL certificate(yeni pencere).

UPDATE 11 October 2021: We are now using Let’s Encrypt(yeni pencere) as the Certificate Authority that verifies the SSL certificates used to secure the Proton Mail and Proton VPN web sites. For more information on this, and for instructions on how to check the validity of our certificate, please see Proton Mail’s TLS/SSL Certificate(yeni pencere).

Earlier today, the Electronic Frontier Foundation reported(yeni pencere) that the Emirati cybersecurity firm DarkMatter had applied to become a top-level certificate authority. Certificate authorities (CA) issue digital certificates which certify who owns a site, that the connection with a site is secure, and that a third party cannot intercept traffic. If a malignant actor were to become a CA, it could hand out fake certificates and potentially intercept HTTPS traffic.

The EFF article primarily focused on what would take place if DarkMatter, which has been accused of carrying out government surveillance by The Intercept,(yeni pencere) became a top-level CA that is trusted by browsers (which has not happened yet, and is unlikely to happen).

The connection to Proton Mail (and Proton VPN) arose because the Swiss company QuoVadis issued an intermediate certificate to DarkMatter and QuoVadis has also issued a certificate to Proton Mail. The fact that QuoVadis has issued a certificate to DarkMatter has led some people to call for everyone to delete QuoVadis certificates from their browser. This rash action is unwarranted and could lead to many websites not working, including Proton Mail and Proton VPN.

These rumors and allegations are mostly arising from people who do not understand how the CA system works or have incorrect information. Below, we will explain why none of this impacts Proton Mail’s security.

QuoVadis is not DarkMatter

Contrary to what some people have alleged, QuoVadis is not owned or controlled by DarkMatter. QuoVadis is owned by DigiCert, another independent CA. DigiCert is the Internet’s fifth largest CA and one of the largest Internet security companies in the world. It handles certificates and cybersecurity for some of the world’s best-known corporations, including PayPal and Cloudflare.

An intermediate certificate is not a root certificate

DarkMatter has an intermediate certificate issued by QuoVadis, and not a root certificate. This means that ultimately, DigiCert has oversight over all of the certificates which are issued using the intermediate certificate in question. Furthermore, using the Certificate Transparency system, Proton Mail routinely monitors the new certificates that are created. We will know if a new SSL certificate for proton.me is issued without our authorization.

QuoVadis’s certificates remain secure

Just because QuoVadis issued a certificate to DarkMatter, that does not imply that there is a problem with any of the certificates that QuoVadis has previously issued. Users of QuoVadis (in addition to Proton Mail) include switch.ch, the Swiss institution governing the .ch domain, as well as the Swiss federal government, the Canton of Zurich, ETH Zurich, and the Swiss bank Raiffeisen. While we don’t agree with the activities that DarkMatter has been involved in, and we believe that QuoVadis should revoke that certificate, it has no impact on the other certificates that QuoVadis has issued.

There is no reason to delete QuoVadis certificates, and doing so will impair your ability to access the Proton Mail and Proton VPN websites. Proton Mail does not rely on a single root CA to certify our sites, and QuoVadis/DigiCert is just one of the many CAs that we use. We use several CAs to ensure that we can rotate certificates rapidly if there is ever a compromise in the CA system. However, the fact that DarkMatter has been issued a certificate by QuoVadis does not imply that the CA system is compromised.

We routinely evaluate and check which CAs we do business with, and we will express to DigiCert our view that the certificate issued to DarkMatter should be revoked. The actions they take (or a lack of action) will certainly factor into our decision about whether or not we continue working with DigiCert in the future, even though there is no security issue with either Proton Mail or Proton VPN as a result of this certificate.

Best Regards,
The Proton Mail Team

Sign up and get a free secure email(yeni pencere) account from Proton Mail.

We also provide a free VPN service(yeni pencere) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(yeni pencere). Thank you for your support.


İlgili makaleler

Proton Mail and Proton Calendar winter product roadmap
en
  • Ürün güncellemeleri
  • Proton Calendar
  • Proton Mail
Preview upcoming updates to Proton Mail and Proton Calendar, including performance boosts, new features, and enhanced privacy tools.
Gantt chart displaying Proton Drive plans and development of new features
en
  • Ürün güncellemeleri
  • Proton Drive
Discover the tools, features, and improvements coming to Proton Drive’s secure cloud storage and document editor this winter and spring.
laptop showing Bitcoin price climbing
en
  • Gizlilik yol göstericileri
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
  • Ürün güncellemeleri
  • Proton Pass
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.