ProtonBlog(new window)

Introducing Address Verification and Full PGP Support

Compartir esta página

Starting with the latest release of Proton Mail on web (v3.14)(new window), iOS and Android (v1.9), and the latest versions of the Proton Mail IMAP/SMTP Bridge(new window), Proton Mail now supports Address Verification, along with full PGP interoperability and support. In this article, we’ll discuss these two new features in detail, and how they can dramatically improve email security and privacy.

Address Verification

When Proton Mail first launched in 2014, our goal was to make email encryption ubiquitous by making it easy enough for anybody to use. This is no easy feat(new window), and that’s probably why it had never been done before. Our guiding philosophy is that the most secure systems in the world don’t actually benefit society if nobody can use them, and because of this, we made a number of design decisions for the sake of better usability.

One of these decisions was to make encryption key management automatic and invisible to the user. While this made it possible for millions of people around the world to start using encrypted email without any understanding of what an encryption key is, the resulting architecture required a certain level of trust in Proton Mail.

While a certain level of trust is always necessary when you use online services, our goal is to minimize the amount of trust required so that a compromise of Proton Mail doesn’t lead to a compromise of user communications. This is the philosophy behind our use of end-to-end encryption(new window) and zero-access encryption(new window), and it is also the philosophy behind Address Verification(new window).

Prior to the introduction of Address Verification, if Proton Mail was compromised, it would be possible to compromise user communications by sending to the user a fake public encryption key. This could cause email communications to be encrypted in a way that an attacker, holding the corresponding fake private key, could intercept and decrypt the messages (this is also known as a Man-in-the Middle attack, or MITM), despite the fact that the encryption takes place client side.

Address Verification provides an elegant solution to this problem. We consider this to be an advanced security feature and probably not necessary for the casual user, but as there are journalists and activists using Proton Mail for highly sensitive communications, we have made adding Address Verification a priority.

How Address Verification works

Address Verification works by leveraging the Encrypted Contacts(new window) feature that we released previously. Starting with the latest version of Proton Mail, when you receive a message from a Proton Mail contact, you now have the option (in the Proton Mail web app) to Trust Public Keys for this contact. Doing so saves the public key for this contact into the digitally signed contacts, so it is not possible to tamper with the public encryption key once it has been trusted.

This means that when sending emails to this contact, it is no longer possible for a malicious third party (even Proton Mail) to trick you into using a malicious public key that is different from the one you have trusted. This allows for a much higher level of security between two parties than is possible with any other encrypted email service. You can learn more about using Address Verification(new window) in our knowledge base article.

PGP Support

At the same time as Address Verification, we are also launching full support for PGP email encryption. As some of you may know, Proton Mail’s cryptography is already based upon PGP, and we maintain one of the world’s most widely used open source PGP libraries(new window). PGP support is also an advanced feature that we don’t expect most users to use. If you need secure email, the easiest and most secure way to get it is still to get both you and your contact on Proton Mail, or if you are an enterprise, to migrate your business to Proton Mail(new window).

However, for the many out there who still use PGP, the launch of full PGP support will make your life a lot easier. First, any Proton Mail user can now send PGP encrypted emails to non-Proton Mail users by importing the PGP public keys of those contacts. Second, it is also possible to receive PGP email at your Proton Mail account from any other PGP user in the world. You can now export your public key and share it with them.

Therefore, your Proton Mail account can in fact fully replace your existing PGP client. Instead of sharing your existing PGP public key, you can now share the PGP public key associated with your Proton Mail account and receive PGP encrypted emails directly in your Proton Mail account.

If you are an existing PGP user and you would like to keep your existing custom email address (e.g. john@mydomain.com), we’ve got you covered there, too. It is possible to move your email hosting to Proton Mail and import your existing PGP keys for your address, so you don’t need to share new keys and a new email address with your contacts.

If you are using PGP for sensitive purposes, this might actually be preferable to continuing to use your existing PGP client. For one, PGP is fully integrated into Proton Mail, encryption/decryption is fully automated, and the new Address Verification feature is used to protect you against MITM attacks. More importantly though, Proton Mail is not susceptible to the eFail class of vulnerabilities(new window), which have impacted many PGP clients, and our PGP implementations are being actively maintained.

You can find more details about using PGP with Proton Mail here(new window).

Introducing Proton Mail’s public key server

Finally, we are formally launching a public key server to make key discovery easier than ever. If your contact is already using Proton Mail, then key discovery is automatic (and you can use Address Verification to make it even more secure if you want). But if a non-Proton Mail user (like a PGP user) wants to email you securely at your Proton Mail account, they need a way to discover your public encryption key. If they don’t get it from your public profile or website, they are generally out of luck.

Our public key server solves this problem by providing a centralized place to look up the public key of any Proton Mail address (and non-Proton Mail addresses hosted at Proton Mail).

Our public key server can be found at hkps://mail-api.proton.me. This link is used for HKP requests and cannot be accessed with a browser. However, if you want to download the public key of a Proton Mail user, copy and paste the following link into your browser — https://mail-api.proton.me/pks/lookup?op=get&search=username@proton.me — and replace the “username@proton.me” with the address you’re looking for.

Concluding thoughts on open standards and federation

Today, Proton Mail is the world’s most widely used email encryption system(new window), and for most of our users the addition of Address Verification and PGP support will not change how you use Proton Mail. In particular, setting up PGP (generating encryption keys, sharing them, and getting your contacts to do the same) is simply too complicated, and it is far easier for most people to simply create a Proton Mail account and benefit from end-to-end encryption and zero-access encryption without worrying about details like key management.

Still, launching PGP support is important to us. The beauty of email is that it is federated, meaning that anybody can implement it. It is not controlled by any single entity, it is not centralized, and there is not a single point of failure. While this does constrain email in many ways, it has also made email the most widespread and most successful communication system ever devised.

PGP, because it is built on top of email, is therefore also a federated encryption system. Unlike other encrypted communications systems, such as Signal or Telegram, PGP doesn’t belong to anybody, there is no single central server, and you aren’t forced to use one service over another. We believe encrypted communications should be open and not a walled garden. Proton Mail is now interoperable with practically ANY other past, present, or future email system that supports the OpenPGP standard, and our implementation of this standard is also itself open source(new window).

We still have a long way to go before we can make privacy accessible to everyone, and in the coming months and years we will be releasing many more features and products to make this possible. If you would like to support our mission, you can always upgrade to a paid plan(new window).

Thank you for your continued support!

Sign up and get a free secure email account from Proton Mail. 

We also provide a free VPN service(new window) to protect your privacy.

Proteja su privacidad con Proton
Crear una cuenta gratuita

Compartir esta página

Andy Yen(new window)

Andy is the founder and CEO of Proton. He is a long-time advocate for privacy rights and has spoken at TED, Web Summit, and the United Nations about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in particle physics from Harvard University.

Artículos relacionados

en
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
en
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
en
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
en
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail
what is a digital footprint
en
  • Lo básico sobre privacidad
What you do online isn’t private. Everything you do leaves behind some kind of mark. This trail is often referred to as a digital footprint, and it’s used to track you in many different ways. In this article, we go over what a digital footprint is, h
en
In February 2024, media reported that Indian authorities may decide to block Proton Mail. Proton Mail is still available in India despite any reports suggesting otherwise.  In response to hoax bomb threats that were sent through Proton Mail, some me