ProtonMail

ProtonMail Demystified

10 min readJul 29, 2014

The history of ProtonMail, a secure webmail service, began in the summer of 2013, when a group of scientists from CERN (The European Organization for Nuclear Research) joined forces to work on improving privacy on the Internet. Their startup, ProtonMail, went to the semifinals of the 2014 MIT 100K Entrepreneurship Competition.

That achievement was a key step in getting others to notice them and start talking about ProtonMail around the world. From that moment on, the project developed very rapidly.

History of development

On May 15th, 2014, open beta-testing of ProtonMail began. However, there were so many people wishing to register and get an account that administrators had to close registration and post a subscription form to collect applications for an account. The company plans to send invitations for future registrations gradually, once they have increased their server capacity.

On June 17th, the ProtonMail team launched a campaign to raise funds for the development of the project on indiegogo.com — https://www.indiegogo.com/projects/protonmail/. The aim of the campaign was to get US $100,000, which would be used for the purchase of servers and to allow the team to work full-time on the development of the service. Letters with invitations to support their project were sent to users waiting for their accounts. In just a few days, the goal was achieved. At the time of this writing (July 30, 2014), the total amount raised was US $ 538,130 (more than 5 times the set goal!). The main incentive offered for supporting the project was gaining priority access to the ProtonMail service.

Obtaining access to ProtonMail

It was very interesting for me to learn what ProtonMail actually is and how it works. Unfortunately, I could not get an account when the registration opened, so I submitted a request for one. Once I learned that they had launched an indiegogo campaign, I was more than happy to support it and get priority access to ProtonMail.

In six hours, I received an email with a link to activate my new ProtonMail account. Registration was simple, and took about a minute.

Creating a ProtonMail account

To create an account, two passwords are required: one to log in to your account, and another so-called “mail password” to encrypt and decrypt emails.

The password to access your account is used by ProtonMail for authentication, just like other websites on the Internet, including webmail services. This password can be changed in your account settings.

The “mail password” is never transmitted outside the user’s computer, and is used to generate a key for message encryption. This password cannot be recovered; if it gets lost, access to the mailbox contents will also be lost. Note also that this password cannot be changed, as explained on the ProtonMail FAQ page:

Can I change or reset my Mailbox password?
No. Your MailBox Password is tied to all of your emails because it is used to encrypt all of your messages. If you were allowed to change this, then all of your current and past messages would be undecryptable and unreadable.

To log in, a user uses his account password, then enters the mail password used to decrypt the contents of messages directly on his computer. This ensures that no access to the contents of the messages can be obtained by anyone but the user ̶ at least in theory. In reality, there are still risks if the ProtonMail system is compromised (see below).

What does ProtonMail look like and how does it work?

ProtonMail is a webmail-only service. There is no support for POP3/IMAP/SMTP, as all cryptographic functions are implemented in JavaScript code running in the user’s web-browser.

After logging into your account for the first time, you will see a welcome message from the ProtonMail team. It briefly explains what data gets encrypted, the main features and how it is possible to use ProtonMail to communicate with users of other mail services like Gmail, Hotmail, etc.

The core features of ProtonMail include:

Emails interchanged between the users of ProtonMail are always encrypted automatically and users don’t need to do anything for that. It’s all done seamlessly.
Attached files are not encrypted, as noted in the welcome email. However, it is also noted that this feature is planned for future implementation.
Ability to send encrypted email to a recipient not using ProtonMail. In this case, the recipient receives an email with a link. Clicking the link leads to a webpage on ProtonMail with a request to enter a password to access the contents of the encrypted message. This password is set by the ProtonMail customer before sending an encrypted message to a non-ProtonMail user.

Ability to specify message expiry time. This option is available when sending email both to other ProtonMail users and to third-party e-mail services. At the expiration time set by the customer, the email message is deleted and disappears from the mailbox, and the link sent to non-ProtonMail users stops working.
Ability to receive messages from third-party services. In this case, the contents of the messages are unencrypted, as with any standard webmail service.

User Interface

All basic formatting options are supported: bold & italic fonts, headings, lists and the ability to edit messages in raw HTML.

All emails are kept in folders: Inbox, Sent, and Drafts. You can view only one message at a time. Displaying the full conversation as a thread is not implemented.

When you create a new email message, you can specify the addresses of copy recipients using CC (everyone can see to whom the copies were sent) or BCC (recipients cannot be seen by other recipients in the address list).

Service Cost

The ProtonMail service is free, but there are limitations. The available storage is limited to 100 MB and the allowed number of emails is restricted to 500 messages per month. The company plans to offer paid business accounts in the future, with 1 GB of storage available for emails and no limit to the number of messages you can send. There will also be an option to use your own domain name with business accounts.

Integration with other services and applications

Integration with other services and applications is not currently available. There is no open API. All cryptographic functionality is implemented in JavaScript and runs in user’s web browser.

Storing messages

All messages sent and received between ProtonMail users are stored on ProtonMail servers in encrypted form. Nothing is cached or stored on the client side.

When an unencrypted message is received from a third-party email service, even after it’s read it remains unencrypted in the Inbox and is not saved in encrypted form. It would be great if ProtonMail could add a feature to save these messages in encrypted form and delete the unencrypted messages!

When a message is sent to a third-party service in unencrypted form, it is also saved in the user’s Sent folder in encrypted form.

There is currently no option available to export (download) an archive of all the customer’s emails.

Search

Emails may be searched by sender name, by subject, and by the text of the message, if it is stored in unencrypted form. Remember that unencrypted emails are only those received from third-party services.

Encryption keys storage

The private encryption key is stored on ProtonMail servers but it is protected by your mail password. That is what the mail password is used for: to decrypt your private key. This system is necessary to allow encryption to work when you use different devices or web browsers to access ProtonMail. The private key is not saved to Local Storage of the user’s web browser, unlike many other secure webmail services (see below). The option to import or export the private key is not available.

Technical Implementation

OpenPGPjs (http://openpgpjs.org) is used for message encryption. During the user session, the mail password is stored in a fully unencrypted state (without obfuscation) in the Session Storage of the web browser (http://en.wikipedia.org/wiki/Web_Storage).

ProtonMail uses asymmetric encryption (also known as public-key cryptography) implemented in JavaScript running in a web browser.

For more information, see this Wikipedia article about public-key cryptography: http://en.wikipedia.org/wiki/Public-key_cryptography Unfortunately, the subject may be quite difficult to understand for a non-tech-savvy average Joe.

Security

There are countless online discussions about the security of client-side cryptographic systems like ProtonMail, where executable code is given to a user by the service itself at the time of accessing the service. For example, there is an excellent article in English by Matasano Security at http://matasano.com/articles/javascript-cryptography/ which should answer almost any technical question the reader may have.

To briefly summarize these discussions, at any time the encryption service could pass a modified version of its executable code (for example, at the request of law enforcement agencies), which could capture the user’s mail password or send all emails in unencrypted form.

Note that the ProtonMail team is based in Switzerland, where they claim they cannot be legally obligated to create a backdoor in the service. The full text of their explanation is available at https://protonmail.ch/blog/switzerland/. However, this is somewhat speculative, as there are no well-known precedents available to the public.

In any case, the service’s ability to change the executable code at any time is a serious drawback and concern, since these changes can be targeted at a specific user. When cryptographic functionality is implemented in a stand-alone application or, even better, on the operating system level, such targeted updates are much less likely to occur and much more difficult to implement and execute. Of course, there are no bulletproof solutions, but developers should always strive to implement the best possible option.

The executable Javascript code running browser-side may be subject to XSS attacks. With ProtonMail, as with any other webmail service, an attacker can send a specially crafted email that bypasses the built-in protection against XSS attacks and executes the malicious code to gain access to the user’s mail password (in ProtonMail’s case) or simply intercepts the decrypted contents of messages. ProtonMail relies on the js-xss library (https:// github.com/leizongmin/js-xss) for protection against XSS attacks.

Besides filtering the content of messages, one should not forget that mail headers used to carry extra information like the sender’s email address, the message subject and so on, can also be malformed in a special way when receiving emails from third-party services. All ProtonMail accounts have the ability to receive messages from third-party services, and it is not possible to disable it in account settings.

At the beginning of June, a vulnerability in ProtonMail was discovered which allowed it to execute an arbitrary JavaScript code on the computer of an unsuspecting user to gain full access to his mailbox. This vulnerability was discovered by Mike Cardwell and reported to the ProtonMail team. After the vulnerability was fixed, he disclosed the information at https://news.ycombinator.com/item?id=7850953. ProtonMail gave him credit on their web site at https://protonmail.ch/blog/protonmail-security-contributors/, confirming Cardwell’s finding.

So this particular security issue was fixed, but do we know if any other vulnerabilities exist in ProtonMail’s JavaScript code running browser-side? How many more are there, just waiting to be found and exploited by hackers or law enforcement officers?

Similar projects

Mailpile (https://www.mailpile.is) — an open-source project under active development. It’s a webmail application only, with no dedicated email services. Like ProtonMail, it runs in a web browser and is implemented in JavaScript. The goal of the project is to make cryptography available to non-tech-savvy users.

A unique feature of this project is the ability to search the content of encrypted messages. As explained at https://www.mailpile.is/faq/, an index is created to make it possible to search, but the actual content of the index is stored in a hashed (one-way encrypted) form.

It is not specified whether MD5/SHA or MAC hash functions are used. In case of MD5/SHA hashes, such an implementation is extremely unsafe because of the possibility of determining keywords that appear in the original encrypted content. All an attacker has to do is calculate hashes for dictionary words and compare the lists. The correct implementation of the search functionality is crucial to security.

Lavaboom (https://lavaboom.com/en/) — a secure webmail service similar to ProtonMail. The cryptography is implemented in JavaScript and the code is executed in a web browser.

Scramble (http://dcposch.github.com/scramble) — an open-source project utilizing OpenPGPjs, just like ProtonMail. This is a relatively young project and is not in active development. I included it in the list to give a broad picture of the services available on the market.

OpenMailBox (https://openmailbox.org) — encryption is implemented in JavaScript using the OpenPGP plugin for Roundcube webmail client software. The user’s private key is stored in the browser’s Local Storage.

Unseen (https://unseen.is) — another secure webmail service; instant messaging and voice calling services are also available. There are clients for mobile and desktop platforms. Unseen also uses Roundcube with OpenPGP plugin.

The desktop version of Unseen is available on Windows, Mac OS and Linux (Ubuntu). It is a native application acting as a wrapper and contains an embedded version of their website.

What’s the solution?

Using a stand-alone application for encrypted content, well-known implementations of cryptography (no custom-built in-house solutions) and certain restrictions for the sake of safety (such as restricting the ability to receive emails from third-party services to minimize the possibility of successful attacks) is the best solution for secure email services.

Developers who successfully implement public-key cryptography as an easy-to-use feature for non-tech-savvy users, compatible with popular email clients like Apple Mail, Microsoft Outlook or any other stand-alone or built-in email software, will win the loyalty of their customers and become a huge success!