Software:ProtonMail

Short description: End-to-end encrypted email service
Proton Mail
Available in: English, Catalan, Chinese, Dutch, French, German, Hungarian, Italian, Japanese, Polish, Romanian, Russian, Spanish, Turkish, Portuguese, Ukrainian
Owner: Proton AG, Geneva, Switzerland
Website: proton.me/mail
Commercial: Yes
Registration: Required
Launched: May 16, 2014
Current status: Online
Web client
Repository: github.com/ProtonMail
Written in: JavaScript and PHP

Proton Mail (previously written as ProtonMail) is an end-to-end encrypted email service founded in 2013 in Geneva, Switzerland.[5] It uses client-side encryption to protect email content and user data before they are sent to Proton Mail servers, unlike other common email providers such as Gmail and Outlook.com.[6] The service can be accessed through a webmail client, the Tor network, or dedicated iOS and Android apps.[7]

Proton Mail is run by Proton AG (formerly Proton Technologies), which is based in the Canton of Geneva, Switzerland.[8] The company also operates Proton VPN, Proton Drive and Proton Calendar. Proton Mail received initial funding through a crowdfunding campaign. Although the default account setup is free, the service is sustained by optional paid services. Initial membership was by invitation only; however, beginning in March 2016, Proton Mail was opened to the public. Acquiring more than 2 million users by 2017,[9] membership grew to almost 70 million by 2022.[10]

History

On May 16, 2014, Proton Mail entered into public beta.[11] It was met with enough response that after three days they needed to temporarily suspend beta signups to expand server capacity.[12] Two months later, Proton Mail received US$550,377 from 10,576 donors through a crowdfunding campaign on Indiegogo, while aiming for US$100,000.[13] During the campaign, PayPal froze Proton Mail's PayPal account, thereby preventing the withdrawal of US$251,721 worth of donations. PayPal stated that the account was frozen due to doubts about the legality of encryption, statements that opponents said were unfounded.[14][15] The restrictions were lifted the following day.[16]

On March 18, 2015, Proton Mail received US$2 million from the non-profit Fondation Genevoise pour l'Innovation Technologique (FONGIT) and Charles River Ventures, although by 2022, the company no longer had venture capital investors.[17][18] On 14 August 2015, Proton Mail released major version 2.0, which included a rewritten codebase for its web interface. On 17 March 2016, Proton Mail released major version 3.0, which saw the official launch of Proton Mail out of beta. With a new interface for the web client, version 3.0 also included the public launch of Proton Mail's iOS and Android beta applications.[19]

On January 19, 2017, Proton Mail announced a Tor onion site.[20] On November 21, 2017, Proton Mail introduced Proton Mail Contacts, a zero-access encryption contacts manager. Proton Mail Contacts also utilizes digital signatures to verify the integrity of contacts data.[21] On 6 December 2017, Proton Mail launched Proton Mail Bridge, an application that provides end-to-end email encryption to any desktop client that supports IMAP and SMTP, such as Microsoft Outlook, Mozilla Thunderbird, and Apple Mail, for Windows and macOS.[22]

On July 25, 2018, Proton Mail introduced address verification and Pretty Good Privacy (PGP) support, making Proton Mail interoperable with other PGP clients.[23]

The source code for the back-end remains closed source.[24][25] However, Proton Mail released the source code for the web interface under an open-source license.[26] Proton Mail also open sourced their mobile clients for iOS and Android,[27][28] as well as the Proton Mail Bridge app.[29]

In September 2020, Proton Mail helped found the Coalition for App Fairness, which aims to gain better conditions for the inclusion of their apps in app stores.[30] Proton also founded the Coalition for Competitive Digital Markets, which brings together 50+ European tech companies supporting open, interoperable and competitive digital markets.[31]

In May 2022, Proton AG updated the visuals, user interface, and logos of all its products, including Proton Mail, to achieve a consistent design throughout its software. Proton Mail's subscription now includes access to all Proton VPN, Proton Calendar, and Proton Drive.[32]

Encryption

Proton Mail uses a combination of public-key cryptography and symmetric encryption protocols to offer end-to-end encryption. When a user creates a Proton Mail account, their browser generates a pair of public and private RSA keys:

  • The public key is used to encrypt the user's emails and other user data.
  • The private key capable of decrypting the user's data is symmetrically encrypted with the user's mailbox password.

This symmetrical encryption happens in the user's web browser using AES-256. Upon account registration, the user is asked to provide a login password for their account.

Proton Mail also offers users an option to log in with a two-password mode that requires a login password and a mailbox password.

  • The login password is used for authentication.
  • The mailbox password encrypts the user's mailbox that contains received emails, contacts, and user information as well as a private encryption key.

Upon logging in, the user has to provide both passwords: one to access the account, the other to unlock the encrypted mailbox and its private encryption key. The decryption takes place client-side, either in a web browser or in one of the apps. The public key and the encrypted private key are both stored on Proton Mail servers. Thus, Proton Mail stores decryption keys only in their encrypted form, so Proton Mail developers are unable to retrieve user emails or reset user mailbox passwords.[33] This system absolves Proton Mail from:

  • Storing either the unencrypted data or the mailbox password.
  • Divulging the contents of past emails but not future emails.
  • Decrypting the mailbox if requested or compelled by a court order.[34]

Proton Mail exclusively supports HTTPS and uses TLS with ephemeral key exchange to encrypt all Internet traffic between users and Proton Mail servers.

In September 2015, Proton Mail added native support to their web interface and mobile app for PGP. This allows a user to export their Proton Mail PGP-encoded public key to others outside of Proton Mail, enabling them to use the key for email encryption. Proton Mail also supports PGP encryption from Proton Mail to outside users.[35]

Email sending

An email message sent from one Proton Mail account to another is automatically encrypted with the public key of the recipient. Once encrypted, only the private key of the recipient can decrypt the message. When the recipient logs in, their mailbox password decrypts their private key and unlocks their inbox.

Email messages sent from Proton Mail to non-Proton Mail email addresses may optionally be sent in plain text or with end-to-end encryption. With encryption, the message is encrypted with AES under a user-supplied password. The recipient receives a link to the Proton Mail website on which they can enter the password and read the decrypted message. Proton Mail assumes that the sender and the recipient have exchanged this password through a backchannel.[33] Such email messages can be set to self-destruct after a period of time.[36]
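The key handling described under Encryption and the two sending paths described here can be sketched with Node.js's built-in crypto module. This is an added illustration, not Proton Mail's code: the scrypt key derivation, AES-256-GCM mode, RSA-OAEP padding, the per-message session key and every function name are assumptions of the sketch, since the article states only that RSA and AES-256 are used.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Password -> 256-bit AES key. scrypt is this sketch's choice of KDF (assumption).
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// AES-256-GCM encrypt; returns everything needed to decrypt except the key.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// AES-256-GCM decrypt; throws if the key is wrong or the data was modified.
function unseal(key, box) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Signup, in the client: returns the record the server stores.
// It holds the public key and the wrapped private key, never the password.
function createAccount(mailboxPassword) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const salt = crypto.randomBytes(16);
  const wrappedPrivateKey = seal(deriveKey(mailboxPassword, salt), Buffer.from(privateKey));
  return { publicKey, salt, wrappedPrivateKey };
}

// Sender: encrypt the body with a random session key, wrap that key with RSA.
function encryptTo(publicKey, message) {
  const sessionKey = crypto.randomBytes(32);
  return {
    wrappedSessionKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey),
    body: seal(sessionKey, Buffer.from(message, 'utf8')),
  };
}

// Recipient's client at login: password -> private key -> session key -> body.
function readMessage(record, mailboxPassword, envelope) {
  const pem = unseal(deriveKey(mailboxPassword, record.salt), record.wrappedPrivateKey);
  const sessionKey = crypto.privateDecrypt({ key: pem.toString(), ...OAEP }, envelope.wrappedSessionKey);
  return unseal(sessionKey, envelope.body).toString('utf8');
}

// Message to an outside recipient: AES under a password shared out of band.
function encryptForOutsider(sharedPassword, message) {
  const salt = crypto.randomBytes(16);
  return { salt, box: seal(deriveKey(sharedPassword, salt), Buffer.from(message, 'utf8')) };
}

function readAsOutsider(sharedPassword, sealed) {
  return unseal(deriveKey(sharedPassword, sealed.salt), sealed.box).toString('utf8');
}

// Constructed sample run: the right password decrypts, a wrong one is rejected.
function demo() {
  const record = createAccount('correct horse battery staple');
  const envelope = encryptTo(record.publicKey, 'Meet at noon.');
  let wrongPasswordRejected = false;
  try { readMessage(record, 'wrong password', envelope); } catch { wrongPasswordRejected = true; }
  return {
    plaintext: readMessage(record, 'correct horse battery staple', envelope),
    wrongPasswordRejected,
  };
}
```

The record returned by `createAccount` is all a server would need to hold in this model, which is why losing the mailbox password makes the stored mail unrecoverable.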

Location and security

Both Proton Mail and Proton VPN are located in Switzerland to avoid any surveillance or information requests from countries under the Fourteen Eyes,[37] and/or under government surveillance laws such as the United States' Patriot Act or outside the bounds of law.[38] The company claims that it is also located in Switzerland because of its strict privacy laws.[39]

As of October 2022, Proton Mail supports two-factor authentication with TOTP tokens or U2F for its login process.[40][41]

In 2018 Nadim Kobeissi published an article arguing that as Proton Mail was generally accessed through a web client, "no end-to-end encryption guarantees have ever been provided by the Proton Mail service."[42]

In 2021, Proton Mail's security and cryptographic architecture were both independently audited by Securitum, a leading European security auditing company, who uncovered no major issues or security vulnerabilities, and the audit results were publicly published.[43]

Data portability

Proton Mail limits data portability by locking support for external email client software through IMAP and POP3 protocols behind a paywall. As of 2021, users are unable to back up their email account locally without paying.[44]

Data centers

Proton Mail maintains two data centers, one in Lausanne and another in Attinghausen (in the former K7 military bunker under 1,000 meters (3,300 ft) of granite) as a backup. Since the servers are located in Switzerland, they are legally outside of the jurisdiction of the European Union, United States, and other countries. Under Swiss law, all surveillance requests from foreign countries must go through a Swiss court and are subject to international treaties. Prospective surveillance targets are promptly notified and can appeal the request in court.[45]

Each data center uses load balancing across web, mail, and SQL servers, redundant power supply, hard drives with full disk encryption, and exclusive use of Linux and other open-source software. In December 2014, Proton Mail joined the RIPE NCC in an effort to have more direct control over the surrounding Internet infrastructure.[46]

DDoS attacks

From November 3-7, 2015, Proton Mail was under several DDoS attacks that made the service largely unavailable to users.[47] During the attacks, the company stated on Twitter that it was looking for a new data center in Switzerland, saying, "many are afraid due to the magnitude of the attack against us".[48]

In July 2018, Proton Mail reported it was once more suffering from DDoS attacks. CEO Andy Yen claimed that the attackers had been paid by an unknown party to launch the attacks.[49] In September 2018, one of the suspected Proton Mail attackers was arrested by British law enforcement and charged in connection with a series of other high-profile cyberattacks against schools and airlines.[50]

Blocks

Belarus

On November 15, 2019, Proton confirmed that the government of Belarus had issued a block across the country of Proton Mail and Proton VPN IP addresses. The block was no longer in place four days later. No explanation was given to Proton Mail for the block, nor for the block being lifted.[51]

Russia

On January 29, 2020, the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media reported that it had implemented a complete block of Proton Mail services within Russia.[52] As a reason for the block, it cited Proton Mail's refusal to give up information relating to accounts that allegedly sent out spam with terror threats.[53][54] However, Proton Mail claimed that it did not receive any requests from Russian authorities regarding any such accounts.[55][56] In response to the block, the Proton Mail Twitter account recommended legitimate users circumvent the block via VPNs or Tor.

In March 2020, the company announced that even though the Russia ban was not particularly successful, and the service continues to be largely available in Russia without using a VPN, Proton Mail will be releasing new anti-censorship features in both Proton Mail and Proton VPN desktop and mobile apps which will allow more block attempts to be automatically circumvented.[57]

Compliance with Swiss court orders

According to Proton Mail's transparency report, it is legally obligated to follow Swiss court orders if Swiss law is broken, and in 2020 Proton Mail received 3,572 orders from Swiss authorities and contested 750 of them.[58] Due to the encryption utilized, Proton Mail is unable to hand over the contents of encrypted emails under any circumstances, but according to Proton's privacy policy, Proton Mail can be legally compelled to log IP addresses as part of a Swiss criminal investigation.[59] For this reason, the company strongly suggests that users who need to hide their identity from the Swiss government use their Tor hidden service/onion site. In May 2022, Proton updated its privacy policy and made explicit a separate privacy policy for its Proton VPN service, which has a different treatment under Swiss law and has a strict no-logs policy which was also confirmed by an external audit.[60]

Notable cases involving Swiss court orders include a case involving death threats made against well-known immunologist Anthony Fauci and a case against French citizens charged with theft and destruction of property.[61][62] After these cases, in October 2021, Proton Mail won an important Swiss court victory that confirmed that email services cannot be considered telecommunications providers, and consequently are not subject to the data retention requirements imposed on telecommunications providers.[63]

Account types

As of February 20, 2023, Proton Mail offers the following account types for individuals:[64]

| Account type | Messages per day | Storage | Aliases | Custom domains | Price | Support |
| Proton Free | 150 | 1 GB | 1 Address | - | Free | Limited Support |
| Proton Unlimited | Unlimited | 500 GB | 15 Addresses | 3 | €11.99 /mo or €119.88 /yr | Priority Support |

As of February 20, 2023, Proton Mail offers the following account types for businesses:[65]

| Account type | Storage | Aliases | Custom domains | Price | Hide My Email aliases |
| Mail Essentials | 15 GB | 10 Addresses | 3 | €6.99 /mo | - |
| Business | 500 GB | 15 Addresses | 10 | €10.99 /mo | Unlimited |
| Enterprise | Customizable | Customizable | Customizable | Customizable | Customizable |

References

  1. "iOS mobile app repository". github.com/ProtonMail/ios-mail. Proton AG. 11 December 2019. https://github.com/ProtonMail/ios-mail. 
  2. "Android mobile app repository". github.com/ProtonMail/proton-mail-android. Proton AG. 24 April 2020. https://github.com/ProtonMail/proton-mail-android. 
  3. "Proton bridge repository". github.com/ProtonMail/proton-bridge. Proton AG. 24 April 2020. https://github.com/ProtonMail/proton-bridge. 
  4. "LICENSE". github.com/ProtonMail/WebClient. Proton AG. 25 December 2021. https://github.com/ProtonMail/WebClients/blob/main/LICENSE. 
  5. O'Luanaigh, Cian (23 May 2014). "CERN inspires entrepreneurs for email encryption". https://home.cern/news/news/computing/cern-inspires-entrepreneurs-email-encryption. 
  6. Saxena, Kumkum, Dev Rajdev, Divesh Bhatia, and Manav Bahl. "ProtonMail: Advance Encryption and Security". 2021 International Conference on Communication Information and Computing Technology (ICCICT). 
  7. "ProtonMail, the Easy-to-Use Encrypted Email Service, Opens Up to the Public". 17 March 2016. http://motherboard.vice.com/en_ca/read/protonmail-the-easy-to-use-encrypted-email-service-opens-up-to-the-public. 
  8. "Registre du Commerce du Canton de Genève". République et canton de Genève. 18 July 2014. https://ge.ch/hrcintapp/externalCompanyReport.action?companyOfrcId13=CH-660-1995014-1&ofrcLanguage=4. 
  9. "Fighting Censorship with Proton Mail Encrypted Email Over Tor". 19 January 2017. https://proton.me/news/tor-encrypted-email. 
  10. Edelman, Gilad (25 May 2022). "Proton Is Trying to Become Google—Without Your Data" (in en-US). Wired. ISSN 1059-1028. https://www.wired.com/story/proton-mail-calendar-drive-vpn/. Retrieved 2022-05-27. 
  11. "Proton Mail Unveils an Overdue Makeover and New Features" (in en-us). 8 June 2021. https://gizmodo.com/protonmail-unveils-an-overdue-makeover-and-new-features-1847054759. 
  12. "Über-Secure ProtonMail Beta Maxes Out Servers in Just 60 Hours". 22 May 2014. https://www.infosecurity-magazine.com/news/uber-secure-protonmail-beta-maxes-out-servers-in/. 
  13. Yen, Andy (31 July 2014). "Proton Mail". https://www.indiegogo.com/projects/protonmail/#/. 
  14. Halfacree, Gareth (1 July 2014). "ProtonMail hit by PayPal account freeze". https://www.bit-tech.net/news/tech/software/protonmail-paypal/1/. 
  15. Howell O'Neill, Patrick (1 July 2014). "PayPal freezes account of email encryption startup Proton Mail [Update]". https://www.dailydot.com/layer8/paypal-protonmail-freeze/. 
  16. Yen, Andy (30 June 2014). "Paypal Freezes Proton Mail Campaign Funds". https://proton.me/news/paypal-freezes-protonmail-campaign-funds. 
  17. "Proton Mail has raised $2M USD". 18 March 2015. https://www.startupticker.ch/en/news/march-2015/protonmail-has-raised-2m-usd. 
  18. "Meet the Proton team". 25 May 2022. https://proton.me/about/team. 
  19. "Announcement: Proton Mail has launched worldwide!". 17 March 2016. https://proton.me/news/protonmail-launch-worldwide. 
  20. Martin, Alexander J. (19 January 2017). "Proton Mail launches Tor hidden service to dodge totalitarian censorship". https://www.theregister.co.uk/2017/01/19/protonmail_launches_tor_hidden_service/. 
  21. "Introducing Proton Mail Contacts – the world's first encrypted contacts manager". 21 November 2017. https://proton.me/news/encrypted-contacts-manager. 
  22. M., Irina (6 December 2017). "Introducing Proton Mail Bridge, email encryption for Outlook, Thunderbird, and Apple Mail". Proton Mail Blog. https://proton.me/news/thunderbird-outlook-encrypted-email. 
  23. "Introducing Address Verification and Full PGP Support - Proton Mail Blog" (in en-US). Proton Mail Blog. 25 July 2018. https://proton.me/news/address-verification-pgp-support. 
  24. Proton Mail [@Protonmail] (25 September 2020). "@TheEvanCarroll That is correct. We don't have a stand-alone back-end that can be installed for small deployment, because our backend software is optimized for large deployments with millions of users and distributed infrastructure." (in en). https://twitter.com/Protonmail/status/1309380464118030342. 
  25. "Proton Mail responds on Reddit". 2 April 2019. https://www.reddit.com/r/ProtonMail/comments/b847n7/it_has_been_7_months_since_protonmail_said_we_are/ejysilb/. "We don't plan to open source the back-end code, because it doesn't add trust (users can't verify what code is running on the backend) and doing so would given away information about how we do anti-spam and anti-abuse." 
  26. "Proton Mail goes Open Source with version 2.0". 13 August 2015. https://proton.me/news/protonmail-secure-email-open-source. 
  27. "Proton Mail iOS app is open source" (in en-US). 2019-10-30. https://proton.me/news/ios-open-source. 
  28. "The Proton Mail Android app is open source" (in en-US). 2020-04-23. https://proton.me/news/android-open-source. 
  29. "Proton Mail Bridge is open source on macOS, Windows, and Linux" (in en-US). 2020-04-15. https://proton.me/news/bridge-open-source. 
  30. Amadeo, Ron (2020-09-24). "Epic, Spotify, and others take on Apple with "Coalition for App Fairness"" (in en-us). https://arstechnica.com/gadgets/2020/09/epic-spotify-and-others-take-on-apple-with-coalition-for-app-fairness/. 
  31. "Coalition for Competitive Digital Markets" (in en-US). 2021-10-21. https://competitivedigitalmarkets.eu/. 
  32. Khalili, Joel (25 May 2022). "Proton Mail rebrands as Proton: VPN, email and cloud storage now available under one bundle". https://www.techradar.com/news/protonmail-rebrands-as-proton-vpn-email-and-cloud-storage-now-available-under-one-bundle. 
  33. Stockman, Jason (22 May 2014). "How are Proton Mail keys distributed?". https://security.stackexchange.com/questions/58541/how-are-protonmail-keys-distributed/58552#58552. 
  34. Khandelwal, Swati (26 May 2014). "Proton Mail: 'NSA-Proof' End-to-End Encrypted Email Service". https://thehackernews.com/2014/05/protonmail-nsa-proof-end-to-end.html. 
  35. Yen, Andy (22 September 2015). "Proton Mail adds Facebook PGP integration". https://proton.me/news/protonmail-facebook-pgp. 
  36. "Proton Mail Security Details". 31 January 2016. https://proton.me/mail/security. 
  37. Koch, Richie (2018-08-30). "The Five, Nine, and Fourteen Eyes agreements (Explained)" (in en-US). https://protonvpn.com/blog/5-eyes-global-surveillance/. 
  38. Koch, Richie (2020-05-18). "Congress renewed the Patriot Act. Here's how to avoid surveillance." (in en-US). https://protonvpn.com/blog/patriot-act-surveillance/. 
  39. "Why Proton Mail is in Switzerland" (in en). 19 May 2014. https://proton.me/news/switzerland. 
  40. "Two Factor Authentication (2FA)". https://proton.me/support/two-factor-authentication-2fa. 
  41. "Protect your Proton Account with YubiKey and other security keys". October 13, 2022. https://proton.me/blog/security-keys. 
  42. Kobeissi, Nadim (September 6, 2021). "An Analysis of the ProtonMail Cryptographic Architecture". https://eprint.iacr.org/2018/1121.pdf. 
  43. "Securitum Security Report". https://protonmail.com/blog/wp-content/uploads/2021/07/securitum-protonmail-security-audit.pdf. 
  44. "How to import and export emails - Proton.me". https://proton.me/support/export-import-emails. 
  45. "Process of Proton Mail" (in en). 2022-03-30. https://emailsdesk.com/protonmail-com-login/. 
  46. Yen, Andy (2014-12-17). "Proton Mail RIPE announcement" (in en). https://proton.me/news/protonmail-joins-reseaux-ip-europeens-ripe-ncc. 
  47. Leyden, John (5 November 2015). "Proton Mail still under attack by DDoS bombardment". https://www.theregister.co.uk/2015/11/05/protonmail_ddos_attack/. 
  48. @ProtonMail (5 November 2015). "We are seeking a datacenter in Switzerland brave enough to host ProtonMail, many are afraid due to the magnitude of the attack against us.". https://twitter.com/ProtonMail/status/662212032368889856. 
  49. Lynch, Justin (2 July 2018). "Proton Mail CEO: 'The attacks are continuing'". Sightline Media Group. https://www.fifthdomain.com/critical-infrastructure/2018/07/02/protonmail-ceo-the-attacks-are-continuing/. 
  50. "Apophis Squad member responsible for attacks against Proton Mail has been arrested - Proton Mail Blog" (in en-US). Proton Mail Blog. 6 September 2018. https://proton.me/blog/apophis-squad-arrest/. 
  51. "Is Proton Mail blocked in Belarus?". 15 November 2019. https://proton.me/blog/blocked-belarus/. 
  52. Tsydenova, Nadezhda; Ivanova, Polina (January 29, 2020). "Russia blocks encrypted email service Proton Mail". Reuters. https://www.reuters.com/article/us-russia-protonmail/russia-blocks-encrypted-email-service-protonmail-idUSKBN1ZS1K8. 
  53. "Почтовый сервис Proton Mail заблокировали в России из-за сообщений о минированиях" (in ru). 2020-01-29. https://www.kommersant.ru/doc/4234867. 
  54. "Russia Blocks Encrypted Swiss Email Service Proton Mail" (in en). 2020-01-29. https://www.themoscowtimes.com/2020/01/29/russia-blocks-encrypted-swiss-email-service-protonmail-a69088. 
  55. "Proton Mail не получала просьб о помощи в поисках лжеминеров" (in ru). https://www.interfax.ru/world/693178. 
  56. "Россия не обращалась за информацией о "минерах", заявили в Proton Mail" (in ru). 2020-01-29. https://ria.ru/20200129/1564015317.html. 
  57. "We are rolling out technologies which will help us better overcome attempts to block Proton Mail." (in en). 2020-03-13. https://www.reddit.com/r/ProtonMail/comments/fhig4f/we_are_rolling_out_technologies_which_will_help/. 
  58. "Transparency Report". 2021-09-10. https://proton.me/legal/transparency. 
  59. "Proton Privacy Policy". 2022-05-25. https://proton.me/legal/privacy. 
  60. "Proton VPN Passes Its Latest No-Logs Audit". 2022-04-21. https://www.cnet.com/news/privacy/protonvpn-clears-its-latest-no-logs-audit/. 
  61. Silva, Gioia da (2021-08-04). ""If you say the word compulsory vaccination again, I'll knock your and your wife's teeth out": The Swiss service Proton Mail is repeatedly misused for threats". Neue Zürcher Zeitung. https://www.nzz.ch/technologie/wie-weit-geht-die-privatsphaere-beim-schweizer-service-protonmail-ld.1638648?reduced=true. 
  62. "Important clarifications regarding arrest of climate activist". 2021-09-06. https://proton.me/news/climate-activist-arrest. 
  63. Shields, Michael (2021-10-22). "Secure email group Proton wins Swiss appeal over surveillance rules" (in en). Reuters. https://www.reuters.com/technology/proton-wins-swiss-court-appeal-over-surveillance-rules-2021-10-22/. 
  64. "Proton - Pricing". https://proton.me/pricing. 
  65. "Proton for Business plans and pricing". https://proton.me/business/plans. 