Sparks's Journal

A review of ProtonMail

Update (2018-07-25)

Shortly after publishing this original post, many of my concerns were addressed. ProtonMail now supports sending mail that is signed and/or encrypted using OpenPGP. This is a huge benefit to the secure-email community. It is also possible to use your own key which allows me to use a trusted key that is already known to the community. There were other features added which are important to securing the overall infrastructure. ProtonMail seems to continue to make strides to make a more secure world for those of us that care about our privacy.

Original Post

There are several "private" email providers that advertise encrypted email storage as well as other security services to help protect your privacy and data online. ProtonMail may be one of the unique providers that actually hides their servers inside a mountain in Switzerland affording them both physical and political (legal) protections beyond what other providers can offer. While some of the features offered by ProtonMail are truly unique in the arena of even private-email providers and should be lauded by the information security community, several implementations of these features, and some policies, are down right confusing and break traditional functionality that many are used to.

As a user of the service over the past few months, there have been times when I’ve both wanted to shake the hands of the developers as well as shout in frustration at how a feature was implemented. Today, I’ll try to document some of the pros and cons that I would have wanted to know before moving my email over to the service.

OpenPGP integration

The ProtonMail website and blog both discuss the storage of email on their servers as being encrypted with OpenPGP. This prevents ProtonMail admins, attackers, and anyone else trying to gain access to the email stored on the server, from gaining access to the contents of your messages. It should be stressed that like using OpenPGP elsewhere, only the contents of your message is encrypted and the metadata is stored as clear text.

Example message showing headers and encrypted message content.

Message headers
Return-Path: <b064692dc3aeric=xxxxx.xxx@bounce.twitter.com>
X-Original-To: eric@xxxxx.xxx
Delivered-To: eric@xxxxx.xxx
Received: from spring-chicken-ay.twitter.com (spring-chicken-ay.twitter.com
 [199.16.156.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested) by mail7i.protonmail.ch (Postfix) with ESMTPS id
 EF8879A for <eric@aehe.us>; Wed, 25 Apr 2018 13:25:48 -0400 (EDT)
Authentication-Results: mail7i.protonmail.ch; dmarc=pass (p=reject dis=none)
 header.from=twitter.com
Authentication-Results: mail7i.protonmail.ch; spf=pass
 smtp.mailfrom=b064692dc3aeric=aehe.us@bounce.twitter.com
Authentication-Results: mail7i.protonmail.ch; dkim=pass (2048-bit key)
 header.d=twitter.com header.i=@twitter.com header.b="H/vMx/GD"
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=twitter.com; s=dkim-201406;
 t=1524677147; bh=4NeEOW9arAfrKKWvbk9bnhcwwDTKYhfDutmOK5OPhYw=;
 h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:
  Message-ID; b=H/vMx/GDy8+VZZ0eKryrypRl3XrBEy6lTe/cigpg2ZU2snGvDAhaMgoyTCsOObtEv
  m4DEt+65Ppveo2Vg89KHP2n0MofYrNcaYYcsHZ8xo+Su493KXN5ISQ+0bkxYo/YVW1
  4v3wypNoidcH6ZDv7/omk1izHF3uVGPyAyv13MZVihEoi94op5PYJhhAy2gz1pAP+8
  dmifS879PRvONdLMm0dVeXNHs5ipv2wuTDcuV2Oyx5gWuz/OHPO0oVedbLA11YmlZM
  nl+yd1TkifymWmIXgk48UyFidWi199HchGGVp6gRoVBnkHL95T3o7RReB9bzXPZUs/
  jBi0M7NK/uzAQ==
X-Msfbl: prnBZH2LJPOZNGLnvH+vormIocunIZh2f4jqKVkU6iU=|eyJnIjoiQnVsayIsImI
 iOiJhdGxhLWFwcC0zMS1zcjEtQnVsay4xODQiLCJ1IjoiZXJpY0BhZWhlLnVzQGl
 pZCMjNGUzYzBmNzc4ZjQ0NGIyMmI0ZjEwOGI1ZjkxMmJhYTVAdXNiIyMyNEAyNDR
 AMTQ1NzI4OTQyQDBAOGVjMDc5ZGRkNjJhNzlhYzE2NDhlOWFiNzFlMDhkYjY0Mzk
 4NDdjZiIsInIiOiJlcmljQGFlaGUudXMifQ==
Date: Wed, 25 Apr 2018 17:25:47 +0000
From: Twitter <info@twitter.com>
To: Eric Christensen <eric@xxxxx.xxx>
Subject: Updates to our Terms of Service and Privacy Policy
Mime-Version: 1.0
Content-Type: text/html
Precedence: Bulk
Message-Id: <34.41.29484.B1AB0EA5@twitter.com>
X-Spam-Status: No, score=-0.1 required=4.0 tests=DKIM_SIGNED,DKIM_VALID,
 DKIM_VALID_AU,HTML_MESSAGE,SPF_PASS,T_DKIMWL_WL_HIGH,T_KAM_HTML_FONT_INVALID
 autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on maili.protonmail.ch
X-Pm-Origin: external
X-Pm-Content-Encryption: on-delivery
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

-----BEGIN PGP MESSAGE-----
Version: ProtonMail
Comment: https://protonmail.com

wcFMA+sbho89QNYoAQ//erXt5x50TA3FpejptOumiUEukB8HcGvpqJd23ykH
nJ9HR1edbfOfB7GY1OsMWkfnRZWxJc22x5VQ0wT5UVkpSABy6FegQuLEJCIO
x123n0VqxUuSENaLM6ZPO++Pb+NNpbzEm3MSAqcyQ54LZorrYg8YPAe7m3m0
czVHdxFTMn5F8GH05vCDn8dKTla2IMC7lmUJqNmHoggT7IE7VV1RSH+ewmlw
XVmpZCkA0l7gPas5KBNp/HhrME6BsWDB1S8frlmqMOPmcHT5EuQKDd2RVCfW
rNLPQg427/XjJKTWDB2MPYFmx+nm2u4rPfiOSIqefGVkDwvg/rRudYylbCK6
stoxhnefiCghZiaRXd27wCBaeWJiO5iGIBAkvCPlou26tVyXsByvryPXYidM
EJWmB3kDev+V1Y8L7C89FNnD3daG/awDBzauw5bK6JX3UJZUCbYaPbJGnUQV
qDxVq5Zj+w7c+t///GDI100v1yq2dBH2Xh96Yw0qp2eQX/cqxf87sy3lhZAo
UwVGLhfDZOPweYHUTtcTru7JmeP4cFBR0M7wuNVA8PUmK1xTxBglX0degPQe
vvmCbyvKJQ2O+olk8Zm2B01StAG+zUUo0swsmVkQ/VH1GPT/F7tk2CFhIU03
se94pR0wzcY9OMWTj15/L+vPnALnoTlcP6pXrQRez9TSzDEB64MSH7dvrY7P
n9J4jEU6DYClMxRC9Wtwkjuo9ZBJs9mRPlZMG2M31agkH2916CvsIAkHFYYh
HEkuQ72/hQaabLTho6PekJRVbJmHwUthhaTo3C6z1/CHOzftx8g3gqRixY65
MDOb4D0MiJIYLO4bbq+hJVCPdqKX9GNHx+yfgUhjPdkCjteTEaRBhYUczaEC
BEvjjp/NCoM/PEBZI3DbtJrpr3n3sLqOMiH4auOAEkw2Sn/i0Yyi/ZV8aVuN
pCo4wWfJraMxGLmjmML3IXgmMdEF2ZifhxeQBqv15XH9zDOatpa5hQjWtO+F
RQ/EW9fThlRPAxJ+TrQSZVOoOXhoAmkbQVy9MRg1rSuvTw+J5f1ZjrQAD1Fy
g85Fq9CBr7GqQx16JEfshrZSlr6jgSldo4L/YGp5odXb+H4u5UHBAGSEWbZP
WiH5pEV1De7axaPmV5VlEt9JoiX35h7thrwYl+Bkzq+l8bTuRKMCm+u89Q/G
e9grt9H3pUs4rCCLpFC97ahhLQ0Sn4HgPhifS4Wc9YU+3RW3P+1TEDPXH1dT
4F2GWPu/M40RiXV2stHIh7pvLI/ngSDDXPu3Z9ptolc4kAB9SH5lf+X7gb7p
Xn11fObxUKgS0kv5HR5tQ1LrdVOvfZq80D2P2+eZnc02ba0Somzzc3DnKLEK
melC9Fi+bRE2t0FhHVphKBBbIfFtXIfYFwiPr+yYD/mEY2jTSjw7aJYgHixd
iSWCgk5z7GJg/uw+0ZmuDXPLZD//hOA1V++mo/9Jruk6saek3z7XT80pEorM
1Kx8+wysTJhinHnPUPngKaLlr82C8nrxY7kNViKfz7igq39HiaeaYyu8oWLU
4SrsuMifk9G0qtrLcbMSsf/Em/GQUpPobvUudzGi3CmVigBVkcJT+U+lfVGl
dM88ue/kmXmE87zOqVY3ZaZc8QZK2GQ1DlrS7cUR+vh5rJkyqG9oBJaVqoeE
0gliaUeprBaD8tzOuGcgE2wNWN4ilC3tyC97TtYsVFCExis2iq/hL6L0hNcC
U6Lw53DsHczZpDxvNFKUAmG1ehJMsfwS2BycEmTc30MMK1UuJFFZrc6dj2ps
M+g66m5amTfub6Hwli3/lrr83cLB6MR09Hh5NQpKFeFjPX/IWY19OHD2FwwT
TLKx3mQdrFdbYPJc7iCp85xmZgHA8856EN3E/xc0u+HI4Ol+Yw0GXygib+bY
j0ast/dt7qHMk6gKf/uroW7gxsJ0g5gPx09c2Yg1R5pH7mk8b4j/Zpvv2/Nc
vygf1LxjPbKEEt5wUH96xoVQPOblGesuut9AzCxxxc+otufTmKzXq4x6Q79a
2LNAYLZZeXPhVzx1xJ89zTXvKo0vJQhxrqDT53IT3YJmZlVKqYyw9CWSa+rD
rhibwwI8w5cRtCWDXSSKxbH1jsFtsWHezssu1l4mrielDquTOHfPWNGANnJC
uzwuvQXBIwfmsIePMJObqlw4oUIrST5tk2KzEV1h7sxTW8tDdtQ2vlTwZKv8
l+PlPMDk8eur0qNm9XawePdXbIzOZ2XI/LePtl40oESa3tZbux3s+/BuJfuY
fWEUG1exXTAPBPOOO67lrBNjuD/VOhr+frG3M4isSeUuaBdgTKzcubdy8LkC
ckTuiMoPV+UO7b80fDZP5yUFyurTE+O2BHU65mWOMes1+WjpcFgAlIGLZH37
Rc5WwW0X7HHrCiHcJQgnpCkafdnNe+ChcoSNXuH+MDzULljSX046kTK/t3Xf
LcTO0xAE8jrJj1oWdKn1zdNnPvtK/HaKmS/HEvKcFMqa8/WobB3HlqkO2FVS
ATiDW4vgGS2jlBkDgWcmigh+Sv5SGyQAG6zj8xl8/NRxJ3e+cXMSdkdXcpq4
HGc8wQxpJA4o7mHgVdj1QB2KA1CfIjDKnovKnZdzuVG9M/DuBtZ8BIfxiFCV
F8D9pClVBq1N/gv2xpS32wRWqkCalYAjQXCHFlYWbbhAQnXBLeruTELvNv1A
3sz/xvRQrmrm8+d72yXQB2QsW4mAZpqBF82YqyVkyKyGK5jUMrZdi4T9PwTL
bNfleyYc40IEP63EjC9CUsrJCuQuNxc/zkNz11UyFiDedf0mIMF/YReIm2/P
FikAMlET3z7sqpuqRXYPc2LqmbWKm0yL6gwSmX7nodVQuPg6BQEijC7CwXPw
GjqDoqepchb3t0/txIwXW6T313Rm7wqAFuNUCYX/j1Sl+UZLahPgoBhENd/E
Cal9O5udE+m/HCf1gh18MiDsTZE8uqsHjsXioAJfF256RXaiOanoD4AHty5J
rmbiT6rX85AZ2qoxb7acLWLGljpJ7TFx+ZGdfEDpXtCU/37Ye7gNOyfsmbTb
lZH9a+sFdpIbSE06MVxyQ10BJ6WzbwX+FY7MWLA4eZ/TVo2WA/JuOCcOHwgR
Cf+OpLQxXqoc19wV4WC+BRYNo5/VwrHH+9kFzUPU0i1YldrJ3Nz0EaD31OxY
W9DJSdnWuZOs0tdwDXp1T27o/2i9I5JNqmJYHeJ8LtdRBCzv0my3pSOZrHOv
sBe6w+yTEgyIXRmF0Acp9R9CoLjKdFsC11kgbZsQmY6JU9p+OKrQpMzZ1/9g
/XeUrndjpO1G3LWENLCyA/W31GFravGFCJiDGGv2Eedi0hKOY3hS222T9uWB
a2PcG5olLb1kXgUSXpcHOlsRR4CKXoLIMYMMvhvjihx3gsK54WSzqwolfN9Z
TwOrMFkun56qFTQY1sYSSvMh9iwtt7kOIu5bziJ6F/2/mybV1BTj444v0OVY
J5TNNjIJcVtTj/qYMU0832i6Lye4DrwmUyKDKoPlH/9gD1qO95gezXDh7Sa3
qItnNj5iCapfU3BPv6hbw39x/gpXx2Qj2+dBh2x4F1SjLcou5ZpxckaxPLWj
eGa4fW0J1HjAAo7KUFJuVoWgpHLbSTcEbJxqCEELLWjtykVL8fFsoGn+fk+D
ie7WdqZKVyEUb4g8c6JRDTexQGxAOnATp+BsGTVcGoW1mgPEVjQkeusfWBaE
n7yaGnoqkycEPxqpHMbpq/aITYqWTU09I5EDZyG3gCxlMk4S4oDJgbSYYn1A
x7OMfq/Zu+vrOUp9yobk84FFX+Qr7+Khbx88814K50BdH2HgXIen7XZ7sW5i
aytN//5McfWY+Y+UrhJ+eRK2XoUqERw4JIP28qbkMYLAGR20dyCAJXUy1Avx
vn6KudjRowMdob+0Lrc/scisUUxBTHHcSfbuaOWjFwn6V09VWUtQLv169nzQ
uKzhPVpgeU7h4ZlaOCA6Ns92v3dn6bQv4G6V1IWwYUuG28mscoVqRFbVviq/
wvkY9FQBhgbGottqyuNQD/FIlvMz7yRD58BVZokvHMx8ZqTYIdj+nc5RVBAa
nE90IBCt0Iqy6zDdWCpUpLI+ZALzzzZE/govoB/GLUSF3G1xCOPcFGNpxPB8
pNHr5qqKD3kWoTVbLDIQYpxzwzHYq6OViwZ+y6d+9dpaaCML8Y5aAircBi8J
n72AodmXfEfCajupgjvh29Ft1r/RWh18JfxuM6pBvdMGekchSKkHpHu1RCNn
KplMIjurt1IVMuM5QlqgcugjckElXNuUATLxfiqMI1swDX6ARq5m30q5SFB6
V6vxBBKBavO4kNP/s3qJpMpodWyDaU0lso+Y36ALr3Ll+Yxke0Wl3trRPxGB
R3OsxDwrNBDakLntL+zntu99A4lAdd1FgouQ+112U7p53pkdpf4ELFCgU7nh
qCMg1spqpA0Kmm72QzOrVZVdaGdpkKZkduOjnG+CRLgpPbfxnE6QOlsSewj/
Mu/PNxfrMZbJwZ36locA+iVsMaqL9i1jSEtR9eTogqZNH6gd4Nbq6VydWNVd
axetcgw81CSOfC1im32yeVL/felFUeeUQhVCtc5EF7ESwENKbe7JOyqYcEAb
5dSwdzPbaITsKQG4hbkNZhtuKw/TTezD4soKQzdZACDQjSrsTKhh5eXZZRzI
nyKxrQx+ecNBNRDVyNJk1dhiKj2vELJFCple/8Rd+AqRZi0YfsXE8cHVBM1U
qNH6lLxlAku+/5YgmLu/ZF3dUDNa/WP7Tp7LYzhVoXJUQP7I1KpSebseEq3V
pPKpnOEucYYQjZBCkq7KQdaufF0rvCCCdoT7kzqsux7LXB5p6qxhgFN17FP2
/u9NxZYHVbT6Xw/wu/DkKyPlzxH3JN3ZnoRgGYzoDX4PzGQaMJvEG4kf/Y/1
xoQQqk8duBKKpVVTyWcf2cPSjynDyOqCKdXUwWBrsY5TE3mfQVuDZvKFQGNP
p1FaNtZJ04VcCIvl1/A7FUafQurAq+kyQWDzVJUXkCznOFtBaTWdGD0ozVUM
JeUA7uRuTzS2i/cPKgGsdOLNSjcUxviN5wdRELPWth21wSFJEOOeJxM3BtQd
TXeqy/MVDIRfZCw7odrqsRpX
=RxF7
-----END PGP MESSAGE-----

One feature that may not be immediately apparent is that because an OpenPGP key pair has to be created for each account in order to store messages encrypted, this key pair can also be used by external users to send encrypted messages to you. This provides a real end-to-end encryption (E2EE) solution for users. The private key, necessary for decrypting the messages, is stored encrypted on the server and is decrypted with your ProtonMail password. Also, any message sent to or received from a ProtonMail user is automatically encrypted.

One problem that has been found in this process is if you try to use your own OpenPGP keys on top of, or in lieu of, the ProtonMail encryption, bad things happen. One might take a standard PGP-encrypted message, and try to insert it as plain-text in the email content field. ProtonMail will take this message and munge it to the point that what actually gets sent may or may not be decipherable. Similar things happen when someone sends a message to a ProtonMail user using a different key than what ProtonMail is expecting. This is unfortunate as someone wanting to provide an additional layer of security, by using a key pair that they physically control, is unable to do so.

Another problem in this system is the lack of sending messages encrypted with OpenPGP. If a ProtonMail user is sending a message to an external-to-ProtonMail user, they cannot encrypt the message with OpenPGP. This can be a confusing bug as the opposite is possible.

The solution, by the way, provided by ProtonMail is to provide a password (OpenPGP being used to do symmetric encryption?) that can then be passed to the external user by a separate means, for them to be able to open the message using a special URL. The problem, of course, is getting the password to the external-user in a secure method.

Lastly, at this time it is impossible to rekey your account so if, some how, the OpenPGP keys needed to be superseded it could not be done.

Webmail and IMAP/SMTP

ProtonMail’s webmail is nice and feature-rich but not overly confusing to use. There is also a security benefit to having one’s messages physically stored on the server with no real way to export them. Because everything was always on the server, there would never be a local copy that could be stolen (encrypted or not). Of course this also limited the ability of people to be able to move away from ProtonMail, if they chose to do in the future, as their data would be forever locked away and they couldn’t bring it with them.

I frown on vendor lock-in on every level and this was a big lock-in. The developers kept talking about the forthcoming ProtonMail Bridge which was to provide local decryption of messages and a local IMAP and SMTP server that would allow local clients to connect to the ProtonMail email servers and download their messages (along with sending and receiving messages outside of the webmail GUI). When the official release came I was extremely disappointed to see that while Windows and macOS were both supported, the Linux version was still marked as "Coming Soon" (and still is as of this writing). It was only much later that I happened to find an utterance of a beta program for the Linux Bridge that I could join to get early access. As I’m not shy about beta testing software, I submitted my request and was rewarded with a download URL link. Since then I’ve been using the webmail instance, Thunderbird, and the mobile app and haven’t found any issues with the Bridge causing problems. This does solve my vendor lock-in fear as I can pull my messages out and move to a different provider at any time.

SMTP limits

Here’s the one big issue that is not technical in nature and is causing me some major headaches: limits to the number of addressees on an outgoing message.

ProtonMail doesn’t explicitly tell you what the limit is for the number of people you can send a message to but may mention that there is a limit. That number, by the way, is 25. Sure, how often do I send a message to twenty-five individual addresses? Not often! But when I do, I really need to… R I G H T N O W!

Here’s my use-case: I am on a search and rescue team that uses email for disseminating information quickly to a large number of email addresses. The last mission I was on I found myself as first on scene and needed to convey where the incident command post was setting up. If only I could do something simple like replying-to-all on the message I had just received to let everyone know to meet me at the intersection I’m standing in. Nope, could not do it.

ProtonMail support will tell you that this "feature" is in place to protect the reputation of ProtonMail and not allow it to become a haven for spammers. While I can sympathize with their problem, I feel this is not the way to go about fixing the problem. In my case, it has limited the ability of a paying customer to legitimately do work. And this is a unique "feature" among email service providers.

Tor

ProtonMail also supports Tor users with an .onion address to access their services. This means that you can connect to ProtonMail over Tor end-to-end which helps reduce the attack surface of the communications going across the Internet. Overall, this is a positive step for helping people preserve their privacy through anonymity but there is one piece that seems to have been left out: .onion email addresses.

There are some email providers that provide .onion addresses for people to use exclusively on the Tor network. None of the providers have been anyone that I would trust my messages with, long-term, only because I fear they may disappear tomorrow. ProtonMail is different in that regard and it would be very interesting to see them take on this as a challenge.

Overall feel

Overall, I like what ProtonMail is trying to do. For the average person it probably works very well. But as soon as you try to push the system to where you expect it to be, disappointment appears on the horizon.

I was a paying member before I started using the service full-time because I believed in what they were trying to do. I am used to dealing with software bugs and testing software to find flaws so many of the downfalls I’ve spoken about are things that I’m sure will be remedied soon. The sticking point, to me, is the self-imposed limit to addressees in outgoing mail for paying customers. I’m not exactly sure how I want to deal with this bug but it may curtail my funding the project in the end.

Sparks's Journal

Other articles

Securing email to Gmail

RFC: Using video conferencing for GPG key signing events

Signing PGP keys

caff …

PGP Keysigning Event and CACert Assertion at SELF2014

Generating a PGP key using GnuPG

Secure E-mail

Secure GnuPG configuration

Inadvertant data leakage from GnuPG

How PGP actually works...

Hashing Algorithm: Is your GPG configuration secure?

New year, updated keys.

GeekNote: PGP/GnuPG Key Statistics Tools

Protecting your email from disclosure

Expiring OpenPGP keys...