ProtonMail's highly questionable PGP implementation

I recently did some research on how ProtonMail’s PGP encryption works. As an advanced user, I was looking forward to using an email host in Switzerland who is supportive of PGP and has a good record in relation to privacy. I can secure my own PGP keys and wouldn’t trust a web client for anything where security matters.

Unfortunately I have discovered that their entire system is not usable with any key they do not control. In my opinion, this means:

  • Claim to “Zero Access to User Data” is incorrect. All they need to do is send a specially crafted web page to the target to access the gpg key.
  • Any desktop client must use their closed-source “Bridge”. Bridge can steal the key, etc.
  • The Bridge will reject any properly E2EE email where the user alone controls their key (as they always should!).
  • Support suggested that I upload my private key to resolve the issue – WTF?

A while back, I tried to sign up over Tor and found it was basically impossible to do without revealing my real-world identity via credit card (much worse than gmail). Bitcoin payments were not possible via Tor.

Seems like the information on (all green) is not painting an accurate picture.

Am I alone here or should I suggest changes?


More info about PGP + IMAP posted on reddit:

I have discovered that their entire system is not usable with any key they do not control.

You can have more than one OpenPGP key, you could have a keypair which they control and a keypair that they do not (ie you haven’t uploaded). The second keypair would not be able to be used within webmail however.

  • Claim to “Zero Access to User Data” is incorrect. All they need to do is send a specially crafted web page to the target to access the gpg key.

With keys they do control they are symmetrically encrypted with a passphrase. They would need that passphrase to be able to decrypt your email.

The threat model they aim for is providing encryption E2EE for everyone and to have a reasonably easy user experience.

This they do achieve. It’s not new to suggest native OpenPGP implementations are more secure (everyone knows this), but realistically the threat from this vector is rather low. See The ProtonMail Threat Model. Also relevant video Is ProtonMail lying about their encryption?.

Remember ProtonMail could monitor all incoming metadata on their external relays. Email is really only “secure” to a certain degree.

  • Any desktop client must use their closed-source “Bridge”. Bridge can steal the key, etc.

The bridge uses their HTTP API which has been reverse engineered, see hydroxide. I expect source code for the bridge will be available after their audit.

  • Support suggested that I upload my private key to resolve the issue – WTF?

That is the intention for webmail, if you desire higher security then I’d simply have two private keys, one you share and one you don’t.

  1. You do not need to use your key inside PM; just do it by hand (manually).
  2. They encrypt your key (yes, I asked their support team).
  3. I did not try the Bridge, so idk.
  4. I remember there was an argument about how PM can access your email because they lied about Zero Knowledge with some stuff, and how their web client is bad and can easily get affected. I talked with PM personally and they told me that if they want to do it they just can do it, so it depends on how much you trust the team out there.

Thanks for the response Daniel.

Yes, but there is almost nothing preventing them (or anyone with access to their infrastructure, government order, rogue employee, etc) from retrieving my passphrase. I must enter it into the closed source Bridge, or, for web mail, I must enter it into a web page. The bridge binary or code for that web page can do whatever it likes with my passphrase – including making copies, decrypting the key, etc. It could do this in a targeted way (to prevent a wider recognition from the community for example).

I understand that UX is challenging. Creating a secure, E2EE webmail platform may be impossible, but any reasonable attempt should start with a trust anchor which can’t be modified by anyone but the user – hardware token, or software outside the web page, etc. They could do this if they really cared, but instead they seem to claim it is “good enough” or “better than gmail”.

Give me access to their servers (to change their source code) and I guarantee I could read people’s email. Their security claims simply rely on trusting them. In the end, this is the same as Gmail, etc – just trust them. OpenPGP was designed so that this “trust” is not necessary – just needs to be used correctly.

Thanks for pointing out hydroxide, I’ll look into whether they allow previously encrypted email to simply pass through.

Yes, I desire higher security. Unfortunately Bridge will not let me use the key they don’t control. It literally blocks encrypted + signed email. Using it inside web mail would be very awkward (lots of copy + paste, downloads, no search, etc) – so I would not use for web mail.

Thanks @esmailelbob

  1. I don’t see the security of using a key which I must share with another. So, yeah, I want to use standard IMAP+SMTP to send, receive email that is signed + encrypted with Open Source software + hardware they do not control. Unfortunately they don’t support this and will block such email.
  2. Yes, they encrypt the password and they (or anyone else with access to their source code, servers, etc) can also decrypt the password, key and everything encrypted with the key.
  3. Bridge (or hydroxide) is the only way to reasonably use your own email client. It should also allow use of your own key I believe.
  4. Not sure what you are saying here, but yes, they can access email if they want to. It is just a bit trickier than with other email providers. This is disappointing and definitely not what is written on their website:

“we don’t have the technical ability to decrypt your messages, and as a result, we are unable to hand your data over to third parties. With ProtonMail, privacy isn’t just a promise, it is mathematically ensured.”

It is not mathematically ensured if they decide to take a copy of the key.

I’m really hoping someone will come along and say I am misunderstanding, but as a web developer and expert PGP user, I don’t see how they can guarantee they have no access with this particular design.

It could be much better and it feels like we should hold them to actually try and implement a system that gives them “Zero Access to User Data”.

That video, if you watched it, summarizes this argument; essentially it comes down to threat model. I highly suggest you watch it, as opposed to repeating the same points which I previously answered.

The intended use of ProtonMail is external threats, ie dragnet surveillance. Using their webmail does achieve this. ProtonMail themselves say that it is not supposed to allow you to be the “next snowden” without any kind of precautions.

Doing something as dangerous as being “the next snowden” would require you to know your way around software, what is safe, what is dangerous etc. People with a threat model such as that would be more than capable of using any email and a GnuPG capable mail client, eg Thunderbird etc.

Don’t be like some people and make it a disingenuous argument aimed specifically at ProtonMail when it is not a specific issue to them.

If your threat model requires being safe from an operator, I would suggest throwaway accounts that are in no way tied to you long term.

I would say also if that is genuinely the case then email should be used minimally as it doesn’t matter what provider you use, they can record metadata such as To:/From: as it hits their servers.

Incidentally if you really don’t want to use ProtonMail, there are other options, perhaps would be a better choice

Yeah, I watched the video, thanks. I commented on the YouTube version.

You are correct that ProtonMail is not alone, but I am just calling them out because of the bold claims they make and the genuine fact that I am a customer and I want them to be as good as possible. Other providers may make false claims, etc, but I simply wanted a Swiss email provider (outside 14 eyes, basic legal protections for metadata, etc) and ended up here because of PGP support and bold claims.

I’m clearly not trying to be “the next snowden” – but rather ensure the privacy / security of PGP is actually utilized here. I feel a duty to speak up and share my knowledge here… very few people have the expertise to see the flaws in ProtonMail’s model and challenge them on it.

Sure, this is my intention and the intention of the Bridge. My biggest issue is that Bridge blocks encrypted email and is closed source. The simple answer is that they don’t want to handle email they have no way to read. I hope that is not the case, but any other explanation requires jumping through hoops to explain.

Thanks, unfortunately no others are in Switzerland.
Germany is definitely not the same from my understanding with regards to basic privacy rights.

Yes, I dislike email and use it as little as possible. Unfortunately the entire Internet still relies heavily on it for account registration, etc.

Clearly I need to continue looking elsewhere unless I can get hydroxide to do what I need. Most likely I’ll have to host my own email which is extremely complex and time consuming to do right.

Sad though, ProtonMail was one of the few companies I really considered worth working for before all of this. I’m passionate about this subject (have contributed to over 300 privacy-related GitHub projects) and I simply want to help users claw back some security & privacy.

Yeah, again it depends on how much you trust the services. Also, I assume this is not the best place to ask, so go to their reddit and hear from their mods/devs; then you can see if they lie or not, because I’m not actually a dev so I don’t know what is behind the code. But I talked with them and asked if they actually can know my emails, and they said yes, they could but do not want to, and any other provider actually can too, so it depends on the team itself. And again, if you do not trust them, you can just use GPA or GnuPG and do it manually.

Not through standard clients like Thunderbird + Enigmail + Bridge.
That is the whole point of this thread.

However I just tested copy + paste of encrypted message (ASCII armored) into the web mail client and that kinda works.
Terrible usability though… PM’s web mail doesn’t recognize and decrypt it, but my desktop client will at least.

PM support staff told me they were eventually going to release the Bridge source code and that they will look into options to allow users to use their own keys. Guess we’ll just have to wait.

Does that mean the Bridge will be free? I mean, free users can use it?

They will still require you to login to your account, so PM can still restrict “free” accounts from using it to send email.

Likely no, the reason for it only being for paid users is because it is demanding. I would also bet automated abuse is another reason. Paid users are less likely to be spammers.

It’s worth noting the bridge is now open source


When I was signing up with Tor I had the same issue. I ended up just giving them a VoIP number and that worked.

Great news that Bridge is now Open Source. I am also happy to see they documented the security model.

If it was possible to 100% only use the Bridge, we could have some certainty about how keys / password are handled, but I don’t think that is possible (signups, etc must happen in browser where JavaScript code can change every request).

We still critically need a way to use ProtonMail with private keys outside of their control, especially with regards to hardware tokens like the YubiKey.

Note: I looked into hydroxide and saw that it cannot be used with systems that encrypt before PM gets their hands on the email – the server itself is rejecting encrypted messages. Unfortunately their Bridge can therefore also not be forked / modified to let my encrypted messages pass through as the server will just reject them.