Cryptology ePrint Archive: Report 2018/1121

An Analysis of the ProtonMail Cryptographic Architecture

Nadim Kobeissi

Abstract: ProtonMail is an online email service that claims to offer end-to-end encryption such that "even [ProtonMail] cannot read and decrypt [user] emails." The service, based in Switzerland, offers email access via webmail and smartphone applications to over five million users as of November 2018. In this work, we provide the first independent analysis of ProtonMail's cryptographic architecture. We find that for the majority of ProtonMail users, no end-to-end encryption guarantees have ever been provided by the ProtonMail service and that the "Zero-Knowledge Password Proofs" are negated by the service itself. We also find and document weaknesses in ProtonMail's "Encrypt-to-Outside" feature. We justify our findings against well-defined security goals and conclude with recommendations.

Category / Keywords: applications / public-key cryptography, pgp

Date: received 18 Nov 2018, last revised 26 Nov 2018

Contact author: nadim at symbolic software

Available format(s): PDF | BibTeX Citation

Note: This revision significantly alters the security definition and the subsequent conclusions for the findings related to Zero-Knowledge Password Proofs.

Version: 20181127:061849 (All versions of this report)

Short URL: ia.cr/2018/1121


[ Cryptology ePrint archive ]