ProtonMail is Inherently Insecure, Your Emails Are Likely Compromised Ramiro Romani February 17, 2021 796 EDITOR’S NOTE: Please welcome Ramiro Romani to The Conscious Resistance Network. This is his first piece for TCRN. We welcome his questions regarding the effectiveness of Protonmail and look forward to sharing our dialogue with their team. I’m currently writing this post in a dark room by candelight and it seems fitting. Ever since I got into this space, and even before, people have always been quick to recommend ProtonMail, a ‘private’ email service based in Switzerland. I’ll admit though, I went along with it and used the service, but after a while, seeing its growth gave me an uneasy gut feeling. As I should have done half a year ago, I finally read into it, and my suspicions were validated. If nothing else, take away these three points from this post: 1. ProtonMail is inherently insecure, if you’ve used the Webmail client, ProtonMail has always had the ability to grab your password and private encryption key without you knowing, giving them backdated access to your emails. 2. ProtonMail lies to its supporters and has close ties with intelligence agencies, and world governments. 3. ProtonMail has several points of security failure which can be utilized by many bad actors. History There are two versions of the ProtonMail origin story. There’s the ‘official’ one, on their Wikipedia, which describes Proton Technologies as being started by ‘a group of scientists from CERN’. And then there’s the origin story that has been scrubbed from all of ProtonMail’s marketing material and denied by official representatives that goes as follows: The trio who created ProtonMail were CERN researchers along with a MIT graduate. They were semifinalists at the 2014 MIT 100K startup lunch competition. Why was his involvement scrubbed from the history of the company? We’ll find out later in Part II, which is a short post you can read exclusively at the neo-network. First let’s see how secure ProtonMail really is. Claims ProtonMail has made the following claims since the early days. “We have no access to your messages, and since we cannot decrypt them, we cannot share them with third parties,” There has never been independent verification of these claims until 2018, when Professor Nadim Kobeissi released his own analysis. He responded to the claims made by ProtonMail’s technical specification detailing “security features and infrastructure” in July 2016. Professor Kobeissi found that ProtonMail’s architecture did “not guarantee end to end encryption for the majority of its users” along with a plethora of other concerns. The majority of this article is synthesizing his technical paper into layman language. It won’t take long to realize how blatantly insecure this is, you don’t need to be a cryptographer or computer scientist to understand it. Let’s start by defining ProtonMail’s claims in general security characteristics: 1. Confidentiality: An encrypted email sent from one person to another can only be read by those two people. 2. Authenticity: An email you received from someone must have been sent by them and can’t be spoofed by someone in the middle. Next, let’s understand how ProtonMail’s authentication and encryption schemes work. First, ProtonMail uses a Zero-Knowledge Password Proof to avoid giving anyone else information about your password. ZKPP has a complex explanation, but its purpose is to show someone you have a valid password without providing them any information (zero knowledge) about the value of the password. ProtonMail uses this method for user authentication, to prevent the user from ever sending ProtonMail their password. Why is this important? “The security granted by this protocol extends to the user’s private keys, which are encypted with a salted hash of their password before being sent with the server” Stop right there. Yes, that’s right, the most critical piece to the ‘private’ email service, your private key – is sent to and saved on ProtonMail’s server. PM openly states they have your private key, and it is only a matter of getting access to your password to decrypt the encrypted privacy key. In addition to this, ProtonMail has no password requirements, and the Professor has tested it with passwords like ‘1’, ‘iloveyou’, and ‘password’, which are all trivial to crack in dictionary attacks. Once these can be confirmed, an attacker has your entire email history. That’s still not the main flaw: The Flaw The inherent security flaw is introduced with the ProtonMail WebMail portal, the normal web application that we’ve all visited in the browser. And the flaw is that it is relatively simple for ProtonMail to serve you a modified version of their web application or the underlying PGP implementation. There is no way to cryptographically verify that you are getting the official version of the web client as stored in their repository. If PM decides to act maliciously, they can do so undetected. Unlike the mobile application who’s binaries get cryptographically signed to match the official codebase, there is no method to verify a web application. Once they have your password, they can use it with the private key that they have stored for you to decrypt any communication you’ve ever made through ProtonMail. Additionally, they can spoof email messages to others on your behalf. PM also has a Encrypt-To-Outside feature, which allows you to send encrypted email to other email providers. Not only are PM servers involved in this, but a third party, like Microsoft Outlook. It works by redirecting the recipient to a PM page in which they type a encryption key that they should have previous outside knowledge of, and this key decrypts the message. They also receive the PM sender’s public key so that they can write a reply back. This leaves many open attacks: 1. PM can once again replace the web application or PGP software to recover the original message and passcode. 2. PM can also give the recipient a different public key, one that they have the private key to, retrieving the reply for themselves, which they can once again reencrypt with the sender’s public key – completely undetected. 3. The third party mail server is free to do the same, sending their own URL, pretending to be PM, allowing them to harvest the encryption key, which allows them to get the original message. Once they have the original message, they can use it to derive the private key. Then they are able to encrypt the reply back to the sender using their public key. Conclusions & Recommendations – ProtonMail’s WebMail client cannot be verified to do what it says (this goes for most apps, but since private keys are stored on ProtonMail’s servers – this is especially true). – ProtonMail cannot claim E2E encryption – A larger implication is that any encrypted web application can’t be trusted to encrypt your data. This goes for other mailers and services that offer web-based E2E encryption… the research needs to be done. – If we really want privacy, users should generate their own public & private keys. Postscript Note After writing this first article, I got to verifying the other services I use. First was CTemplar, an email service based in Iceland, which I fully recommend using. CTemplar has been aware of the ProtonMail vulnerability and even links the paper by Professor Kobeissi that we discussed. Although they do use the same client side OpenPGP library maintained by ProtonMail (its likely the only one in the world that works in browsers), they have accounted for the concern and developed a system that allows you to compare the code in your browser with the code that they’ve published. Here’s instructions on how to do so. This is in stark contrast to ProtonMail’s response to Kobeissi’s analysis that tries to frame the vulnerability as ‘his opinion’ and not a real problem with their infrastructure. As you can see, there are people out there who are dedicated to achieving the utmost privacy, instead of pretending to be. Maybe ProtonMail should be open to implementing a similar method, after all – they should have nothing to hide? In the second shorter post, exclusively on the neo-network we will see the troubling origin of ProtonMail and why they shouldn’t be given the benefit of the doubt. From Ramiro: This is my first feature on The Conscious Resistance Network, and I’d like to thank Derrick for having me here. You may have known that I’ve worked alongside Derrick Broze & John Bush this past year, supporting the software engineering efforts to help develop The Freedom Cell Network and The Greater Reset Activation. Its been the adventure of a lifetime and I’m very much looking forward to the next ‘The Greater Reset’ at the end of May. It was at The Greater Reset where I first gave a talk announcing a new venture I’ve been working on. aboveground.market is a crypto-commerce platform that aims to be the first place on the surface web where you can buy & sell goods using crypto with only a wallet and a web browser. If you are interested, go to the site and sign up to our waitlist or apply to join our team. (we are looking for more software engineers) Aside from this, I also write daily at neo-network, which is a Telegram content channel I created to spread awareness of issues on technology, privacy and security. More importantly, it shares new revolutionary technologies, and educates readers on using them to break out of the web of control, creating a neo-network in its place. 8 Responses David M Pelly February 17, 2021 Ramiro, 1> Please tell us how secure mainstream webmail like Gmail, Hotmail, Yahoo, aol, etc, are? 2> Please tell us what you think of this technology? Does it solve the problems of interception and censorship? https://djhjmedia.com/kari/big-tech-disruptor-speaks-patriot-exec-of-peer-to-peer-phone-ap-offers-private-network-away-from-web-for-free/ Reply Fred February 18, 2021 Protonmail responded to this with: “Response to analysis of ProtonMail’s cryptographic architecture” https://protonmail.com/blog/cryptographic-architecture-response/ Reply Devin S. February 19, 2021 Thanks for the heads up, I’ve been using Proton for years now and did not hear about this until it was mentioned here. I may switch to CTemplar eventually. I use Nord VPN too, do you have any thoughts about them? Reply Mikael Cromsjo February 20, 2021 I am developing ideas for decentralized networks. I would love to help you with my knowledge and ideas. My main focus is creating new platforms for sharing truth and organize people in a world that is going towards centralized control. My main project is FractalCircles.org with the Fractal Meet video platform, UniteAwake.com and StayAwake.me, that is focusing on creating activist groups and engaging people. I also work with seeds to incorporate fractal systems in their blockchain. I love to help out to design a fractal blockchain for free open decission making and I also have ideas on how to create autonomous, decentralized cryptos. Reply David M Pelly February 20, 2021 Robert David Steeles is heading a project to develop Web 3.0. He has found financial backing. Reply Adam Jones February 21, 2021 Thanks for the info! Reply Kelly February 21, 2021 Do you know of any other email providers? CTemplar needs an invite code. Or is there a way we can anonymously get invite codes? Is there also a way to read Part 2 of this without signing up to Telegram? Reply jackfruit February 23, 2021 do people only realise what are the Templar and their logo lol!? Reply Leave a Reply Cancel ReplyYour email address will not be published.CommentName Email Website Notify me of follow-up comments by email. Notify me of new posts by email.