The ProtonMail Threat Model
In this article, we will describe both the threats ProtonMail is designed to guard against, and also the threats ProtonMail is NOT designed to counter.
From a high level, our premise is that a service like the now-defunct Lavabit does add value, despite some inherent weaknesses. We designed ProtonMail around many of the same principles, but with some significant improvements. At the very core, email as a secure communication medium is fundamentally flawed. The SMTP protocol was first introduced in the 1980’s well before many of the threats of the modern internet were even envisioned, much less understood. However, despite its age and flaws, SMTP is not going away anytime soon, and email will continue to play a major role in our lives. For truly secure communications, one cannot really recommend email, but for most of us, there is no other option.
Our second philosophy is that security needs to be made easy enough to be usable. The most secure system is simply not useful if it is so complicated nobody is willing to use it. As ProtonMail developers, we will be the first to tell you that there are certainly more secure ways we could have built a service like ProtonMail. The reason we built ProtonMail the way we did is not because we weren’t aware of these other methods, but because we would have had to sacrifice too much usability. There will always be a trade off between security and usability, anybody that tells you otherwise is lying. And just because a system is not 100% secure does not mean you should not use it, the key is understanding the limitations of your security. And for the record, there is no such a thing as a 100% secure system.
At ProtonMail, our goal is to guard against mass surveillance and we feel the best way to do that is to give encryption to everybody. The only way to do that, is to make encryption easy to use. This is why ProtonMail works out of any modern web browser, and why we went to great lengths to make the cryptography completely invisible to the user. However, this approach does come with certain shortcomings.
1. Compromised User – This is the most common type of compromise. Even if you use the world’s most secure electronic communication system, advanced encryption does you no good if there is a keylogger on your computer recording all of your keystrokes. ProtonMail does not and can not guard against a compromise of a user’s machine.
2. Man-in-the-Middle (MITM) Attacks – This is a very rare attack where an adversary will sit between the user and the ProtonMail servers and tamper with the data being relayed between the user and the server. However, because ProtonMail messages are encrypted before they leave the user’s browser, an attacker cannot get message data by simply listening in on the communications. The attacker would have to actually send the user’s browser a modified version of the ProtonMail website which may secretly pass the mailbox password back to the attacker. This is a far more difficult attack that can typically only be executed by a strong adversary (like a government) and is generally a targeted attack. It cannot easily be used on a large scale to perform mass surveillance.
Fortunately, there are several ways to protect against a MITM attack. ProtonMail employs SSL to ensure our encryption codes are properly delivered to user’s browsers and not tampered with en-route. Generally speaking, a successful MITM attack requires breaking SSL, typically by using a forged SSL certificate. There are browser plugins in existence today which can be used to detect forged certificates and greatly reduce the risk of a MITM attack. We recommend Certificate Patrol or Perspectives (although the second one may need more time to mature).
3. Unauthorized backdoor – Another attack vector would be if an attacker somehow gained access to ProtonMail’s servers in Switzerland without us noticing. Such an attacker could conceivably change the ProtonMail software to send bad encryption code to user’s browsers that would somehow allow the attacker to get unencrypted data. ProtonMail has implemented numerous safeguards against this on the server level. We have routines that constantly scan for code changes and will detect them. The attacker would have to gain control of the server, instantly change the behavior of the code scanners, and then modify the software all without anybody at ProtonMail noticing. The odds of this being successfully executed is indeed quite low.
Our risk analysis indicates that ProtonMail offers good (but not perfect) protection for the vast majority of users. There are however some risks for users facing a strong adversary, such as a government focusing all its resources on a very specific target. In such a case, we don’t think crypto would be of much benefit as this XKCD comic would apply.
Below are some examples of recommended, and not recommended use cases for ProtonMail
Edward Snowden – If you are Edward Snowden, or the next Edward Snowden, and have a life and death situation that requires privacy, we would not recommend using ProtonMail. For extremely sensitive situations, it is simply not a good idea to use email as a medium for communications.
Sensitive business communications – You have sensitive business information that you want to make sure is protected from competitors and other malicious parties. For example, you fear a competitor may want to sue you under false pretenses to get access to sensitive data. In this case, ProtonMail offers a great deal of protection. ProtonMail will not release ANY data unless provided with an enforceable Swiss court order. To get such an order, the case must first work its way through the Swiss courts where stricter privacy laws might result in a different ruling. Even if an adversary went through the expensive and time consuming procedure of obtaining such an order, ProtonMail’s zero access cryptography means we would only be able to release data that is encrypted since we do NOT hold the decryption keys.
Private Citizen with Privacy Concerns – ProtonMail is also perfect for an individual (or corporation) that does NOT want the government to have access to all of their emails at any time, and does not like Google or Microsoft constantly scanning and archiving all conversations. With ProtonMail, the barrier of entry for mass surveillance is high enough that mass surveillance simply is not practical. This is an example where ‘good privacy’ can act as a meaningful substitute to ‘perfect privacy’.
We would like to conclude with a few thoughts about privacy and surveillance in general. Some people make the assertion that if you are NOT a criminal, there is no need for privacy. To those critics, we simply ask, does that mean that only criminals have curtains over their windows?
On a more serious note, there are also critics who assert that by building ProtonMail, we are providing a powerful tool for criminals to evade the authorities. There is no denying that ProtonMail provides a high level of security and privacy for criminals, but one has to remember that the world does not consist of just criminals. There are also dissidents, and democracy activists living under authoritarian regimes where freedom of speech is not respected. Then, there are the rest of us, law abiding private citizens who simply want control over our online data. We can either chose to live in a world where everybody is under surveillance, or a world where everybody (criminals included) have privacy. We feel that the right to privacy is a fundamental human right, and we are willing to fight and work towards protecting that right.