ProtonMail is one of the most popular security-focused email providers. Because email is not a particularly secure protocol, things like end-to-end encryption have to be bolted on top. To ensure interoperability, an email provider must be able to send unencrypted messages to recipients who haven't dived into the painful world of PGP.
ProtonMail handles this quite well. Emails are stored encrypted on their servers, and are only decrypted in the client – this way, ProtonMail isn't able to read any of your stored emails. When sending emails to other ProtonMail users, end-to-end encryption is handled transparently. But there's an important gotcha: in order to send and receive emails from other providers, ProtonMail has to handle the plaintext. Otherwise, the recipient (e.g. on an @gmail.com address) would receive a garbled mess that they had no idea how to decipher. Thus, ProtonMail could theoretically intercept your emails as they enter or leave their servers.
This isn't a problem with ProtonMail's technology; it's a problem with email. Fundamentally, the protocol wasn't built for end-to-end encryption. However, while ProtonMail's handling of this challenge is reasonable, the way they communicate it isn't. Take this text on their front page:

If you like arguing semantics, you might want to say that this is technically true. All emails are secured with end-to-end encryption once they're stored on ProtonMail's server. But this leaves out the pretty important fact that, like any email provider, ProtonMail has the ability to read your emails as they are received or sent (unless the recipient is also a ProtonMail user, or unless you manually set up a secure PGP channel).
Unless you're familiar with the technical details of how email and encryption work, ProtonMail's UI is going to make you feel a lot more secure than you really are. Because every email is either end-to-end encrypted with PGP or stored encrypted, the ProtonMail design team decided to throw little padlock indicators on everything:

It's in no way clear from the UI, but the first padlock icon (grey) means that the email was sent in plaintext. It's stored encrypted on ProtonMail's side, but the sender's email provider has full access to the email. The second padlock icon (greyish purple) means that the email was actually end-to-end encrypted. As a user, you'll learn this if you hover over the padlock, but the key gotchas are not mentioned anywhere.
ProtonMail does actually provide the ability to send encrypted emails to other providers if you set a symmetric encryption key. You just have to notice the button with a lock on it and know that you have to manually set it up. Of course, if all you've read is ProtonMail's marketing materials and their UI, you probably won't know that this is necessary to get the advertised security.

I would love to see user studies of ProtonMail's security. If previous work gives us any indication, we can reasonably guess that a large proportion of users will not be aware that e.g. Google can read their emails when they send them to Gmail users. I would also love to be proven wrong on this: if you know of such research, please let me know!
I'm not saying that anyone should stop using ProtonMail. But perhaps we should stop making unrealistic claims about what is possible, security-wise, for a protocol that was developed in the 90s for a very different world. Maybe we should look to more modern protocols for our secure communications needs. At the very least, please stop throwing a padlock icon on everything that has some relation to the abstract concept of "security".