This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)(Learn how and when to remove this template message)
Screenshot of the ProtonMail website, showing the user's inbox and a composer window.
Type of site
|Available in||English, Spanish, German, French, Italian, Japanese, Dutch, Polish, Portuguese, Romanian, Russian, Turkish, Ukrainian|
|Owner||Proton Technologies AG, Geneva, Switzerland|
|Users||> 10 Million|
|Launched||16 May 2014|
ProtonMail is an end-to-end encrypted email service founded in 2014 at the CERN research facility by Andy Yen, Jason Stockman, and Wei Sun. ProtonMail uses client-side encryption to protect email contents and user data before they are sent to ProtonMail servers, unlike other common email providers such as Gmail and Outlook.com. The service can be accessed through a webmail client, the Tor network, or dedicated iOS and Android apps.
ProtonMail is run by Proton Technologies AG, a company based in the Canton of Geneva, and its servers are located at two locations in Switzerland, outside of US and EU jurisdiction. The service received initial funding through a crowdfunding campaign. The default account setup is free, and the service is sustained by optional paid services. As of January 2017[update], ProtonMail had over 2 million users, and grew to over 5 million by September 2018 and over 10 million by the end of 2018. Initially invitation-only, ProtonMail opened up to the public in March 2016.
On 31 July 2014, ProtonMail received US$550,377 from 10,576 donors through a crowdfunding campaign on Indiegogo, while aiming for US$100,000. During the campaign, PayPal froze ProtonMail's PayPal account, thereby preventing the withdrawal of US$251,721 worth of donations. PayPal stated that the account was frozen due to doubts of the legality of encryption, statements that opponents said were unfounded. The restrictions were lifted the following day.
On 14 August 2015, ProtonMail released major version 2.0, which included a rewritten codebase for its web interface. The ProtonMail team simultaneously released the source code for the web interface under an open-source license.
On 17 March 2016, ProtonMail released major version 3.0, which saw the official launch of ProtonMail out of beta. With a new interface for the web client, version 3.0 also included the public launch of ProtonMail's iOS and Android beta applications.
On 21 November 2017, ProtonMail introduced ProtonMail Contacts, a zero-access encryption contacts manager. ProtonMail Contacts also utilizes digital signatures to verify the integrity of contacts data.
On 6 December 2017, ProtonMail launched ProtonMail Bridge, an application that provides end-to-end email encryption to any desktop client that supports IMAP and SMTP, such as Microsoft Outlook, Mozilla Thunderbird, and Apple Mail, for Windows and MacOS.
On 25 July 2018, ProtonMail introduced address verification and PGP support, making ProtonMail interoperable with other PGP clients.
On 30 October 2019, ProtonMail open sourced its iOS app, releasing the code on github and publishing its audit results by SEC consulting.
On December 2019, ProtonMail launched ProtonCalendar, a fully encrypted calendar.
From 3 to 7 November 2015, ProtonMail was under several DDoS attacks that made the service largely unavailable to users. During the attacks, the company stated on Twitter that it was looking for a new data center in Switzerland, saying, "many are afraid due to the magnitude of the attack against us".
In July 2018, ProtonMail reported it was once more suffering from DDoS attacks, with CEO Andy Yen claiming that the attackers had been paid by an unknown party to launch the attacks. In September 2018, one of the suspected ProtonMail attackers was arrested by British law enforcement and charged in connection with a series of other high-profile cyberattacks against schools and airlines.
Nation-wide block in Belarus
On 15 November 2019, ProtonMail confirmed that Belarus had issued a nationwide block to ProtonMail and ProtonVPN IP addresses. The block was no longer in place 4 days later. No explanation was given to ProtonMail for the block, nor for the block being lifted.
ProtonMail uses a combination of public-key cryptography and symmetric encryption protocols to offer end-to-end encryption. When a user creates a ProtonMail account, their browser generates a pair of public and private RSA keys:
- The public key is used to encrypt the user's emails and other user data.
- The private key capable of decrypting the user's data is symmetrically encrypted with the user's mailbox password.
This symmetrical encryption happens in the user's web browser using AES-256. Upon account registration, the user is asked to provide a login password for their account. ProtonMail also offers users an option to log in with a two-password mode which requires a login password and a mailbox password.
- The login password is used for authentication.
- The mailbox password encrypts the user's mailbox that contains received emails, contacts, and user information as well as a private encryption key.
Upon logging in, the user has to provide both passwords. This is to access the account and the encrypted mailbox and its private encryption key. The decryption takes place client-side either in a web browser or in one of the apps. The public key and the encrypted private key are both stored on ProtonMail servers. Thus ProtonMail stores decryption keys only in their encrypted form so ProtonMail developers are unable to retrieve user emails or reset user mailbox passwords. This system absolves ProtonMail from:
- Storing either the unencrypted data or the mailbox password.
- Divulging the contents of past emails but not future emails.
- Decrypting the mailbox if requested or compelled by a court order.
ProtonMail exclusively supports HTTPS and uses TLS with ephemeral key exchange to encrypt all Internet traffic between users and ProtonMail servers. Their 4096-bit RSA SSL certificate is signed by QuoVadis Trustlink Schweiz AG and supports Extended Validation, Certificate Transparency, Public Key Pinning, and Strict Transport Security. Protonmail.com holds an "A+" rating from Qualys SSL Labs.
In September 2015, ProtonMail added native support to their web interface and mobile app for Pretty Good Privacy (PGP). This allows a user to export their ProtonMail PGP-encoded public key to others outside of ProtonMail, enabling them to use the key for email encryption. The ProtonMail team plans to support PGP encryption from ProtonMail to outside users.
An email sent from one ProtonMail account to another is automatically encrypted with the public key of the recipient. Once encrypted, only the private key of the recipient can decrypt the email. When the recipient logs in, their mailbox password decrypts their private key and unlocks their inbox.
Emails sent from ProtonMail to non-ProtonMail email addresses may optionally be sent in plain text or with end-to-end encryption. With encryption, the email is encrypted with AES under a user-supplied password. The recipient receives a link to the ProtonMail website on which they can enter the password and read the decrypted email. ProtonMail assumes that the sender and the recipient have exchanged this password through a backchannel. Such emails can be set to self-destruct after a period of time.
ProtonMail currently supports two-factor authentication with TOTP tokens for its login process. According to official ProtonMail feedback site, U2F support for YubiKey and FIDO physical security keys is currently under development and will be available soon.
ProtonMail maintains and owns its server hardware and network in order to avoid trusting a third party. It maintains two data centres in Lausanne and Attinghausen (in the former K7 military bunker under 1,000 meters of granite rock) for redundancy. Since the data centres are located in Switzerland, they are legally outside of US and EU jurisdiction. Under Swiss law, all surveillance requests from foreign countries must go through a Swiss court and are subject to international treaties. Prospective surveillance targets are notified and can appeal the request in court.
Each data centre uses load balancing across web, mail, and SQL servers, redundant power supply, hard drives with full disk encryption, and exclusive use of Linux and other open-source software. In December 2014, ProtonMail joined the RIPE NCC in an effort to have more direct control over the surrounding Internet infrastructure.
|Plan||Messages Per Day||Folders/Labels||Storage||Aliases||Domains||Price||Support|
|Free||150||3/20||500 MB||1 Address||-||Free||Limited Support|
|Plus||1000||200/200||5 GB||5 Addresses||1||$5 /mo or $48 /yr||Support [c 1]|
|Professional||Unlimited||Unlimited/Unlimited||5 GB||5 Addresses/User||2||$8 /mo or $75 /yr||Priority Support [c 1]|
|Visionary||Unlimited||Unlimited/Unlimited||20 GB||50 Addresses||10||$30.00 /mo or $288.00 /yr||Priority Support [c 1][c 2]|
In popular culture
- "ProtonMail - Tor Encrypted Email".
- "license.md". github.com/ProtonMail/WebClient. Proton Technologies A.G. 8 June 2016.
- "iOS mobile app repository". github.com/ProtonMail/ios-mail. Proton Technologies A.G. 11 December 2019.
- "ProtonMail is Open Source!". ProtonMail Blog. 13 August 2015. Retrieved 19 October 2015.
- Biggs, John (23 June 2014). "ProtonMail Is a Swiss Secure Mail Provider That Won't Give You up to the NSA". TechCrunch. Retrieved 19 October 2015.
- "ProtonMail, the Easy-to-Use Encrypted Email Service, Opens Up to the Public". 17 March 2016.
- "Registre du Commerce du Canton de Genève". République et canton de Genève. 18 July 2014. Retrieved 20 February 2018.
- "Why Switzerland?". ProtonMail Blog. 19 May 2014. Retrieved 19 October 2015.
- "Fighting Censorship with ProtonMail Encrypted Email Over Tor". ProtonMail Blog. 19 January 2017. Retrieved 20 January 2017.
- Andy Yen (31 December 2018). "A look back at 2018 and our vision for the future". ProtonMail Blog. Retrieved 25 January 2019.
- "ProtonMail now in Public Beta!!". ProtonMail Blog. 16 May 2014. Retrieved 31 January 2016.
- "Über-Secure ProtonMail Beta Maxes Out Servers in Just 60 Hours". Infosecurity Magazine. 22 May 2014. Retrieved 19 October 2015.
- Yen, Andy (31 July 2014). "ProtonMail". Indiegogo. Retrieved 19 October 2014.
- Halfacree, Gareth (1 July 2014). "ProtonMail hit by PayPal account freeze". bit-tech. Retrieved 19 October 2015.
- Howell O'Neill, Patrick (1 July 2014). "PayPal freezes account of email encryption startup ProtonMail [Update]". The Daily Dot. Retrieved 19 October 2015.
- Yen, Andy (30 June 2014). "Paypal Freezes ProtonMail Campaign Funds". ProtonMail Blog. Retrieved 19 October 2015.
- Yen, Andy (18 March 2015). "ProtonMail has raised $2M USD to protect online privacy". ProtonMail Blog. Retrieved 19 October 2015.
- "ProtonMail goes Open Source with version 2.0". ProtonMail Blog. 13 August 2015. Retrieved 31 January 2016.
- "Announcement: ProtonMail has launched worldwide!". ProtonMail Blog. 17 March 2016. Retrieved 21 July 2016.
- "Fighting Censorship with ProtonMail Encrypted Email Over Tor". ProtonMail Blog. 19 January 2017. Retrieved 27 January 2017.
- Martin, Alexander J. (19 January 2017). "ProtonMail launches Tor hidden service to dodge totalitarian censorship". The Register. Archived from the original on 20 January 2017.
- "Introducing ProtonMail Contacts – the world's first encrypted contacts manager". ProtonMail Blog. 21 November 2017.
- M., Irina (6 December 2017). "Introducing ProtonMail Bridge, email encryption for Outlook, Thunderbird, and Apple Mail". ProtonMail Blog. Retrieved 16 December 2017.
- "Introducing Address Verification and Full PGP Support - ProtonMail Blog". ProtonMail Blog. 25 July 2018. Retrieved 28 September 2018.
- "ProtonMail iOS app is open source". ProtonMail Blog. 30 October 2019. Retrieved 12 December 2019.
- "ProtonMail launches ProtonCalendar, a calendar fully encrypted". PPC Land. 1 January 2020. Retrieved 1 January 2020.
- Leyden, John (5 November 2015). "ProtonMail still under attack by DDoS bombardment". The Register. Retrieved 5 November 2015.
- @ProtonMail (5 November 2015). "We are seeking a datacenter in Switzerland brave enough to host ProtonMail, many are afraid due to the magnitude of the attack against us" (Tweet) – via Twitter.
- Lynch, Justin (2 July 2018). "ProtonMail CEO: 'The attacks are continuing'". Sightline Media Group.
- "Apophis Squad member responsible for attacks against ProtonMail has been arrested - ProtonMail Blog". ProtonMail Blog. 6 September 2018. Retrieved 28 September 2018.
- Stockman, Jason (22 May 2014). "How are ProtonMail keys distributed?". Stack Exchange. Retrieved 19 October 2015.
- Khandelwal, Swati (26 May 2014). "ProtonMail: 'NSA-Proof' End-to-End Encrypted Email Service". The Hacker News. Retrieved 19 October 2015.
- "SSL Certificate Update". Qualys SSL Labs. 19 January 2016. Retrieved 31 January 2016.
- "SSL Report: protonmail.com". Qualys SSL Labs. 7 March 2016. Retrieved 7 March 2016.
- Yen, Andy (22 September 2015). "ProtonMail adds Facebook PGP integration". ProtonMail Blog. Retrieved 19 October 2015.
- "ProtonMail Security Details". ProtonMail Security. 31 January 2016. Retrieved 31 January 2016.
- "Two Factor Authentication (2FA)". ProtonMail Support.
- "Yubikey / FIDO U2F Support for Two Factor Authentication". Customer Feedback for ProtonMail. 22 August 2018. Archived from the original on 29 September 2019. Retrieved 29 September 2019.
- Patterson, Dan (13 November 2015). "Exclusive: Inside the ProtonMail siege: how two small companies fought off one of Europe's largest DDoS attacks". TechRepublic. Retrieved 31 January 2016.
- "Im geheimen Datenbunker von Attinghausen". Schweiz aktuell (video) (in German). SRF. 5 September 2012. Retrieved 20 February 2017.
- Yen, Andy (17 December 2014). "Infrastructure Upgrades". ProtonMail Blog. Retrieved 19 October 2015.
- Yen, Andy (17 December 2014). "ProtonMail joins Réseaux IP Européens (RIPE NCC)". ProtonMail Blog. Retrieved 19 October 2015.
- "ProtonMail Pricing". ProtonMail. Retrieved 21 July 2017.
- "Anti-spoofing for Custom Domains (SPF, DKIM & DMARC)". ProtonMail. 2016.
- Grylls, Bear (2015). Ghost Flight.
- Yen, Andy (25 August 2015). "ProtonMail on Mr. Robot". ProtonMail Blog. Retrieved 18 March 2018.
- @ProtonMail (10 December 2019). "It's the latter. We were just contacted for permission to use our brand in the movie. Not more" (Tweet) – via Twitter.
|Wikimedia Commons has media related to ProtonMail.|