|Available in||English, Catalan, Chinese, Dutch, French, German, Hungarian, Italian, Japanese, Polish, Romanian, Russian, Spanish, Turkish, Portuguese, Ukrainian|
|Owner||Proton Technologies AG, Geneva, Switzerland|
|Launched||16 May 2014|
ProtonMail is an end-to-end encrypted email service founded in 2013 in Geneva, Switzerland by scientists who spent time at the CERN research facility. ProtonMail uses client-side encryption to protect email content and user data before they are sent to ProtonMail servers, unlike other common email providers such as Gmail and Outlook.com. The service can be accessed through a webmail client, the Tor network, or dedicated iOS and Android apps.
ProtonMail is run by its parent company Proton Technologies AG, which is based in the Canton of Geneva. The company also operates ProtonVPN, a VPN service. ProtonMail received initial funding through a crowdfunding campaign. Although the default account setup is free, the service is sustained by optional paid services. Initially invitation-only, ProtonMail opened up to the public in March 2016. In 2017, ProtonMail had over 2 million users, and grew to over 5 million by September 2018, 20 million by the end of 2019, and over 50 million in 2020.
On 16 May 2014, ProtonMail entered into public beta. It was met with enough response that after three days they needed to temporarily suspend beta signups to expand server capacity. Two months later, ProtonMail received US$550,377 from 10,576 donors through a crowdfunding campaign on Indiegogo, while aiming for US$100,000. During the campaign, PayPal froze ProtonMail's PayPal account, thereby preventing the withdrawal of US$251,721 worth of donations. PayPal stated that the account was frozen due to doubts about the legality of encryption, statements that opponents said were unfounded. The restrictions were lifted the following day.
On 18 March 2015, ProtonMail received US$2 million from Charles River Ventures and the Fondation Genevoise pour l'Innovation Technologique (Fongit). On 14 August 2015, ProtonMail released major version 2.0, which included a rewritten codebase for its web interface. On 17 March 2016, ProtonMail released major version 3.0, which saw the official launch of ProtonMail out of beta. With a new interface for the web client, version 3.0 also included the public launch of ProtonMail's iOS and Android beta applications.
On 19 January 2017, ProtonMail announced support through Tor, at the hidden service address protonirockerxow.onion. On 21 November 2017, ProtonMail introduced ProtonMail Contacts, a zero-access encryption contacts manager. ProtonMail Contacts also utilizes digital signatures to verify the integrity of contacts data. On 6 December 2017, ProtonMail launched ProtonMail Bridge, an application that provides end-to-end email encryption to any desktop client that supports IMAP and SMTP, such as Microsoft Outlook, Mozilla Thunderbird, and Apple Mail, for Windows and macOS.
On 25 July 2018, ProtonMail introduced address verification and Pretty Good Privacy (PGP) support, making ProtonMail interoperable with other PGP clients. In December 2019, ProtonMail launched "ProtonCalendar", a fully encrypted calendar.
The source code for the back-end remains closed source. However, ProtonMail released the source code for the web interface under an open-source license. ProtonMail also open sourced their mobile clients for iOS and Android, as well as the ProtonMail Bridge app. All of their source code can be found on GitHub.
In September 2020, it became known that ProtonMail had joined the Coalition for App Fairness, which aims to gain better conditions for the inclusion of their apps in app stores.
From 3 to 7 November 2015, ProtonMail was under several DDoS attacks that made the service largely unavailable to users. During the attacks, the company stated on Twitter that it was looking for a new data center in Switzerland, saying, "many are afraid due to the magnitude of the attack against us".
In July 2018, ProtonMail reported it was once more suffering from DDoS attacks. CEO Andy Yen claimed that the attackers had been paid by an unknown party to launch the attacks. In September 2018, one of the suspected ProtonMail attackers was arrested by British law enforcement and charged in connection with a series of other high-profile cyberattacks against schools and airlines.
On 15 November 2019, Proton confirmed that the government of the Republic of Belarus had issued a block across the country of ProtonMail and ProtonVPN IP addresses. The block was no longer in place 4 days later. No explanation was given to ProtonMail for the block, nor for the block being lifted.
On 29 January 2020, the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media reported that it had implemented a complete block of ProtonMail services within the Russian Federation. As a reason for the block, it cited ProtonMail's refusal to give up information relating to accounts that allegedly sent out spam with terror threats. However, ProtonMail claimed that it did not receive any requests from Russian authorities regarding any such accounts. In response to the block, the ProtonMail Twitter account recommended legitimate users circumvent the block via VPNs or Tor.
In March 2020, the company announced that even though the Russia ban was not particularly successful and the service continues to be largely available in Russia without utilising a VPN, ProtonMail will be releasing new anti-censorship features in both ProtonMail and ProtonVPN desktop and mobile apps which will allow more block attempts to be automatically circumvented.
ProtonMail uses a combination of public-key cryptography and symmetric encryption protocols to offer end-to-end encryption. When a user creates a ProtonMail account, their browser generates a pair of public and private RSA keys:
This symmetrical encryption happens in the user's web browser using AES-256. Upon account registration, the user is asked to provide a login password for their account.
A lost login password can be recovered by sending an e-mail to ProtonMail Support. Two of the questions that are asked in order for Support to provide renewed access to the account are:
This implies that these data are readable by support agents and hence by data analysis services. They constitute meta-data, so that networks of communicating accounts along with subject headers can be charted.
ProtonMail also offers users an option to log in with a two-password mode which requires a login password and a mailbox password.
Upon logging in, the user has to provide both passwords. This is to access the account and the encrypted mailbox and its private encryption key. The decryption takes place client-side either in a web browser or in one of the apps. The public key and the encrypted private key are both stored on ProtonMail servers. Thus ProtonMail stores decryption keys only in their encrypted form so ProtonMail developers are unable to retrieve user emails or reset user mailbox passwords. This system absolves ProtonMail from:
ProtonMail exclusively supports HTTPS and uses TLS with ephemeral key exchange to encrypt all Internet traffic between users and ProtonMail servers. Their 4096-bit RSA SSL certificate is signed by QuoVadis Trustlink Schweiz AG and supports Extended Validation, Certificate Transparency, Public Key Pinning, and Strict Transport Security. Protonmail.com holds an "A+" rating from Qualys SSL Labs.
In September 2015, ProtonMail added native support to their web interface and mobile app for PGP. This allows a user to export their ProtonMail PGP-encoded public key to others outside of ProtonMail, enabling them to use the key for email encryption. The ProtonMail team plans to support PGP encryption from ProtonMail to outside users.
An email message sent from one ProtonMail account to another is automatically encrypted with the public key of the recipient. Once encrypted, only the private key of the recipient can decrypt the message. When the recipient logs in, their mailbox password decrypts their private key and unlocks their inbox.
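The storage and delivery model described above (the server holds only the public key and the password-encrypted private key; mail is encrypted to the recipient's public key) can be sketched in Node.js. This is an added example, not ProtonMail's code or message format: the RSA-OAEP key wrapping, AES-256-GCM body encryption, PKCS#8 passphrase protection, the 2048-bit modulus and all function names are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed primitives for this sketch: RSA-OAEP(SHA-256) and AES-256-GCM.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client, at signup: the private key is encrypted under the mailbox password
// before upload. The returned record is everything the server stores.
function createServerRecord(mailboxPassword) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048, // small modulus so the example runs quickly
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: mailboxPassword,
    },
  });
  return { publicKey, encryptedPrivateKey: privateKey };
}

// Sender: a fresh AES-256 key encrypts the body; the public key wraps that key.
function encryptFor(publicKey, plaintext) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey),
    iv, body, tag: cipher.getAuthTag(),
  };
}

// Recipient: mailbox password -> private key -> session key -> plaintext.
function openMessage(record, mailboxPassword, msg) {
  const sessionKey = crypto.privateDecrypt(
    { key: record.encryptedPrivateKey, passphrase: mailboxPassword, ...OAEP },
    msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// True only if the stored record plus the guessed password opens the message.
function canOpen(record, guess, msg) {
  try { openMessage(record, guess, msg); return true; } catch { return false; }
}

// Constructed sample values, not real credentials or mail.
function demo() {
  const record = createServerRecord('constructed-mailbox-password');
  const msg = encryptFor(record.publicKey, 'Meet at 10:00');
  const tampered = { ...msg, body: Buffer.from(msg.body) };
  tampered.body[0] ^= 0x01; // flip one ciphertext bit in transit
  return {
    storedKeyIsEncrypted: record.encryptedPrivateKey.includes('ENCRYPTED PRIVATE KEY'),
    recipientReads: openMessage(record, 'constructed-mailbox-password', msg),
    wrongPasswordOpens: canOpen(record, 'wrong-guess', msg),
    tamperedOpens: canOpen(record, 'constructed-mailbox-password', tampered),
  };
}
```

In this model the confidentiality of stored mail rests entirely on the mailbox password, which is also why a forgotten mailbox password cannot be reset by the operator.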
Email messages sent from ProtonMail to non-ProtonMail email addresses may optionally be sent in plain text or with end-to-end encryption. With encryption, the message is encrypted with AES under a user-supplied password. The recipient receives a link to the ProtonMail website on which they can enter the password and read the decrypted message. ProtonMail assumes that the sender and the recipient have exchanged this password through a backchannel. Such email messages can be set to self-destruct after a period of time.
Both ProtonMail and ProtonVPN are located in Switzerland to avoid any surveillance or information requests from countries under the Fourteen Eyes, and/or under government surveillance laws like the United States' Patriot Act or outside the bounds of law.
The company claims that it is also located in Switzerland because of its strict privacy laws.
ProtonMail maintains and owns its own server hardware and network in order to avoid utilizing a third party. It maintains two data centres, one in Lausanne and another in Attinghausen (in the former K7 military bunker under 1,000 metres (3,300 ft) of granite rock) as a backup. Since the servers are located in Switzerland, they are legally outside of the jurisdiction of the European Union, United States, and other countries. Under Swiss law, all surveillance requests from foreign countries must go through a Swiss court and are subject to international treaties. Prospective surveillance targets are promptly notified and can appeal the request in court.
Each data centre uses load balancing across web, mail, and SQL servers, redundant power supply, hard drives with full disk encryption, and exclusive use of Linux and other open-source software. In December 2014, ProtonMail joined the RIPE NCC in an effort to have more direct control over the surrounding Internet infrastructure.
ProtonMail currently supports two-factor authentication with TOTP tokens for its login process. As of October 2019, according to the official ProtonMail blog, U2F support for YubiKey and FIDO physical security keys is currently under development and will be available soon after the release of v4.0.
As of 13 March 2021, ProtonMail offers the following plans:
|Plan||Messages Per Day||Folders/Labels||Storage||Aliases||Custom Domains||Price||Support|
|Free||150||3||500 MB||1 Address||-||Free||Limited Support|
|Plus||1000||200||5 GB||5 Addresses||1||€5 /mo or €48 /yr||Normal Support|
|Professional||Unlimited||Unlimited||5 GB||5 Addresses/User||2||€8 /mo or €75 /yr||Priority Support|
|Visionary||Unlimited||Unlimited||20 GB||50 Addresses||10||€30 /mo or €288 /yr||Priority Support|
ProtonMail was mentioned in the 2015 Bear Grylls novel Ghost Flight.
ProtonMail was featured in seasons 1, 3, and 4 of the American TV drama series Mr. Robot.
ProtonMail was also featured in the 2019 films Sound of Metal and Knives Out.
We don't have a stand-alone back-end that can be installed for small deployment, because our backend software is optimized for large deployments with millions of users and distributed infrastructure.
We don't plan to open source the back-end code, because it doesn't add trust (users can't verify what code is running on the backend) and doing so would give away information about how we do anti-spam and anti-abuse.