
An Analysis of the ProtonMail Cryptographic Architecture [pdf] - zahllos
https://eprint.iacr.org/2018/1121.pdf
======
protonmail
It seems Nadim (the author of this paper) took it really badly when we called
him out for intentionally spreading fake news this weekend. Putting aside the
author's personal biases for a moment, the difference of opinion with Nadim
can be boiled down to a couple of elements.

The key question being debated is whether or not web applications can
constitute end to end encryption. Nadim's opinion is that, as he writes, "no
webmail-style application could". His viewpoint is that E2EE is not possible
with web clients, period, end of discussion. This is a rather extreme position
to take as it would also apply to the web versions of Whatsapp or Wire, for
instance.

ProtonMail, like Whatsapp and Wire, offers apps on Linux, Windows, MacOS, iOS,
and Android. Like Whatsapp and Wire, we also offer a web app. The major
opinion Nadim is expressing here is that we should offer all the above, minus
the web-app, because in his opinion, you can't do end-to-end encryption in a
webapp. Obviously Whatspp and Wire do not share this opinion. Signal
coincidentally does share this opinion.

We do understand Nadim's arguments, and agree that web-apps are less secure
than, say, a native iOS app. Where we differ in opinion is that we don't believe
the threat model of web-apps is so fundamentally different from an iOS app
that we need to take the step of not offering a web-app at all. When it comes
to mobile apps for instance, the situation is really not so different,
particularly since automatic updates are the norm and recommended for
security.

There are definitely design decisions that we could have taken to make
ProtonMail more secure (no passwords, only passphrases, sync keys between
devices using QR codes, no web app etc), but this could compromise usability
to a large degree, which runs contrary to our goals.

Disagreeing on design decisions however, does not indicate that the
cryptography is unsound or improperly implemented, as this paper seems to
imply. That's why this paper reminds us a bit of the now retracted story in
the Guardian about Whatsapp's "security flaw", which was in fact a design
decision. It is also a bit disingenuous to claim that ProtonMail doesn't meet
its "self-professed security goals", when we have fundamentally different
interpretations of those security goals.

~~~
tonic-music
Where is this Windows app of which you speak? I don't see it linked on your
website.

~~~
protonmail
protonmail.com/bridge

------
tonic-music
Just sent this bug report (from the Android client, lol). Will post their
response here:

What is the official response to this report?

[https://eprint.iacr.org/2018/1121.pdf](https://eprint.iacr.org/2018/1121.pdf)

I'm not a cryptography expert but I am a web developer and even I can figure
out that typing my password into a web app reveals my private key to you if
you want to steal it.

The author is right in one respect: the online and self-updating nature of
the web app makes it impossible for anyone to verify what code you're really
running.

Reading this report also makes me question your response to the recent
hack/extortion incident. Now, I'm not really convinced about your response.

There's nothing in my PM account that's secret and I don't really care if you
were hacked. I use PM to avoid being tracked for advertising. But I do agree
with the author of this paper that you shouldn't make these security claims
which aren't true.

Thanks in advance for your response.

-- D

~~~
protonmail
See our response above, hopefully that gives a bit more insight into why we
have decided to continue offering a web-app.

------
tonic-music
Very interesting, especially in light of the recent claimed hacks to
ProtonMail. I've just switched to PM recently and, while I'm no cryptography
expert, it did seem unlikely that typing my password into a browser app could
ever be considered very secure -- certainly not "invisible" to PM since, as
the author points out, you can't see or validate the code running in the
browser.

~~~
trash_panda
You can actually see what code your browser is running, you have view source
and all the developer tools to analyze the JS code.

This is their main defense, they will probably post a link to their GitHub
page where the code of the front end application is hosted.

The thing is, to validate that the code published in GitHub is the same one
that you're running right now while you're logged into ProtonMail, requires a
dynamic analysis challenge that is quite unachievable.

So if ProtonMail decides to go rogue, or if an attacker compromises their
servers, it would be doable to send all users, or some targeted users, a
modified version of the webapp which steals your password, retrieves the
decrypted key, etc, etc, etc.

~~~
tonic-music
I think we all know about view source. The risk lies exactly where you
described it. I've never heard of being able to diff a running web page
against a set of source repositories. Perhaps another HN reader will go invent
that.

