Updates

2022 January 6 update: Since writing this post, I have learned that the mobile apps do not support necessary OpenPGP key management functionality like importing and verifying keys. (The Bridge client does not support this functionality either, by the way.) It seems using a third-party client like ElectronMail (or handling the encryption with a separate application altogether) is the only way to avoid trusting the ProtonMail server.

Intro

Read this paper for more detail. This post is a much shorter version that just addresses what to do about the issues this paper highlights.

What are we doing here?

Premise

ProtonMail's threat model generally assumes that ProtonMail's server is trustworthy. Let's assume instead that it's not.

Goal

The ProtonMail server cannot read your encrypted emails or send encrypted emails successfully pretending to be you.

Out of scope

• non-E2EE messages
• anonymity
• metadata protection (obfuscating who is talking to whom)
• using a better encryption protocol than OpenPGP

1. Don't use webmail

Instead of webmail, use a dedicated app like the iOS or Android app, or ElectronMail.

(Of course, you'll need to ensure that the app you download is authentic and also doesn't contain backdoors...)

Potential impact of using webmail

If you use webmail even once, the ProtonMail server could send a malicious version of the webmail client which steals your keys, allowing ProtonMail to read all your messages (past, present, and future) and send encrypted messages which appear to come from you.

(See What do I do if I think my keys have been compromised?)

2. Use a strong password

(See I Use a Password Manager, and So Should You for advice on passwords.)

Potential impact of using a weak password

If you use a weak password, the ProtonMail server could decrypt your keys, giving it the ability to read all your messages (past, present, and future) and send encrypted messages to other people which appear to come from you.

(See What do I do if I think my keys have been compromised?)

3. Verify your contacts' keys

Compare the keys listed for your contacts with those contacts to ensure they match. Use some trusted channel other than ProtonMail. Comparing in-person is the most secure option.

(See Address verification with trusted keys for how to do this.)

Potential impact of not verifying your contacts' keys

If you don't verify your contacts' keys, then ProtonMail could perform a PITM attack to read (or alter) your encrypted messages to those contacts without you knowing. It could also write or modify encrypted emails which appear to be from those contacts.

4. Don't use "Encrypt-to-Outside"

ProtonMail has a feature that lets you send encrypted emails to people who don't use ProtonMail or OpenPGP, instead using a password you both know. This is implemented by sending them a link for a ProtonMail web client, which is problematic for the same reason discussed above. (As well, the link you send your contact could be manipulated by either person's email server.)

Instead, use ProtonMail's OpenPGP features for all E2EE emails.

Potential impact of using "Encrypt-to-Outside"

Your "Encrypt-to-Outside" conversations could be read or altered by either ProtonMail or your contact's email server.

(Using "Encrypt-to-Outside" is itself insecure but does not harm the security of your other, OpenPGP-encrypted conversations.)

Other stuff

What do I do if I think my keys have been compromised?

If you suspect your keys have been compromised, it's not the end of the world. Just make new ones that your adversary doesn't have and mark the old ones as compromised. Make sure to verify your new keys with your contacts.

(See How do I download my public and private keys? for how to manage your keys.)

Are you saying ProtonMail is bad?

No.

Are you saying ProtonMail is good?

No.

Conclusion

These are the steps you need to take to use ProtonMail with proper end-to-end encryption, i.e. to send and receive emails that ProtonMail technically could not read, even if it wanted to.