Chrome / Firefox add-on
Even with the mailbox encrypted, it is possible to subvert the code on your servers - or force ProtonMail to subvert it by court order - to capture users' mailbox passwords and therefore gain access to emails. This is exactly how HushMail got "busted" some time ago, feeding a specified user subverted code that captured the user's password for them!
Systems like BlockChain Wallet use browser add-ons to prevent this from happening. Ever. Since the add-on is used to handle ALL communications from and to the servers, and it decrypts the content from the servers, it does not matter whether the server is backdoored (for one reason or another)! It would not matter how you subverted the code on ProtonMail servers, since the add-on would handle all these things inside the user's computer - and no critical information would ever, never, be sent to ProtonMail servers, no matter how bad the code installed on ProtonMail servers was.
Since anyone can download and verify the add-on, there is hardly any possibility to install any kind of backdoor there - and absolutely no way to install a backdoor there for a specific user.
What happened to the Proton Mail Checker thing? The GitHub page is gone and googling doesn't return anything useful.
Also make an extension for ProtonVPN too...
Lloyd Ewing commented
I would like to suggest and ask if such an add-on could also be provided for Mozilla Thunderbird. I have to admit that I don't know enough about the operation of the proposed addon to know if that would be feasible.
Do you have a technical article that articulates what happened in the case of HushMail and how code was compromised to capture users' credentials and how a browser plug-in prevents this?
I know that browser plug-ins are a big, major problem in many security incidents because they have too much power, too much visibility and, as with anything else, exploiting a vulnerability or logic flaw in the plugin compromises mailboxes as well. It's a double-edged sword.
Yes, such an approach to enhance the security will be useful; this is the same way MEGA.NZ does it (extensions for browsers, dedicated standalone applications).
Make sure not to distribute it like MEGA did - via the Chrome/Chromium app store!
I'm interested in the description of this secure add-on process... particularly for its potential correlation to other integration possibilities (namely & such as Zapier, Calendly, etc).
As other features come online in the Proton suite - Calendar, Doc Drive, etc. - the ability to translate content across other platforms will be essentially important for business users.
Please have your add-on turn off WebRTC IP leaking.
Would this feature be available for Safari too? Not everyone wants to use an insecure browser like Firefox or get spied on by Google via Chrome.
I second and third all of the above comments. I truly, truly believe the ProtonMail team is committed to our security and to keeping our data encrypted and only viewable by us. However, this add-on needs to be implemented to bring ProtonMail's actual security in line with their promised security. Does this update have an expected release date?
Well, at the moment it's marked as planned, meaning that they will at some point make an official addon/extension for browsers. At the moment they're working on other things, but they will get around to this eventually. Just remember ProtonMail is being developed by a small team, so progress may not be as quick as with other providers.
I do believe however this deserves extra priority and should also be compatible with browsers such as Opera as well as Firefox and Chrome.
What is the current status of this?
I would love to see such an add-on available for Linux/Firefox users like me.
Is it possible to implement the same kind of security in the iOS version? This is a question for the specialists, not a feature request.
Wow! That sounds excellent, Ray Ben! What have they responded to you? I would assume this kind of software would be exactly what they would want! Since it's open source, they could go through the source code, compile it and sign it with their keys so that all could rely on it.
Keep upvoting this post of mine so it gets more attention! :D
In contrast to other extensions, it's also completely encrypted and private, including cloud synchronization etc. There's nothing better right now if you want to keep your privacy to yourself.
It's been developed in contact with ProtonMail officials and it's been offered, yes.
Regarding backdoors, it's open source and doesn't even require your mailbox password.
You can see the source here: https://github.com/JamesCullum/ProtonMail-Checker/tree/master
Is this add-on made by... I'm sorry, who are you? You are not an official ProtonMail dev, are you?
It is really cool if it really works and doesn't contain backdoors etc. Have you offered it to ProtonMail?
Cameron Taylor commented
This is a really good idea, though I'd prefer a desktop application to Firefox add-on.
> But doesn't such an addon need to be updated sometimes
> (for example for new versions of Firefox)? So wouldn't this
> afford Protonmail a hypothetical opportunity to change the
> code in the addon and compromise the encryption? So at
> the end of the day you're still stuck having to trust the
> Protonmail devs and administrators.
1) The addon could/should be open source, of course.
2) If the addon is backdoored, then it would be easy to find anyway, since all users are using the same add-on. However, compromising a single user's inbox code (from the server) would be very hard to find out, since only the user who is being compromised might detect the code he is targeted with.
3) Any time the addon would be updated, the user could choose whether to update it or not - you cannot "opt out" of server-side updates, however! Paranoid users would not allow the addon to be updated, i.e. they would disable automatic updates and only upgrade the addon after many people have examined the add-on and found it safe to use.
> I just don't think there's a model in which you get around
> having to trust the people who wrote the code, unless you
> are reviewing all the code yourself or writing it yourself.
Having an addon is not a perfect solution. However, it is a very good solution, much, much better than "server-side code only". And as pointed out, it would make it impossible for ProtonMail to target specific users for backdoors; then all backdoors would have to be pushed to all users, adding a great deal of danger of being discovered.
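The point made in this reply and in the original post is that a locally installed add-on is one fixed artifact everyone can check, unlike server-delivered code. As an added example, not code from the thread or from any ProtonMail project, here is a small script that pins the SHA-256 of every file in an unpacked add-on directory and later reports modified, added or missing files, which is the check a user who disabled automatic updates would run before accepting a new version. The add-on files it hashes are constructed inline.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare(pinned, actual):
    """Report files whose digest changed, files absent from the pinned list, and files gone."""
    return {
        "modified": sorted(p for p in pinned if p in actual and pinned[p] != actual[p]),
        "added": sorted(set(actual) - set(pinned)),
        "missing": sorted(set(pinned) - set(actual)),
    }


def demo():
    """Constructed sample: pin a tiny add-on, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {"manifest.json": b'{"name": "demo-addon"}', "js/crypto.js": b"// decrypt locally\n"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        pinned = hash_tree(root)  # the digests a reviewed release would publish
        assert compare(pinned, hash_tree(root)) == {"modified": [], "added": [], "missing": []}
        with open(os.path.join(root, "js/crypto.js"), "ab") as f:
            f.write(b"// unreviewed change\n")  # simulated silent modification
        with open(os.path.join(root, "js/extra.js"), "wb") as f:
            f.write(b"")  # simulated file not in the reviewed release
        os.remove(os.path.join(root, "manifest.json"))
        return compare(pinned, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```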