Chrome / Firefox add-on
Even with the mailbox encrypted, it is possible to subvert the code on your servers - or to force ProtonMail to subvert it by court order - to capture users' mailbox passwords and therefore gain access to their emails. This is exactly how HushMail got "busted" some time ago: a specified user was fed subverted code that captured the user's password for them!
Systems like BlockChain Wallet use browser add-ons to prevent this from happening. Ever. Since the add-on handles ALL communication to and from the servers, and it decrypts the content from the servers, it does not matter whether the server is backdoored (for one reason or another)! It would not matter how you subverted the code on ProtonMail's servers, since the add-on would handle all these things inside the user's computer - and no critical information would ever, never, be sent to ProtonMail's servers, no matter how bad the code installed on ProtonMail's servers was.
Since anyone can download and verify the add-on, there is hardly any possibility of installing any kind of backdoor there - and absolutely no way to install a backdoor there for a specific user.
-
none commented
But doesn't such an add-on need to be updated sometimes (for example for new versions of Firefox)? So wouldn't this afford Protonmail a hypothetical opportunity to change the code in the add-on and compromise the encryption? So at the end of the day you're still stuck having to trust the Protonmail devs and administrators.
I just don't think there's a model in which you get around having to trust the people who wrote the code, unless you are reviewing all the code yourself or writing it yourself.
-
Tony Tan commented
I think we should do it the same way mega.co.nz did. An add-on would definitely make a targeted attack more difficult. It can also increase the cost of MITM attacks.
-
Anonymous commented
Mega is an example of how it could look.
-
Markus Jansson commented
...to say the same more exactly:
The browser add-on would contain and run all the code required to perform encryption/decryption actions - code would NOT be downloaded from ProtonMail's servers to be executed in the browser (as is currently the case). Therefore a compromise of ProtonMail's servers and their code would not affect the security of ProtonMail users' mail.
Without this add-on, ProtonMail is in practice no more secure than Gmail or any other email service. All of them can be compromised by court order and/or by adding bad code to the servers.