Swiss-based PGP end-to-end encrypted email provider, ProtonMail, now has an onion address, allowing users to access its service via a direct connection to the Tor anonymizing network — in what it describes as an active measure aimed at defending against state-sponsored censorship.
The startup, which has amassed more than two million users for its e2e encrypted email service so far, launching out of beta just over a year ago, says it’s worried about an increased risk of state-level blocking of pro-privacy tools, pointing to recent moves such as encrypted messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation that mandates tracking of web activity and can also require companies to eschew e2e encryption and backdoor products.
The service also saw a bump in sign-ups after the election of Donald Trump as US president last fall, with web users apparently seeking a non-US based secure email provider in light of the incoming commander-in-chief’s expansive digital surveillance powers.
“Given ProtonMail’s recent growth, we realize that the censorship of ProtonMail in certain countries is inevitable and we are proactively working to prevent this,” says co-founder Andy Yen in a statement on the launch. “Tor provides a way to circumvent certain Internet blocks so improving our compatibility with Tor is a natural first step.”
Users of the Tor browser can now reach ProtonMail directly using its new onion address:
It has also written instructions on how to set up ProtonMail over Tor.
Users accessing ProtonMail via Tor will have their connections anonymized — meaning the email service won’t be able to see (and thus couldn’t be forced to divulge) their true IP address.
Of course it’s still possible to browse to ProtonMail’s main website via Tor, but the company points out that the direct onion address has a few advantages. One is e2e encryption at the Tor level: the encryption applied by Tor is present until the connection reaches ProtonMail’s infrastructure (whereas a non-onion Tor connection has no Tor encryption beyond the last node), thereby making it hard for an attacker to perform a man-in-the-middle attack on a user’s connection.
The onion site also provides end-to-end authentication, which ProtonMail says helps mitigate some of the weaknesses of the existing Certificate Authority (CA) system that’s used across much of the Internet, pointing out that many CAs are trusted by default and some can be under direct government control. For this reason it’s also making the onion site HTTPS only, which doubles as a backup in case Tor itself is ever compromised.
“If someday Tor were to be compromised, enforcing HTTPS adds another layer of security for the end user. Similarly, Tor also provides security in case HTTPS is compromised. The notion of HTTPS being compromised is one that we take seriously, considering that there are hundreds of CAs that are trusted by default, with many of them under direct government control in high risk countries,” it writes in a blog about the launch.
“Thus, by using our onion site, your emails are protected by three layers of end-to-end encryption, there’s Tor’s encryption on the outer layer, HTTPS in the middle layer, and PGP as the final layer of defense for the emails themselves.”
Another motivating factor it flags for launching the Tor hidden service is to bolster its defenses against DDoS attacks — given it’s harder for attackers to determine the physical location and IP address of the onion site, so it could offer a workaround for accessing ProtonMail in the event of a sustained DDoS attack taking its web address offline.
ProtonMail suffered a major incident on that front back in November 2015, with the email service going down for more than 24 hours. Yen tells TechCrunch it still gets major DDoS attacks “routinely”, although he reckons its defenses and network are now able to withstand them “without user impact”.
“That said, the resistance of Tor to standard DDoS attacks is something that is interesting to us, particularly since DDoS attacks have continually grown in size over the past year,” he adds, although he emphasizes it is still a “secondary motivation compared to the concerns we have about compromises in the certificate authority system and government mandated blocking”.
ProtonMail’s onion site is described as “experimental” at this point, so it’s warning reliability “may not be as high as our standard site” — even above and beyond the typically slower connection Tor users generally get.
“Even without using Tor, your ProtonMail inbox is still strongly protected with PGP end-to-end encryption, secure authentication (SRP), and optional two-factor authentication. However, ProtonMail definitely has users in sensitive situations where the extra security and anonymity provided by Tor could literally save lives,” it adds.