ProtonBlog(new window)
Suscribirse por RSS
Illustration of the Bridge security model

The Proton Mail Bridge security model

Proton Team(new window)

Compartir esta página

Proton Mail Bridge is a desktop application that runs in the background on your computer and encrypts and decrypts your mail as it enters and leaves your device. It allows for full integration of your Proton Mail account with email clients like Microsoft Outlook, Mozilla Thunderbird, and Apple Mail.

This document discusses how Bridge handles sensitive information, describes its potential attack vectors, and explains the security features that mitigate these attacks. (Note: This security model applies to the Bridge application for Linux, macOS, and Windows.)

This security model is technical in nature, but was written in plain language so that the average user can understand the important takeaways. You can also read more about what Proton Mail is and is not designed to protect you from in the Proton Mail threat model(new window).

You can view Bridge’s open source code on GitHub(new window), review the security audit report(new window) by SEC Consult, and read more about it in our open source Bridge announcement(new window)

Bridge security features

As part of normal, day-to-day operations, Bridge must handle different types of data with varying levels of sensitivity. This data includes (but is not limited to):

  • User credentials and an access token for authentication with the Proton servers
  • Public and private keys for sending and reading messages
  • Encrypted messages, attachments, and metadata

We explain how Bridge secures this sensitive data in greater detail below.

Your passwords never leave your machine
Users log in to Bridge, which in turn authenticates with the Proton Mail API using the Secure Remote Password protocol(new window). This authentication process ensures a user’s password never leaves their machine, and it generates an access token and a refresh token.

The access token is relatively short-lived and is used to authenticate any subsequent API requests; it is stored in the device’s memory. The refresh token is used to generate new access tokens and is stored securely in the operating system’s keychain (Windows Credentials Manager, macOS Keychain, or pass/gnome-keyring on Linux). The user’s hashed and salted mailbox password (used to decrypt their PGP keys) and Bridge password (used to connect an email client to Bridge) are also held in the operating system’s keychain.

Ensuring a secure connection to Proton servers
Bridge communicates with the Proton Mail API over an encrypted TLS connection. It additionally employs TLS certificate public key pinning to ensure it only connects to trusted Proton Mail servers. If Bridge receives an untrusted public key, it will assume an unknown intermediary is pretending to be a Proton server and immediately warn the user.

Bridge never stores or shares a user’s PGP keys
After the user logs in, Bridge downloads their encrypted, private PGP keys from the Proton servers and unlocks them. These keys are held in the device’s memory, never on disk. Whenever a user turns off their device, they wipe its memory. This makes it unlikely an attacker will be able to obtain a copy of a user’s PGP keys, even if they steal the user’s device. These keys are also never shared with other applications on your device and stay within Bridge’s memory space.

Bridge does not store decrypted message data
When an IMAP client requests a message body or attachment, it is downloaded from the Proton servers as an encrypted PGP message, decrypted locally, and then transmitted to the IMAP client. Similar to the user’s PGP keys, Bridge does not permanently store any message bodies or attachments to disk, further reducing the amount of sensitive data available on the device.

Attack mitigation

Here we describe the potential attack vectors of Bridge and how we mitigate these attacks.

Reducing the threat of a MITM attack

As described, Bridge employs TLS certificate pinning, which mitigates the risk of a network-level man-in-the-middle (MITM) attack.

Furthermore, the content of messages sent from Bridge to Proton Mail users or external recipients using PGP has an additional layer of protection thanks to end-to-end encryption. This means Bridge encrypts the user’s message before it leaves their device. The message remains encrypted until it reaches the recipient’s device, which decrypts it. This prevents any third party, including Proton Mail, from accessing the content of a user’s message. Messages sent this way remain inaccessible because a user’s mailbox password never leaves their device and, thus, is never transmitted to an attacker.

Secure updates

Bridge on Windows and macOS includes a feature that allows it to self-update. The update process has additional safeguards in place to verify that only trusted versions of Bridge that are created and signed by Proton Mail are installed.

Bridge recommended use cases

Bridge is a unique tool when compared to the other Proton Mail apps. As such, there are specific cases in which it would be more practical and useful than other Proton Mail apps.

Below are some examples of recommended use cases for Bridge:

Offline editing 
If you find yourself without a stable Internet connection, you can use your favorite email client with Bridge to download emails while you do have good Internet access and then process them offline later. Most email clients will automatically send and receive your drafts once you are back online.

Offline backups of your emails are required
If you need to have offline copies of your messages for whatever reason, Bridge is the easiest way to accomplish this. The Bridge app enables your IMAP/SMTP client to do this automatically if you choose to do so.

Add Proton Mail security to already known email clients
If you or your staff do not feel confident learning how to use a new email service, Bridge lets you add Proton Mail encryption to your messages while continuing to use your favorite IMAP/SMTP email client. These clients include Outlook, Thunderbird, and Apple Mail, all applications that many people are familiar with. This means that once you set up Bridge, using it does not require any new training.

Bridge security model scope

No application is 100% secure, and no piece of software can protect its user against every potential threat. Proton Mail Bridge is engineered to provide additional protection to its users’ data, but certain conditions are outside of the scope of the security model.

User device security
We assume users run the Bridge app in a safe environment. For instance, we assume that Bridge program files are installed to a location where normal (non-admin) users have no write privileges. Furthermore, we expect the user’s device to be free of any malicious software (keyloggers, screen recorders, memory scanners, etc.) that could access the device’s data in memory or on disk. Bridge, unfortunately, cannot secure your data if your device is already compromised.

Additionally, we assume that the IMAP/SMTP ports that the email client connects to are not exposed beyond the device that Bridge is running on. The Bridge application ignores all connections that do not originate from the localhost, and we assume the user will not attempt to circumvent this.

Bridge installer security
We assume that the user securely downloaded the Bridge installer from our server (the server should present a valid and expected SSL certificate). For Windows and macOS, the operating system inspects the signatures on the installer file automatically before installation. It then displays the results to the user, which we assume they properly verify. We recommend Linux users refer to our support article on Verifying the Proton Mail Bridge package(new window) for instructions. If you download the Bridge application from an unauthorized source, we cannot guarantee the safety of the installer. 

Our recommendations for keeping your device secure

We have invested heavily in the security of our Bridge app. You can help maximize the security of your own device by taking a few simple measures: 

  1. Encrypt your device’s hard drive. Windows(new window) and macOS(new window) devices all have built-in encryption systems, but you have to turn them on. Once you have encrypted your drive, write down your recovery code and store it in a secure place.
  2. Enable your operating system’s antivirus protection, if available.
  3. Ensure your network ports are secured by a firewall to prevent outside machines from connecting to them.
  4. Do not install untrusted programs on your device. This includes unknown open source versions of Bridge. Downloading Bridge directly from Proton Mail(new window) is the safest option.
  5. Do not open links or download attachments from untrusted senders.

Conclusion

Our first priority is always our users’ security. Our goal is to make it easy for anyone to protect their privacy by creating tools that apply advanced cryptography to their messages automatically. The Bridge tool was designed to add additional security to already existing IMAP/SMTP email clients. By keeping your device secure, you can use these email clients and still take charge of your data. Thank you for your support!

You can get a free secure email account from Proton Mail here(new window).

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support.

Protege tus correos electrónicos y también tu privacidad
Obtén Proton Mail gratis

Compartir esta página

Proton Team(new window)

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Artículos relacionados

Looking into the Dropbox privacy policy
en
Dropbox was the first mainstream cloud storage provider, and still the biggest player on the market, with 700 million users in 2022. We took a dive into Dropbox’s privacy policy to see how well the company protects the personal data of those millions
en
  • Cuestiones profundas de privacidad
What’s your data really worth?(new window)
There’s a saying that data is the new oil because of how valuable it is to the digital economy. But what’s the value of your data, personally? Depending where you live, information about you could be worth at least several hundred dollars a year to F
en
Your organization’s data is only as secure as your employees’ passwords. Hackers often target employees for this reason, and some of the biggest data breaches in history were the result of weak passwords. Having a secure password manager for your wor
en
If there were still doubts over whether Apple is an abusive monopolist, they were emphatically dismissed this week. Apple’s new app store policy that it claims will bring it into compliance with Europe’s Digital Markets Act is a textbook case of mali
How to export passwords from Chrome
en
  • Cuestiones básicas de privacidad
How to export passwords from Chrome(new window)
If you want to leave Google, one of the first things you must do is stop using its proprietary browser, Chrome, and its built-in password manager. A vital first step towards leaving Google is downloading your passwords so you can transition more easi
what is ransomware
en
Ransomware is one of the more common and dangerous forms of cybercrime, but what is ransomware exactly? In this article we’ll explain how it works, and what you can do to prevent becoming the victim of a ransomware attack — and how to recover if you