1. 14

  2. 4

    Important bit about the threat model:

    Since the Bridge decrypts data locally, it’s important to ensure that your computer is safe. If someone breaks into your computer while using the Bridge, the unencrypted data could potentially be viewed as well.

    They downplay it a little, but basically once it has been decrypted in the bridge’s proxy and passed to the traditional client, it is stored and indexed in plaintext. ProtonMail cannot securely wipe it from the client or control access. It opens the contents of your account to all the attack surfaces of a traditional client.

    Before using the bridge, you may have a well-reasoned, locked down threat model that you understand completely, but as soon as you start forwarding things to Outlook or other clients, you have to consider, well, a lot. Also, if you’re a responsible computer user, you are constantly backing up your machines – which in this case means there are additional latent snapshots of your ProtonMail contents resting on disk somewhere. Secure your backups too, folks.

    I understand that they didn’t want to create their own client from scratch; it is hard to get right on many platforms and many people will reject it if it doesn’t work exactly like what they’re used to. But without owning and securing the client, ProtonMail can only expose you to huge, well-exploited attack surfaces. In this regard, their mobile apps are actually pretty good solutions.

    There’s an unofficial cross-platform Electron app that serves up the web interface, but there’s no indication that it’s securely wiping memory or taking steps to avoid leaking data, so I can’t recommend that either.

    1. 1

      That’s quite interesting though it doesn’t seem to have a headless option, I’d love to run this on my server and connect to via VPN (and strict firewall rules) so I can use K9 mail on mobile and thunderbird at home… Probably on their todo list though.