Proton Mail

Standard

A Swiss end-to-end encrypted email service launched in 2014. Operated by Proton AG (owned by non-profit Proton Foundation), Proton Mail uses OpenPGP-compliant encryption with open-source clients. The company also operates Proton VPN, Proton Drive, Proton Calendar, Proton Pass, and Proton Wallet. As of 2022, Proton Mail had nearly 70 million users.

README

Proton Mail

Description

Proton Mail is a Swiss end-to-end encrypted email service founded in 2014 by scientists from CERN and MIT. Operated by Proton AG (owned by the non-profit Proton Foundation), it provides zero-access encryption, meaning even Proton cannot read user emails. As of 2022, Proton Mail had nearly 70 million users worldwide.

Proton has expanded into a full privacy suite including Proton VPN, Proton Drive, Proton Calendar, Proton Pass, and Proton Wallet - all using end-to-end encryption with open-source clients.

Links

  • Website: https://proton.me
  • GitHub: https://github.com/ProtonMail
  • Blog: https://proton.me/blog

Category

Privacy Infrastructure (Encrypted Email / Privacy Suite)

Ecosystem

Non-blockchain (Traditional Privacy Technology)

Key Features

Encryption

  • OpenPGP Standard: Industry-standard email encryption
  • Zero-Access Encryption: Proton cannot read user data
  • End-to-End Encryption: Automatic for Proton-to-Proton
  • Password-Protected Emails: E2E to non-Proton recipients

Privacy

  • Swiss Jurisdiction: Strong privacy laws
  • No IP Logging: (with VPN)
  • Anonymous Signup: Possible without phone/email
  • Open Source: All client apps

Project Status

Status: Production (Active Development)

GitHub Metrics

| Repository | Stars | Language |
|------------|-------|----------|
| WebClients | 5,199 | TypeScript |
| ios-mail | 1,600 | Swift |
| proton-bridge | 1,400 | Go |
| gopenpgp | 1,208 | Go |
| android-mail | 716 | Kotlin |
| gluon | 528 | Go |

Open Source Status

  • Web Interface: MIT License
  • iOS App: GPL v3
  • Android App: GPL v3
  • Bridge: Open source
  • Backend: Closed source

Products

| Product | Purpose |
|---------|---------|
| Proton Mail | Encrypted email |
| Proton VPN | Privacy VPN |
| Proton Drive | Encrypted cloud storage |
| Proton Calendar | Encrypted calendar |
| Proton Pass | Password manager |
| Proton Wallet | Bitcoin wallet |

Organization

  • Company: Proton AG
  • Parent: Proton Foundation (non-profit)
  • HQ: Geneva, Switzerland
  • Founded: 2014
  • Origins: CERN and MIT scientists

Research completed with Constitutional Research v2.0.0
Last updated: 2026-01-19

OSINT Assessment

ProtonMail OPSEC & Vulnerability Assessment

Project: Proton (ProtonMail, ProtonVPN, Drive, Calendar, Pass)
Assessment Date: 2026-01-19
Methodology: Constitutional Research Framework v3
Confidence Score: 0.93


Executive Summary

Proton demonstrates exceptional infrastructure independence, owning their IP allocation, running their own nameservers, and operating from Swiss data centers. With 179 public repositories and comprehensive security headers including HSTS preload and detailed CSP, Proton sets a high standard for privacy-focused services. The self-hosted model eliminates reliance on US cloud providers.


Infrastructure Overview

DNS & Domain Configuration

| Attribute | Value |
|-----------|-------|
| Primary Domain | proton.me |
| DNS Provider | Self-hosted |
| Nameservers | ns1.proton.me, ns2.proton.me, ns3.proton.me |

Notable: Running your own authoritative nameservers is uncommon and indicates serious commitment to infrastructure independence.

IP Ownership

| Attribute | Value |
|-----------|-------|
| IP Range | 185.70.42.0/24 |
| Netname | CH-PROTONMAIL-20140915 |
| Organization | Proton AG |
| Location | Plan-les-Ouates, Switzerland |

Notable: Proton owns their IP allocation outright - they're not renting from a cloud provider.


Service Architecture

Verified Services (DNS Enumeration)

| Service | Subdomain | IP | Purpose |
|---------|-----------|----|---------|
| ProtonMail | mail.proton.me | 185.70.42.37 | Encrypted email |
| Account | account.proton.me | 185.70.42.36 | Account management |
| Calendar | calendar.proton.me | 185.70.42.39 | Encrypted calendar |
| Drive | drive.proton.me | 185.70.42.40 | Encrypted storage |
| VPN | vpn.proton.me | 185.70.42.45 | VPN service |
| Pass | pass.proton.me | 185.70.42.63 | Password manager |
| Verify | verify.proton.me | 185.70.42.52 | Email verification |
| Main | proton.me | 185.70.42.45 | Website |

Product Ecosystem

| Product | Privacy Feature |
|---------|----------------|
| ProtonMail | E2E encrypted email with PGP |
| ProtonVPN | No-logs VPN, Secure Core servers |
| Proton Calendar | E2E encrypted calendar |
| Proton Drive | E2E encrypted cloud storage |
| Proton Pass | E2E encrypted password manager |


Shodan Analysis

Main Services

{
  "ip": "185.70.42.45",
  "ports": [80, 443],
  "cpes": [],
  "vulnerabilities": [],
  "tags": []
}

Assessment: Minimal exposure - only HTTP/HTTPS ports, no unnecessary services.

Attack Surface

| IP | Service | Ports | Status |
|----|---------|-------|--------|
| 185.70.42.45 | Main/VPN | 80, 443 | ✅ Clean |
| 185.70.42.37 | Mail | 80, 443 | ✅ Clean |
| 185.70.42.36 | Account | 80, 443 | ✅ Clean |
| 185.70.42.39 | Calendar | 80, 443 | ✅ Clean |
| 185.70.42.40 | Drive | 80, 443 | ✅ Clean |


Security Headers Analysis

proton.me - EXCELLENT

| Header | Value | Grade |
|--------|-------|-------|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | A+ |
| Content-Security-Policy | Comprehensive with report-uri | A |
| X-Content-Type-Options | nosniff | A |
| Referrer-Policy | strict-origin-when-cross-origin | A |
| X-Permitted-Cross-Domain-Policies | none | A |
| X-XSS-Protection | 0 (correctly disabled) | A |

CSP Highlights

default-src 'self';
connect-src 'self' wss: https://account.proton.me https://reports.proton.me...
report-uri https://reports.proton.me/reports/csp;
frame-ancestors 'self' https://*.proton.me;

  • report-uri configured - Proton monitors CSP violations
  • frame-ancestors restricted - Prevents clickjacking
  • strict default-src - Whitelisted sources only

GitHub Organization Analysis

| Metric | Value |
|--------|-------|
| Organization | ProtonMail |
| Public Repos | 179 |
| Created | March 14, 2014 |

Key Repositories

| Repository | Purpose |
|------------|---------|
| WebClients | Web app clients |
| proton-mail-android | Android app |
| proton-mail-ios | iOS app |
| gopenpgp | Go PGP library |
| go-proton-api | Go API client |

The 179 public repositories demonstrate a strong commitment to open-source transparency.


Privacy Architecture

Zero-Access Encryption

| Feature | Description |
|---------|-------------|
| Email Encryption | PGP-based E2E encryption |
| Zero-Access | Proton cannot read user emails |
| Key Generation | Client-side key generation |
| Password | Never sent to servers |

Swiss Jurisdiction

| Aspect | Benefit |
|--------|---------|
| Privacy Laws | Strong constitutional privacy protections |
| Data Requests | Requires Swiss court order |
| Transparency | Annual transparency reports published |
| No Mass Surveillance | Not part of 14-Eyes alliance |


Risk Assessment

Infrastructure Strengths

| Feature | Status | Notes |
|---------|--------|-------|
| IP Ownership | ✅ | Own /24 allocation |
| DNS Independence | ✅ | Self-hosted nameservers |
| Cloud Independence | ✅ | No AWS/GCP/Azure |
| Swiss Hosting | ✅ | Strong privacy jurisdiction |
| Security Headers | ✅ | HSTS preload, comprehensive CSP |
| Open Source | ✅ | 179 public repos |
| Port Exposure | ✅ | Only 80/443 |
| CVEs | ✅ | None detected |

Centralization Concerns

| Concern | Mitigation |
|---------|------------|
| Single company | Open-source code allows auditing |
| Single location | Swiss law provides legal protection |
| No federation | Consistent security model |
| No self-hosting | Ensures encryption standards |


Comparison: Infrastructure Models

| Aspect | Proton | Signal | Typical SaaS |
|--------|--------|--------|--------------|
| IP Ownership | ✅ Own | ❌ Cloudflare | ❌ Cloud |
| Nameservers | ✅ Self-hosted | ❌ Cloudflare | ❌ Cloud |
| Cloud Provider | ✅ None | ⚠️ Multi-cloud | ❌ AWS/GCP |
| Jurisdiction | 🇨🇭 Swiss | 🇺🇸 US | Varies |

Proton has the most independent infrastructure of major privacy services.


Potential Improvements

For Proton (Minor)

  1. Geographic redundancy - Consider backup data center for disaster recovery
  2. Infrastructure transparency - Publish more details about data center security

For Users

  1. Enable 2FA - Use hardware keys for maximum security
  2. Use recovery phrase - Store securely for account recovery
  3. Verify keys - Check PGP keys for high-security contacts
  4. Use ProtonVPN - For network-level privacy

Methodology & Sources

This assessment was conducted using:

  • DNS resolution - Infrastructure mapping
  • Shodan InternetDB - Port/vulnerability scanning
  • HTTP header analysis - Security posture
  • WHOIS lookup - IP ownership verification
  • GitHub API - Repository analysis
  • Proton documentation - Privacy architecture

Note: crt.sh certificate transparency query timed out due to large certificate volume - subdomain enumeration completed via DNS.

Assessment conducted in accordance with Constitutional Research Framework principles.


Report generated: 2026-01-19
Next review recommended: 2026-04-19

Repository Analysis

Code Review: Proton Mail

Last Updated: 2026-01-19


Organization Overview

Organization: ProtonMail
Location: Geneva, Switzerland
Repositories: 179
Followers: 4,700+


Key Repositories

| Repository | Stars | Language | License |
|------------|-------|----------|---------|
| WebClients | 5,199 | TypeScript | MIT |
| ios-mail | 1,600 | Swift | GPL-3.0 |
| proton-bridge | 1,400 | Go | GPL-3.0 |
| gopenpgp | 1,208 | Go | MIT |
| android-mail | 716 | Kotlin | GPL-3.0 |
| gluon | 528 | Go | MIT |


Technology Stack

| Component | Technology |
|-----------|------------|
| Web | TypeScript, React |
| iOS | Swift |
| Android | Kotlin |
| Bridge | Go |
| Crypto | OpenPGP.js, gopenpgp |


Open Source Status

Fully Open

  • All client applications
  • Cryptographic libraries
  • Bridge application

Closed Source

  • Backend server code
  • Infrastructure

Development Health

| Indicator | Status |
|-----------|--------|
| Activity | Active |
| Commits | Regular |
| Issues | Responsive |
| Documentation | Good |


Constitutional Research Note: Proton demonstrates commitment to open-source for client-side security verification, following their CERN/MIT heritage with MIT licensing for web components.

Team Research

Team Analysis: Proton Mail

Last Updated: 2026-01-19


Organization

Company: Proton AG
Parent: Proton Foundation (non-profit)
Headquarters: Geneva, Switzerland
Founded: 2014


Origins

Proton Mail was founded by scientists from CERN (European Organization for Nuclear Research) and MIT who met at CERN facilities in Geneva. The team sought to create an email service that could protect privacy by design.


Leadership

| Role | Status |
|------|--------|
| CEO | Andy Yen (co-founder) |
| Technical Team | Former CERN/MIT scientists |


Team Size

Proton has grown from a small team to a significant privacy technology company with operations in Geneva and expanding international presence.


Sources

| Source | Type |
|--------|------|
| Proton Website | Official |
| Wikipedia | Reference |


Constitutional Research Note: Proton's academic origins at CERN and MIT provide credibility for their cryptographic claims. The non-profit foundation structure indicates mission-driven rather than purely profit-driven operation.

Security Analysis

Security Analysis: Proton Mail

Last Updated: 2026-01-19


Security Overview

Proton Mail uses OpenPGP-compliant end-to-end encryption, meaning emails between Proton users are automatically encrypted. The service implements "zero-access encryption" where Proton cannot read user data.


Encryption

Email Encryption

| Type | Method | Protection |
|------|--------|------------|
| Proton-to-Proton | Automatic E2E | Full encryption |
| Proton-to-External | Optional password | Sender-controlled |
| External-to-Proton | Stored encrypted | At-rest encryption |

Key Management

  • Keys stored encrypted with user password
  • Zero-access architecture
  • PGP key export available

Open Source & Audits

Open Source Components

  • Web Interface: MIT License - full source available
  • iOS App: GPL v3
  • Android App: GPL v3
  • Bridge: Open source
  • gopenpgp: High-level OpenPGP library

Independent Audits

  • Multiple third-party security audits conducted
  • OpenPGP.js library widely reviewed
  • Apps built from auditable source

Closed Source

  • Backend servers remain proprietary
  • Cannot verify server-side claims independently

Jurisdictional Protection

Swiss Law

  • Strong privacy legislation
  • Outside EU/US jurisdiction
  • Strict data protection requirements

Known Legal Actions

  • Some compliance with Swiss court orders
  • IP logging cases when legally required
  • Transparent about legal limitations

2025 Developments

  • AI infrastructure moving to EU (Germany/Norway) due to Swiss privacy law concerns
  • Continued expansion of product suite
  • Block ordered in India (specific case)

Limitations

  1. Backend Closed Source: Cannot verify server claims
  2. Metadata: Email metadata (to/from/subject) may be visible
  3. Legal Compliance: Swiss court orders still apply
  4. External Email: Encryption to non-Proton requires extra steps

Sources

| Source | Type |
|--------|------|
| Proton Open Source | Official |
| Wikipedia | Reference |
| GitHub | Official |


Constitutional Research Note: Proton Mail provides strong encryption for client-side operations with open-source, auditable code. The main limitation is closed-source backend, requiring trust in Proton AG's claims about server-side handling.
