This repository has been archived by the owner on Feb 18, 2021. It is now read-only.

PM's reddit account hinted at help from the community #189

Closed
thiswillbeyourgithub opened this issue Nov 22, 2018 · 5 comments

Comments

@thiswillbeyourgithub

thiswillbeyourgithub commented Nov 22, 2018

Hi everyone :)

In the last few days Nadim Kobeissi (a French cryptography researcher) had an exchange with ProtonMail about the security of its web app (published paper here). In one of the exchanges that followed on reddit, ProtonMail's account said this (emphasis mine):

We think a browser extension is something that the ProtonMail community can start building however, similarly to how the ProtonVPN CLI, and non-official ProtonMail electron app, was built with mostly community contributors.

For those unfamiliar, since the beginning of PM it was a known theoretical issue that IF the servers were compromised then they could serve code that is not the openly accessible code but instead just a plain password catcher. Given that PGP doesn't allow for forward secrecy, this scenario happening once is enough to compromise all of your emails.

Already existing solutions to this are: using Bridge, using this app, using the smartphone version.
Another solution is to create an open source browser plugin that handles the most important part of the code or checks that the code from PM's server is valid.

I have no time whatsoever for any of this but thought that posting this here could maybe be the start of something or at least might be of interest to some of you :)

@kontrollanten
Collaborator

Thanks for your post! You write

Already existing solutions to this are: using Bridge, using this app, using the smartphone version.

With "this app" I assume you mean our electron app? I'm in no way a crypto expert, but I can't see how this app differs from a web browser from a security perspective. With that said, a first step could be to implement a server verification in the electron app.

Even though a browser extension sounds interesting, right now I have to put my spare time into finishing our new version of the electron client; then I'll try to read the outcomes from Kobeissi.

@thiswillbeyourgithub
Author

thiswillbeyourgithub commented Nov 23, 2018

I indeed meant the electron app and you are right, I was mistaken by my sleepiness, it actually acts pretty much like the webapp and has the same vulnerability.

a first step could be to implement a server verification in the electron app.

(just to be clear, it's not verifying the server or its authenticity but checking the difference between the login code it serves vs the code openly available)

I completely agree, if someone ever created a browser extension then your app would become a "less secure" way of using PM compared to a browser+plugin, so I think in both cases implementing a code verification in the electron app would be useful.

My goal by making this post was to spark interest as I am not a professional programmer and can't help in any other way. I have no idea on the feasibility of code verification inside the electron framework, no idea how it would/should behave when PM updates its code. Maybe Kobeissi (has the reputation of being a bit of a prick though) or PM itself could give you a direction or help a bit?

anyway thanks for taking the time to read this :)

@thiswillbeyourgithub
Author

Apparently @vladimiry is working on something like this : vladimiry/ElectronMail#79

@kontrollanten
Collaborator

That looks like a great idea. I tried that a year ago or so, but then I wasn't able to build the ProtonMail webclient locally, but now it seems to be doable.

@vladimiry

vladimiry commented Dec 3, 2018

I've enabled the built-in web client feature handling this issue and posted there some details about the implementation which might be helpful for implementing the feature within this project. I confirm it's possible to build the WebClient project locally, but only on Linux/macOS. Will be happy to answer specific questions if any.
