In a press release, the Swiss-based, privacy-oriented email provider ProtonMail acknowledged the growing need for secure communications. Beyond that, they recognized the increasing need to bypass “state sponsored censorship.” The announcement served a much greater purpose than mere recognition, however. They announced that ProtonMail had become Tor-accessible, with its own .onion address, both to increase user privacy and to allow users in countries with national censorship to access ProtonMail, even if the government blocked access to the website.
ProtonMail is both private and secure at its core, the service’s co-founder, Andy Yen, explained in a blog post. This development simply expanded upon the pre-existing security features provided by ProtonMail. “We realize that censorship of ProtonMail in certain countries is not a matter of if, but a matter of when,” the announcement explained. (For examples, see the recent Tor ban in Turkey and the Signal update that implemented censorship-bypassing mechanisms.)
Tor accessibility enhances the service’s privacy and allows a whole group of users to reach the email service where they once could not.
“Tor applies extra encryption layers on top of your connection, making it more difficult for an advanced attacker to perform a man-in-the-middle attack on your connection to us. Tor also makes your connections to ProtonMail anonymous as we will not be able to see the true IP address of your connection to ProtonMail,” he wrote in the blog post.
ProtonMail also acquired an HTTPS certificate from the certificate authority DigiCert, adding another layer of security. Developers explained that, despite sounding redundant, the additional layer of security that HTTPS provided could prove essential in the right circumstances. For instance, they explained, if the Tor network ever faced a major security vulnerability that a bad actor (or government) exploited, HTTPS would serve as a failsafe. The same argument applied in the inverse situation: if the green indicator in the URL bar ever changed to a color that was not green, the safety of HTTPS no longer existed, and the Tor network would then serve as the fallback security net. Though it came two years after the first company (Facebook) obtained an SSL certificate for a .onion website, the certificate still marked a milestone for ProtonMail.
Additionally, regarding the SSL certificate, the announcement mentioned how the green bar prevented classic phishing attacks. Because .onion URLs often look nonsensical, phishing is one of the biggest threats to .onion explorers. (This is another reason for the DeepDotWeb market list; the links are accurate and up-to-date.)
“ProtonMail’s .onion SSL certificate has Extended Validation so you will get the green bar in your browser, and it provides an additional layer of protection against phishing because you can be certain that the onion site you are connecting to belongs to us.” (ProtonMail)
The post also thanked Roger Dingledine of the Tor Project for helping with the .onion work.
ProtonMail comes recommended by many, but the hidden service, according to their announcement, lacked the final touches. They recommended reading more about the service on their website: ProtonMail.com.