While the architecture is robust, the web environment presents inherent security risks distinct from native applications.
Search. Because your email body text is encrypted on the server, Proton cannot index it. The web app has to download your email headers and search locally. If you have 50,000 emails, searching for a phrase from 2018 can take 20-30 seconds.
| Feature | Proton Mail Web | Gmail Web |
| :--- | :--- | :--- |
| | Basic (subject, sender, body text) | Full AI-powered predictive search |
| Offline Mode | Beta (requires dedicated app/bridge) | Native |
| Calendar | Built-in (encrypted, basic) | Deep integration (smart scheduling) |
| Filters/Sieve | Advanced (Sieve scripting allowed) | Visual rule builder |
| Attachments | 25MB standard (up to 100MB paid) | 25MB (expands to Drive) |
The Bridge is a local daemon that decrypts your emails on your machine and serves them to your desktop client via IMAP. It is brilliant, but it is only available on the Mail Plus or Unlimited plans. Free users are web-app only.
The server only receives the hash of the password, not the password itself. This hash is used solely for authentication purposes. The user’s private encryption keys are encrypted with a key derived from the user’s actual password. Therefore, the server does not possess the capability to decrypt the user’s private keys. This creates a "Zero-Access" environment where ProtonMail technically cannot read user emails, even if compelled by legal authorities.
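The split described above, as an added sketch that is not Proton's code or its actual protocol: one password yields an authentication hash that goes to the server and a separate key that only ever exists on the client and encrypts the private key. The function names, the use of scrypt with two salts, AES-256-GCM and the sample password and key material are all assumptions of this example.

```javascript
const nodeCrypto = require('node:crypto');

// Derive two unrelated secrets from one password by using two salts (assumed scheme).
function deriveSecrets(password, authSalt, keySalt) {
  const authHash = nodeCrypto.scryptSync(password, authSalt, 32);       // sent to the server
  const keyWrappingKey = nodeCrypto.scryptSync(password, keySalt, 32);  // stays on the client
  return { authHash, keyWrappingKey };
}

// Encrypt the private key on the client before it is uploaded.
function wrapPrivateKey(privateKey, keyWrappingKey) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', keyWrappingKey, iv);
  const ciphertext = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the private key, or null when the key is wrong (GCM tag check fails).
function unwrapPrivateKey(blob, key) {
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
    decipher.setAuthTag(blob.tag);
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
  } catch {
    return null;
  }
}

function demo() {
  const password = 'correct horse battery staple';             // constructed sample
  const privateKey = Buffer.from('constructed-private-key-material');
  const authSalt = nodeCrypto.randomBytes(16);
  const keySalt = nodeCrypto.randomBytes(16);
  const { authHash, keyWrappingKey } = deriveSecrets(password, authSalt, keySalt);

  // Everything the server ends up storing: no password, no keyWrappingKey.
  const serverRecord = { authHash, authSalt, keySalt, wrapped: wrapPrivateKey(privateKey, keyWrappingKey) };

  // The only password-derived value the server holds does not open the blob.
  const serverAttempt = unwrapPrivateKey(serverRecord.wrapped, serverRecord.authHash);

  // A client that knows the password re-derives the key from the stored salt.
  const again = deriveSecrets(password, serverRecord.authSalt, serverRecord.keySalt);
  const clientAttempt = unwrapPrivateKey(serverRecord.wrapped, again.keyWrappingKey);

  return {
    serverCanDecrypt: serverAttempt !== null,
    clientRecovered: clientAttempt !== null && clientAttempt.equals(privateKey),
  };
}

console.log(demo());
```

The server record still allows offline guessing of the password against `authHash`, so the guarantee is only as strong as the password and the cost of the key-derivation function.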
The Proton Mail web app is the most secure browser-based email client you can use today. It proves that encryption doesn't have to be ugly or require a computer science degree.