DISCUSSION research into the Proton internal encryption
We are happy to answer your questions about the code or discuss technical ideas.
Please complete the following checklist (by adding [x]):
- [x] I have searched open and closed issues for duplicates
- [x] This isn't a feature request
- [x] This is not a report about my app not working as expected
BUGREPORT ProtonVPN seems to rely on ISRG SSL. Proton support confirmed there is no need for ISRG SSL, yet intermittent connection outages work after enabling ISRG SSL. There is a possibility this is MITM interference from Wi-Fi or some hop along the way. Example: a Wireshark desktop PC capturing all traffic and manipulating encrypted streams to attempt to open them to the Wireshark user by presenting any trusted cross-signed certificate from the point of interception, possibly the ISRG certificate itself. This is broadly part of the broken SSL trust model (ACME ANVIL https://upload.wikimedia.org/wikipedia/commons/f/ff/Acme_anvil.gif) bug, where it is possible to use ACME to generate any certificate which will be trusted by the ISRG - IdenTrust chain of trust. I went into this before with Proton support, with vague statements that Proton encryption is all in-app, not relying on the system CA. However, it seems to still be affected. More research into the Proton internal encryption is needed.
checklist in progress…
[x] I have searched open and closed issues for duplicates
ACME ANVIL BUG not found.
The ACME ANVIL BUG is a far-reaching bug and important to highlight here in my opening research of a crucial security-intensive app, Proton VPN.