Proton-mail is using BIP39 for its recovery phrase!

[pooya87]

There appears to be a new option to create a recovery phrase in your Proton-Mail that will give you 12 words to write down. So I got curious and checked the words and surprisingly they are all in BIP39 list and the checksum is valid. Then I went to see the source code and surprisingly enough they seem to have adopted the bitcoin proposal to encode their entropy (for recovering email).
Looks like Proton team has some Bitcoin enthusiasts.
https://github.com/ProtonMail/bip39
https://github.com/ProtonMail/WebClients/blob/main/packages/shared/lib/mnemonic/bip39Wrapper.ts

[1714947557]

1714947557

[1714947557]

1714947557

[ABCbits]

I didn't expect BIP39 is used outside cryptocurrency wallet. Looking at this commit, i found file MnemonicPhraseStep.tsx which state it can be used for both account access and data decryption. I wonder how regular user react to this new backup/restore option.

[dkbit98]

There appears to be a new option to create a recovery phrase in your Proton-Mail that will give you 12 words to write down. So I got curious and checked the words and surprisingly they are all in BIP39 list and the checksum is valid. Then I went to see the source code and surprisingly enough they seem to have adopted the bitcoin proposal to encode their entropy (for recovering email).

This is very cool and it means that you could use your email address and your bitcoin wallet addresses derived from the same BIP39 words.
I don't know how safe that is because proton is probably holding the same recovery words, and I can't find more explanation about this.
Proton does accept Bitcoin (not any shitcoins) payments for their pro features so it's no surprise they have some bitcoiners in their team.

[NeuroticFish]

This is very cool and it means that you could use your email address and your bitcoin wallet addresses derived from the same BIP39 words.
I don't know how safe that is because proton is probably holding the same recovery words, and I can't find more explanation about this.

And if you ever have to recover your mail, you'll expose online the seed of your funds?
It doesn't sound like a good idea to me...
(Am I missing something obvious? I am not a Proton-mail user...)

[Quickseller]

There appears to be a new option to create a recovery phrase in your Proton-Mail that will give you 12 words to write down. So I got curious and checked the words and surprisingly they are all in BIP39 list and the checksum is valid. Then I went to see the source code and surprisingly enough they seem to have adopted the bitcoin proposal to encode their entropy (for recovering email).

This is very cool and it means that you could use your email address and your bitcoin wallet addresses derived from the same BIP39 words.
I don't know how safe that is because proton is probably holding the same recovery words, and I can't find more explanation about this.
Proton does accept Bitcoin (not any shitcoins) payments for their pro features so it's no surprise they have some bitcoiners in their team.

I wouldn't do this. It would be trivial for protonmail to modify their webclient to send the seed to their servers, even on an ad-hoc basis, so unless you check every time, there is the risk you are transmitting your seed over the internet.

It is also generally not a good idea to reuse private keys or seeds.

[DaveF]

It's cool. But it does make you wonder if it's programmers who like BTC. Or, lazy programmers who had to come up with a recovery method and did a copy - paste - edit of something else and poof a known working way of generating something that has been audited every which way and is known to a lot of people.

Think about it BIP39 does not exist in the crypto world, Proton starts using something like it, how much crap are they going to get about it's security....

-Dave

[Charles-Tim]

---snipped---

---snipped---

---snipped---

From what pooya87 posted, I do not think this has any connection to your coins, but only your proton mail account recovery process. So I think the recovery phrase is about recovery words that is needed to recover proton mail account.

[pooya87]

There appears to be a new option to create a recovery phrase in your Proton-Mail that will give you 12 words to write down. So I got curious and checked the words and surprisingly they are all in BIP39 list and the checksum is valid. Then I went to see the source code and surprisingly enough they seem to have adopted the bitcoin proposal to encode their entropy (for recovering email).

This is very cool and it means that you could use your email address and your bitcoin wallet addresses derived from the same BIP39 words.
I don't know how safe that is because proton is probably holding the same recovery words, and I can't find more explanation about this.
Proton does accept Bitcoin (not any shitcoins) payments for their pro features so it's no surprise they have some bitcoiners in their team.

I couldn't find any explanations either, and I can't read JS. I only figured it out since the words looked familiar and the number 12 is obviously familiar to us bitcoiners. But there is a good chance that it is happening on the client side though and only encrypted messages are sent to the server.

In any case it is never a good idea to use a bitcoin key for anything else or vice versa. This was just interesting to see how a bitcoin proposal finds its way to other fields that have nothing to do with bitcoin.
However, if you know what you are doing and if they allowed entering your own entropy you could technically use your bitcoin mnemonic to derive a child key at a certain derivation path (eg. m/1853125232/0' :1853125232 is equal to prtn) and use that as a recoverable entropy from your main mnemonic.

Think about it BIP39 does not exist in the crypto world, Proton starts using something like it, how much crap are they going to get about it's security....

Well to be fair BIP39 is a very compact way of converting entropy to words. The alternative (existing algorithm) would be the PGP word list that encodes 8 bits at a time (BIP39 encodes 11 bits).

[dkbit98]

I couldn't find any explanations either, and I can't read JS. I only figured it out since the words looked familiar and the number 12 is obviously familiar to us bitcoiners. But there is a good chance that it is happening on the client side though and only encrypted messages are sent to the server.

I would never make a connection with real bitcoin address, but I could in theory I could use my twelve seed words from Proton mail and use it as donation address for that specific email address.
This would be a good idea to use as a backup if you are self hosting personal email, so everything could be done offline and no server would hold seed words.

[Quickseller]

I couldn't find any explanations either, and I can't read JS. I only figured it out since the words looked familiar and the number 12 is obviously familiar to us bitcoiners. But there is a good chance that it is happening on the client side though and only encrypted messages are sent to the server.

I would never make a connection with real bitcoin address, but I could in theory I could use my twelve seed words from Proton mail and use it as donation address for that specific email address.
This would be a good idea to use as a backup if you are self hosting personal email, so everything could be done offline and no server would hold seed words.

Although most donation addresses for individuals rarely receive large amounts of bitcoin, for some entities with a "good cause" often will receive larger amounts of donations. For example the EFF, Project Veritas, etc. So using the same seed will still have the same security implications.

[Welsh]

It's cool. But it does make you wonder if it's programmers who like BTC. Or, lazy programmers who had to come up with a recovery method and did a copy - paste - edit of something else and poof a known working way of generating something that has been audited every which way and is known to a lot of people.

Does it matter on the type of person for implementing it? As long as its been implemented properly, and securely, it shouldn't matter. As you probably know, a lot of programmers rely on libraries, and basically copy, and paste code to make a functional product. I find lazy has a negative stigma around it, but in terms of programming, and copying code that has already been proven to work, and of course you're allowed to do so, I don't see that as the negative lazy, but rather efficient.

In any case it is never a good idea to use a bitcoin key for anything else or vice versa. This was just interesting to see how a bitcoin proposal finds its way to other fields that have nothing to do with bitcoin.
However, if you know what you are doing and if they allowed entering your own entropy you could technically use your bitcoin mnemonic to derive a child key at a certain derivation path (eg. m/1853125232/0' :1853125232 is equal to prtn) and use that as a recoverable entropy from your main mnemonic.

This is my takeaway from this. Just because Proton mail uses a similar system to Bitcoin seeds, doesn't mean a user should use the same words as their recovery seed of their wallet. Obviously, this is basic security, but I bet a lot of people aren't going to heed that advice.

Though, I haven't checked whether the words correspond to the words that Bitcoin wallets use, which if they don't is probably a better idea, and was probably purposely implemented that way by the developers to avoid this sort of issue.

[o_e_l_e_o]

This isn't just a password recovery - it is a full account recovery. Currently on ProtonMail if you need to reset your password to recover your account, then all your old emails will remain encrypted and inaccessible unless you can either remember your old password or you have downloaded an account recovery file. With this seed phrase, you will be able to decrypt all your previous emails.

Though, I haven't checked whether the words correspond to the words that Bitcoin wallets use, which if they don't is probably a better idea, and was probably purposely implemented that way by the developers to avoid this sort of issue.

I generated a set of words on three different ProtonMail accounts, and all of them are valid BIP39 seed phrases, with words from the standard word list and a valid checksum.

Obviously you should never use the same seed phrase for both ProtonMail and holding bitcoin, but it does open the door to future plausible deniability. I can keep a seed phrase with an additional passphrase for storing my coins, and if someone finds the seed phrase, I can tell them it's actually the recovery words for my email account or some other service which might implement the same system in the future.

[dkbit98]

Obviously you should never use the same seed phrase for both ProtonMail and holding bitcoin, but it does open the door to future plausible deniability. I can keep a seed phrase with an additional passphrase for storing my coins, and if someone finds the seed phrase, I can tell them it's actually the recovery words for my email account or some other service which might implement the same system in the future.

This is a good idea in case you are using strong longer passphrase, or even better multiple passphrases.
It would be very hard for anyone to steal your coins this way, even if original seed words somehow get compromised.
Only problem with long passphrases is that you would need to enter them for every transaction you make, and that can be a hustle sometimes.
Speaking about email providers, I think that self-hosted emails are much better option than proton or anything else.

[pooya87]

I generated a set of words on three different ProtonMail accounts, and all of them are valid BIP39 seed phrases, with words from the standard word list and a valid checksum.

Though, I haven't checked whether the words correspond to the words that Bitcoin wallets use, which if they don't is probably a better idea, and was probably purposely implemented that way by the developers to avoid this sort of issue.

The beauty of open source: https://github.com/ProtonMail/bip39/blob/main/src/wordlists/english.json == https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

I'd say it would have been better if they used a different word-list but not because of the conflict between  bitcoin and their system that could lead to misuse but because BIP39 English word-list is just terrible. If you check out the conditions for a good list and the criteria that newer lists like the portuguese one have stuck to, you realize how terrible English list is with words like "aim" and "air" or "bind" and "bird" and a lot more that either look the same or differ in one letter.

[buwaytress]

That's a nice find, wonder how I missed that -- I actually use a different mail service but this is something else to consider, given how many of us are now used to the recovery phrase (thanks Bitcoin).

I guess that Bitcoin love certainly goes well with Switzerland's privacy laws =)

[ABCbits]

That's a nice find, wonder how I missed that -- I actually use a different mail service but this is something else to consider, given how many of us are now used to the recovery phrase (thanks Bitcoin).

They don't bother announce it to their blog (https://protonmail.com/blog/) or newsletter, so it's not surprising you don't know about it (especially if you don't use their service).

I guess that Bitcoin love certainly goes well with Switzerland's privacy laws =)

While ProtonMail is better than many email service provider (in terms of privacy), Switzerland's privacy laws might not be as strong as you expected. Check these article,
https://www.techspot.com/news/91126-protonmail-criticized-handing-activist-ip-address-authorities-leading.html
https://protonmail.com/blog/climate-activist-arrest/