DISCUSSION research into the Proton internal encryption

[learningBASh]

We are happy to answer your questions about the code or discuss technical ideas.

Please complete the following checklist (by adding [x]):

• [x] I have searched open and closed issues for duplicates
• [x] This isn't a feature request
• [x] This is not a report about my app not working as expected

---

DISCUSSION research into the Proton internal encryption

BUGREPORT ProtonVPN seems to rely on ISRG SSL. Proton support confirmed no need for ISRG SSL yet intermittent connection outages work after enable ISRG SSL. possibility this is MITM interference from Wi-Fi or some hop along the way Example: a wireshark desktop PC capturing all traffic and manipulating encrypted streams to attempt to open them to the wireshark user by presenting any trusted cross-signed certificate from the point of interception possibly ISRG certificate itself. This is broadly part of the broken SSL trust model ( ACME ANVIL https://upload.wikimedia.org/wikipedia/commons/f/ff/Acme_anvil.gif ) bug. Where it is possible to use ACME to generate any certificate which will be trusted by ISRG - idenTrust chain of trust. I went into this before with Proton support with vague statements that Proton encryption is all in-app not relying on the system CA. However it seems to still be affected. More research into the Proton internal encryption is needed.

[learningBASh]

checklist in progress… [x] I have searched open and closed issues for duplicates ACME ANVIL BUG not found. The ACME ANVIL BUG is a far reaching bug and important to highlight here in my opening research of a crucial security intensive app Proton VPN.

[freedom-foundation]

yeah It seems the vpn connects to nodes as subdomains of proton website and without ISRG Root x1 it reports Trust anchor not found on the debug logs. Heh ACME Anvil bug sound's about right but somebody needs to reproduce the bug.