by trash_panda 2764 days ago
You can actually see what code your browser is running; you have view source and all the developer tools to analyze the JS code.

This is their main defense; they will probably post a link to their GitHub page where the code of the front-end application is hosted.

The thing is, validating that the code published on GitHub is the same one that you're running right now while you're logged into ProtonMail requires a dynamic analysis challenge that is quite not achievable.

So if ProtonMail decides to go rogue, or if an attacker compromises their servers, it would be doable to send all users, or some targeted users, a modified version of the webapp which steals your password, retrieves the decrypted key, etc., etc., etc.

1 comment

I think we all know about view source. The risk lies exactly where you described it. I've never heard of being able to diff a running web page against a set of source repositories. Perhaps another HN reader will go invent that.
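
An added example, not part of the thread and not ProtonMail's code: a static audit of a single page load against digests from a build of the published source. It assumes the front end builds reproducibly into a `{path: digest}` manifest; all names and sample data are hypothetical and constructed. It only covers the response fetched from the auditor's vantage point, so it does not rule out the targeted delivery described above.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri(data: bytes) -> str:
    """Subresource Integrity style digest (sha384) of an asset body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._open = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._open = True
                self.inline.append("")
    def handle_data(self, data):
        if self._open:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit(html: str, served: dict, manifest: dict) -> list:
    """Compare one served page load against a build manifest {path: digest}."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        if src not in manifest:  # script the published build never produced
            findings.append(("unlisted-script", src))
        elif sri(served.get(src, b"")) != manifest[src]:
            findings.append(("digest-mismatch", src))
    for body in p.inline:  # inline code is not covered by any asset digest
        if body.strip():
            findings.append(("inline-script", body.strip()[:40]))
    return findings

# Constructed sample data: a "build" of the published source and page loads.
BUILD = {"/app.js": b"function login(pw){return deriveKey(pw)}"}
MANIFEST = {path: sri(body) for path, body in BUILD.items()}
CLEAN_HTML = '<html><script src="/app.js"></script></html>'
TAMPERED = {"/app.js": BUILD["/app.js"] + b"/* modified */"}
EXTRA_HTML = '<html><script src="/app.js"></script><script>track()</script><script src="/x.js"></script></html>'
```
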