Hi, I note that Protonmail is encrypted, but I don't think it is anonymous. Hence anyone could send spam to the address. Can this be avoided? Can mail be forwarded from Protonmail? I can't find a dedicated Protonmail discussion forum. I didn't notice a 'cancel my account' button. If someone decided not to use it, I suppose one just stops using it.
Anonymous? Email is never anonymous. There are addresses. Some spammers send to every possible Protonmail address and see what they hear back from. Protonmail will alert you about incoming messages.
End-to-end email encryption – A case study on ProtonMail design limits and security flaws https://arno0x0x.wordpress.com/2015/09/16/end2end-encryption-protonmail/
That is bad news. The ProtonMail mailbox password can end up stored locally as plaintext. So don't use ProtonMail without FDE.
Likewise don't use ProtonMail without TFA. Wait - none of these kinds of providers HAS TFA, it's coming RSN. As mentioned in the article, it's really not that hard. U2F would do the job.
Protonmail team might need to hire an independent third party to carry out a security audit on their applications and servers to fix gaps / vulnerabilities in the implementation and code (if any).
Mr. Robot Uses ProtonMail, But It Still Isn’t Fully Secure www.wired.com/2015/10/mr-robot-uses-protonmail-still-isnt-fully-secure/
Funnily enough, the situation for me IS that I want LE to use MLATs because then there's a chance of warranted interception with articulated cause - I want LE to obey the rule of law. But the current situation with mass indiscriminate surveillance forces a reasonable person into additional protection. ProtonMail has issues as all these types of webmail services do, principally in terms of certificate and code verification. I won't use them until they have 2FA as well.
New users flock to ProtonMail in wake of Trump’s victory https://www.helpnetsecurity.com/2016/11/14/new-users-protonmail/
I think you can start now ("ProtonMail supports the OTP protocol"). And they introduced a "One-Password Mode" so the user can log in with a single password instead of two passwords (login password + mailbox password). More technical details in the blog:
@mood - thanks, good news. It appears to major on smartphones as a second factor, but I'm not sure whether, say, a Linux system with freeOTP would work. Any feedback on that front would be good if anyone knows. My ideal is to have something like a Yubikey as - apart from not having a smartphone - I do not trust smartphones for anything much.
@deBoetie & @mood From a privacy standpoint I've always been somewhat wary of TFA. I'm a big proponent of compartmentalizing, but obviously there are undeniable security benefits to TFA. I don't know of any feasible alternatives, do you? (@mirimir - if I recall you're a proponent of compartmentalizing as well. If you care to weigh in I'd be interested to get your take on that problem as well.)
Well, there's TFA and TFA. Compartmentalisation is necessary because that's the only way to prevent leakage and risk, but that then has to apply to all your TFA systems too - they are "within" that compartment, and must not be reused in other compartments. For many reasons, it seems to me that TFA based on biometrics and smartphones is a privacy disaster, but that's why the corporates are so keen to promote them. As a knowledgeable user: Just Say No. Of course, in the unavoidable "public" persona one must more or less necessarily have if transacting on the internet, it may be you have to accept some of the grottier TFA schemes.
TFA can be implemented in so many ways, that it's impossible to make blanket statements. For pseudonymous personas, as @deBoetie says, "TFA based on biometrics and smartphones is a privacy disaster". But TFA based on GnuPG keys is fine. Or anything else that's not linked to the meatspace compartment. For one's meatspace identity, TFA based on smartphones is fine. Just don't let that stuff leak into pseudonymous compartments. Biometrics is bad for many reasons.
ProtonMail gets own Tor-accessible .Onion Hidden Service https://threatpost.com/protonmail-gets-own-tor-accessible-onion-hidden-service
Don't get me wrong, I love the service and have been using it for a long time; I started to take that survey yesterday, but when it wanted to know how old I was, what gender I was, how much money I made, etc., I exited out of it. What does this kind of information have to do with product improvement?