Anyone using ProtonMail?

Discussion in 'privacy technology' started by jaypeecee, Jun 19, 2017.

  1. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,643
    Agreed, I don't feel they made enough explanation. FWIW, WBM have several versions of the HN threads and I looked at all of them, which ofc increase the number of comments along the timeline, so I think it's not very likely I missed impo comment tho I'm not 100% sure.
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,792
    Hacker Say They Compromised ProtonMail. ProtonMail Says It's BS.
    November 16, 2018
    https://www.bleepingcomputer.com/ne...ompromised-protonmail-protonmail-says-its-bs/
     
  3. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    590
    Location:
    Germany
    Of course, if you leave no trace of this happening, then they won't believe you. Moral of the story: Always leave a message in the log files.
    This also sounds like we will know more in the future, by a sudden spike in data-leaks, either way.
     
  4. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,246
    Location:
    EU
    [PDF] Paper claims Protonmail does not use E2E encryption in webmail.
    The author is the guy who made Cryptocat, Peerio, etc.

    Link:
    https://eprint.iacr.org/2018/1121.pdf
     
  5. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    590
    Location:
    Germany
    That's not really what the paper describes, though. He came up with a somewhat crazy attack scenario in which Protonmail is the malicious attacker. Assuming the provider is malicious is like buying a Google Home Speaker and then wondering why you have no privacy. I chose the provider and wouldn't use it if I don't trust it at least a little bit.
    protonmailPDF.png
    Unfortunately, copying text has been made impossible.

    Later on he states that since it is possible to set weak passwords like "1", "iloveyou" and "password", and that password hashes are saved on the servers, a dictionary attack is viable. I mean, come on! :argh:
    His recommendations sound good though.
     
  6. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    494
    Location:
    Hungary
    protonmail seems to be doing something really well if everyone is trying to take them down lmao
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,792
    More context:
    An Analysis of the ProtonMail Cryptographic Architecture
    November 20, 2018
    https://www.reddit.com/r/ProtonMail/comments/9yqxkh/an_analysis_of_the_protonmail_cryptographic/
     
  8. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    590
    Location:
    Germany
    That's not quite right. The scenario is a compromised server and it pertains to every web application that claims E2EE, not just ProtonMail. Still you need a certain level of trust in whomever you chose a service from.
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,792
    Black Friday: You can get ProtonMail and ProtonVPN with up to 50% off
    November 23, 2018
    https://www.neowin.net/news/black-friday-you-can-get-protonmail-and-protonvpn-with-up-to-50-off
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,650
    https://eprint.iacr.org/2018/1121.pdf [PDF]

    Note that this paper is dated Nov. 27, 2018. It's possible that those shortcomings have been fixed in the meantime.
     
    Last edited by a moderator: Feb 15, 2019
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,792
    Protonmail blog entry
    Response to analysis of ProtonMail’s cryptographic architecture
    January 20, 2019
    https://protonmail.com/blog/cryptographic-architecture-response/
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,755
    That's true, and it is arguably a "serious shortcoming". Of all of them.

    I use Thunderbird and Enigmail with my Riseup account. Security of end-to-end encryption does not depend on Riseup, and there's no need to trust them about it. I could just as well be using Google, or some hypothetical free NSA email provider. What I trust are Debian, Enigmail, GnuPG and Thunderbird. And with some extra work, I could just use GnuPG with a script, and Pine or whatever.

    But using a provider that handles encryption in Javascript, such as ProtonMail or Tutanota, I need to trust the provider. That they're doing encryption properly. That they're not secretly adding their own key, to let them decrypt stuff. That they're not secretly uploading my private key, when I haven't enabled that. Or not securing it properly, if I (foolishly) have.

    So anyway, CounterMail, ProtonMail, ScryptMail, Tutanota and so on are great, in that they make end-to-end encryption available to nontechnical users. But they are not as secure as doing the encryption and decryption yourself, locally, with tools of your choosing.
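
Added example, not part of any post in this thread: the "secretly adding their own key" concern above is something local tooling can check on a captured ciphertext, because an OpenPGP message lists the key ID of every recipient ahead of the encrypted data. The sketch below parses those leading RFC 4880 session-key packets from a binary (dearmored) message and reports anything other than the expected encryption-subkey IDs; the function names, key IDs and sample bytes are constructed for illustration.

```python
PKESK, SKESK = 1, 3  # RFC 4880 tags: public-key / passphrase session-key packets
def session_key_packets(msg):
    """Yield (tag, body) for the session-key packets that precede the data."""
    pos = 0
    while pos < len(msg):
        hdr = msg[pos]
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet")
        new_format = bool(hdr & 0x40)
        tag = hdr & 0x3F if new_format else (hdr >> 2) & 0x0F
        if tag not in (PKESK, SKESK):
            return  # encrypted data reached; nothing more to audit
        if new_format and msg[pos + 1] < 192:
            length, pos = msg[pos + 1], pos + 2
        elif new_format and msg[pos + 1] < 224:
            length, pos = ((msg[pos + 1] - 192) << 8) + msg[pos + 2] + 192, pos + 3
        elif not new_format and hdr & 0x03 < 3:
            size = 1 << (hdr & 0x03)  # 1, 2 or 4 length octets
            length = int.from_bytes(msg[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        else:
            raise ValueError("length form not valid for a session-key packet")
        if pos + length > len(msg):
            raise ValueError("truncated packet")
        yield tag, msg[pos:pos + length]
        pos += length

def audit_recipients(msg, expected_keyids):
    """Return a finding for each way to decrypt msg besides expected_keyids."""
    findings = []
    for tag, body in session_key_packets(msg):
        keyid = body[1:9].hex().upper()  # v3 PKESK: version, 8-byte key ID, algo
        if tag == SKESK:
            findings.append("passphrase can decrypt (SKESK packet)")
        elif body[:1] != b"\x03":
            findings.append("unhandled PKESK version")
        elif keyid == "0" * 16:
            findings.append("hidden recipient (wildcard key ID)")
        elif keyid not in expected_keyids:
            findings.append(f"unexpected recipient {keyid}")
    return findings

ALICE, EXTRA = "1111222233334444", "AAAABBBBCCCCDDDD"  # constructed key IDs
def pkesk(keyid, header=0x84):  # 0x84: old-format tag 1, 0xC1: new-format tag 1
    body = b"\x03" + bytes.fromhex(keyid) + b"\x12" + bytes(40)
    return bytes([header, len(body)]) + body
DATA = b"\xd2\x05\x01data"  # stub encrypted-data packet (tag 18)
TAMPERED = pkesk(ALICE) + pkesk(EXTRA, 0xC1) + DATA  # constructed message
print(audit_recipients(TAMPERED, {ALICE}))
```

An empty result means only the expected keys were addressed in that one ciphertext; it says nothing about what else the sending code did with the plaintext or the private key.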
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,792
    ProtonMail firm receives €2M from EU to develop its ecosystem
    March 9, 2019
    https://www.neowin.net/news/protonmail-firm-receives-2m-from-eu-to-develop-its-ecosystem
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,792
    ProtonMail is dropping support for Internet Explorer 11
    May 7, 2019
    https://protonmail.com/blog/internet-explorer-support/
     
  15. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,970
    Location:
    Lloegyr
    People actually still run IE? :eek:
     
  16. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,150
    I am now using Protonmail for some "real name" activity while I watch and monitor for how things go. I might note that I could not resist creating my own very long and strong keyset, which I imported easily into PM. Before importing the key I hardened the private key header and made it as tough as I know how to. I am appreciative of PM's support for ASCII characters. Using a password manager it's easy to enter 35 characters with 5-6 far out there non-regular characters mixed throughout. Running slick.

    I realize my scope here is outside of all the anonymity, as with my hobby accounts, but it's far better than Gmail or similar that scoop up everything. I tend to archive a lot via attachments and I really like PM's encrypted attachments. I guard my subject lines since metadata exists on those. For this account I don't use onion, but always a one hop VPN circuit. My real name never touches onion, LOL!
     
    Last edited: Jun 12, 2019