Anyone using ProtonMail?

Discussion in 'privacy technology' started by jaypeecee, Jun 19, 2017.

  1. 142395

    142395 Guest

    Agreed, I don't feel they made enough explanation. FWIW, WBM have several versions of the HN threads and I looked all of them which ofc increase the number of comments along the timeline, so I think it's not very likely I missed impo comment tho I'm not 100% sure.
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    Hacker Say They Compromised ProtonMail. ProtonMail Says It's BS.
    November 16, 2018
    https://www.bleepingcomputer.com/ne...ompromised-protonmail-protonmail-says-its-bs/
     
  3. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    590
    Location:
    Germany
    Of course, if you leave no trace of this happening, then they wont believe you. Moral of the story: Always leave a message in the log files.
    This also sounds like we will know more in the future, by a sudden spike in data-leaks, either way.
     
  4. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,272
    Location:
    EU
    [PDF] Paper claims Protonmail does not use E2E encryption in webmail.
    The author is the guy who made Cryptocat, Peerio, etc.

    Link:
    https://eprint.iacr.org/2018/1121.pdf
     
  5. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    590
    Location:
    Germany
    That's not really what the paper describes, though. He came up with a somewhat crazy attack scenario in which Protonmail is the malicious attacker. Assuming the provider is malicious is like buying a Google Home Speaker and then wondering why you have no privacy. I chose the provider and wouldn't use it if I don't trust it at least a little bit.
    protonmailPDF.png
    Unfortunately, copying text has been made impossible.

    Later on he states that since it is possible to set weak passwords like "1", "iloveyou" and "password", and that password hashes are saved on the servers, a dictionary attack is viable. I mean, come one! :argh:
    His recommendations sound good though.
     
  6. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    514
    Location:
    Hungary
    protonmail seems to be doing something really well if everyone is trying to take them down lmao
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    More context:
    An Analysis of the ProtonMail Cryptographic Architecture
    November 20, 2018
    https://www.reddit.com/r/ProtonMail/comments/9yqxkh/an_analysis_of_the_protonmail_cryptographic/
     
  8. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    590
    Location:
    Germany
    That's not quite right. The scenario is a compromised server and it pertains every web-application that claim E2EE, not just ProtonMail. Still you need a certain level of trust in whomever you chose a service from.
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    Black Friday: You can get ProtonMail and ProtonVPN with up to 50% off
    November 23, 2018
    https://www.neowin.net/news/black-friday-you-can-get-protonmail-and-protonvpn-with-up-to-50-off
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,864
    -https://eprint.iacr.org/2018/1121.pdf- [PDF]

    Note that this paper is dated Nov. 27, 2018. It's possible that those shortcomings have been fixed in the meantime.
     
    Last edited by a moderator: Feb 15, 2019
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    Protonmail blog entry
    Response to analysis of ProtonMail’s cryptographic architecture
    January 20, 2019
    https://protonmail.com/blog/cryptographic-architecture-response/
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,217
    That's true, and it is arguably a "serious shortcoming". Of all of them.

    I use Thunderbird and Enigmail with my Riseup account. Security of end-to-end encryption does not depend on Riseup, and there's no need to trust them about it. I could just as well be using Google, or some hypothetical free NSA email provider. What I trust are Debian, Enigmail, GnuPG and Thunderbird. And with some extra work, I could just use GnuPG with a script, and Pine or whatever.

    But using a provider that handles encryption in Javascript, such as ProtonMail or Tutanota, I need to trust the provider. That they're doing encryption properly. That they're not secretly adding their own key, to let them decrypt stuff. That they're not secretly uploading my private key, when I haven't enabled that. Or not securing it properly, if I (foolishly) have.

    So anyway, CounterMail, ProtonMail, ScryptMail, Tutanota and so on are great, in that they make end-to-end encryption available to nontechnical users. But they are not as secure as doing the encryption and decryption yourself, locally, with tools of your choosing.
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    ProtonMail firm receives €2M from EU to develop its ecosystem
    March 9, 2019
    https://www.neowin.net/news/protonmail-firm-receives-2m-from-eu-to-develop-its-ecosystem
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    ProtonMail is dropping support for Internet Explorer 11
    May 7, 2019
    https://protonmail.com/blog/internet-explorer-support/
     
  15. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    9,215
    Location:
    Lloegyr
    People actually still run IE? :eek:
     
  16. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,230
    I am now using Protonmail for some "real name" activity while I watch and monitor for how things go. I might note that I could not resist creating my own very long and strong keyset, which I imported easily into PM. Before importing the key I hardened the private key header and made it as tough as I know how to. I am appreciative of PM's support for ASICII characters. Using a password manger its easy to enter 35 characters with 5-6 far out there non-regular characters mixed throughout. Running slick.

    I realize my scope here is outside of all the anonymity, as with my hobby accounts, but its far better than Gmail or similar that scoop up everything. I tend to archive alot via attachments and I really like PM's encrypted attachments. I guard my subject lines since metadata exists on those. For this account I don't use onion, but always a one hop VPN circuit. My real name never touches onion, LOL!
     
    Last edited: Jun 12, 2019
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    Alternative app stores for ProtonMail’s Android app
    September 5, 2019
    https://protonmail.com/blog/android-expansion/
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    ProtonMail pushes back against claims it is partnering with Huawei
    Publishing in an app store is not a partnership, Swiss email company states
    September 9, 2019

    https://www.zdnet.com/article/protonmail-pushes-back-against-claims-it-is-partnering-with-huawei/
    ProtonMail: Clarifying ProtonMail and Huawei
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,217
    It's almost certain that a device OS can subvert an app, right?
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    ProtonMail is now more secure against sophisticated attacks
    September 9, 2019
    https://protonmail.com/blog/security-updates-2019/
     
  21. 142395

    142395 Guest

    The list of MTS-STS enabled domain (not limited to Protonmail's) is available here.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,208
    Why should you trust ProtonMail?
    September 24, 2019
    https://protonmail.com/blog/is-protonmail-trustworthy/
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,217
    That's not true, strictly speaking.

    When you register, at least through Tor or some VPNs, you are required to authenticate. And there are three options: 1) via mobile text message; 2) via email; or 3) by payment. Demands for mobile number or email address are not at all privacy-friendly. And they don't accept, for example, temporary anonbox.net addresses. And the payment must be through credit card (or PayPal, maybe).

    They're actually privacy-friendly only if you register through their Tor onion service. Then there's no requirement to authenticate.
     
  24. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,187
    "we collect as little information as possible during user registration"
    Little pieces of information can be collated. If you need 100% trust, you're not going to get it with statements like these.
     
  25. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    1,849
    all true. aamof, what they're saying is "yeah, we collect info during signup and we know who you are, but since "we encrypt your data in a way that does not allow us to decrypt it [sic]" it doesn't matter, be not afraid, your "secrets" are safe."
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.