Protonmail, have people gotten their invitations?

Discussion in 'privacy technology' started by cb474, Jan 16, 2015.

  1. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    @cb474 and of course any other posters privy to Tutanota's feature set---> Protonmail offers this inarguably cool and beneficially sophisticated asset indicated in the attached screen shot derived from their website. I can't seem to pin down if Tutanota offers the same. Thanks in advance for any illuminating comments/advisements regarding the same.

    2015-02-10_051131.jpg

    Edit: In any event, sure would be sweet if the feature additionally applied to unencrypted e-mails. Maybe one of these days...
     
    Last edited: Feb 10, 2015
  2. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    I'll start flirting around with Tutanota if PM doesn't deliver my invite by March 1st. Both services on the surface appear to warrant a strenuous A/B comparison anyway. Remove all the hype associated with PM and I would suspect/hope that at the end of the day, developers on both sides of the fence will being watching over each other's shoulders in the narly spirit of competition.
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Self-destructing messages are good, and from my point of view, two-factor authentication is essential. If the basis of your account and encryption is your password, it's really good if that's not as vulnerable as a single static typed secret.

    ProtonMail are saying this will be in their paid-for version, and Tutanta are just considering it as a feature request (as of Dec 2014). We'll see.
     
  4. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    I'm a total newbie to the encryption game and have casually followed the related e-mail options at large. Hypothetical--- I sign-up with PM and generate the two required passwords via LastPass and call it a day. No Tor, no VPN, no other hoops, bells, or whistles. My security requirements pertaining to e-mail? Shooting over a job resume' should I be in the market for another job; a x-mas post card to the family; a reach out to friends in Miami advising them I'll join them over the weekend for a martini (go figure) get-together; and, yes, occasional exchanges to said friends of the hottest bikini shots the web has to offer to date (just to be perfectly transparent here). Nothing else that could be construed as even remotely criminal, shady, or sinister. To rephrase the question, is a LastPass/PM gig good to go by today's standards or will Big Brother laugh at that with a simple "Control S" (as in spy) to monitor my torrid affair with a chiquita in Naples. Surely I jest (well, there are limits to transparency after all). But thanks for any replies anyway. Of course I realize that several years from now Tor, a VPN, monitor tunnels, motherboard worm holes, photon firewalls, and hard drive teleportation will be the minimum to say hello to grandma in private.
     
    Last edited: Feb 10, 2015
  5. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    StillBorn, I don't think Tutanota has a self-destructing message function. You can request it, at the link I provide above.

    To me, that feature is of limited usefulness. Can't my recipient just make a copy? Forward it to another email address? Why am I trying to protect my message from the person I sent it to? I guess it gets the message off the server, so it's not there forever. But isn't the encryption supposed to be what's protecting messages on the server?

    It just seems like if you really have something to say to someone, but you do not want even that person to have a record of it, then you should say it to them in person, in an underground garage, deep throat style.
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Sure can - but they have to take the effort to do so (it's not default saved forever), and you have deniability.

    @Lagavulin16 - one of the good features of PM/Tutanota is specifically that they are pretty usable, and have given up some elements of security to get that way. For most things, that's a reasonable trade-off.
     
  7. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    @cb474 and @deBoetie Gentlemen, as always, thank you for the advice. I'm a fan of both of your informative postings and will continue to follow them closely. Bon jour.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Flattered! Noticing your use of Lastpass, I take it you are aware of its support for two factor authentication using the Yubikey OTP, which would be a half-way house - I use this and am very happy with it. Some people also add a "decoration" to Lastpass passwords manually, which provides a level of protection in case the Lastpass vault is compromised (this means that autologin isn't possible though).
     
  9. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I take your point. I guess if you could set a message to destroy itself a minute after it's been read, that would be best. I don't quite see how you get deniability out of it. If the person copies the email, headers and all, isn't that just a legitimate as an email sitting on s server that's subpoenaed? I guess you don't have the third party of the email service provider vouching for the autheticity of the message. Still, I think if you have something to say that you are worried you might need plausible deniablity for, email is probably not the way to do it. And I also think that the self-destructing email can lead people into complacency, thinking they are safe and not seeing all the ways around it. But that's just me, I guess.

    Thanks. It's always interesting to dicuss these things. I learn as much from the conversation as anyone. There are people here a lot more knowledgeable than I am.
     
  10. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    Aye, to stand on the shoulders of giants like "mirimir." The sea of knowledge is truly vast.
     
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Ah, there's the thing - there are no independent or 3rd-party copies of what the person claimed was from you (which there certainly are in the case of regular email). I can stoutly deny that I wrote that, it's perfectly possible for anyone to invent screenshots or times and dates, or the person forged the post to frame me. With PM and similar, I do not have a copy, nor does the service provider. If my claimed correspondent chooses to invent these scurrilous lies that they pretend are from me, it's laughable! It was'na me.
     
  12. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I see what you're saying (since I anticipated that rationale in my own post). But I don't know that it's laughable. I suspect in a court of law it may be more complicated than that. Can your IP address be show to have been connected to the email server at the time the message was sent? Is what's written consistent with other things you have written? I'm sure there is a whole host of correlating data that can be used to argue the email is real. Also, the witness might turn out to be a much more credible person than you (juries and judges are much more likely to believe a law enforcement officer in a he said/she said situation). And even if it doesn't hold up in court, if the investigating agency has reason to believe the email is real, it gives them information to use to further their investigation and know where else to look for whatever they're looking for about you.

    So in the end, deniability seems like a pretty thin pretext to hang one's security on. I still think, anything that you might want to deny is probably something you should not say in an email. I can see self-destructing email saving someone from some sort of embarrassment or something, but I still think the value is pretty limited for anything more serious than that.
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Agree with you - and there are a lot of people in Sony for example for whom it would have been of benefit. Thing is, not all threats are of the state-security kind (where they might just as well be tapping into your keystrokes directly!). And at least this way, people have to be knowingly making a specific effort at the time to copy the stuff.

    The model where no information is kept unless you specifically decide you want that, or that you need a CYA token, is a good one. Everything else is a hostage to fortune.
     
  14. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,160
    The problem with both Tutanota and Protonmail is that they both require pretty much state of the art browsers to function properly.
    If you send an encrypted mail to someone, they also need to have a state of the art browser that will allow them to open the protonmail page to use it.
    Not everyone has that ability to use these browsers. So Protonmail and Tutanota are in a way just providing to exclusive groups.

    I contacted Protonmail about this issue some time ago
    ......................

    'One browser that will not load is SeaMonkey version 2.25

    I think unless Protonmail is broadly accessible through a wide range of browsers (older ones as well) then many people will not be able to receive the email.
    If Protonmail only allows access through the latest browsers and operating systems then the many people who need it the most could be disenfranchised because even if my system and browser is 'state of the art' recipients may not be. I then would never be sure if recipients were receiving mail from me so couldn't be secure in the knowledge of the receipt in an emergency situation. I do though, support the concept of private and secure email for all and welcome advances in that direction as long as it's not technologically exclusive (by that I mean that only those people who have the latest software and hardware can access it) .
    To access my Protonmail successfully since my last email to you I had to download a copy of the very up to the moment browser.
    As I said, with other browsers you can login but then do nothing more on the page...no access to your inbox send etc nothing and with other browsers older browsers not be able to login at all.

    Patrick '

    ..........................................

    ' Hello Patrick,

    We are working on the trouble with SeaMonkey. It should be fixed in a few days.

    Unfortunately the technology that we are utilizing to make ProtonMail possible is an advanced technology that only lives within the most modern browsers. These are still the early days of ProtonMail, who knows what innovations will come in the future with our mission to make a more private internet for everyone.

    We appreciate your support thus far.

    Regards' (name removed by me)
    .............................................





    Patrick
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @sdmod 'fraid I'm siding with ProtonMail on the browser issue. I develop code, and one of the very worst platforms/environments I have to do that for is html/dom/javascript/browsers. It's almost like a physical pain every time I descend into those depths. And most of the problems comes from older browsers and browser quirks.

    In my opinion, the older browser can descend into the depths, it's a terrible waste of valuable development time to have to cater for all the absurd variations between the browsers and their lack of capability. Plus, the older browsers and operating systems are - without a lot of work - a security disaster of their very own.

    Really, what's the big deal with running a modern browser? I would include SeaMonkey as modern in that btw!
     
  16. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,160
    deBoetie
    As I said, earlier. It's not a problem for me having a new browser but how am I to know that the person receiving my email has a new browser.
    If they have not got acccess to a new browser then they won't get my email.
    Seamonkey (which my version is fairly new) wouldn't run the Protonmail webpage.
    These sorts of email systems are only useful to people who have the latest technology, good for executives and the like and business but maybe less useful for many others.
    I take your point about old browsers may be should be consigned to the scrap heap and developing to meet the demands of redundant software but in the real world people use all sorts of hardware and software. Not everyone is chasing the very latest browsers around or has the ability to do that.
    People use encryption for various reasons but it's usually something important and if you don't have the ability to just send the e-mail out as any other with the confidence that it will be receivable by your chosen recipient then it is limiting and exclusive. I would suggest that encrypted communication systems should be as inclusive as possible in an attempt to meet all sorts of situations and circumstances.
    Don't get me wrong, I like Protonmail and Tutanota but this is a fundamental flaw in these types of systems.
    In my personal trials of Protonmail many people that I sent e-mails, contacted me in a normal e-mail and said that they couldn't access it.

    Patrick
     
    Last edited: Feb 13, 2015
  17. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    @sdmod thanks for posting your experiences with Protonmail. I basically agree with what you're saying and won't be using it. Protonmail is useless to me, because I don't have the latest browser. As discussed in the thread, "building your own privacy package" the path Ive chosen to have a more secure and private system excludes the "latest and greatest" in browsers and OSes...which are full of feature creep, and what not. In FF they are constantly changing things and it's a nightmare to try and keep up with what they might have tweaked under the bonnet.
     
  18. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I guess I really disagree about the modern browser issue.

    I think this critique is a misunderstanding of what Protonmail and Tutanota are trying to do. They're trying to bring decent, easy to use, encrypted email to the masses. It must be convenient and work with the systems that most people use. Up to date, modern browsers are not a commodity belonging only to an "exclusive" or "executive" group. They are the predominant software that most mainstream, non-tech savvy, everday, grandma and grandpa type of people use. And they are free. Who doesn't have access to Firefox or Chrome? If you're running Windows, you get IE for free. If you're on Mac you get Safari for free.

    Seriously, a modern up to date browser is freely available to everyone with a computer and connected to the internet. They are probably the single most commonly used piece of software. There's nothing exclusive about it. Even if you're still running XP (which, if you are, that is it's own security nightmare) you still can get up to date Firefox and Chrome for free. If you're still on a PowerPC Mac with an old version of iOS (again its own security nightmare) you have access to TenFourFox (free) based on Firefox ESR. If you're still running OS 9 on a super old Mac there's Classilla (free). If you have incredibly old PC hardware, Debian Linux will probably run on it and is more secure than an up to date Windows or Mac system (and of course it's free).

    It seems to me the exclusive group are those people who deliberately reject the "latest and greatest" software (perhaps for perfectly good reasons). If you are someone with that level of privacy concern, then Protonmail and Tutanota are probably not for you. GPG with Thunderbird or some other way of encrypting your email with GPG on your own machine is a more secure solution. Heck, I'm pretty sure you can use GPG from the command line or with a console based email client like Pine. You are not the masses that Protonmail and Tutanota target.

    I also don't know that rejecting the latest and greatest software is really the best way to privacy and security. If you're that concerned, use an up to date Linux system, I think that's a better solution. Heck, use something like Qubes OS, that doesn't even run a system kernel and isolates each part of the system form the others.

    Another easy option is to use one browser, say Firefox, with all the things disabled in it that you don't like (javascript, flash, cookies, whatever) for your browsing purposes. Then use Chrome only to access Tutanota or Protonmail, so that you can have the features necessary to make them secure and make their encryption work.

    To me there just seem to be better ways to achieve privacy and security, than rejecting up to date modern browsers. And modern up to date browser are a tool of the masses, they are not an exclusive elite piece of software.
     
    Last edited: Feb 13, 2015
  19. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    It's true, people should get in the habit of having electronic communication systems where they read a message and then it disappears. Something that's more ephemeral, like conversation. And also where the sender has more control over the life of the message. I don't know that it will save many people in court (as I've said), but it could save a lot of embarrassment and quell some of the noxious shaming culture that has taken hold of the internet.
     
  20. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,160
    I know very well what Protonmail developers are trying to achieve and I applaude it but not everyone in the world even has a computer of their own.
    To use Protonmail I have to have complete control of a pc of my own and be able to put the latest browser on it, then everyone that I want to recieve email and be able to reply back in the same format and use Protonmail to it's optimum, must also be in the same lucky position. That is what I call, an exclusive group.
    The reason that I cited executives and the corporate world is that they are the people most likely to have employees to keep them abreast with the latest technological innovations. In my experience most people that I know who own computers have the browser that was put on there when they first bought the pc and haven't even a clue what a 'browser' is, or how to update to the latest.
    As I said the flaw is that even if I was lucky enough to be able to use these technologies my recipients might not be and I might never know that they haven't been able to receive my mail.
    I re-iterate that in my own personal experience of trying Protonmail, most of the people that I sent emails to sent me emails by orinary email to say that they couldn't access it.
    An encrypted email is important and often urgent so I need to know that anyone that I send it to has the ability to receive it.
    PGP (Pretty Good Privacy) (for example) was a good system, in that they it did exactly what they said it would do. It functioned well but it failed because it didn't take into consideration the disparity in understanding and technological ability of the projected userbase. It was supposed to be for everyone but it ended up being for an exclusive group. Not by design but by not taking everything into consideration about it's platform of useage.
    Certain people at certain times must have benifitted from the use of PGP but as a broad people's encryption it failed. It was awkward to use and set up to the degree that I hardly know any one, (computer savvy or not) that has ever used it. I liked it but could never get anyone to use it or even attempt to use it to try.
    Protonmail and Tutanota will serve a certain strata of priviliged people very well but like a many of these new technological advances it's 'The Devil take the hindmost' Most people, I suppose, might say, 'Well, That's life!"
    but it's food for thought anyway.
     
    Last edited: Feb 14, 2015
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I agree with your sentiments to a point, and I don't think there's any point of principle here. Thing is though, for $10 you can have a usb stick and pop a modern pendrive linux on it that will have ALL the modern software you want on it for free. It will run well on pretty much any PC (including borrowed ones or old ones). You can buy a ready-to-go stick for not much more. Plus, that is likely to be pretty secure generally as well as being well able to access Protonmail etc.

    I think the browser statistics now show very decent penetration of the modern mainstream browsers, capable of running Html5 with many functions. So I don't think many people are excluded from being able to use the service.

    Finally, I am extremely uncomfortable with calling the latest incarnations "browsers" anymore, because they are clearly smart-terminals in the service of centralised services which want to rule your life - a bit like a mobile phone canary in your desktop machine. The scope creep and level of dangerous functionality in them is scary, and I don't trust them. But they're OK for some things, with a bit of nimble footwork with VMs and so on.

    That the proles are getting screwed over is true. That's emphatically not. my. fault. I've spent my working life helping make a decent internet, not what it's been (illegally) turned into.
     
  22. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    curious about tutanota as I also wait for invitation from protonmail. using chrome went to tutanota, went to registration screen, looked straight forward enough, secure and "private" then realized no reason to provide them with my IP, so I closed browser, cleaned traces as best I know how, put pc in vpn, and went back to tutanota and their home page opens ok, but register page does NOT open, all I see is sending request. first thought their server is busy, I'll come back, and when I returned, same. So to me, it sure seems like tutanota is not private at least not in the sense that I can sign up more or less anonymously. But I'm no expert, and know many of you here are very knowledgeable, so can I get some feedback about this apparent lack of privacy on a privacy service. thanks
     
  23. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    replying to myself... ok, tutanota did eventually allow my to register a new account thru vpn. why did it take so long for this to happen thru vpn, ie, in order to allow the NSA to hack vpn. who knows what "they" can really do?? I don't really think or worry about this stuff, except the occasional times I try to use it :confused:
     
  24. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    @simmerK00L

    Tutanota also works fine with the Tor browser, if you want that level of privacy.
     
  25. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I still pretty much completely disagree with you. As deBoetie points out, it's trivial to run free up to date browsers from a usb pen if necessary.

    For people who don't have computers, then it would seem by definition they aren't using email at all, so it's beside the point. If they are accessing email from a Library, etc., I'm surprised those locations don't have up to date browsers. If not, again as deBoetie points out, they can cheaply run portable versions of Firefox, etc., from a cheap usb drive. Or people could just ask the librarian to update the browser.

    The truth is that people who really have never had access to computers are mostly having their first computer experience through cell phones. If those phones are not smartphones, then they pretty much have no options for encrypted email, so blaming Protonmail and Tutanota is ridiculous. Once cheap smartphones become more common (which is happening rapidly) people who have never had a computer will have access to services like Tutanota and Protonmail, through their apps and through free up to date mobile browsers.

    But the fact that there are huge economic disparaties in the world is not Protonmail or Tutanota's job to fix. And nonetheless in developed countries people of all economic strata have access to computers and therefore access to free browsers with which they could use Protonmail or Tutanota. There are more than a billion computers in the world. In the U.S. two thirds of the population has a computer. Does this cover everyone in the world or the U.S.? No. Is is the sole province of "executives" and privileged people? Not even close.

    As far as only executives have staffs to keep them up to date on these things, that is also a completely bogus argument to me. I know some executives who make huge amounts of money and are in very high level positions at major global corporations and they and their staff are as ignorant about encryption and private email as my friends and family. Indeed, this sort of ignorance is in my experience equal opportunity, affecting all classes of people. It is only a small niche of us who are interested who are aware of encrypted email services. In the end, it is not Protonmail and Tutanota's job to resolve the ignorance of the masses (elite or working class). And at least they are doing something to make good, encrypted email much more easy to use and available than it has been (via GPG, etc.), which can actually have the affect of educating some people.

    So, I really don't buy a single aspect of your argument. Yes the world is ignorant and way behind the times when it comes to privacy and encrypted email. No it is not impossible for people to use services that are freely available with free software. If people can't figure out how to update their browser, blaming Protonmail or Tutanota makes no sense.

    I do agree that browsers have lots of security issues. But I really don't think the average user cares. Most people aren't going to block javascript and cookies and all sorts of things to have more privacy and security and don't care (it would be inconvenient and they want websites to just work). So if they're using modern browsers anyway, the may as well benefit from something like Tutanota or Protonmail, which are as easy to sign up for as any email service (easier, because they don' t ask for all kinds of personal information). If a desire to use Protonmail or Tutanota prompts people to update their browsers, so much the better, because their old browser is probably a security disaster. Protonmail and Tutanota are working within the confines of what exists, modern browsers, and making them a safer place for email. That's good and to be commended. Blaming them for the general state of browsers, just makes zero sense to me and is way beyond their responsibility.

    It seems like what you want--which amounts to encrypted email for everyone without having to overcome their own ignorance and seamless interoperability with other email services requiring no setup on the part of the user--could only happen if the largest most popular email providers (Gmail, Yahoo, Microsoft) enable encryption according to a generally accepted standard. But we know that is never going to happen, because their business model requires that they be able to scan your email for marketing purposes. So people are going to have to make some choices on their own and learn a few very simple things, if they want more privacy--or get help from their more savvy friends. It's not hard, but it won't happen magically without any initiative on the part of individuals. Protonmail and Tutanota are doing their best to make it as easy as possible. But as they say, you can lead a horse to water....
     
    Last edited: Feb 15, 2015
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.