by SUr3na 2662 days ago
I switched to protonmail after losing my gmail password. It was literally impossible to get my account back thanks to gmail "security features". The 500mb free plan is enough for personal usage. I hope other 3rd world countries don't block it following Russia. Interestingly this happened not long after the EU €2 million award. Probably someone read the news and googled protonmail, saw "encrypted email" in the Wikipedia page and decided to block the whole thing.

Own domain. That's the most important part of email. If you have that, you can move to wherever you want.
It's also the weak point - do you trust your domain provider that they won't allow a domain move / access based on parts of your personal information, like here [0]?

Also, is it only a domain block and not an IP block?

[0] https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...

You shouldn't use the almost-scammers of GoDaddy as an example. Whenever I hear any Domain horror story it's about GoDaddy, it seems like a bad idea to extrapolate from them.
https://twitter.com/n

Apparently he's got his @N account back. I wonder how it happened, I don't see anything about it in the article.

Yes, my main domain is locked by the registry and transfer requires some form of state ID validation with the registry to unlock the domain, before a registrar can transfer the domain.

Should be good enough protection against social engineering targeting registrars.

Well, that made me activate 2fa on my domain provider. Thanks!
You can take this a step further. You can set up multiple VMs in multiple regions to be your MX relays for your domains and route the traffic to whichever mail provider you want to use. You can then enforce TLS or set up TLS transport rules to require/optionally validate or enforce name+cert validation for specific domains (banks, etc). This also means that you can queue up mail even if that provider goes offline and you can see if the content is being tampered with (message sizes, headers excluded).

If your mail provider runs into problems or you choose to change, then instead of waiting for DNS to propagate, you simply update your relay configuration.

I should add that not all paid mail providers support this. Some lower-end providers require that you point your MX directly to them. Check before setting this up.
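The relay setup described in this comment, as an added example that is not from the comment author: a Postfix configuration for one of the MX relay VMs, which accepts mail for the domain, forwards it to the chosen mailbox provider, and applies per-destination TLS policy on the outbound hop. The domain `example.org`, the provider host `mx.provider.example` and the bank domain `bank.example` are placeholders, not real endpoints.

```ini
# /etc/postfix/main.cf (fragment) -- relay VM in front of the real mailbox provider

# Accept inbound mail for our own domain and forward it; we keep no mailboxes here.
relay_domains = example.org
transport_maps = hash:/etc/postfix/transport

# Opportunistic TLS by default; the policy map below tightens this per destination.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1

# Keep undeliverable mail queued for five days, so an outage at the provider
# (or a DNS change while switching providers) does not bounce mail.
maximal_queue_lifetime = 5d

# Log sizes on every delivery; a size mismatch between relay and provider
# logs is the tamper signal the comment refers to.
smtp_tls_note_starttls_offer = yes

# /etc/postfix/transport -- where mail for our domain goes (run "postmap" after editing).
# Switching providers means changing this one line, not waiting on MX propagation.
example.org    smtp:[mx.provider.example]:25

# /etc/postfix/tls_policy -- per-destination TLS requirements (run "postmap" after editing).
# "secure" + "match=" requires a valid chain AND a certificate name match,
# so a forged or self-signed certificate on the path is a hard failure, not a warning.
mx.provider.example   secure match=mx.provider.example
bank.example          secure match=bank.example:.bank.example
# Anything not listed falls back to smtp_tls_security_level (opportunistic).
```

After editing the two map files run `postmap /etc/postfix/transport` and `postmap /etc/postfix/tls_policy`, then `postfix reload`. The `secure` level causes Postfix to defer delivery rather than send in the clear when the certificate check fails, so a misconfigured provider shows up in the queue and the log rather than as a silent downgrade.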

I once lost my protonmail password and was able to get my account back by providing only my browser information, display name, rough timestamps of my requests to their servers and that "I preserved the last session for quite a long time". Not sure how secure that was :d Of course I didn't get back any of the emails since they were encrypted with the previous password but still if that is their normal protocol, someone with my browser information and name could just mitm me recording the timestamps of requests to protonmail's server and request a password reset.
>someone with my browser information and name could just mitm me recording the timestamps of requests to protonmail's server and request a password reset.

If they can MITM you, why not steal the password directly, or serve malicious js to get your password?

Because https mitigates their attack vectors as a mitm. They can't steal the password since it's not sent in plaintext, and for similar reasons can't deliver/inject malicious Javascript. They could collect timestamps though and scrape header information from http connections to other sites.
Not really. It just requires HTTPS mitm. It is harder to have a CA that can create a cert that looks like it was issued by the original website you are trying to achieve but this is standard practice in gov agencies to mitm HTTPS communication. The mitigation of these sort of attacks is called certificate pinning.

https://security.stackexchange.com/questions/29988/what-is-c...

That's a fair point. My reply was more in the context of the root comment - and with an average attacker in mind - where they were describing eavesdropping as opposed to an attack carried out by a sophisticated actor.

My point was that MITMing HTTPS and HSTS isn't really necessary to carry out an attack as described by the root comment.

You only need to be in position to eavesdrop and/or MITM http connections to scrape together the necessary information; a much lower bar.

True, I guess I was just nitpicking. :)
What you're describing is eavesdropping, not MITM
In that case I meant eavesdropping
> I switched to protonmail after losing my gmail password. It was literally impossible to get my account back thanks to gmail "security features"

Same here. I gave them everything there is to identify me yet they refused to help on the same grounds. The only difference was the phone number, because the one associated with the account died. Funny thing is, if it were not for an accidental removal of cookies, I would still be using that account, and I would have been able to login, as it only seems to ask for the code sent via SMS when you lose your cookies and/or change your user agent.

I switched to protonmail for non-serious e-mails.

I've been surprised to learn that several of my non-technical friends forget their passwords and rely on cookies, and then reset the password using their phone number whenever the cookies are lost.
> I've been surprised to learn that several of my non-technical friends forget their passwords and rely on cookies

As a "technical" person, I despise passwords and tend to avoid using them. My preferred way to log-in somewhere is either with ssh keys or with single-usage codes sent by mail.

This has nothing to do with "losing" passwords. For example, I actually have a password for amazon written in a file, but I don't bother looking for it, I prefer to use the single-usage code anytime I want to use the site.

If you lose your phone number gmail asks you these:

- Last password you remember
- Last time when you logged in
- Your security questions
- Devices connected with your Google account

Just to tell you gmail is unable to recover your account. I am not sure but I think the more you try to recover it the worse it gets (which is understandable). So either you have the phone number and you magically get everything else in those questions right (what counts as right is the real question), or you enter a rabbit hole and get further from getting your account back the more you try. I'm not blaming this system entirely but apparently nothing matters except your phone number when it comes to recovering your account.
Not even getting everything else right works, you need ALL of it right, including the backup email address, when the account was created, last password, location, some captchas, and the backup phone number.

Once one of my Google Accounts was taken over by a hacker (I had reused the password on another site, which was hacked around that time), and even though Google warned me that someone was trying to take over my account, and told me someone was logging in from Russia (I always logged in from the exact same IP address from which I tried to recover it), and even though a friend at Google submitted an internal request to get me the account back, and even though I sent them a photo of my ID (with the Google account having that exact name in it), they refused to help me.

Google support did try to reach out to me, as I later figured out, but they had instead contacted me via the hacked email account, I only found the "thanks for your support chat" mail in the account after I regained access.

Which I was only able to do so by talking to the person who now owned the phone number I had used a decade before for that account (the ISP had long recycled it).

Interested to know how it works if Google don't have your phone no.? Certainly every time they've nagged me for a phone no. I decline the gracious opportunity to give them another identifier. My gmail account long predates the mandatory phone no. step, and so far I think I've managed to dodge it.

Thinking of ditching the ~tracking device~ phone anyway... what then? Have we sleep-walked into a world where people without a mobile phone are the underclass who barely even exist?

> but apparently nothing matters except your phone number when it comes to recovering your account.

Kind of legit to be honest. Anything else would make it far too easy to recover accounts. Also Gmail is far too large to have a customer care that could also do things like passport verification or so.

Having said that, Protonmail has no phone number recovery. That's kind of bad. You can enter an old E-Mail address there though but it would be so much better to link this with a phone number. If you lose your sim card, you can always get a new one from the phone company with your passport.

> Kind of legit to be honest. Anything else would make it far too easy to recover accounts. Also Gmail is far too large to have a customer care that could also do things like passport verification or so.

Why is being able to recover accounts easily a bad thing when you, and only you have or should have access to, say, the password?

> Protonmail has no phone number recovery. That's kind of bad

I do not use it, so it is fine by me.

> If you lose your sim card, you can always get a new one from the phone company with your passport.

Not necessarily. It is more and more difficult to get a new one, and there are prerequisites that one may not meet, or they decide they do not want to do business with you, or your social credit is too low, etc.

The differences are: one is given to you by a third party, and the other one is made up by you.

I would like to be able to opt out of it, e.g. phone number should not be required.

> Protonmail has no phone number recovery. That's kind of bad. You can enter an old E-Mail address there though but it would be so much better to link this with a phone number. If you lose your sim card, you can always get a new one from the phone company with your passport.

Considering how many high profile bitcoin thefts occurred using hijacked phone numbers, it's probably better not to have that as a reset method.

But this should be up to the user. I mean if your 1 million BTC account is protected through a phone number, someone might want to still do it that way.

Most users don't even have Bitcoin but normal bank accounts which are oftentimes protected by different second factors. It would be nice if they would provide different options. For me it would suck if someone hacked my E-Mail but I could reclaim it quickly and the damage would be very limited.

Probably it is better to forget a strong password and reset it, than use a weak password that is easy to remember.

Last year I was working on a service that skipped passwords altogether. We used the phone number and a one time pin code by sms for registration, login and order confirmation all in one step.

Google's security is designed to safeguard accounts from usage that would inconvenience Google. It's not designed to provide security to users. It's extremely easy to get locked out, even if you remember your password.

Simple use case. You create an account while on VPN. You don't provide a phone. Then you clear your cookies. That's it. If your exit point IP changes, Google will not allow you to log back in even if you know the password.

> I hope other 3rd world countries don't block it following Russia.

Interestingly, the original meaning of "third world" country was: a country that is neither part of the Soviet bloc nor the US side (the two first worlds)

That's also the current meaning of "third world." A lot of people use it to mean "country I think is backwards."

Ah: https://news.ycombinator.com/item?id=19367437

People didn't jump on blocking Telegram after Russia blocked it also. So I don't see people jumping on the bandwagon now. Well except for maybe other countries run by authoritarians.
This is true. I thought Iran followed Russia in blocking Telegram but it was not the case. Anyhow higher publicity means higher chance of censorship in certain countries.
Iran also blocked Telegram, but it was before Russia blocking it.
russia isn't a third world country by any definition (second world by the original definition....)

"Probably someone read the news and googled protonmail, saw "encrypted email" in Wikipedia page and decided to block the whole thing." <-- where do you get that? it's complete nonsense

I didn't mean to say Russia is a third world country, but I live in a third world country which closely follows Russia's rules. Apology to all Russians misinterpreting my comment :)

As for the complete nonsense: you have something working for 5 years, suddenly it gets news coverage with no significant usage increase and is blocked. I have no source but this is the exact case where I live. There's something, like a publicity threshold. It sounds silly and irrational because it is silly and irrational. Or perhaps I am wrong and some experts were analyzing protonmail for 5 years and now came to the rational conclusion to block it.

Also ran into this. Even had a Google manager I've known for years go to bat for me internally. No dice. Which is crazy, since web logs would have shown that the account was completely and always under my control.

Like a distant god, Google gives and Google takes away...

if we keep using it (the "free world") then they will be the ones missing out on communication capabilities because we can send them email but they can't.
If only PM did not have such a low limit on the number of domains you can have. Messages per day are already a good limitation, why limit domains?
1st, Russia is not a 3rd world country. Second, if you'd read the article, it wasn't a case of someone seeing "encrypted email" in a description of protonmail and blocking it, they were having problems with bomb threats.
What exactly does protonmail offer you over any other disposable email if you are sending bomb threats? I think this was just an excuse made to have an excuse.
And no SMTP/IMAP for free accounts. Free plan is unusable.