[WhackyIdeas]

I have been with Protonmail since 2014. And I feel that they are essentially now the same as any other company which makes loads of dollar - they give up their values.

Don’t get me wrong, I have multiple ‘Visionary Accounts’ but I have just no expectation of them protecting my data completely.

How do they get peoples passwords / keys? Easy. They just wait for you to log in and they swipe it then. It’s targeted.

They are a perfect example of why you cannot really trust any company selling ‘privacy’, like Apple, Mozilla and whoever else fakes it. Even TOR to a degree is a pile of pish because all the relays can be hosted on mostly American VPS companies… so although the rest of the world would struggle detecting who people are, five eyes are in an excellent position to be able to unmask. It’s intended for the Five Eyes spies to hide among - they need the randomers on there or it’s a useless tool for their global spies to use - I don’t think enough people actually realise that.

[protonmail]

>How do they get peoples passwords / keys? Easy. They just wait for you to log in and they swipe it then. It’s targeted.

Under Swiss law, Proton cannot be compelled to do this. Nor is this "easy" to execute if you are using the open source mobile or desktop apps.

[WhackyIdeas]

Ok, I may have made an incorrect assumption (sorry).

But, do you have a method which results in the data being accessible to anyone other than the account owner?

I don’t know exactly what you provide. Or how you do it. But it does feel secretive, and that in itself makes people think the worst.

But I do know how NDA’s work, so that might be a part of it.

[protonmail]

No, in fact we have no way to decrypt the emails on our servers, nor can we share them in an unencrypted format with any third parties (law enforcement included). All the data requests we comply with only include metadata which needs to remain unencrypted for the services to function properly.

[hombre_fatal]

Besides, none of it really matters when their customer service backdoor lets you into an account if you can enumerate recent emails that account has received. I'd never trust anything serious with Protonmail. (Try it)

[ivan_gammel]

Do you have any evidence for this claim?

Here’s their recovery process: https://proton.me/support/set-account-recovery-methods

I don’t see there customer support call as a recovery method. I‘d expect that for paid accounts you could theoretically verify your identity to CS via payment, but in that case you lose the data anyway.

[roastedpeacock]

Even if the attacker cant decrypt existing e-mail the concern is by hijacking the account they can intercept future e-mail received such as password resets.

Some searching finds this comment. [1] I would be interested if such a password reset were possible against someone who for instance had 2FA enabled, no recovery information and only accessed their account using the Tor onion-service. ;-)

[1] https://news.ycombinator.com/item?id=19367063

[WhackyIdeas]

Tor onion service relays are mostly on VPS. And those VPS are mostly American.

The number of tutorials I have seen about spinning up a tor relay on a VPS is crazy. These tutorials are probably written by three letter agencies - though I have no proof.

Regardless, protonmail doesn’t let people register when connecting with Tor unless you use phone number or card to make a payment. You will have to give up something which identifies you, and so it really doesn’t matter when you connect with Tor after you have already registered - there is a way to connect who you are.

[roastedpeacock]

Traffic of onion-services is encrypted. Traffic correlation to deanonymize the client can still be theoretically performed but ultimately you need to draw the line in the sand somewhere.

> Regardless, protonmail doesn’t let people register when connecting with Tor unless you use phone number or card to make a payment

Actually if you attempt enough times you will get the option to verify the registration with an e-mail. And they are rather liberal with which options they accept. So it is not exactly a circular dependency.

From there is it an exercise to the reader to create an account not linked to any other identity.

[ivan_gammel]

Valid point, however that happened at least 5 years ago. Proton was smaller. I don’t know if this is still the case for today: I would expect that they continuously improve security of user accounts as they grow.

[hombre_fatal]

Your link doesn't apply here. The attacker's recovery process is to just send an email to support@protonmail.zendesk.com and start flapping their gums.

It doesn't matter if you lose data. If you control an email address, you get all future email including forgot-my-password emails.

[protonmail]

Honestly, if you try it, you will find it doesn't really work this way. A lot of heuristics are used for recovery, many which are not visible to the outside for security reasons. Also, data recovery is never possible because of the use of zero access encryption.

[hombre_fatal]

Protonmail's customer service agent CCed my recovery email (me) in the email thread where the attacker was social engineering them. And the attacker was successful until I had to reply to the email chain myself to tell them to stop.

And yes, signing up to Home Depot's email newsletter and other services so that they could tell the customer service agent "my last few emails were from Home Depot and ..." was successful against their customer support system. That's just how amazing it is.

Finally, I don't expect the social media guy running protonmail's HN account to give us much insight into protonmail's customer support security issues, but if you're going to show up, I would've at least expected you to forward my email somewhere for follow up.

[protonmail]

Just providing the information on the most recent correspondents is never enough to provide access to a Proton account. Please share your support ticket number with us so we can see what happened exactly.

[WhackyIdeas]

Thank you. Is there any way you can share the exact things you do or provide when you are forced by a court order to give data about someone?

[protonmail]

You can learn more in our Privacy Policy: https://proton.me/legal/privacy and Transparency Report: https://proton.me/legal/transparency.

[WhackyIdeas]

Can you explain more about this, I am clueless to this? Appreciated!

[drio0]

Are you aware of a better alternative? I am trying to see if I should commit to using Proton or not. I am just a normal users who do not want to be tracked or my data used. Maybe Proton is still very decent for that

[WhackyIdeas]

Not really, no. Unless you want to self-host in your own home hardware.