by ivan_gammel 732 days ago
Do you have any evidence for this claim?

Here’s their recovery process: https://proton.me/support/set-account-recovery-methods

I don’t see a customer support call there as a recovery method. I’d expect that for paid accounts you could theoretically verify your identity to CS via payment, but in that case you lose the data anyway.


Even if the attacker can’t decrypt existing e-mail, the concern is that by hijacking the account they can intercept future e-mail received, such as password resets.

Some searching finds this comment. [1] I would be interested if such a password reset were possible against someone who for instance had 2FA enabled, no recovery information and only accessed their account using the Tor onion-service. ;-)

[1] https://news.ycombinator.com/item?id=19367063

Tor onion service relays are mostly on VPS. And those VPS are mostly American.

The number of tutorials I have seen about spinning up a Tor relay on a VPS is crazy. These tutorials are probably written by three-letter agencies - though I have no proof.

Regardless, protonmail doesn’t let people register when connecting with Tor unless you use phone number or card to make a payment. You will have to give up something which identifies you, and so it really doesn’t matter when you connect with Tor after you have already registered - there is a way to connect who you are.

Traffic of onion-services is encrypted. Traffic correlation to deanonymize the client can still be theoretically performed but ultimately you need to draw the line in the sand somewhere.

> Regardless, protonmail doesn’t let people register when connecting with Tor unless you use phone number or card to make a payment

Actually if you attempt enough times you will get the option to verify the registration with an e-mail. And they are rather liberal with which options they accept. So it is not exactly a circular dependency.

From there it is an exercise for the reader to create an account not linked to any other identity.

Valid point, however that happened at least 5 years ago. Proton was smaller. I don’t know if this is still the case today: I would expect that they continuously improve security of user accounts as they grow.

Your link doesn't apply here. The attacker's recovery process is to just send an email to support@protonmail.zendesk.com and start flapping their gums.

It doesn't matter if you lose data. If you control an email address, you get all future email including forgot-my-password emails.