[HN Gopher] ProtonMail includes Google Recaptcha for login
___________________________________________________________________
ProtonMail includes Google Recaptcha for login
Author : Hard_Space
Score : 229 points
Date : 2021-05-29 16:22 UTC (6 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| cowpig wrote:
| When I started my company we chose to use Protonmail. My advice
| to anyone who wants secure email: don't use protonmail.
|
| The email search is completely useless. I don't understand how it
| can possibly be so difficult to do a substring search on a corpus
| and rank them in some kind of sane way. Searching for old emails
| based on content is an exercise in futility. After a few years of
| using an email service, search becomes really important.
|
| It is exceedingly difficult to pull data out. You need dev ops
| skills to do it.
|
| They charge for users that are disabled, and you can only stop
| paying for them if all of the associated data is deleted.
|
| So they effectively hold your data hostage (yes, you can get it
| out but it is time-consuming and requires technical skills).
|
| I finally bit the bullet and paid a dev ops person (and gave him
| access to all my data) and switched to fastmail (at least it's
| not google) a few months ago. It's been an incredible relief.
| protonmail wrote:
| A few clarifications. There is an export tool that is
| available. The reason we must count disabled addresses towards
| your quota is because if we did not do that, we would be
| susceptible to an attack where a paid user could run through
| our address space by creating and disabling addresses
| continuously, so some limits are required. You can remove
| disabled addresses, but only by contacting support.
| notafraudster wrote:
| This is a sort of weird reply. The person you're replying to
| isn't saying "you need to allow an attacker to create and
| disable millions of addresses to DOS you". They're saying
| "you need to allow medium to longer term clients that de-
| activate very small portions of their overall number of
| accounts to not have to pay for those". You already have a
| system to measure account numbers, so what makes it
| impossible to also measure active account %ages
| Aeolun wrote:
| Why would you not pay for deactivated accounts for which
| they're still storing the data? I don't think the delivery
| of email is what costs most money, it's the storage of
| data.
| protonmail wrote:
| Sorry if our answer wasn't clear. You can de-activate, but
| it must be manually requested through support.
| spiderice wrote:
| Your replies are very frustrating. It's like you're
| completely missing the point of the replies and focusing
| on very tiny, irrelevant details. Nobody is claiming that
| you can't remove deactivated accounts. Only that you
| charge for them until you go through the rather annoying
| process of contacting customer support. And then you make
| some bad excuse that it's in the name of security because
| somebody could potentially make and deactivate millions
| of accounts. Obviously there could be a middle ground of
| allowing someone to deactivate 5 accounts per month or
| something.
|
| I suggest you either stop responding, or actually respond
| to the issues people have, and don't make excuses that
| are paper thin.
| duckfang wrote:
| This line of discussion from Protonmail is making me
| greatly reconsider closing my accounts (plural) there for
| VPN and mail service.
|
| This is embarrassing at minimum, and shows negative
| interaction with customers.
| b0tzzzzzzman wrote:
| Completely agree.
| abnercoimbre wrote:
| Their service is so useful to me. But man, I can't deny
| their customer interactions can be problematic (as
| evidenced.)
|
| Is it that the developers 100% defer to a marketing rep
| without in-depth knowledge? Something else?
| duckfang wrote:
| Same here, with their email AND vpn. It's been flawless so
| far, tech wise.
|
| But yeah, they really need to control and focus their
| core message to a tech board. If you whiff that (which
| they did), there's a good chance in running off your core
| users. And that is generally considered a bad idea.
| protonmail wrote:
| > Obviously there could be a middle ground of allowing
| someone to deactivate 5 accounts per month or something.
|
| An improvement like this is indeed in our feature backlog,
| and something we hope to implement in the future.
| rowanG077 wrote:
| Wow this response chain is so laid on thick with half
| answers and marketing speak. I guess you can now "hope"
| that I won't cancel my protonmail subscription.
| [deleted]
| Aeolun wrote:
| I very much assume they wouldn't care (or not more than
| you do anyway).
| jjeaff wrote:
| I think it is unreasonable to think that protonmail
| should not charge you for deactivated accounts that still
| have data in them. If they still have data, then you
| should keep paying.
| zxzax wrote:
| This seems to be assuming bad faith, you've changed a
| complaint of a missing feature into a different request
| for a new feature (because contacting support is
| inconvenient), which are two different things. It would
| be best to not confuse the issue, and to focus on doing
| what you can to support the feature request, if that's
| what you're interested in having.
| Dylan16807 wrote:
| If you have to contact support to stop paying for an
| account you're not using, that's definitely a missing
| feature.
| zxzax wrote:
| That seems like a misreading, the very toplevel post says
| that you can stop paying by deleting all the data. Then
| the response says you can also do that by contacting
| support. Did I miss something?
| Dylan16807 wrote:
| The way I'm reading it, you need support's help to delete
| everything, but I admit I'm not sure if that's the
| correct reading.
| mdoms wrote:
| I don't know how anyone could look at protonmail's
| responses and not assume bad faith. They're obfuscating
| the issue so they can make technically correct but
| effectively useless excuses for crappy behaviour.
| zxzax wrote:
| I'm not sure what you mean -- it makes sense to me that
| if you are paying for an email service, they would
| continue to charge you as long as you store and access
| those emails in their server, and they would have to take
| steps to prevent abuse from people who might try to store
| too much data. Can you be more specific about what the
| behavior is? Maybe you could show a good way that another
| email provider has solved this, and provide a helpful
| guide as to how they could implement that?
| mdoms wrote:
| Can you name another corporate email provider that
| doesn't free up seats when users are deactivated? To my
| knowledge this is how all of Proton Mail's competitors
| charge for seats - at least all the ones I know of.
| dna_polymerase wrote:
| That's what you get for making stupid decisions based on
| ideology instead of facts.
|
| Protonmail says it very clearly that all mail is encrypted on
| their servers. If you expect search functionality from them you
| don't get encryption. You bought into some random surveillance
| state propaganda.
|
| Google isn't interested in the mail of your random startup,
| they are happy expanding their cloud footprint. In return you
| get good search and top notch mail servers.
|
| Make sane decisions instead of ideological ones. Product-wise
| there is not a thing wrong in the world with GMail.
| andrepd wrote:
| "There's nothing wrong with people reading your
| correspondence (and archiving it forever and running
| algorithms on it)! If you say otherwise you're blinded by
| ideology!"
|
| Conform, citizen!
| kmaasrud wrote:
| Choosing something you ideologically do not support is not
| sane
| minitech wrote:
| > If you expect search functionality from them you don't get
| encryption.
|
| It's not as if the client can't maintain an encrypted index,
| they just haven't implemented it.
|
| Also, apart from all of the important advantages of
| encryption, there's always the privacy angle compared to
| Gmail: Google uses mail to target ads and scrape purchases,
| which a lot of people don't want.
| gerash wrote:
| I think a full index of the contents of hundreds or
| thousands of emails and their attachments is soon going to
| take a lot of space and be slow on a mobile device.
|
| Also if you have multiple clients, which one is going to
| update the index and how do they sync up? Building index on
| a mobile device potentially kills its battery esp. if it
| needs to index pdfs and images. So it needs to be done
| while charging over night which means you can only search
| emails from yesterday. If multiple mobile clients build
| their own indices merge conflicts might arise.
|
| So yeah, if you're opting for an encrypted email then your
| search experience will suffer. It's the user's choice
| obviously.
|
| The advertisement on Gmail is for free accounts btw and it
| seems extremely dumb. I get ads for Google Fi in Gmail even
| though I'm a Google Fi subscriber.
| minitech wrote:
| > I think a full index of the contents of hundreds or
| thousands of emails and their attachments is soon going
| to take a lot of space and be slow on a mobile device.
|
| I initially read "hundreds of thousands" and would have
| agreed that it might be a problem for those rare users
| (not even sure about that), but no, "hundreds or
| thousands" is a trivial amount of data. Normal mailbox
| operations already need to synchronize state; you just
| apply index operations along with this. (As for indexing
| PDFs and images, I don't expect that in a basic
| implementation, or maybe ever. Doesn't mean the entire
| feature should be missing.)
|
| Which is why other services (e.g. Tutanota) have already
| implemented it, and also manage to encrypt things like
| subject lines, which Protonmail doesn't (!).
| gerash wrote:
| Implementing that is easier said than done.
|
| I'd like to first see a real example of a mail service
| that in addition to e2e encryption is also best in class
| in terms of usability (quality and speed of search, spam
| filtering, auto categorization, ...).
|
| For my use cases, usability comes first and e2e
| encryption comes second or even third (after price)
| Dylan16807 wrote:
| > I think a full index of the contents of hundreds or
| thousands of emails and their attachments is soon going
| to take a lot of space and be slow on a mobile device.
|
| The index doesn't need the attachments, does it? At a
| couple kilobytes per message you can fit a whole lot of
| text into a reasonable amount of phone storage. And
| there's no reason it should be slow.
|
| > Also if you have multiple clients, which one is going
| to update the index and how do they sync up?
|
| Each client can either independently index new emails as
| they come in or upload something like a compressed csv of
| new entries for the index database. A hundred new emails
| should only take milliseconds to process.
|
| > if it needs to index pdfs and images.
|
| How do you index images? Indexing pdfs is much more of a
| nicety than a necessity, and it could be a setting on
| whether you want to spend the data. It shouldn't take
| long though, as far as I know. You don't need to render
| it or anything.
|
| > If multiple mobile clients build their own indices
| syncing them and merge conflicts might arise.
|
| If they build their own then you don't need to sync.
|
| If they share and do sync, I still don't see how you'd
| get merge conflicts. Emails don't change, and index
| updates are just adding and removing entire emails.
| gerash wrote:
| I have a lot of emails that are receipts from various
| businesses where most of the content is in an attached
| pdf. Same for image where you'd need to run OCR and some
| off the shelf object recognition on it but that's less
| common based on my usage.
|
| Building the index independently on each client means if
| you login from a new device you need to wait for the
| index to be built. That said, maybe the index can itself
| be encrypted and uploaded to the server to be downloaded
| by new clients. Also building index is potentially
| expensive on a mobile phone and I don't want to wait for
| my phone to be plugged in to be able to search recent
| emails. The alternative would be to have an always on
| computer at home that decrypts, indexes your emails and
| then your mobile client updates its database from there.
| This whole system feels so fragile though.
|
| I'm no expert in cryptography or syncing databases but
| imagine there are a lot of technical and usability
| issues.
| Dylan16807 wrote:
| > Building the index independently on each client means
| if you login from a new device you need to wait for the
| index to be built. That said, maybe the index can itself
| be encrypted and uploaded to the server to be downloaded
| by new clients.
|
| But how often do you log in from a new phone? And yes it
| could be.
|
| > Also building index is potentially expensive on a
| mobile phone and I don't want to wait for my phone to be
| plugged in to be able to search recent emails.
|
| As I said in more detail before, I don't think it is.
|
| > I'm no expert in cryptography or syncing databases but
| imagine there are a lot of technical and usability
| issues.
|
| There's a few. But making an app is already a process of
| dealing with dozens of technical and usability issues.
| None of these new ones sound like dealbreakers.
| bassdropvroom wrote:
| Note: due to the design of PM, the search is done client-side
| rather than server-side. It's not an excuse but at the very
| least, full-text search is harder.
| alpaca128 wrote:
| Full-text search within the average amount of a single user's
| emails is trivial and fast on any modern PC. Smartphones do
| it for autocompletion suggestions every time you type a
| letter. The only thing taking longer than a few milliseconds
| is the initial indexing.
| texasbigdata wrote:
| This sort of comment is frustrating. How many times has XYZ
| site had broken search? It seems to _not_ be a trivial
| problem still.
| Dylan16807 wrote:
| > This sort of comment is frustrating. How many times has
| XYZ site had broken search?
|
| I can't even think of any? But also search isn't a _core
| feature_ for the vast majority of sites. Something can be
| easy and still break if nobody cares very much.
|
| Edit: Actually I can think of search breaking on one site
| that was notoriously badly run and had 0 to 1 part-time
| devs. That's not a flattering comparison.
|
| Edit 2: So could the people that disagree name some
| notable sites with broken search? I feel like if I don't
| understand what "XYZ" stands for it's probably not
| something I should be blamed for...
| bellyfullofbac wrote:
| Gotta love all the comments here and on the Github issue
| who just throw out casual "This problem is trivial to
| solve!"'s.
| alias_neo wrote:
| Doesn't that assume you _have_ all of the emails on your
| device in order to search them?
|
| I know for a fact, Gmail on my phone doesn't have the ~15
| years of email in my account downloaded. I bet that would
| take significantly longer to download than the actual
| search would take to perform.
|
| If the things to be searched aren't already on the client,
| a client side search doesn't seem too useful to me,
| regardless of how much compute power you have.
| [deleted]
| snotrockets wrote:
| My own advice re secure email is that there isn't such a beast
| - you just can't apply what is expected from modern secure
| messaging, like having no insecure fallbacks, forward secrecy,
| encrypted metadata, etc.
| essentialoils wrote:
| https://theconsciousresistance.com/protonmail-is-insecure/
|
| https://privacy-watchdog.io/protonmails-creation-with-cia-ns...
|
| https://eprint.iacr.org/2018/1121.pdf
| jjcon wrote:
| I'll second this, I love the idea of proton mail but the
| product isn't anywhere close to ready for daily driving. Great
| for the occasional should it arise however. Encryption should
| be a selling point and it seems like they use it more as an
| excuse.
| cyberpunk wrote:
| Hmm, I use it for everything, but I'm using the bridge with
| apple mail.app, maybe that's a bit of the happy path for
| searching..
|
| No real complaints besides the bridge sometimes pegging a cpu
| until I HUP it..
| wyxuan wrote:
| Apple mail app searching sucks. Might just be my personal
| experience but I find it easier to just search for email on
| gmail
| inamiyar wrote:
| I also use the bridge with Thunderbird with no problems.
| jwally wrote:
| Was literally about to posit that as a solution.
|
| It's way above my pay grade but I wonder if homomorphic
| encryption could be leveraged at scale without
| compromising security.
| brundolf wrote:
| I've been using it for 2.5 years for my personal email (I
| don't do anything super complicated with email; mostly
| service notifications, the occasional correspondence with
| friends or recruiters or such). As far as UX, it's pretty
| mediocre (on both web and mobile) but it gets the job done
| for my purposes.
| amelius wrote:
| It used to be the case that both ProtonMail and FastMail were
| frequently recommended on HN. So, how is FastMail doing in
| comparison?
| fractalf wrote:
| I've used fastmail for 20 years and I'm very happy about it.
| Before that I used telnet to a server and running pine. While
| traveling in India I got fed up by the lag so I decided to
| try out this web-mail thing that everyone was talking about.
| I came across an Indian IT magazine that compared all the big
| players at the time, and fastmail came up on top. Easy
| choice, never liked big corp anyway. I've since tried out
| most alternatives, but nothing could match my need as well as
| fastmail. Thumbs up!
| nightski wrote:
| Long time fastmail user and I love it. Simple and works
| great. Use it for business and personal now.
| vbezhenar wrote:
| I'm not entirely happy with fastmail. Too much of legitimate
| mail ends up in Spam. They even put aliexpress mails to spam,
| that kind of domain surely must be whitelisted. I'd prefer
| more spam in inbox, because right now I have to check spam
| every time to ensure that nothing is lost.
| hedora wrote:
| Settings -> Filters and Rules -> Spam Protection ->
| Advanced settings -> Custom
|
| Ikea mass marketing emails are ~5.5 for me, and essentially
| all of the "false positives" in my spambox. The real spam
| is all 20+.
|
| It looks like fastmail defaults the threshold to 5. Try
| increasing it to slightly above the score your legitimate
| emails get.
| trulyme wrote:
| A bit off-topic, but I'm constantly surprised that e-mail
| companies are so bad at this. If I, as a user, keep
| corresponding with someone, what kind of brain-dead system
| keeps putting their mails to spam? (answer: gmail) I am
| communicating with them, do you really think they are
| spamming me? It's so frustrating. And yes, their SPF &
| similar headers are correct (or at least they seem to be,
| as G of course doesn't tell me why it went to spam). I know
| I can setup filters, but I thought they had that "smart"
| machine learning thingy? Or at least some simple "if"
| statements? /rant
| neurostimulant wrote:
| To be fair, aliexpress is pretty spammy. If they use simple
| bayesian filter for their spam filter it's pretty
| understandable that aliexpress emails ended up being marked
| as spam.
| Aeolun wrote:
| Really happy with fastmail. It is above anything else, very
| fast.
| loh wrote:
| Check out TricepMail.com. I'm curious to see what HN thinks
| of it.
| aaravchen wrote:
| It looks interesting, it goes the functionality checkboxes,
| but given the thread here the target audience is likely
| interested in privacy and security. Tricepmail seems to
| have little to no information about security, and the
| privacy policy is basically GDPR compliance (specifically:
| we'll tell you what we collect personal info for) with the
| option to sell the data to third parties. Additionally, the
| apps appear to be in beta-stage still. They're functional,
| but still pretty rough in appearance. You're going to be
| hard pressed to convince anyone here to switch to a service
| that retains the right to sell your data, doesn't reveal
| the country of administration, and is relatively new.
| loh wrote:
| Thanks for your feedback. I will touch on all your
| points.
|
| TricepMail is designed specifically for privacy, and not
| only privacy for your data on TricepMail's servers but
| for preventing others from tracking and selling your
| information as well. The privacy policy specifically
| states that there is no collection of your personal
| information. TricepMail is based out of Colorado, US, but
| considering moving to another country which might be
| better for privacy.
|
| The UI is definitely very minimal, but that is on purpose
| by design. No need for a bunch of visual clutter when
| reading/sending email. Improvements can and will be made
| though, of course.
| bellyfullofbac wrote:
| When Zuck says Facebook wasn't sharing our data with
| NSA/Prism, he has his company's and his own reputation on
| the line if he was lying... we don't know who you are and
| what this service is, so, sorry to say, but your 2nd
| paragraph doesn't mean much.
|
| I could promise you I'll send you a legit authentic fancy
| gold Rolex worth $20,000 if you transfer me $15,000, so
| you can re-sell it and make $5,000 in an instant. Would
| you believe me?
| tw04 wrote:
| Are you representing tricepmail? Because it kind of
| sounds like you are. And if you are, it's kinda shady to
| not disclose that in your initial post asking what people
| think of it...
| tweetle_beetle wrote:
| Services like email don't have a high barrier to entry and
| most customers don't have complex technical requirements,
| so much of choosing a provider is based on trust and
| instinct - rightly or wrongly.
|
| I remember a while ago someone promoting a new email
| service that "focused on privacy", etc. A few knowledgeable
| HN users quickly pointed out they were running Mail-in-a-
| Box on a single Digital Ocean droplet.
|
| Your open source link contains nothing, your blog has no
| posts, your Windows app is not found in the store, your
| privacy policy is from a free policy generator tool, there
| are no reviews due to the service being new and there is no
| documentation for how to use custom domains, etc. You may
| offer an excellent service, but there's not a lot to base
| trust on.
| dsissitka wrote:
| I just switched back to Fastmail after a year of testing
| alternatives (mailbox.org, Private Email [a Namecheap
| company], Runbox, and Zoho Mail) and I'm quite happy with it.
| ulimn wrote:
| I think the search doesn't include the message of the email is
| because it's encrypted and it would have to decrypt every
| single email to do it.
|
| // Or something like that, I'm dumb for cryptography :)
| fnord77 wrote:
| aren't all messages encrypted on the server? that would make
| search difficult because no server process could read them. all
| your emails would have to be pulled into the client for
| decryption first.
| navanchauhan wrote:
| Not really, it depends on each service provider.
|
| You can imagine each user as a folder in the /var/mail
| directory, it depends on your implementation to encrypt the
| folder or not. Gmail encrypts all in-transit e-mails but I
| cannot find a reference for encrypting on their servers
| brundolf wrote:
| Their point is that ProtonMail specifically does encrypt
| emails on the server. That's their headlining feature. Only
| clients are supposed to be able to decrypt them.
| navanchauhan wrote:
| Oh, my bad.
|
| I thought when they were referring to the server, it was
| email servers in general.
| buu700 wrote:
| _They charge for users that are disabled_
|
| Took me a second to figure out that you weren't claiming
| accessibility was only supported at an extra cost.
| inamiyar wrote:
| I didn't get it till reading this.
| marmaduke wrote:
| > exceedingly difficult to pull data out
|
| Their "bridge" lets you use a regular imap client, which makes
| it trivial.
| bromquinn wrote:
| Weird. I've been using ProtonMail for years as my primary email,
| and I don't think I've ever seen a captcha. This includes when I
| visit ProtonMail over VPN's or in a private window
| pkw792 wrote:
| Why all the senseless bickering? If you don't like ProtonMail,
| don't use it! Choose whatever else, and go bicker or rave about
| that instead.
| edoceo wrote:
| Another user-hostile. Folks laugh when I say I run my own email
| (FreeBSD/Postfix) and "why build your own mail client"? Because,
| inevitably, all these for profit service providers turn against
| me.
| rantwasp wrote:
| i would not laugh. think it's impressive and must eat a lot of
| time
| ipaddr wrote:
| Setting up dovecot, postfix to receive emails is a fun few
| hours that have continued to work forever.
|
| Sending mail to gmail requires setting up extra processes
| that most times won't work anyways. Sending mail from an
| unknown ip is like sending it from a blacklisted address. To
| avoid this I use my isp to send the mail.
|
| Setup time including thunderbird settings is under 2 hours
| for many.
| jjav wrote:
| > i would not laugh. think it's impressive and must eat a lot
| of time
|
| It does not.
|
| I set up my latest/current email hosting in about 2011. Very
| minimal work on it since then. There's really nothing to do
| once it's working.
|
| Only work I can think of I've spent on it since 2011 is:
| regular OS updates (which take basically no time), added SPF
| and later DKIM support, added Let's Encrypt cert. That's it
| in ten years.
| edoceo wrote:
| Not really. Once Postfix, Dovecot, DNS stuff, DKIM, it "just
| works". I did lose some time, three years ago fiddling with
| spamassassin vs rspamd but mail, after the not-really-that-
| hard-at-all setup. I mean, folk handle way more complex stuff
| (k8s) but balk at a bit of time on this old, boring, stable
| set-it-and-forget-it self-hosted wonder.
| inamiyar wrote:
| The problem with running my own email is I don't want the
| hassle of convincing Google I'm not spam.
| rantwasp wrote:
| gonna replace an evil with another one, but you can use
| amazon workmail (they have the spf, dkim, dmarc stuff figured
| out) with your own domain.
|
| it takes 10 minutes to setup. it does not have a flashy web
| ui - but if you do imap it doesn't matter.
|
| cost: 12$/year for the domain, 4$/month for the user,
| 0.5$/month for the route53 zone
|
| so 5.5$/month to kick gmail to the curb. the gov is still
| gonna get your emails if they want them.
| intricatedetail wrote:
| But does it mean Amazon reads your email?
| rantwasp wrote:
| you need to figure that out yourself. Does Amazon look at
| your files in S3? Do they inspect your API traffic? Look
| at the files on your EC2 instances?
|
| Did I mention that Amazon has datacenters in places with
| stronger privacy laws (Germany cough cough)?
| throwawayboise wrote:
| I'm on a few email lists, and nearly without exception the people
| with protonmail accounts are entitled, inconsiderate, abusive, or
| out-and-out trolls. It was so consistent I went so far as to
| killfile any posts from protonmail accounts.
| somedude895 wrote:
| Wow I did not know that. What a blunder. I guess I'll have to
| reconsider my subscription as well then.
| ______- wrote:
| hCaptcha[0] is a better alternative though, and I wouldn't mind
| if Protonmail used that instead of reCaptcha. I never liked the
| carpal tunnel that reCaptcha introduces.
|
| [0] https://www.hcaptcha.com/
| pphysch wrote:
| An email/SaaS provider that explicitly markets themselves as
| "private", complaining that "CAPTCHAs are very hard to build",
| and will therefore sacrifice user privacy is too rich.
|
| What in tarnation are we paying you for?
| Aeolun wrote:
| What I don't understand is how _any_ privacy focused service
| would _ever_ choose Google as their captcha of choice.
|
| It just flies so flabbergastingly in the face of the entire
| point of the thing that I might as well stop using them.
| protonmail wrote:
| It only appears for a tiny fraction of users. When recaptcha
| was first added in 2014, it was the only captcha service that
| wasn't broken. Today there is also hcaptcha, which we are
| working on implementing and will switch to that shortly.
| boardwaalk wrote:
| I just tried logging into Protonmail in my regular browser and
| with a private mode window and didn't get a captcha in either
| case.
|
| Not saying it may not appear for others but I didn't see it.
| thayne wrote:
| Google's recaptcha does have an invisible mode, where it
| doesn't show you a captcha unless it thinks you are a bot.
| Which it determines by tracking your online activity...
| pbhjpbhj wrote:
| Perhaps they do client fingerprinting across browsers so they
| didn't need to verify you ...
| dathinab wrote:
| Modern google captcha (v3??) doesn't show a captcha if they
| already have enough data about you. E.g. through 3rd party
| cookies, or by fingerprinting anything from your browser to
| your mouse movement and typing pattern. (Not sure what exactly
| they currently use, so these are just examples of what they
| might use).
| sleavey wrote:
| Ok now I'm kinda relieved that I still see reCAPTCHA so
| much... Locked down Firefox user here.
| ______- wrote:
| I can understand requiring a captcha for registering, but not for
| logging in. Also: does anyone know if they have to do this even
| if you have a Protonmail cookie set in your session?
| cloudboogie wrote:
| I wonder if it's a response to the recent incident with Ryanair
| plane got grounded by Belarus. I believe an anonymous email
| with a bomb threat was sent with ProtonMail.
| protonmail wrote:
| This headline is unfortunately misleading. Recaptcha is not used
| on every login (this is verifiable). It only appears in rare
| situations when it is required to prevent abuse.
| Hard_Space wrote:
| I have two PM accounts. Since implementation, every single
| login includes Captcha. I log in twice a day, Captcha is never
| omitted.
| jjcon wrote:
| I'm also seeing it every time
| octopoc wrote:
| Are you using Tor or a VPN? That could be why. Not that
| that makes it any less annoying.
| Hard_Space wrote:
| Neither. Firefox on non-VPN broadband.
| pndy wrote:
| I have 3 accounts which I'm using quite actively throughout the
| week and I haven't seen any captcha on any of these, neither
| on Windows nor Linux; I'm using PM since I've moved from
| GMail in 2018.
|
| I'm in Poland, using one of most popular landline ISP
| protonmail wrote:
| If you are using Tor or VPN, this might be the case. Another
| possibility is that you (or somebody on your network, or ISP
| in the case of NAT/shared mobile IP), have installed an app
| that is using an SDK like Luminati [1] or similar, which is
| causing the IP to be abused in the brute force attempts our
| anti-abuse systems are trying to prevent.
|
| [1] https://www.trendmicro.com/vinfo/hk-en/security/news/cybercr...
| rantwasp wrote:
| why was implementing captcha a thing you considered and do
| you understand the deep implications it has on your users?
| protonmail wrote:
| There is more information in the Github thread, but in
| short, it was done with extreme reluctance (and we are
| already in the process of implementing hcaptcha) as a
| result of login attacks from millions of residential IP
| addresses.
| Hard_Space wrote:
| Never used HolaVPN (apparently a prerequisite for
| Luminati). Never heard of it. Only turn my VPN on once in a
| blue moon for a few minutes.
| protonmail wrote:
| Luminati, and companies like that, distribute an SDK to
| many app developers. App developers incorporate the SDK,
| and your device is unwittingly turned into a proxy
| network endpoint, and the app developer gets paid for
| this. A surprising number of apps do this, so you could
| have an app installed doing this without even being
| aware, as it would only be disclosed in the app's privacy
| policy, which people don't actually read.
| Hard_Space wrote:
| Perhaps a list of apps would be helpful, otherwise it
| seems kind of a vague deflection.
| celsoazevedo wrote:
| That's not something ProtonMail can provide you with.
| It's like asking them to list you all apps that use the
| Facebook SDK or something like that.
|
| What was described above is correct though. One popular
| app (which had legal troubles recently) made money with
| Luminati:
|
| https://torrentfreak.com/mobdro-luminati-proxy-service-suspe...
| octopoc wrote:
| Yeah I can't remember the last time I got a captcha of any
| kind, so it has definitely been rare for me.
| ipaddr wrote:
| I used to get it every time. Since I logged in from my desktop
| never again.
| Aachen wrote:
| That probably means you have tracking enabled. I'm not a
| protonmail user (I host my own email) but from my general
| experience with recaptcha, try opening it in a private
| navigation window. If recaptcha doesn't ask you to solve
| anything, they've already been tracking you to make up its
| mind. Of course, whether this is fine by you is up to you,
| but it sounds like you might be unaware of this.
| protonmail wrote:
| No, there's no tracking in ProtonMail. Captchas appearing
| is entirely based upon IP reputation and number of recent
| login attempts.
| yorwba wrote:
| Maybe you could also display that information when you
| show a captcha. "We've observed _x_ login attempts from
| your IP in the last _y_ days."
|
| Usually you wouldn't want to make it easy for botnet
| owners to find out they've been caught, but since
| displaying the captcha already reveals that, having an
| explanation might help regular users who got a low-
| reputation IP assigned.
| Aachen wrote:
| Thanks for clarifying! Showing a captcha, though perhaps
| not Google's, under those conditions sounds sensible. I
| didn't know that as a non-user (I use your VPN, fwiw :)
| ).
| octopoc wrote:
| Thanks, I appreciate it! I still don't see the captcha even
| when I use a private window though. Browser is Brave on
| Mac. Also outside the private window I have shields up,
| which means trackers, ads, cross-site cookies and
| fingerprinting are all blocked.
|
| Edit: also it says there are 0 items blocked
| jorgBaller wrote:
| germans...
| aboringusername wrote:
| Although it seems to go against the spirit of Protonmail and its
| ethos I'm not exactly sure there are many good options, hcaptcha
| is the lesser of two evils and a fundamental requirement on the
| modern web.
|
| Even HN requires a recaptcha if you fail too many times (and it's
| also based on IP).
|
| If you want to blame anyone blame:
|
| 1: The bad actors spamming logins
|
| 2: Google for essentially monopolizing captcha
|
| hcaptcha proves there's a market/demand for alternatives, this is
| HN, if you dislike it, go build a better alternative than
| Google's and I am sure PM will be only too pleased to switch.
|
| Complaining is easy, actually changing something is more
| difficult.
|
| (P.S I challenge anyone to deploy a system used by tens of
| thousands and not have any abuse/rate limiting systems, you'll
| soon be turning to captchas at some point)
| nemothekid wrote:
| I wouldn't say Google is monopolizing captcha, it's that captcha
| is hard and you essentially need to come up with some expensive
| problem that is hard for computers but easy for humans.
|
| Personally, I hate hCaptcha more than recaptcha, Craigslist
| uses it for their contact forms and I hate it. hCaptcha is much
| more difficult and tedious than recaptcha.
| nxpnsv wrote:
| Seems they're on the case already...
| https://twitter.com/ProtonMail/status/1398657423913668614
| MattGaiser wrote:
| I built a system that had all of a 100 or so users before some
| abuser came along. Limiting web abuse is a huge problem that
| requires solutions.
| disqard wrote:
| Would you be able to share what your solution looked like?
| Thanks in advance!
| msh wrote:
| I don't know if the hn protonmail account is an official account
| or a fan account, but it seems quite unprofessional and really
| scares me off being a protonmail customer.
| protonmail wrote:
| We apologize for that. It's a weekend and we are working on
| giving folks responses as quickly as possible. Therefore, the
| responses are more to the point than usual.
| Mike86534 wrote:
| Don't worry. It's just a minority of princesses complaining.
| This "news" was a waste of time. Non issue.
| keb_ wrote:
| I can recommend Migadu. Worth it if you already pay for a domain
| (which you should, imo, to have a portable e-mail address). I pay
| for the $19 annual plan and find it sufficient, and I _love_ the
| flexibility of the admin panel.
| lioeters wrote:
| Yes, I second your recommendation of Migadu. I've helped set up
| dozens of email accounts for clients there, and we've been
| happy with their service.
| ______- wrote:
| Live link for anyone interested in this:
| https://www.migadu.com/
| lazyload wrote:
| +1 for Migadu! I'd been a paying customer for Protonmail for a
| few years now but stuff like this had slowly been pushing me
| away. A few months ago I set up Migadu with my own domain and
| it's worked without issue ever since. Another plus is that I
| can finally use my own email clients without having to deal
| with proton bridge
| nichos wrote:
| I considered Migadu, but saw their stance on free speech and
| decided not to go with them:
| https://www.migadu.com/use/#anti-violence-commitment "Hate speech"
| is too vague and highly subjective and just leads to censorship.
| owly wrote:
| While visiting Migadu's site, seems like a good option for some
| but new users should definitely read their drawbacks list
| before committing to it. No 2FA and no encryption. Therefore
| not a replacement for something like ProtonMail or TutaNota.
| https://www.migadu.com/procon/
| alexanderdmitri wrote:
| I was scratching my head this week when they were releasing the
| time the 'Hamas' bomb threat email came in with regard to Belarus
| hijacking that flight.
|
| It seemed rather fine-grained knowledge of specific
| communications that doesn't serve the narrative of privacy first.
| The articles I read made it sound like ProtonMail had just
| decided to share details on it rather than a more formal, court-
| ordered process.
|
| I know in this situation there aren't too many people who would
| raise questions, but it did strike me as strange given how they
| market their service.
| Jiocus wrote:
| I understand what you mean, but it's important to understand
| the technological side here. Protonmail offers an email
| service, and despite all privacy marketing, very little of that
| applies to emails which enter or leave their own systems. This
| is a requirement if their users are to communicate with a non-
| Protonmail address.
|
| Any message that interfaces with the standard email network is
| better off regarded as public communication. I can only imagine
| the legal implications that would compel Protonmail to assist
| law enforcement after their Service was misused and complicit
| in an alleged bomb threat.
|
| Their Terms of Service surely outline that illegal activity
| will void their protection _as far as possible_. Keeping
| communications inside their in-house, zero-knowledge email
| service on the other hand, would make it very hard for
| Protonmail to produce any of this information. That is their
| actual privacy offer, as far as I understand.
|
| To Protonmail's defense, I haven't heard that this email has
| successfully been linked to any real identity past the phony
| _Sulanov_ alias.
| cookiengineer wrote:
| Last week ProtonMail integrated Google's Recaptcha to their Login
| Page.
|
| As a project that advocates Privacy and Security, and was an
| immediate response to the Snowden Leaks, I find this kinda ironic
| that they now set the Google PREFs cookie for all of their users
| - while they still maintain the same marketing on their website.
|
| And well, I am looking for new options now, I guess.
| neltnerb wrote:
| As much as I appreciate this comment, it is weird that it
| floated to the very top when the article is about location
| tracking built into Android by Google.
|
| Protonmail might have issues, but the threat of some leaked
| information through javascript and/or cookies (hello google
| fonts!) can be attributed to literally every site that uses
| recaptcha whereas the article is talking about a much, much
| worse practice of tracking physical location constantly and
| making it difficult or impossible to use your phone without
| giving that information to Google.
|
| I hope protonmail finds a better way, and agree that it's not
| in keeping with their stance on privacy, but it is distracting
| from what Google is actually doing with _phones_ by talking
| about an entirely unrelated issue.
|
| No offense intended to the parent, the comment is interesting,
| it's just not about the article at all and yet is the top
| comment at the time I write this.
| dmurray wrote:
| Agreed! Proton could do better, but conflating their privacy
| approach (or, say, Apple's or Mozilla's) with Google's is
| exactly what Google would want you to do. "See - everyone
| harvests your data, at least we tend to keep it in house".
|
| Don't let the perfect be the enemy of the good.
| [deleted]
| KMnO4 wrote:
| Have you contacted them? It doesn't take a whole team of people
| to implement recaptcha. Could just be the mistake of one
| engineer who was tasked to "add a captcha to the login form".
|
| I hope you don't assume the worst without investigating
| further.
| cookiengineer wrote:
| Well, if something like this doesn't get caught down the
| production line, they might have bigger issues regarding
| security.
|
| But I agree with you, I think I should give them a chance to
| respond to this. Personally, I think this is a serious issue.
|
| I opened up a GitHub issue for their frontend (as they do not
| have any security disclosure contact possibility as it
| seems): https://github.com/ProtonMail/WebClient/issues/242
| jorvi wrote:
| They could have also just opted for hCaptcha, which is both
| much more private and doesn't excessively punish people who
| reduce their fingerprint.
| dmt0 wrote:
| They use UserVoice for voting on issues (not sure if anyone
| ever looks at it). Here's one for recaptcha, and it's one of
| the most voted on tickets:
| https://protonmail.uservoice.com/forums/284483-protonmail/su...
| VWWHFSfQ wrote:
| If one single person is allowed to add a privacy compromising
| service to one of the most important pages on their website
| (the login page) then there are deep, fundamental flaws in
| the organization that brings into question the security of
| the entire platform.
| dang wrote:
| This comment was originally posted to a different thread:
|
| _Google made it nearly impossible for users to keep their
| location private_ -
| https://news.ycombinator.com/item?id=27324755
|
| Since it's more on-topic here, I've moved it hither.
| grammers wrote:
| Tutanota uses an open source captcha. I guess their goal is to
| get rid of Google completely:
| https://tutanota.com/blog/posts/open-source-email/
| neurostimulant wrote:
| Someone mentioned using proof of work as an alternative to
| captcha. Sounds interesting, but will this actually be effective in
| the real world? I assume even selenium can pass it without a problem
| because all it did was make the client busy for a little while,
| so will it actually be effective at reducing brute force rate? Also,
| do botnet operators have capability to deploy selenium-based
| workload to their botnet army?
| efficax wrote:
| proof of work originated to stop spam. But it's a question of
| cost. If it costs less to bypass bot detection than the money
| made by the bot activity, then they'll do it, whether captcha
| farms or doing proof of work calculations.
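
A hashcash-style login puzzle, as an added example that is not part of the thread and not any provider's implementation. It bears on the question above: proof of work does not tell humans from bots, it only prices each attempt, so a scripted browser passes it after paying the CPU cost. The key, difficulty, expiry and function names are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # per-deployment secret, constructed for this example
DIFFICULTY_BITS = 16         # about 65,536 hashes expected per solve (assumed setting)
MAX_AGE = 120                # seconds a challenge stays valid (assumed setting)


def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_challenge(username, now=None):
    """Server: stateless challenge bound to the account and the issue time."""
    ts = int(time.time() if now is None else now)
    body = f"{username}:{ts}:{os.urandom(8).hex()}"
    return f"{body}:{_tag(body)}"


def leading_zero_bits(digest):
    """Number of zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: brute-force a nonce. Returns (nonce, hashes_tried)."""
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce, nonce + 1
        nonce += 1


def verify(challenge, nonce, username, seen, now=None, bits=DIFFICULTY_BITS):
    """Server: one HMAC and one hash, however long the client had to work."""
    now = time.time() if now is None else now
    try:
        user, ts, salt, tag = challenge.rsplit(":", 3)
    except ValueError:
        return False
    expected = _tag(f"{user}:{ts}:{salt}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # not issued by this server, or altered
    if user != username or not 0 <= now - int(ts) <= MAX_AGE:
        return False  # solved for another account, or stale
    if challenge in seen:
        return False  # a solved puzzle buys exactly one attempt
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False
    seen.add(challenge)  # production code would expire entries after MAX_AGE
    return True


if __name__ == "__main__":
    seen = set()
    challenge = issue_challenge("alice")
    start = time.perf_counter()
    nonce, tried = solve(challenge)
    print(f"client: {tried} hashes in {time.perf_counter() - start:.3f}s")
    print("server accepts:", verify(challenge, nonce, "alice", seen))
    print("replay accepted:", verify(challenge, nonce, "alice", seen))
```

Each extra difficulty bit doubles the expected client work while server verification stays constant, which is the cost trade-off described in the reply above.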
| prepend wrote:
| Also seems particularly odd to even have recaptcha on the email
| login page. Who cares if robots check email so it doesn't seem
| user friendly to prove humanity to read email or get a login
| error.
| Xylakant wrote:
| Not at all. You want to prevent robots from logging in as other
| users, for example when trying credentials stuffing.
| chrismorgan wrote:
| That's what per-IP and per-user rate limiting is for--by
| themselves, those two are close to sufficient. Any form of
| CAPTCHA would be a _terrible_ sole defence (such things don't
| _block_ bots, they just make it a bit more expensive and help
| a bit with drive-by attacks), and adds very little for
| defence-in-depth, while introducing new problems where you
| inconvenience and block access to your real customers. I find
| the inclusion of reCAPTCHA on a _login_ page of a supposedly
| security-conscious entity very surprising. (Sign up is a
| different matter; there it will have very meaningful benefits
| and lower costs.)
| Xylakant wrote:
| Per user does not help when doing credential stuffing - the
| attacker tries known credentials from a leak, it's not
| random cracking. Per IP blocks can be circumvented by using
| a botnet and slowing your attack.
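
The limits discussed in the comments above, as an added example that is not part of the thread and not ProtonMail's code: a sliding-window throttle with per-IP and per-account failure limits, replayed over constructed login events. The thresholds, addresses, account names and the site-wide "distinct accounts failing" signal are assumptions made for the illustration.

```python
from collections import Counter, defaultdict, deque

WINDOW = 600                 # sliding window in seconds (assumed value)
PER_IP_LIMIT = 5             # failed logins allowed per source IP per window
PER_USER_LIMIT = 5           # failed logins allowed per account per window
SITE_DISTINCT_ACCOUNTS = 50  # distinct failing accounts site-wide before challenging


class LoginThrottle:
    def __init__(self, use_site_signal):
        self.use_site_signal = use_site_signal
        self.ip_fail = defaultdict(deque)    # ip -> timestamps of failed logins
        self.user_fail = defaultdict(deque)  # account -> timestamps of failed logins
        self.site_fail = deque()             # (timestamp, account) for every failure

    @staticmethod
    def _recent(q, now):
        """Drop timestamps older than the window and return how many remain."""
        while q and q[0] <= now - WINDOW:
            q.popleft()
        return len(q)

    def decide(self, now, ip, user):
        """Decision taken before the password is even checked."""
        if self._recent(self.ip_fail[ip], now) >= PER_IP_LIMIT:
            return "block"
        if self._recent(self.user_fail[user], now) >= PER_USER_LIMIT:
            return "block"
        if self.use_site_signal:
            while self.site_fail and self.site_fail[0][0] <= now - WINDOW:
                self.site_fail.popleft()
            if len({u for _, u in self.site_fail}) >= SITE_DISTINCT_ACCOUNTS:
                return "challenge"  # e.g. captcha or second factor for everyone
        return "allow"

    def record_failure(self, now, ip, user):
        self.ip_fail[ip].append(now)
        self.user_fail[user].append(now)
        self.site_fail.append((now, user))


def simulate(events, use_site_signal):
    """Replay (timestamp, ip, account) attempts that all carry a wrong password."""
    throttle = LoginThrottle(use_site_signal)
    outcome = Counter()
    for now, ip, user in events:
        decision = throttle.decide(now, ip, user)
        outcome[decision] += 1
        if decision == "allow":  # password was checked and rejected
            throttle.record_failure(now, ip, user)
    return outcome


# Constructed traffic. Brute force: one IP hammering one account.
BRUTE_FORCE = [(t, "203.0.113.7", "alice") for t in range(20)]
# Credential stuffing as described above: every attempt comes from a different
# address and targets a different account, one attempt every two seconds.
STUFFING = [(2 * i, f"10.0.{i // 250}.{i % 250 + 1}", f"user{i}") for i in range(200)]

if __name__ == "__main__":
    print("brute force, per-IP/per-user only:", dict(simulate(BRUTE_FORCE, False)))
    print("stuffing, per-IP/per-user only:   ", dict(simulate(STUFFING, False)))
    print("stuffing, plus site-wide signal:  ", dict(simulate(STUFFING, True)))
```

With only the per-IP and per-account counters, all 200 stuffing attempts reach the password check; the site-wide signal starts challenging after the 50th distinct failing account, and that challenge also lands on legitimate users logging in during the window.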
| wearywanderer wrote:
| What we have here is users who don't re-use passwords
| being inconvenienced to protect those who do. Doubtlessly
| this is very progressive, as those who reuse passwords
| have less _"has a fucking clue"_-privilege. But
| nonetheless this does not sit right with me.
| malinens wrote:
| robots use email systems so they can get "free" way to send
| their stuff. I also work for e-mail company and this is very
| big problem to us. Sadly recaptcha before and cloudflare
| captcha now are one of the irreplaceable tools to fight with
| spammers for us...
| chrismorgan wrote:
| For people _signing up_, sure. Anything that can send emails
| containing user-generated content will get abuse that way.
| But for logging in, it seems odd; unless you require
| something like it for SMTP access (which I haven't heard of
| anyone ever doing), it's not going to help you block spam-
| senders.
| rolph wrote:
| sadly recaptcha and cloudflare captcha will never recognize
| my input as correct, and i hope this is happening to a lot of
| people in conjunction with a trend of declining traffic as a
| result of using captchas
| ______- wrote:
| > I find this very absurd to see.
|
| This is absurd indeed. hCaptcha[0] is a better alternative
| though, and I wouldn't mind if they used that instead of
| reCaptcha. I never liked the carpal tunnel that reCaptcha
| introduces.
|
| [0] https://www.hcaptcha.com/
| bassdropvroom wrote:
| I don't understand the love for hCaptcha. The only thing it has
| going for it is being outside of the Google brand and that it
| is cheaper. Outside that, we don't know that they don't do the
| same shady shit Google does, they're equally as bad as
| reCaptcha, and they're equally inaccessible.
| onkoe wrote:
| They use the word privacy a lot, so surely they respect it,
| right? :(
| ______- wrote:
| > The only thing it has going for it is being outside of the
| Google brand and that it is cheaper.
|
| I find hCaptchas easier to solve though. My carpal tunnel in
| my wrist doesn't flare up and I don't get RSI[0].
|
| reCaptcha is notoriously complex & difficult to solve if you
| suffer from RSI or joint inflammation.
|
| [0] https://en.wikipedia.org/wiki/Repetitive_strain_injury
| bassdropvroom wrote:
| Really? Because I've had plenty of Cloudflare hCaptcha
| protections where I've had to repeat it 3 or more times,
| with the most being 6.
|
| Maybe I'm just a robot as far as hCaptcha and reCaptcha are
| concerned.
| OminousWeapons wrote:
| If you're script blocking, hcaptcha also only requires one
| reload of the page as opposed to two for Google (enabling
| Google then enabling Gstatic)
| axegon_ wrote:
| Even as recent as 5 years ago I liked the idea of captchas. I
| still understand the purpose behind them but recently I've
| started getting really annoyed by them (whether that be
| reCaptcha or hcaptcha or anything else). They are just
| everywhere and it gets incredibly tedious to have to solve one
| every odd click or so. And it gets even worse if you use a vpn
| or tunnel or god forbid tor: there's no way to solve them there
| AT ALL. Which is the sad part: despite the tons of innovation
| in ML, captchas seem to rely on recursion of hardcoded rules
| which pile up indefinitely the moment you step outside your
| "start your computer and open up a browser" behavior. Kind of
| sad considering the abundance of information browsers pass on
| with each request.
| abawany wrote:
| In some cases, it seems the companies deploy them to coerce
| and punish: 'logged out, did you? you deserve this captcha
| for trying to thwart our tracking, peasant! work this useless
| problem for us for free!' Looking at you, Meetup.
| lallysingh wrote:
| IIUC, they do help limit some classes of DDOS attacks.
| ______- wrote:
| > Recently I've started getting really annoyed by them
|
| In the end, the services that are using captchas are the
| services that become the least liked, and users will start
| migrating to other services that don't use captchas, so
| there's a business penalty for using them.
|
| On the other hand, if you want to filter out bad actors, then
| captchas are the way to go. The reason I recommended hCaptcha
| is because they're easier to solve, and sometimes Google's
| reCaptcha offering is so complex and hard-to-solve that it
| starts inducing carpal tunnel / RSI symptoms (at least for
| me). I don't get so easily fatigued & inflamed with hCaptcha
| though.
| memco wrote:
| I'm wondering how TOTP compares as a solution here: would
| you be able to filter out bad actors similarly by using
| that instead of a captcha?
| xaduha wrote:
| When you log in with a password server gives you a
| cookie/token so you stay logged in. It can be invalidated
| if your IP changes, it expires or something like that.
| But if you're logged in with 2FA those rules can be
| relaxed, it's as simple as that if you ask me.
| Implementation dependent of course.
|
| I don't think those sites show you a captcha before you
| enter your login and password, but rather on submit. So
| for that username you don't show them a captcha at all,
| if they don't have a proper cookie you ask for 2FA.
| ______- wrote:
| For a list of companies implementing this or U2F, check
| here: https://www.dongleauth.info/
| xaduha wrote:
| https://2fa.directory is another one
| rgj wrote:
| ProtonMail apparently also releases details about their customers'
| email sending timestamps to the press. Very strange and not a
| good sign IMHO.
|
| https://www.reuters.com/world/europe/email-bomb-threat-sent-...
| arkadiyt wrote:
| Their response on twitter [1]:
|
| "The recaptcha, when it shows up (in rare situations), is
| sandboxed so that it doesn't send any data to Google. We are also
| in the process of replacing it with hcaptcha."
|
| Not sure what possible sandboxing they could be referring to - if
| they load the captcha in an iframe from a different origin then
| it is true that Google's javascript can't access things on the
| Protonmail origin, but the concern seems to be that your data is
| sent to Google (which is still happening even with sandboxing,
| their tweet cannot be correct), not that Google's recaptcha
| javascript would have done something malicious on the Protonmail
| origin (which seems unlikely).
|
| In any case, at least they're moving to hcaptcha.
|
| [1]: https://twitter.com/ProtonMail/status/1398657423913668614
| OminousWeapons wrote:
| I can't speak to the sandboxing, but their implementation is
| definitely non-standard considering that I don't see Google or
| gstatic appearing in umatrix when I go through the logon
| process and they aren't flagging me for captcha even though I
| am coming out of a known VPN endpoint which trips recaptcha on
| every other site that employs it.
| clairity wrote:
| hcaptcha is not much better than recaptcha, in that its only
| 'improvement' is shifting data extraction from google to
| cloudflare.
|
| also, captcha in general shifts burden onto and penalizes
| legitimate users, especially privacy-conscious ones, in
| addition to malicious ones. that is, false positive rates are
| too high to achieve acceptable false negative rates.
|
| it would be better not to use a centralized captcha service, if
| one must be used at all.
| briefcomment wrote:
| hcaptcha is so much harder than recaptcha. You actually have
| to spend a couple seconds per photo sometimes. Not ideal for
| users.
| raverbashing wrote:
| Really not sure about it, Google lets you do it quickly but
| if you do it, they'll just throw more problems at you it
| seems.
| eatbots wrote:
| This is not actually true: every relevant aspect is different
| from a privacy perspective, both technical and legal.
|
| Looking only at the technical differences, hCaptcha lets
| enterprise users like Proton locally scrub any info like IPs
| prior to sending to hCaptcha. It can be set up so that the
| user makes no direct connection at all to the service, and
| the code runs inside of a sandboxed IFRAME.
|
| As for false positive vs false negative rates, not sure what
| you consider too high. We've been able to demonstrate FP
| rates under 0.005% when measured against known-good/bad
| signals from customers, which is as good as it gets.
|
| (disclosure: work there)
| clairity wrote:
| those things can be true and still not negate the issues
| mentioned, since not enough information is provided to make
| a fair assessment. it can be set up a certain way, but the
| incentives are against that, so is it actually set up that
| way? iframes aren't perfectly isolated either. and without
| a curve of false positive vs. false negative rates, no
| conclusion can be made of the optimality. even 0.005% is
| still likely hundreds of thousands a day for larger sites,
| and being only a demonstration means it's an ideal measure,
| not a practical one.
| ysavir wrote:
| Do you have any suggestions for alternatives?
| clairity wrote:
| write your own? many personal tech blogs do this for
| comment forms and the like. any kind of ambiguity that's
| natural for a human to parse accurately but not obvious for
| a machine is fair game. most bots won't one-off a solution
| for smaller sites, so it doesn't need to be too fancy. for
| larger ones where one-off customizations might be more
| likely, lots of engineering resources go toward security
| and fraud prevention already, so they can afford more
| sophistication.
|
| but more importantly, in the long term, it needs policy and
| legal progress. it needs to be costly and international
| (via treaties/sanctions).
| colesantiago wrote:
| > write your own? many personal tech blogs do this for
| comment forms and the like.
|
| Until they get broken by botnets and we are back to where
| we started by using Google ReCaptcha.
| alisonkisk wrote:
| What data is being sent to Google? Besides the user interacting
| with Google to solve the captcha? Or is that the problem?
| rantwasp wrote:
| the ip, any fingerprinting that the captcha code does.
|
| so in effect google can tie you to this visit later if you
| interact with anything that has a captcha. now these two
| things are linked in the borg's memory.
|
| so if you use google (anything while logged in, even once)
| now google knows everything else you do
| otachack wrote:
| That stinks. I'm on Fastmail but its hard point has to do with
| being based in Australia and the recent government efforts of
| forcing entities to comply with police inquiries.
|
| Fastmail's side of the story:
| https://fastmail.blog/legal-policy/aabill-and-fastmail/
| Tarq0n wrote:
| Being subject to state surveillance and surveillance capitalism
| are related but different concerns.
| ocdtrekkie wrote:
| Fastmail rightly points out that the Australian law has no
| meaningful impact on them. They do not offer an end-to-end
| encrypted service, and hence, don't need to backdoor it.
|
| The vast majority of mail services will hand your data to the
| government on court order. Though if your mail is hosted in a
| different country than you live in, it's arguably more
| frustrating for them to do so, since they must use
| international agreements to get it.
|
| If state ordered surveillance is in your threat model, you need
| a very different type of mail service than almost everyone
| else.
| pbhjpbhj wrote:
| >it's arguably more frustrating for them to do so, since they
| must use international agreements to get it. //
|
| Caution, abject speculation:
|
| I thought spooks like this kind of thing because they can do
| illegal things in other jurisdictions that they're restrained
| from doing in their own - or get foreign agents to spy on you
| to avoid getting a warrant. Like they can route traffic to
| another country, then have affects there hack you to avoid
| laws that curtail actions against your own citizens.
|
| I don't know, just seemed like one point of groups like Five-
| eyes.
| laurent92 wrote:
| But in any case, they are not buddies, not even colleagues
| in the same office floor. They at least need to find
| contacts in the remote country and persuade them to spend
| time for their task. Sometimes that's all it takes to
| prevent them from passively collecting signals, unless you
| are an important target.
| IAmGraydon wrote:
| Try to register a new Protonmail email address normally and you
| can do so without supplying too much information. Try to do so
| through Tor, and you will not be able to proceed without
| "verifying" the account with a phone number. This pattern (they
| want either your IP or a phone number) tells me they're likely
| interested in tying accounts to real identities and shouldn't be
| trusted with anything private. I would even go so far as to
| suspect Protonmail of being a honeypot. Oh...I'll just leave this
| here:
|
| https://privacy-watchdog.io/truth-about-protonmail/
| [deleted]
| nexuist wrote:
| > they're likely interested in tying accounts to real
| identities
|
| I don't think it means they're interested in tying accounts to
| a _specific_ identity, just _an_ identity, to prevent bots or
| bad actors from signing up for thousands of accounts. This is a
| necessary reality of being an email provider. If you do not
| police your outbound mail then other mail servers will block or
| auto-junk your users' messages.
|
| There is no way to preserve privacy while also not becoming a
| festering ground for Viagra spam mail.
| mannerheim wrote:
| Perhaps a way to solve it would be to accept a nominal fee of
| cryptocurrency. Even a one-time fee of e.g. $5 would probably
| put a damper in someone trying to sign up for thousands of
| accounts while preserving privacy for real users.
| caymanjim wrote:
| Alas this is a business-ending barrier. Despite its
| popularity, in the grand scheme of things, not many people
| have a crypto account. It's also only semi-anonymous,
| depending on how you fund it. It'd be nice if more
| businesses accepted crypto, but it isn't viable as a
| requirement or primary payment mechanism.
| a1369209993 wrote:
| The suggestion is to require _either_ a phone number _or_
| a cryptocurrency fee, at the user's discretion.
| mannerheim wrote:
| I think it would be useful enough in the context of anti-
| spam while preserving anonymity, not necessarily as a
| source of generating revenue. There are cryptocurrencies
| that preserve anonymity as well.
| fvv wrote:
| No, mannerheim is correct, you are saying yeah but some
| people can't.. but his solution solves the issue, if you
| want to register under tor over anonymous and secure mail
| system having 5$ Monero is the easiest thing to procure..
| there are communities that trade for cash or you can even
| mine anonymous there may be other alternatives.. but one
| solution to avoid bots doesn't exclude others you as
| subscriber should be able to choose the one that fits to
| you so saying some may find it difficult doesn't say that
| this solution is invalid . Just that maybe must not be
| the only option available
| caymanjim wrote:
| I'm not saying it's hard, I'm saying your potential
| customer base would shrink to an unsustainably-low level
| if you required it.
| fvv wrote:
| Sorry I was updating my answer while you replied, I think
| I've replied in my previous message to this, what I mean
| is ip or phone or 5$ monero or .. google captcha or
| ...something else ... You choose then you have different
| privacy level and they keep service bot free. Entry
| barrier is not increased because you are free to choose
| what you want.. maybe they can even say monero mining in
| your browser for 3 hours.. it's a quite reasonable
| request imo .. and should help vs bots.. yeah in reality
| it's increased only if you compare to no bot filter..
| colordrops wrote:
| Interestingly, Hashcash was a Proof of Work system that was
| designed to stop email spam, and was a precursor that
| Bitcoin was based on.
| protonmail wrote:
| We don't like the term, but that link is actually fake news,
| and has been refuted before, for example here:
| https://serpentsec.1337.cx/i-was-asked-to-review-an-article-...
| secfirstmd wrote:
| Yep noticed this a long time ago and am very suspicious
| jimmaswell wrote:
| A visitor from TOR is extraordinarily more likely to be
| abusive. It makes total sense to put up extra barriers, which
| is still short of blocking TOR users altogether, which is
| also fair for webmasters who don't want to deal with it.
| cookiengineer wrote:
| > A visitor from TOR is extraordinarily more likely to be
| abusive. It makes total sense to put up extra barriers,
| which is still short of blocking TOR users altogether,
| which is also fair for webmasters who don't want to deal
| with it.
|
| And why is that again? I want to understand that argument.
|
| In case of DDoS scenario: Well, too late, traffic already
| served and server already done the workload.
|
| In case of password brute forcing: Well, then implement a
| latency, or cryptographical challenge to delay it more
| efficiently.
|
| In case of "evil" human: Well, if a human can get past your
| security so easily, then your approach to security through
| obfuscation might be wrong.
|
| So, again, what is the scenario where a captcha helps you
| to avoid being "attacked" by malicious actors?
| darkhorse22 wrote:
| The mindset is basically: Programming is hard so we're
| going to block as many non-paying customers as possible
| to limit the blast radius when we inevitably fuck up. And
| inconvenience those paying users too, because we can't
| figure out how to mitigate DoS attacks at the edge. And
| then we'll give a talk at a Next.js conference or
| something.
| mannerheim wrote:
| What about the case of someone signing up for thousands
| of accounts?
| cookiengineer wrote:
| > What about the case of someone signing up for thousands
| of accounts?
|
| My question is related to the specific /login page, not
| the registration page.
|
| I understand the benefit for blocking spammer signups,
| but not for the current case of the login page where
| users have an account already, were verified that the
| account/password was correct (captcha appears in second
| step), and then have to enter a second decryption
| password manually.
|
| In that scenario there's no argument on the "WHY" a
| captcha helps. It simply doesn't.
| drivebycomment wrote:
| It increases the cost of credential stuffing attack,
| which is very common nowadays.
| ipaddr wrote:
| Why would that be a problem on surface? You have
| thousands of users, why do they need to be unique
| identities?
|
| The only reason I can think of is because they want more
| unique identities. More unique people means a greater
| chance for a purchase. More mail accounts just cost more.
|
| The entire business model of free accounts requires
| someone paying for something extra. By uniquely identifying
| people they can limit new accounts and increase their
| chances of an upsell.
|
| What if they changed how they operated? Instead of
| looking for more unique identities why not accept
| multiple addresses and include an ad at the end of every
| free email letting the receiver know this came from
| protonmail. That would give a benefit for each email sent
| and provide more advertising and give users a reason to
| upsell?
|
| My guess is having that ad after every mail would bother
| you (the customer) more than having your identity
| uncovered.
| mannerheim wrote:
| I don't think they have a problem with a user creating
| two or three accounts. It's a problem if someone creates
| thousands of email accounts to send spam with.
| vmception wrote:
| I've always found it weird how people jump through hoops to
| be apologists for Protonmail.
|
| Does anybody else find that weird?
|
| "I completely misunderstood Swiss privacy laws and fell for
| a sales pitch from an email and VPN company that goes out
| of its way to track every user no matter how they sign up!
| It's to avoid email abuse, exclusively!"
| jimmaswell wrote:
| I've never even heard of Protonmail. I just think it's
| silly to fault anyone for blocking/limiting TOR
| connections.
| gloriousternary wrote:
| I'm not saying you're wrong, but that particular source is well
| known for making big claims with insufficient evidence, and it
| reads like it was written by a conspiracy theorist. Many of the
| author's claims have already been (imo, pretty solidly) refuted
| by Proton.
|
| Disclaimer: using protonmail until my current subscription runs
| out, then selfhosting
| plank_time wrote:
| Self hosting these days is almost impossible because most
| email providers like gmail and yahoo mail will automatically
| move your emails to spam. It's all based on IP address and
| how reliable that IP address is. Self hosting guarantees that
| all your sent email will end up in spam folders.
| habibur wrote:
| Not necessarily. Had been self hosting for decades and I
| move the server every two years to a new IP mostly because
| of server/os refresh.
|
| Right now only hotmail bounces mail. Am using DO/Singapore.
| Other centers fare better.
| oblib wrote:
| Same here. I set up a new email server last month and most
| every big email service made it pretty easy to get
| whitelisted, but not Microsoft. They're a total pita to
| deal with. Google made it very easy.
|
| My server is a "Mail-in-a-Box" running on a DigitalOcean
| VPS.
| yhager wrote:
| Same here, been hosting for over a decade now. You do
| need to be on top of all the latest technologies, and
| still some problems will arise once in a while. But all
| in all, it's a pretty smooth operation.
| caymanjim wrote:
| This isn't true at all. I self-host email, with full
| SPF/DKIM/dmarc, ESMTP, and my email isn't rejected
| anywhere. I'm sending and receiving via a Digital Ocean
| VPS. I've had the same IP for six years, and never had a
| problem.
| ipaddr wrote:
| Why not receive all mail on your server and send your mail
| through your ISP?
|
| That way no one reads the emails sent to you and the ones
| that you send get through (and outbound privacy is not
| expected if you are sending to gmail or another provider
| anyhow).
|
| That also makes it harder to track conversations and would
| take manual work to recreate the conversation threads.
| beermonster wrote:
| If you use SPF/DKIM/DMARC you can still self host.
| jjav wrote:
| > Self hosting these days is almost impossible because most
| email providers like gmail and yahoo mail will
| automatically move your emails to spam.
|
| This is completely not true. Comes up every time there is a
| thread related to email. Every time many of us who host our
| own email servers will explain how it is not true. You can
| absolutely self-host your email server for your domains,
| configure it correctly and it will work fine.
|
| gmail has a huge false positive spam identification
| problem, but it applies to all emails, even those from
| gmail to gmail.
| antiterra wrote:
| Doesn't self-hosting also have privacy downsides, being that
| all the hardware is tied to you? I'd imagine whatever minor
| resistance to wiretapping a multiuser site gave regarding
| privacy of non-investigated individuals would disappear.
| RussianCow wrote:
| It depends on your threat model. If you're worried about
| big companies like Google harvesting your data, self-
| hosting is a great solution because you remove them from
| the equation entirely. On the other hand, if you're worried
| about three-letter government agencies, you need to go
| through much more extreme measures. Most people aren't as
| concerned with the latter, though.
| caymanjim wrote:
| This is why I self-host. I'm not trying to hide from the
| government, as I know they don't care about me. Sure, in
| principle I don't want them snooping me, but it's not a
| concern. I self-host because I don't want companies
| snooping all my data.
| BostonEnginerd wrote:
| The 1986 electronic privacy act considers emails older than
| 180 days to be "abandoned" and does not require a warrant
| to access them.
|
| Self-hosting at least means that this should not apply, I
| think.
| artificial wrote:
| From what I can see there was a House resolution passed
| in 2017 which protects email.
| https://www.eff.org/deeplinks/2018/05/email-privacy-act-come...
| pseudalopex wrote:
| It never passed the Senate.[1]
|
| [1] https://en.wikipedia.org/wiki/Email_Privacy_Act
| eatbots wrote:
| As a fan of ProtonMail, will just add a few points:
|
| Every popular online service today is being continuously
| attacked. Bad actors get a lot of economic value from credential
| stuffing, account takeovers, and fake registrations, especially
| on email services.
|
| This is why CAPTCHAs exist. They are one of the better tools in
| the defender's arsenal to increase the cost of attacks.
|
| Building and maintaining a good CAPTCHA service is both hard and
| requires a high level of continuous development, since every day
| people are waking up and trying to figure out how to break it.
|
| This means almost every company that tried building their own in
| the past has switched to either hCaptcha or Google, since it is
| not practical for even large companies to maintain their own
| solution these days.
|
| Why was ProtonMail originally using Google? Probably because for
| many years it was the only plausible option until hCaptcha came
| around, and they needed to protect their users.
|
| We're working with them now to switch over to the enterprise
| version of hCaptcha, which:
|
| 1) includes privacy-preserving features that let them decide
| exactly what user data hCaptcha sees and when, and 2) guarantees
| what happens to any data received via a data processing
| agreement, and 3) isn't run by an ad network.
|
| hCaptcha doesn't care who you are and ensures all data is
| ephemeral, since unlike Google we're not trying to sell ads
| targeting you.
|
| (disclosure: work there)
| 10000truths wrote:
| > Building and maintaining a good CAPTCHA service is both hard
| and requires a high level of continuous development, since
| every day people are waking up and trying to figure out how to
| break it. This means almost every company that tried building
| their own in the past has switched to either hCaptcha or
| Google, since it is not practical for even large companies to
| maintain their own solution these days.
|
| I'm under the impression that the bottleneck isn't "high level
| of continuous development" so much as it is just having a large
| enough data set of Internet activity to conduct statistical
| analyses on. Cloudflare and Google are obviously in a good
| position for this, since a significant amount of Internet
| traffic goes through them. But I can't create a startup to
| invent the next Captcha unless I magically discover a flash
| drive containing a giant corpus of HTTP requests made by
| billions of modern devices around the planet.
| some_account_ wrote:
| A few weeks ago I noticed that Reddit also started using Google
| Recaptcha for account creation.
|
| Even though I only saw it on creation, and not on login, the
| possibility of associating a strong identifying fingerprint with
| a presumably anonymous throwaway user account was concerning.
| protonmail wrote:
| A few comments about this.
|
| A very small fraction of logins get the CAPTCHA challenge. We,
| and other services, face unrelenting brute force attacks on our
| login endpoints. If you are seeing a CAPTCHA on login, chances
| are that something about your connection is suspicious to our
| system. It's far from perfect, and we continue to improve it, but
| at most a percent or two of users are seeing CAPTCHA at any time.
|
| The CAPTCHA is run in an iframe on a separate domain to sandbox
| it from the Proton login flow and prevent it from compromising the
| webapp. Obviously Google still gets some information, but we do
| all we can to limit this.
|
| CAPTCHAs are very hard to build, especially considering Google
| has a habit of clearing the field with its own captcha-breaking
| code. Most companies do not have the resources to build their
| own. We had an alternative CAPTCHA we were going to use as a
| replacement a few years ago and then the company behind it went
| bankrupt. We are currently looking to replace ReCAPTCHA with
| hcaptcha, which should alleviate some of these problems.
|
| We have other strategies which we are also exploring to try to
| reduce the need for CAPTCHAs entirely, but these are also not
| trivial to build and integrate into all clients.
|
| TL;DR It's a small fraction of users who are affected, it's
| necessary to protect our users from brute force login attacks, we
| don't like it either and are working hard on replacements.
| kossTKR wrote:
| Why / Who is DDOS'ing protonmail? Is it just a consequence of
| having a SaaS of a certain size that you become a target?
| judge2020 wrote:
| I'd be curious as well, but chances are they're experiencing
| credential stuffing attacks or dictionary attacks against
| account passwords.
| gerash wrote:
| What's the problem with using ReCAPTCHA? Is it not the best
| tool for the job?
| takeda wrote:
| Protonmail's goal is to preserve privacy, while Google's goal
| is to collect your private data.
| gerash wrote:
| Please be more concrete. What exactly is the risk here?
| That Google can look into the logs and infer a Mac OS
| Big Sur with Chrome v90 is logging into proton mail today at
| x:xx pm?
| abdullahkhalids wrote:
| Google is discovering that this particular user is ripe
| for advertising security related products.
| gerash wrote:
| So the ultimate risk of using ReCAPTCHA on proton mail is
| that Google might find out I'm more tech savvy than the
| average? Fine by me.
| abdullahkhalids wrote:
| Those are your values. Other people have values that they
| don't want to be tracked and profiles made on them as
| they move around on the internet.
| Aeolun wrote:
| No, no. Now Google knows you are using ProtonMail, and by
| extension the NSA knows you are using ProtonMail, the FBI knows
| you are using ProtonMail, and so on.
|
| This may or may not be a problem for you.
| AsianTits wrote:
| You can try https://www.hcaptcha.com as an alternative.
| gruez wrote:
| How are they better? Do they have better privacy policies?
| dang wrote:
| You can't use that sort of username on HN--see
| https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme.... I've
| banned the account for now, but if you want to use it with a
| different name, you're welcome to email hn@ycombinator.com
| and we'll get you fixed up.
|
| (btw, the GP mentions hcaptcha)
| sygma wrote:
| Not questioning this dang, but would be useful to add
| something about trollish usernames in the guidelines, and
| perhaps clarify what qualifies as trollish.
| infogulch wrote:
| Maybe some basic stats would concretize the problem for some
| commenters.
|
| E.g. What was the ratio of failed logins to successful ones
| before implementing captcha? Now that you've implemented
| captcha, what is that ratio among the population of users not
| presented with captcha, compared to the population that is? How
| many attempts did adding the captcha stop?
| doublejay1999 wrote:
| > concretize
|
| dear god
| protonmail wrote:
| We were a bit surprised by the sudden reaction today. We have
| been using reCaptcha as one tool (among many) to fight abuse
| for years now. For example, here's a thread from 4 years ago
| mentioning it [1]. It is triggered most often for signup, but
| it can also appear for password reset, username lookup,
| sending mail, payments, login, and any other api routes which
| can be abused.
|
| That said, we can also understand the reaction. Back in 2014,
| there were no viable alternatives. Today, there is one
| alternative, and we started the transition to hCaptcha
| earlier this year, and will complete it in the coming weeks.
|
| For security reasons, we can't say too much, but some truly
| massive residential IP botnets have appeared in recent years
| and can make millions of attempts per day. On really bad
| days, Captcha can appear for nearly 1% of legitimate users
| (some who are unwittingly part of the botnet), while blocking
| nearly all of the malicious attempts.
|
| [1] https://www.reddit.com/r/ProtonMail/comments/5z70cd/when_sig...
| infogulch wrote:
| > For security reasons, we can't say too much
|
| That's reasonable. Thanks for responding.
| owly wrote:
| Thank you for explaining here, I really appreciate the work
| you're doing and understand the non-trivial work it takes to
| protect users. While I'd love a Google free experience for PM,
| I also love having a near zero chance of a brute force attack.
| I'm a paid PM user and have been using it since the very early
| beta days. I never see the CAPTCHA on any OS, but I only
| connect from about 5 different IPs or while using ProtonVPN.
|
| Off topic: please implement font size adjustment capability on
| iOS!
| totalZero wrote:
| This isn't an explanation, insofar as it's identical to the
| bartbutler post in the submission itself.
| escr0w wrote:
| I feel like they have pretty much cleared the issue up. Any
| coder would agree that a captcha service is actually very
| hard to build. Especially a good one. What they're doing
| isn't exactly 100% wrong, but it isn't 100% right either.
| Either way, they're implementing hCaptcha. I see no issue?
| CoNet wrote:
| This means ProtonMail knows who you are if you did not use
| third-party VPN.
| b0tzzzzzzman wrote:
| Yes, but the issue being pointed out is third party
| google. Also being made aware. Many users pay proton for
| the services. Should we also be upset about payment
| processors logging this? Last time I tried to make a new
| protonmail, a phone number or non protonmail account was
| required. They limit which emails are valid.
|
| They are not what they were, what they stood against. They
| have been assimilated.
|
| Sad times. But, hey they reply unlike the big G.
| neilv wrote:
| I'm going to put you on a spot a bit, because this seems
| important to ProtonMail's viability, and I want you to keep
| succeeding...
|
| > _Obviously Google still gets some information, but we do all
| we can to limit this._
|
| When you cause a request to be made for ReCaptcha, it seems
| that you're leaking enough information to (in many cases) link
| a possibly-pseudonymous Protonmail account to an identifiable
| individual.
|
| (For example, even if you leak nothing else than _times_ that
| individuals identifiable by Google logged into _unidentified_
| ProtonMail accounts, Google can already see various external
| activity of specific ProtonMail accounts, and you've given
| them temporal correlations between activity of pseudonymous
| accounts and logins by identifiable individuals. That's not the
| only example, but even that alone seems a significant risk.)
|
| And it seems to be a real risk: Google is in the business of
| doing things like that, has a track record of doing things like
| that, and presumably is more than capable enough of doing it
| some more.
|
| > _but at most a percent or two of users are seeing CAPTCHA at
| any time._
|
| That sounds like a lot. And the "at any time" sounds like an
| even higher percentage of users are potentially being
| compromised by the use of ReCaptcha.
|
| > _we don't like it either_
|
| I'm not yet convinced that this is the least of all evils. And
| I don't know how much you have to dislike it before you decide
| not to do it.
|
| For persuasive effect, is it helpful to imagine the reaction of
| your philosophical adversaries, when they heard that ProtonMail
| was using ReCaptcha? I just imagined some of them laughing
| derisively or incredulously. I don't say that to be mean, but I
| don't understand the rationale for using ReCaptcha, and I want
| to emphasize that it seems to be a problem that threatens
| ProtonMail's raison d'etre and/or brand image.
|
| (BTW, I'm assuming this ReCaptcha choice _isn't_ due to
| legally-compelled cooperation in unmasking specific accounts --
| in which case I wouldn't say anything -- since, in that case, I
| expect you'd find a way to comply without misrepresenting the
| rationale to everyone else. I've seen ProtonMail thinking ahead
| to avoid related conflicting obligations and assurances.)
|
| (BTW, I'm speaking here of Google as an adversary of your
| customers, and therefore of you, only because that seems to be
| how your product is positioned, and why you have customers at
| all, rather than everyone just using GMail. I'm not saying that
| Google is bad; only that I think it should be considered an
| adversary from your perspective.)
| jjav wrote:
| A captcha of any kind on a paid service (or a storefront where
| I'm looking to pay money) is an absolute deal breaker for me. I
| will not be clicking on lights and stopsigns to be able to pay
| money.
| Rastonbury wrote:
| Looks like they feel it's a necessary evil and only hits 1-2
| percent of users
| Aeolun wrote:
| That's no consolation if you are in that 1-2%.
| francoisz wrote:
| posteo.de
___________________________________________________________________
(page generated 2021-05-29 23:01 UTC)