Protonmail Compromised?

I just noticed that Protonmail now requires e-mail/SMS/cash verification if you attempt to sign up over a VPN or with certain privacy software installed.

Since they obviously want some way to fingerprint new users, is this an indication that the service is suffering some kind of internal compromise? It's a big change from how they used to act like user privacy was all important.

they don't want poojeets making free accounts to spam with.

webmail is always a risky choice.

I'm not convinced.
There are lots of ways to deal with spam that don't involve fingerfucking new users.

They were compromised the moment they distributed their software under a proprietary freeware license.

That just made them vulnerable to compromise.
This is actual canary evidence that their organization is no longer trustworthy.

They have for at least a year now. Your post makes it look better than it is. I just tried right now on Tor and it only provides SMS/donate option. They do have an email option but sometimes it's hidden, like just now.

Unsolvable. The real problem you want to solve is automated sign up, which is traditionally done by a captcha. What they provide instead is just equivalent to government ID and isn't very useful.

They've always required that when trying to register through Tor, which tells you that they've always had 0 interest in the anonymity of their users.

There's a difference between anonymity and privacy. They provide a service which "guarantees" the privacy of your communications. But they want to know who you are. They do not tolerate anonymity.

I say "guarantee" because they store your private key on their servers and serve you the javascript that's used to decrypt it. All they have to do is change a couple of lines of js, and they'll have your key. In spite of the way protonfags like to masturbate about the supposedly strong Swiss privacy laws, Switzerland has MLATs with the US and lots of other countries, and serving you js that will compromise your key and all of your communications is only a court order away.

Not to mention that NSA and/or GCHQ have undoubtedly had an inside person at Protonmail for years now.

Protonmail was always a meme. Email was not designed for private communication, which is why it's so hard to bolt strong privacy solutions on top of it, and solutions either end up being difficult to use (PGP) or have a huge attack surface (Protonmail).

This. Also Protonmeme is not just hosted in .ch, but is hosted in abandoned military bunkers!
Also the PGP solutions for email (like thunderbird and other shit with plugins) are mostly insecure lol. GPG isn't that hard to use properly though if you just ignore the snakeoil part which is the web of trust.

Needs non free JS and is web only.

I prefer posteo

I registered without any of this. Just to confirm, this only affects VPN and Tor users?

Protonmail blocks all Tor IPs from registering the email address and accepts only residential ISP ranges. Can be avoided, use a proxy after Tor, a phone number with internet gateway.
They log all users' IPs and give them even when faced with subpoenas from third world countries like Ukraine, so don't fuck that up and connect only through Tor.
Their half-assed encryption system doesn't allow you to use a client program.
They ship non-free obfuscated javascript for their web mail, it can't be avoided at all. There is no evidence that one day of year they don't send you a modified javascript that sends all your messages back to their servers in plain text. I am not sure if it's possible to download the javascript once and then use the only version, someone should have tried that, but it still might have backdoors from day one.
Open Source is not Free software. By saying Open Source they vaguely say "we have a bunch of binary blobs with node js and python code slapped together, and a github account", that's it. No authenticity and reproducibility.
Switzerland marketed as a very privacy-respecting country is 80's spy/drug war movies meme for boomers. They recently adopted a law that forces all Internet businesses to keep logs and traffic.
They require SMS confirmation, for your own safety of course, customer.

With all this shit above, it is much simpler and safer to use an email server that doesn't require js or real IP to register, like cock mail, or even your own, a client program with GPG, and a diy one-time use password-protected web pastebin.

Every time I check with tor because someone mentions this stupid email service, it has forced sms/donation. Once in a while it also allows email as an option which is still retarded.

Can't you register on public WiFi and then just use tor to access the mailbox?

Posteo at least anonymizes your transaction; and you can pay with cash last I checked. I think they even do bank transfer too.
I like them.

Probably (unless it's a university that's blocked for example) and then they know what country and city you live in as well as can possibly get a photo of your face if they have the right connections.

Lol. You're ages behind gramps.
There's darkmail now and the protonmail today is chink owned.
The darkmail is obviously also compromised.

If anything, the darkweb should have taught everyone that darksnailmail remains the way of the future.

but why pay for it though?

and why a five eyes country?

/tech has fallen off a fucking cliff

So tox?

It always was.
Use the email service with dicks in anus, it's objectively superior.

p2p instant messenger is not asynchronous, that's the whole fucking point of email, to be asynchronous.

yes news.ycombinator.com/item?id=8755492
archive.fo/cWOtn

ProtonMail is a scam, much like Lavabit (although the nature of the scam differs). Lavabit at least had the decency to shut down once they realized their claims were fraudulent, once the government told them how they lied and that they would like to take advantage of those lies please.

They deliver JavaScript to the browser to decrypt messages. While it's true that they don't have access to user messages for as long as they remain honest, that's a profoundly useless property to have. You can just be honest and not try to access messages, which is what Fastmail does. There's no point in handcuffing yourself and holding on to the key.

As soon as a system administrator feels like accessing the messages (either out of curiosity / government order or because an unauthorized user gained administrative control), they can deliver modified JavaScript to the browser that sniffs the password and decrypted content and sends a copy somewhere. This is, very literally, "being able to decrypt data."

The encrypted messages that are sent to non-ProtonMail users require visiting a ProtonMail website to decrypt the message, which has all of the security concerns as above. Furthermore, it's pushing the line of what counts as "email". Fastmail is clearly advertising themselves as an actual email service, where you send content over SMTP and it shows up in the recipient's email client. You can't do that with ProtonMail encrypted messages; the recipient gets a link to the content.

You can build a new protocol that has the properties we'd all want out of a modern messaging system. You might be able to replace email. But it won't _be_ email, and Fastmail is email. If you want Pond, you know where to find it.

And snake oil with a well-designed website, $500,000 of crowdfunding, and a team of PhDs is still snake oil.
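
Added example, not part of any post above and not ProtonMail's code: several posts turn on the server being able to swap the JavaScript it delivers, and one asks about keeping a single downloaded copy. This Python sketch pins a digest for every script a page loads and reports any that later change, appear or disappear; the page markup, file names and script bodies are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri(data: bytes) -> str:
    """Subresource-Integrity-style digest: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)      # fetched separately by URL
            else:
                self._in_inline = True         # body arrives via handle_data
                self.inline.append("")
    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def snapshot(html: str, fetched: dict) -> dict:
    """Map every script the page would execute to its digest."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    snap = {src: sri(fetched[src]) for src in p.external}
    snap.update({f"inline#{i}": sri(b.encode()) for i, b in enumerate(p.inline)})
    return snap

def diff(pinned: dict, current: dict) -> list:
    """Report scripts that changed, appeared or disappeared since pinning."""
    out = []
    for name in sorted(set(pinned) | set(current)):
        if pinned.get(name) != current.get(name):
            kind = "added" if name not in pinned else "removed" if name not in current else "changed"
            out.append((kind, name))
    return out

# Constructed sample data (not captured from any real service).
PAGE_V1 = '<html><script src="/app.js"></script><script>boot()</script></html>'
FILES_V1 = {"/app.js": b"decrypt(); /* build 1 */"}
PAGE_V2 = PAGE_V1.replace("</html>", '<script src="/extra.js"></script></html>')
FILES_V2 = {"/app.js": b"decrypt(); /* build 2 */", "/extra.js": b"/* new file */"}
```

A clean diff only shows that this client received the same bytes as when the pin was taken; it says nothing about whether the pinned build was trustworthy, nor about what other clients are served.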