
Protonmail Online Security Guide for Journalists - DyslexicAtheist
https://protonmail.com/blog/journalist-online-security-tips/
======
trustnot
Protonmail can't be trusted anymore, especially not by journalists. First they
hack a phishing site:
[https://twitter.com/thel3l/status/962142015109578752](https://twitter.com/thel3l/status/962142015109578752)

And when they get critical reporting for this, they claim the journalist based
his story on 'unsubstantiated rumors':
[https://twitter.com/xFailure/status/962026777743835139](https://twitter.com/xFailure/status/962026777743835139)

------
baxtr
Good idea, regarding this incident (discussed yesterday here, too)

[https://mobile.twitter.com/YuanfenYang/status/96200225940708...](https://mobile.twitter.com/YuanfenYang/status/962002259407089664)

------
dna_polymerase
> Use encrypted services (ProtonMail for email, Signal for chat, etc.)

Also have a look at Briar [0] as they offer P2P communication, and the ability
to route everything via Tor. As an alternative to mail, BitMessage also comes
to mind, which avoids metadata about who you contacted.

Oh, also have a look at drdaeman's comment in here; ProtonMail is far from the
solution for secure email.

[0]: [https://briarproject.org](https://briarproject.org)

------
zebraflask
Is that why it's usually used for cryptocoins?

~~~
binaryanomaly
Protonmail is certainly one of the more secure mail solutions since it's e2e
encrypted, not just at rest. On the other hand it doesn't support U2F yet, which
doesn't bring it to the top in terms of security. Regarding privacy I would
say it's one of the best available solutions: since everything is encrypted,
they cannot and do not read your email content.

~~~
drdaeman
It's still a webapp, fully served from network, without any code signing (not
even SRI to match hashes against), except for the TLS layer. AFAIK they don't
even have a standalone variant except for the _unofficial_ desktop Electron
app, and a beta IMAP bridge for paying customers.

Basically, they still ultimately rely on trust, just like others. While
they're drastically different from e.g. Gmail, the trust requirement is still
there.

If one's well-being really depends on security, it's best to err on the side of
caution. Meaning, something like MailPile on the client side, very cautious
non-automated key exchange, and, optionally, self-hosted email with at-rest
encryption (e.g. Postfix+Dovecot+GnuPG pipe) is probably a much better option
than anything Protonmail can offer in their current state. Or avoiding email
(as it's not yet there and probably never will be) and using something like
Wire or BitMessage or whatever (I'm not a security expert) that has both
client-side static and auditable source code and limits metadata leakage.

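drdaeman's point above is that a web app served from the network with no code signing and no Subresource Integrity gives the browser nothing to check the delivered JavaScript against. The following is an added example, not code from this thread or from ProtonMail: it generates an SRI `integrity` value for a script, then audits a constructed HTML page and flags scripts that carry no integrity attribute or whose delivered bytes do not match. The script bytes and HTML are constructed inline.

```python
import base64
import hashlib
import re

# Build the value for a <script integrity="..."> attribute: hash the exact
# resource bytes, base64-encode the digest and prefix the algorithm name.
def sri_value(resource: bytes, algo: str = "sha384") -> str:
    digest = hashlib.new(algo, resource).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

# Check an integrity attribute (one or more space-separated hashes) against
# the bytes actually delivered; a browser runs the script only if one matches.
def sri_matches(integrity: str, resource: bytes) -> bool:
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in ("sha256", "sha384", "sha512") and sri_value(resource, algo) == token:
            return True
    return False

_SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Audit every external <script> in a page. `fetched` maps each src to the
# bytes the client received. Result per src:
#   "ok" | "missing-integrity" | "mismatch" | "not-fetched"
def audit_scripts(html: str, fetched: dict) -> dict:
    report = {}
    for m in _SCRIPT_RE.finditer(html):
        attrs = {k.lower(): v for k, v in _ATTR_RE.findall(m.group(1))}
        src = attrs.get("src")
        if src is None:
            continue  # inline script; SRI only covers external resources
        integrity, body = attrs.get("integrity"), fetched.get(src)
        if integrity is None:
            report[src] = "missing-integrity"
        elif body is None:
            report[src] = "not-fetched"
        else:
            report[src] = "ok" if sri_matches(integrity, body) else "mismatch"
    return report

# Constructed sample: one pinned script served intact, one pinned script whose
# delivered bytes differ from what was pinned, one script with no pin at all.
APP_JS = b"window.app = { version: '1.0' };\n"
CRYPTO_JS = b"export function encrypt(m) { return m; }\n"
MODIFIED_CRYPTO_JS = b"export function encrypt(m) { return m; } /* changed */\n"

def demo() -> dict:
    page = (f'<script src="/app.js" integrity="{sri_value(APP_JS)}"></script>\n'
            f'<script src="/crypto.js" integrity="{sri_value(CRYPTO_JS)}"></script>\n'
            '<script src="/vendor.js"></script>\n')
    delivered = {"/app.js": APP_JS, "/crypto.js": MODIFIED_CRYPTO_JS, "/vendor.js": b"x"}
    return audit_scripts(page, delivered)
```

SRI pins a resource to a hash chosen by whoever serves the HTML, so it catches a modified script on a CDN but not a first-party server that rewrites both the page and its hashes. That is why the comment's point about signed, auditable client code still stands even for a site that does use SRI.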
~~~
binaryanomaly
Bridge is out of beta:
[https://protonmail.com/bridge/](https://protonmail.com/bridge/) and yes, for
paying customers. Given they don't sell your data, it's natural that advanced
features have a price.

Yes, there is of course trust involved, as with anything. Still, for the
majority of the folks it's better to trust someone else with their mail over
running their own servers with gaping security holes. Avoiding email is not
really possible yet, nor in the very near future...

~~~
xfer
No linux client and closed source. I would love to switch my gsuite account
but there is no real benefit.

~~~
binaryanomaly
Coming soon.

Well, in the end it's only email. You decide whom to trust it with.

Personally, I feel better with Protonmail. It's neither better nor cheaper than
gsuite; it just has a totally different proposition as a product.

------
ryanlol
It is fucking straight up evil to disguise your marketing blog posts as
"security guides" for at risk people. It is really sad that stuff like this is
making it to the HN front page.

The advice given here is largely NOT good.

There are only a few extremely limited scenarios where you might want to
choose Protonmail over Gmail. Do not use Protonmail.

And for god's sake, whatever you do, don't follow the advice from this "guide"
and use their "Secure VPN" service.

Here's a much better guide, which wasn't written with the sole intention of
selling you things:
[https://techsolidarity.org/resources/basic_security.htm](https://techsolidarity.org/resources/basic_security.htm)

EDIT: This is just way too good to not include in here
[https://protonvpn.com/secure-vpn](https://protonvpn.com/secure-vpn)

>ProtonVPN comes with Tor support built-in. Through our selected Tor servers,
you can route all your traffic through the Tor anonymity network and also
access dark web sites. This provides a convenient way to access Onion sites
with just a single click.

These guys are trying to convince people to access .onion sites through their
VPN using Tor nodes run by them...

~~~
ComodoHacker
Do you have anything besides unfounded claims?

>The advice given here is largely NOT good

It may be insufficient, I agree, but what's particularly wrong with it?

>don't follow the advice from this "guide" and use their "Secure VPN" service

Again, do you have anything substantial? Known vulnerabilities? Negative
experience?

It's OK to sell things and write marketing blog posts. I'm pretty sure your
company does it as well.

And thanks for the link.

~~~
ryanlol
>Again, do you have anything substantial? Known vulnerabilities? Negative
experience?

Since when is "public VPN services are bad" a claim which needs
substantiating?

As tptacek put it: _VPN services. For when you want coffee-shop wireless
network security, but in the comfort of your own home or hotel room._

But these guys go further than most providers. These guys try to bait you into
ditching Tor and relying on their Tor-as-a-service instead, which is nothing
but malicious.

>It may be insufficient, I agree, but what's particularly wrong with it?

They tell you to use a VPN to avoid "government surveillance agencies".

They try to get you to use their Tor-as-a-service, which is _insane_ and
completely defeats the purpose of using Tor.

They recommend that you use their products instead of objectively better
products by competitors, they don't even bother to mention the competing
products.

They suggest that using Protonmail to talk to non-protonmail users over email
is at least somewhat secure, it is not.

All the advice that doesn't amount to "use our product" is extremely limited.
Key advice such as _Don't use an Android phone_ is nowhere to be found.

>It's OK to sell things and write marketing blog posts. I'm pretty sure your
company does it as well.

The critical difference is that my marketing blog posts do not pretend to be
security guides for people who could literally get killed for following bad
advice.

We should absolutely be condemning Protonmail for putting this out. They can't
claim to be a great provider for at-risk users while simultaneously putting
them in further danger by giving them bad security advice.

~~~
ComodoHacker
>Since when is "public VPN services are bad" a claim which needs
substantiating?

You assume there are good VPN services. What are they? Private ones, self-
maintained, run by a friend? For journalists, who are mostly not seasoned
sysadmins and crypto experts, self-run VPN is worse.

>But these guys go further than most providers. These guys try to bait you
into ditching Tor and relying on their Tor-as-a-service instead, which is
nothing but malicious.

No, they don't. They say: _"for ultimate anonymity you can also run Tor
locally on your machine"_.

>They tell you to use a VPN to avoid "government surveillance agencies".

It's all about your threat model. For many journalists, their adversaries are
not US TLAs, but less competent nation states' TLAs. Using a service outside of
their jurisdiction may be acceptable.

>They try to get you to use their Tor-as-a-service, which is insane and
completely defeats the purpose of using Tor.

It's not more insane than trusting your email provider. But yes, you have to
trust Proton; this should have been stressed more.

And let me remind again, this is a guide for journalists, not for crypto-
nerds. "Tor... can be tricky to set up, and can sometimes attract attention to
yourself", which is true.

>They recommend that you use their products instead of objectively better
products by competitors, they don't even bother to mention the competing
products.

This is not a product comparison.

>They suggest that using Protonmail to talk to non-protonmail users over email
is at least somewhat secure, it is not.

It is, for some scenarios. When both parties use providers who protect mail in
transit and one of them also protects mail at rest, an attacker's options are
very limited.

>All the advice that doesn't amount to "use our product" is extremely limited.
Key advice such as Don't use an Android phone is nowhere to be found.

This doesn't make them "bad", but insufficient.

~~~
ryanlol
>You assume there are good VPN services. What are they? Private ones, self-
maintained, run by a friend? For journalists, who are mostly not seasoned
sysadmins and crypto experts, self-run VPN is worse.

I do not assume that there are good public VPN services.

Presumably a journalist would be using one provided by their employer or none
at all.

>No, they don't. The say: "for ultimate anonymity you can also run Tor locally
on your machine".

Yes, they do mention the possibility of running Tor locally. So what? They're
still trying to push people to use their Tor gateway which is simply
indefensible.

>It's all about your threat model. For many journalists, their adversaries are
not US TLAs, but less competent nation states' TLAs. Using a service outside of
their jurisdiction may be acceptable.

Remember your username, don't think too little of "less competent nation
states' TLAs". :)

Choosing to follow Protonmail's advice involves taking stupid risks; you should
not be taking stupid risks if you are worried about any TLAs.

>It's not more insane then trusting your email provider. But yes, you have to
trust Proton, this should have been stressed more.

With email you hardly get a choice. There's no legitimate reason to ever have
someone else run your Tor client for you.

And we can already establish that Protonmail cannot be trusted. A trustworthy
organization would never have released this "SECURITY GUIDE", nor would they
ever try to get you to use their Tor client to access hidden services.

>And let me remind again, this is a guide for journalists, not for crypto-
nerds. "Tor... can be tricky to set up, and can sometimes attract attention to
yourself", which is true.

The first part is not true, Tor browser and Tor messenger are both very easy
to use. The second part is true, but Tor isn't going to draw significantly
more attention than Protonvpn.

>This is not a product comparison.

No, this claims to be a SECURITY GUIDE but is actually an ADVERTISEMENT.

A legitimate SECURITY GUIDE would never recommend Protonmail over Gmail.

A legitimate SECURITY GUIDE would never recommend ProtonVPN.

A legitimate SECURITY GUIDE would never ever suggest taking advantage of
ProtonVPN's "Tor VPN support".

>This doesn't make them "bad", but insufficient.

I strongly disagree with you. Posting this was absolutely unethical on
Protonmail's part.

