Hacker News new | past | comments | ask | show | jobs | submit login
Introducing ProtonMail's Tor hidden service (protonmail.com)
322 points by vabmit on Jan 19, 2017 | hide | past | web | favorite | 103 comments

For those wondering how to create your own custom Tor onion adress, look no further than: https://timtaubert.de/blog/2014/11/using-the-webcrypto-api-t...

And for those who think Protonmail are the only service with a custom address, think again, because Facebook has one too: https://facebookcorewwwi.onion/

You can find a tonne more at this list:


And staying on topic, Mailpile has their own .onion


For those wondering how to generate vanity Tor onion addresses in a more efficient manner (taking advantage of your GPU): https://github.com/lachesis/scallion

Too bad you have to do it yourself, we can't have a service doing that in the cloud.

Maybe doing that in the cloud would compromise the security of your vanity address. You would not own the private key. Your cloud provider could control your domain.

(Please correct me if I am wrong…)


Vanity addresses are popular in bitcoin, but difficulty rises exponentially with each character. Most people don't want crunch random numbers for 6 months. The solution to 3rd party key generation is split keys.

Essentially the addition of keys to get the desired final key.

Generate key X, give X public address to cloud provider, they search for key Y so that X + Y == YourVanityAddress, when found they send you private Y. Private X + Y is your vanity private key.

Vanity address generated by 3rd party in a trustless environment.

I was not aware of that technique, thanks.

Yeah, that's the reason.

Finding an arbitrary 8 character onion with scallion is easy even on a video card from 2009 (ATI 5770). You don't need fancy hardware for this.

That said you could use an Amazon GPU instance for a handful of cents an hour and run scallion there.

>And for those who think Protonmail are the only service with a custom address, think again, because Facebook has one too

facebook, scryptmail, one bitcoin exchange, one bitcoin walled, dozes on blogs and chans, there is GoG instance in Tor as well as GitLab.

For those curious to see a vanity finder written in Go: https://github.com/wybiral/onions

Why does Facebook have a tor address?

So that you can access Facebook without leaving tor through an exit node.

I guess I don't see the point of using Tor with Facebook. So much of your identity is already tracked. It's like trying to sneak up on somebody while wearing those squeaky clown shoes.

The idea is not to hide from Facebook, the idea is to not unhide for Facebook.

And to enable state surveillance.

When you have a very small subset of users who will go through the trouble of trying out Facebook's onion address, it is much easier to be successful with surveillance tools on that small sample.

Not for the Egyptian government.

No, mainly for Five Eyes and friends

That's the point. It makes you more vulnerable for some threats, less vulnerable for others.

Because not everyone uses their real name on Facebook, especially in a Middle Eastern country, I would imagine. And Facebook isn't just for your family and real friends anymore (and hasn't been for years).

so Facebook can spy on users from China too!

Vanity Onion addresses are a bad idea. They teach users to ignore part of the address instead of treating the whole address like an IP address.

The GNU Name System gets this sort of thing correct though.

> Vanity Onion addresses are a bad idea. They teach users to ignore part of the address instead of treating the whole address like an IP address.

This assumes that users aren't ignoring the address anyway. There is a near 100% success rate in tricking users into visiting fake URLs in laboratory conditions. While trying to explain my research to a tenured professor, she literally typed each domain I was spelling out into Firefox's search box instead of punching it in manually.

This is not quite as good as riseup.net's onion support as it doesn't include SMTP services. See:


  mike@snake:~$ torsocks telnet wy6zk3pmcwiyhiao.onion 25
  Connected to wy6zk3pmcwiyhiao.onion.
  Escape character is ‘^]’.
  220 mx1.riseup.net ESMTP (spam is not appreciated)
So if your mail service supports onion addresses, then you can just replace "@riseup.net" in a users email address with "@wy6zk3pmcwiyhiao.onion".

Alternatively, your mail service could have explicit configuration in place to identify @riseup.net addresses and route them to wy6zk3pmcwiyhiao.onion instead of the normal MX records. I do this with Exim by utilising Tors TransPort+DNSPort functionality and then adding the following Exim router:

    driver = manualroute
    domains = riseup.net
    transport = remote_smtp
    route_data = ${lookup dnsdb{a=wy6zk3pmcwiyhiao.onion}}
Obviously this would be better if there was a way to dynamically advertise the onion address in the DNS instead of having to hardcode it in Exim.

[edit] - If they co-ordinated, Riseup and Protonmail, and potentially other similar privacy respecting mail services could send all their traffic over each other via Tor. If you work for either of these companies, please consider the possibility of looking into this sort of relationship.

Whatever happened to the Riseup canary issue?



Obviously they either 1) lost the PGP key(or other internal issue) or 2) got served with something that won't let them post new canary messages.

something tells me #2 is probably more likely.

ProtonMail won't unite with Tutanota, Roundcube or even GPG over standard for email encryption, why would they setup Tor-Tor messaging?

This is a great idea [your edit]!

And its already being developed by some (not protonmail though). See https://github.com/ehloonion/onionmx

Thanks for pointing this out to me. I have added suitable onionmx DNS SRV records and reconfigured my mail server to utilise them:

  mike@snake:~$ dig +short srv _onion-mx._tcp.grepular.com
  0 5 25 grepularmmmiatj7.onion.

Shouldn't you also add super enforced SSL certificate validation for such a setup? Since SMTP is usually merely opportunistic SSL, any Tor exit node could very easily strip STARTSSL (or just MITM with a fake certificate that doesn't get validated) and you're worse off than running over the normal internet?

Are we talking about using SMTP via the onion service, or just regular SMTP through an exit node? The onion service comes with its own crypto and would not need TLS on top of it (though you're free to use TLS anyway, like Facebook, if it makes sense because of how your infrastructure is set up). There's no exit node for hidden service connections (or any other node that sees the plaintext other than the hidden service itself).

Ah, of course you are right. I forgot about hidden services not passing through an exit node.

There are no exit nodes involved when talking to onion services. The traffic does not leave the Tor network.


> cucked

Can we not do that?


What a boring set of unoriginal behaviors you've taken for yourself.

We've banned this troll account.

If you are so threatened that you feel the need to use a Tor hidden service to reach your email provider, you should know that email --- "encrypted or not" --- provides the worst protection of all possible encryption messaging options. Don't use email for sensitive communication, and certainly don't rely on the security features of any email provider for your own safety.

How so? It seems like it would be just as safe as any type of messaging that uses asymmetric cryptography.

It's not; it's not even close. Every message you send, message by message, HTTP request by HTTP request, depends entirely on the security of Protonmail's servers and relies on PGP, which leaks extensive metadata and has no forward secrecy. Not only that, but because you're using SMTP email, you're always one mistake away from accidentally sending plaintext.

The good secure messaging services --- particularly Signal --- make these things impossible to screw up.

Don't use email for secrets.

What's the problem with tor + PGP?

Metadata, forward secrecy, and the fact that any usable implementation in a web page will have server-dependent security.

What are good alternatives for communicating with somebody then?

A secure messenger like Signal.


Sure, use Signal, and Tor, and others -- if you want your communication to be preferentially screened by every single three-letter agency.

BTW this is not to disparage any four-letter agencies, eg. GCHQ. They do awesome work, which I do appreciate very much.

I hope they enjoy reading my wife and I discussing dinner plans and my reminders to my son to do his homework.

Not sure what you are trying to achieve here. Do you want to stick it to the Man?

The software that is processing your communications will spend extra 0.01 seconds analyzing the data. Is that some kind of victory for you or something?

I started to make a witty post implying that you just signalled for some sort of terrorist attack using an encoded message, then I checked the calendar and posted this instead.

I've been experimenting with Matrix.

From ignorance, why would I (a non-interesting person in a nominally free country, with non-interesting interests that could nevertheless become interesting depending on political shifts and shit) want to use this hidden service, rather than plain old ProtonMail?

There's an argument for providing camouflage in the form of boring traffic on the Tor network to help those that are forced to use it, and whose traffic authoritarian governments and nefarious forces might actually find interesting. Otherwise, all the interesting data is conveniently gathered in one place, any given traffic on Tor is more likely to be interesting, and it makes the bad guys' jobs just a little bit easier.

There's a wide spectrum of personal preference for internet privacy, and if you're the type that doesn't trust your ISP you could potentially use TOR to add an additional layer of anonymity. If you trust your ISP there isn't much point.

There's pretty good evidence that you should not trust your ISP:


While your message contents would still be encrypted when using the regular old ProtonMail site, it would expose your identity and who you are sending messages to.

I'm not trying to argue whether you should or should not you should trust your ISP. It's a personal opinion that differs for every internet user.

Given those constraints, you probably wouldn't. However, the moment your interests become interesting, or the political winds change...

Last I checked, ProtonMail required SMS verification for account creation.

Edit: When using Tor

I made an account this month and can confirm this is false. The only external info they ask for is a recovery email address, which was optional.

Just tried this now. After signup, they seem to have some spam protection.

You can either receive an SMS to your phone number, or donate with your card.

Probably related to me trying to signup via Tor.


Too many ProtonMail accounts have been created from your connection.

Thus, we are requesting additional verification to ensure you are human and not a spam bot.

Because Tor is frequently abused by spammers, this check may be triggered because of the Tor exit node you are using.

IIRC, if you've created an account from your IP address or use a VPN (which virtually guarantees that an account has been created from that VPN's exit node), they force you to go the SMS route. Apparently, there's also a requirement for Tor users.

It's unfortunate because it means there's no way that a ProtonMail account can't be tracked to some static identifier (actual IP or phone number).

So just find a public Wifi spot or the million other ways you can access the internet without your home connection.

That still provides a way to geolocate you. It's incredibly difficult to create a usable Email address that cannot be traced in any way (i.e. purely from a Tor connection without giving any personal information).

I tried signing up a few weeks ago and definitely seemed like I was being forced to either connect SMS or backup email before I could create an account. So I didn't make one. If these things are optional they do not make it clear how to bypass that step.

Seems pretty clear to me...


This is what I see now:


Last time I tried to sign up, "captcha" was not an option, leaving only privacy-invalidating options. It might be dynamic. The criteria for them not displaying "captcha" as an option is unclear.

Fair enough. The form I see has no Step 5 (:

Unrelated note - that Dropbox link exposes what I assume is your email address. Interesting...

Thanks, good to know.

ProtonMail's verification requirements are determined by a complex system of IP reputation and other factors that are analysed in realtime when the sign up page is rendered. As an e-mail service, one of the most challenging things for ProtonMail is preventing abusive accounts from damaging the service's SMTP sending IP addresses' reputation to the point where deliver-ability becomes impossible with other e-mail service providers. This is especially difficult for e-mail providers that work to deliver privacy, and potentially pseudoanonymity, to users.

I wouldn't recommend accessing email over TOR, especially not a paid account.

Infact I would not recommend accessing any public service that requires a unique account authentication over TOR.

This at least is somewhat more useful than facebook over TOR but unless you are accessing only free throwaway accounts (and never use those to communicate with anyone you know) using this somewhat defeats the purpose of TOR.

Could someone expand how an email service over Tor helps when the messages you sent to others still go through SMTP protocol (even with TLS) and is stored/relayed in/to unprotected severs?

The goal of providing a tor gateway is not to protect the contents of the messages from being traced back to a specific ProtonMail account. It's also not to prevent the contents or metadata of those messages from tripping dragnet surveillance programs (such as PRISM). The goal of providing a tor gateway is to protect the individual, through their IP address, from being associated with the ProtonMail account and the metadata and contents of messages sent to and from that account.

For example, say that an individual would face a death sentence for religious preaching activity in the country where they live. They are unconcerned about people discovering the content of their messages or whom is receiving them. But, if they are discovered to be the person responsible for them they would likely be killed. Their sending of the messages through ProtonMail would be protected from observation by ProtonMail's TLS w/ PFS HTTPS encryption. But, their local ISP or government could observe all of their traffic. They could then, through traffic correlation, determine that specific individual was sending encrypted packets to ProtonMail's servers at the exact time various messages were sent. Using Tor would protect this individual's identity. The observers could determine tor traffic and attempt to correlate that with messages if they suspected the individual. But, if he was generating additional tor traffic by running as a relay or browsing other sites with tor the correlation would be extremely difficult.

The reason that ProtonMail set up the .onion site is because accessing ProtonMail over congested exit nodes that may be far from ProtonMail's servers is very slow. The .onion site has dedicated bandwidth directly to ProtonMail's webservers and is located close by in Switzerland. It should be expected that it much faster for users to use the .onion site than exit nodes to access ProtonMail.

In my experience with researching online drug and exploit markets as soon as a reliable Tor-hosted email provider springs up they become the default email provider for almost everybody.

Previously the default provider has been safe-mail.net but they've had a lot of issues. Before that it was TorMail, and the FBI ended up seizing all of those mailboxes since it was hosted at Freedom Hosting (and was an amateur operation) [1]

What it means is that web email providers act more like online dead drops rather than as traditional email providers. PGP use is pretty consistent in these communities - as is rotating keys and email accounts.

[1] I can't recall of the top of my head any indictements that resulted from TorMail being seized.

It doesn't make the messages themselves private, but it may protect the anonymity of the person accessing the email account.

It doesn't.

Can anyone speak to their like/dislike of ProtonMail vs Fastmail. I currently use Fastmail and I'm happy, but always looking for something better.

I finally switched from Gmail to ProtonMail this month as a New Year's resolution to make my privacy better bit by bit. Haven't tested Fastmail, but I like ProtonMail's simple webmail and the Android client a lot. Happily paying them for the service.

What are your experiences with Fastmail? Do they encrypt all your emails and in which country are their servers located?

I'm quite happy with Fastmail. I am making a similar exodus for my privacies well-being. It's a journey.

Servers are located at New York Internet (NYI) in New York City, USA. I'm not sure if server location matters to me at this point.

Emails are not encrypted, but all incoming and outgoing connections are.

Last year I really wanted to use ProtonMail, but the lack of SMTP and (at the time) inability to send plain text email were a big no-no for me.

So I switched from Gmail to Fastmail. I'm loving the service. The web app is pretty snappy and works really well. Even on mobile it is surprisingly responsive.

I find their UI beautiful and quite intuitive (don't read too much into this, as I am someone who really dislikes material design -- one of my grips with Gmail).

Really can't complain. I'd recommend Fastmail to anyone wanting a private mail service.

What other changes have you made or do you intend on making to increase your privacy?

Small steps. I deleted all my posts and pictures in Facebook and then deleted my account. After Facebook I also deleted some irrelevant accounts like LinkedIn. For mobile I just disabled all Google apps and started to use a VPN connection everywhere.

And I don't feel I'm missing anything.

Well Protonmail doesn't offer IMAP or SMTP so it's a non-starter for many.

IMAP is currently in beta for protonmail users.

besides the security component, which i can't comment on, protonmail does not have a calendar application...

I wish ProtonMail would offer more email aliases with its paid plans - credentials reuse is what often allows to snoop on someone's online identity. That would really boost its value in terms of privacy.

I was looking into possibly switching over from Fastmail while I happened upon the 5 alias limit and couldn't help but chuckle. I'd have to have an acute need for encrypted email to overlook that.

How about "compartmentalisation" and "single point of failure" as reasons to use ProtonMail for some contact, a disposable Gmail address for others?

Sure, those seem like good reasons but for a different use case and different from using ProtonMail as your main platform for daily email etc.

I always get the feeling that these kinds of services are NSA honeypots. Whether intentionally or unintentionally.

Isn't that true of all of Tor? An extremely attractive target; arguably anyone with the resources, including most state intelligence agencies, would see high value in finding exploits (and not revealing them).

FYI Scryptmail also supports it https://blog.scryptmail.com/complete-tor-support/

"In addition, your inbox is encrypted with AES-256 which is superior to RSA."



If only ProtonMail could import old mail, I would be giving them money.

If you are using proton for additional "privacy" don't do that, since it would effectively mean that your adversary can now know your new email identity.

If you don't worry about that, then in all honesty it's somewhat redundant.

I use hushmail because it has PGP integrated into their service, including a PGP client in the webmail, yes they have a copy of my key (you can do PGP over JAVA if you want to keep the key on your computer) and yes since they are HIPAA compliant and a Canadian company they will comply with NSL but those aren't threat models i worry about.

I want to be able to use PGP easily and from anyplace and not worrying about having to carry my key with me, having PGP or GPG installed and fussing around with it if I have to access my mail in an emergency from a device that might not have a full setup.

Whilst I am aware that the NSA and other agencies with similar capabilities are technically adversaries I don't fuss about them, I'm more worried about sending my mail to the wrong person than the NSA reading my mails, if they want to they'll be able too regardless of where I host them, and I would never go toe to toe with some one who's likely to use rubber hose cryptography on me.

Hopefully this will be coming soon!

Has anyone thought of DNS for onion addresses?

That's rather impossible or we wouldn't be using weird .onion addresses but just .com (at least before gTLDs became commonplace). Please read up on how they work.

Cool good to know. I guess next best would be done type of trusted directory listing - maybe orgs could somehow sign their entries on a directory page? The directory could put redirects for signed services in their path namespace. Meaning people would need


To access the service.

Or is this also impossible?

Then you might as well use the normal web. DNS is basically a directory listing with IP addresses to connect to, like a phone book; or a "trusted directory listing" as you say. Onion addresses are public keys which somehow find their way to a rendezvous point (I forgot the details).

But having accepted that DNS is impossible I'm now suggesting actual redirects (as in HTTP 301 or 302) rather than DNS.

Why the funny domain name? Is there any technical reason why they cant use protonmail.onion?

> Is there any technical reason why they cant use protonmail.onion?

Sure, there is. You can read about it in the Tor Phishing Resistance section of the article.

> Onion site addresses are 16-character hashes of encryption keys that typically look like this: 3ens52v5u7fei76b.onion. The problem is that there is no good way to differentiate between 3ens52v5u7fei76b.onion and 3lqpblf7bsm532xz.onion, as to the human eye, both are equally unrecognizable. This opens up a phishing risk because a phishing site can trivially be created and unless the 16-character random URL is checked carefully each time, users cannot be certain they are visiting the correct onion site. From a usability standpoint, it is not really realistic to expect users to perform this check every single time.

> To bypass this problem, we used ProtonMail’s spare CPU capacity to generate millions of encryption keys and then hashed them, using a “brute force” approach to find a more human readable hash for our onion address. The end result, after expending considerable CPU time, is the following address which is much more resistant to phishing: protonirockerxow.onion as it can be easily remembered as: proton i rocker xow

Cheers. Thanks for the detailed explanation.

Hidden service addresses are not just regular domain names resolved via DNS, they're actually a hash of the hidden service's private (edit: public, see below) key. The fancy onion addresses out there (like Facebook's) were generated by doing a whole lot of brute-forcing to find a key that looks cool.

Aren't the adresses hashes of the _public_ key? Hashes of the private key doesn't make much sense to me, as clients never come to know them.

Edit: Grammar

Yep, that's right, thanks. The public key is, of course, calculated based on the private key (these are RSA keys), hence why the brute-forcing still involves the private key, but it's not a hash of that key.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact