Even worse, they ordered ISPs to BLACKHOLE traffic going to Protonmail. That means ISPs were ordered to silently drop all traffic to Protonmail addresses. This raises problems not only for Russians, but potentially for other countries as well.
So, for example, someone connects from Japan to Protonmail (the server is located in Europe, say). If the traffic happens to be routed through Russian networks, then for the client in Japan it will look as if Protonmail is simply not responding, because a Russian ISP in the chain silently drops the traffic.
Again. I want to repeat this once again. The FSB had a problem with bomb threats being sent to their addresses. Instead of configuring their mail servers to ignore incoming mail from Protonmail, they ordered major ISPs in Russia to block Protonmail for EVERYONE in the country. That's so dumb.
Moreover, another recent leak coming from another Russian ISP indicates that the FSB also ordered the blocking of sending and receiving mail for certain mail addresses regardless of their domain. They ordered an ISP to block e-mail for certain addresses. Like, they ordered a ban on all e-mail going from or coming to any address starting with "putin666", at any domain.
It's so dumb, oh god. They cannot configure their mail servers, but they have the power to threaten ISPs into banning e-mail for the entire country.
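The "someone in Japan" scenario above, and the later question in the thread about whether this is a domain block or an IP block, come down to how a null route behaves in a forwarding table. The following is an added example, not code from the thread, from the leaked order or from Protonmail: a minimal longest-prefix-match forwarder with a BGP-style blackhole next hop. The router names and topology are hypothetical, and the "Protonmail" addresses are constructed from the RFC 5737 documentation range (192.0.2.0/24), not real ones.

```python
"""Why a blackhole route inside one transit network breaks traffic for
everyone whose packets happen to traverse it.

Added example (not from the thread). Topology and router names are
hypothetical; 192.0.2.x addresses are constructed RFC 5737 documentation
addresses standing in for the ones listed in the order.
"""
import ipaddress

BLACKHOLE = "blackhole"   # null route: silently discard, no ICMP unreachable
DELIVER = "deliver"       # destination network is directly attached here


class Router:
    def __init__(self, name):
        self.name = name
        self.routes = {}  # ip_network -> next hop (router name, DELIVER or BLACKHOLE)

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match: a /32 host route beats the default route."""
        candidates = [p for p in self.routes if dst in p]
        if not candidates:
            return None
        return self.routes[max(candidates, key=lambda p: p.prefixlen)]


def forward(routers, first_hop, dst, max_hops=16):
    """Follow one packet hop by hop. Returns (outcome, path)."""
    dst = ipaddress.ip_address(dst)
    hop, path = first_hop, []
    for _ in range(max_hops):
        router = routers[hop]
        path.append(router.name)
        nh = router.lookup(dst)
        if nh is None:
            return "unreachable", path   # the sender would get an ICMP error
        if nh == BLACKHOLE:
            return "dropped", path       # the sender sees nothing but a timeout
        if nh == DELIVER:
            return "delivered", path
        hop = nh
    return "loop", path


def build_network(via_russia):
    """Hypothetical topology: a client ISP in Japan reaches a mail server in
    Europe either through a Russian transit AS or through a European one.
    Which transit BGP selects is not under the client's control."""
    mail_ips = ["192.0.2.10", "192.0.2.11"]  # constructed "Protonmail" addresses
    jp, ru, eu, mail = (Router(n) for n in ("JP-ISP", "RU-TRANSIT", "EU-TRANSIT", "MAIL-DC"))
    jp.add_route("0.0.0.0/0", "RU-TRANSIT" if via_russia else "EU-TRANSIT")
    ru.add_route("0.0.0.0/0", "EU-TRANSIT")
    eu.add_route("0.0.0.0/0", "MAIL-DC")
    mail.add_route("192.0.2.0/24", DELIVER)
    # The order: each listed address becomes a host route to a null interface
    # on the Russian transit router. Being /32s, they win over the default.
    for ip in mail_ips:
        ru.add_route(ip + "/32", BLACKHOLE)
    return {r.name: r for r in (jp, ru, eu, mail)}


def reach(dst, via_russia):
    """Outcome and path for a packet from the Japanese client to dst."""
    return forward(build_network(via_russia), "JP-ISP", dst)


if __name__ == "__main__":
    for via in (False, True):
        for dst in ("192.0.2.10", "192.0.2.50"):
            print(f"via_russia={via!s:5} dst={dst}: {reach(dst, via)}")
```

Two things fall out of the model. First, the block is on IP addresses, not on a domain: a host in the same /24 that is not on the list is still reachable through the Russian transit, while the listed addresses die there regardless of what name (if any) the client resolved. Second, a null route produces no ICMP error, so from Japan the failure is indistinguishable from the server being down; a traceroute from the affected vantage point ending inside the Russian AS, while the same address answers from another vantage point, is the practical tell.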
Most of the time I hear about secret FSB orders, it's from HackerNews.
Right before the list of IP addresses, you can find the terms "blackhole" and "BGP".
The document carries the signature of the head of the FSB center that handles these types of requests and orders. Also, you can see a stamp in the bottom right corner of the first page.
The full story of how a Russian internet company actually found out about the blackholing can be found here (in Russian): https://habr.com/ru/company/tm/blog/443222/
In the story, you can find that MTS confirmed they are blocking the traffic and referenced the order from the original article.
Or so they say.
Also, is it only a domain block and not an IP block?
Apparently he's got his @N account back. I wonder how it happened, I don't see anything about it in the article.
Should be good enough protection against social engineering targeting registrars.
If your mail provider runs into problems or you choose to change, then instead of waiting for DNS to propagate, you simply update your relay configuration.
I should add that not all paid mail providers support this. Some lower-end providers require that you point your MX directly to them. Check before setting this up.
If they can MITM you, why not steal the password directly, or serve malicious JS to get your password?
My point was that MITMing HTTPS and HSTS isn't really necessary to carry out an attack as described by the root comment.
You only need to be in position to eavesdrop and/or MITM http connections to scrape together the necessary information; a much lower bar.
Same here. I gave them everything there is to identify me, yet they refused to help on the same grounds. The only difference was the phone number, because the one associated with the account died. Funny thing is, if it were not for an accidental removal of cookies, I would still be using that account, and I would have been able to log in, as it only seems to ask for the code sent via SMS when you lose your cookies and/or change your user agent.
I switched to protonmail for non-serious e-mails.
As a "technical" person, I despise passwords and tend to avoid using them. My preferred way to log in somewhere is either with SSH keys or with single-use codes sent by mail.
This has nothing to do with "losing" passwords.
For example, I actually have a password for Amazon written in a file, but I don't bother looking for it; I prefer to use the single-use code any time I want to use the site.
Once one of my Google Accounts was taken over by a hacker (I had reused the password on another site, which was hacked around that time), and even though Google warned me that someone was trying to take over my account, and told me someone was logging in from Russia (I always logged in from the exact same IP address from which I tried to recover it), and even though a friend at Google submitted an internal request to get me the account back, and even though I sent them a photo of my ID (with the Google account having that exact name in it), they refused to help me.
Google support did try to reach out to me, as I later figured out, but they had instead contacted me via the hacked email account; I only found the "thanks for your support chat" mail in the account after I regained access.
Which I was only able to do by talking to the person who now owned the phone number I had used a decade before for that account (the ISP had long since recycled it).
Thinking of ditching the ~tracking device~ phone anyway... what then? Have we sleep-walked into a world where people without a mobile phone are the underclass who barely even exist?
Kind of legit, to be honest. Anything else would make it far too easy to recover accounts. Also, Gmail is far too large to have a customer care team that could do things like passport verification.
Having said that, Protonmail has no phone number recovery. That's kind of bad. You can enter an old E-Mail address there, though, but it would be so much better to link this with a phone number. If you lose your SIM card, you can always get a new one from the phone company with your passport.
Why is being able to recover accounts easily a bad thing when you, and only you have or should have access to, say, the password?
> Protonmail has no phone number recovery. That's kind of bad
I do not use it, so it is fine by me.
> If you lose your SIM card, you can always get a new one from the phone company with your passport.
Not necessarily. It is more and more difficult to get a new one, and there are prerequisites that one may not meet, or they decide they do not want to do business with you, or your social credit is too low, etc.
The differences are: one is given to you by a third party, and the other one is made up by you.
I would like to be able to opt out of it, e.g. phone number should not be required.
Considering how many high-profile Bitcoin thefts occurred using hijacked phone numbers, it's probably better not to have that as a reset method.
Most users don't even have Bitcoin but a normal bank account, which is oftentimes protected by different second factors. It would be nice if they provided different options. For me it would suck if someone hacked my E-Mail, but I could reclaim it quickly and the damage would be very limited.
Last year I was working on a service that skipped passwords altogether. We used the phone number and a one-time PIN code by SMS for registration, login and order confirmation, all in one step.
Simple use case. You create an account while on a VPN. You don't provide a phone. Then you clear your cookies. That's it. If your exit point IP changes, Google will not allow you to log back in even if you know the password.
Interestingly, the original meaning of "third world" country was: a country that is neither part of the Soviet bloc nor on the US side (the first two worlds).
"Probably someone read the news and googled protonmail, saw "encrypted email" in Wikipedia page and decided to block the whole thing." <-- where do you get that? It's complete nonsense.
As for the complete nonsense: you have something working for 5 years, suddenly it gets news coverage with no significant usage increase, and it is blocked. I have no source, but this is exactly the case where I live. There's something like a publicity threshold. It sounds silly and irrational because it is silly and irrational.
Or perhaps I am wrong and some experts were analyzing protonmail for 5 years and now came to the rational conclusion to block it.
Like a distant god, Google gives and Google takes away...
I pay for my PM account and have had nothing but good experiences with the company and service so far (including with the VPN and with the mobile app before I ditched my iPhone). It took me years to migrate off of Gmail but since I finally managed to do it I've never looked back. Give it a shot.
(And it shows another negative side of federated systems, like E-mail.)
The obvious point of comparison would be with a centralised system, but I can't see any possible way that would be better than federated in a situation like this.
Other Russian email providers would not be able to send you messages though.
Protonmail has its problems but I hope they get over them as a company. Personally, so far I've received nothing but great customer support from them.
On top of that, the mobile app is atrocious. It crashes at the drop of a hat, doesn't autosave drafts, and doesn't even do threading. It also makes terrible use of space, and has a permanent upsell ad in the sidebar, pushing my folders offscreen. Someone actually approved this design...
I guess for those weirdos who can live with a webmail client it's serviceable, but it's an embarrassment that they've been at it this long, and this is the state of their offering.
I've never had this problem, but since you mention the IMAP bridge it's worth noting that a) the Linux version of the bridge is still an on-request beta rather than a freely available download, despite working flawlessly for me for the last year and a half, and b) you can only use the IMAP bridge with subscribed accounts. So if you're using a free account you can't use it at all, and if you have a mix of paid and free accounts only the paid accounts can use the bridge.
I find the bridge pretty nice in and of itself, but the way it's managed and monetized is a bit of a trainwreck.
If you want to use the webmail client with JavaScript PGP (a la ProtonMail), that's supported, but they also allow you to manage your own PGP keys and support using Thunderbird or Mailvelope. Additionally, you can connect via a Tor Hidden Service if you want, and they can PGP-encrypt incoming plaintext messages if you want them to.
Free Gmail is essentially spyware. Why would you trust anything important/private to a provider you're not paying?
The only centralized part is the DNS.
What they should be using is either Streisand email with a server in a country that respects their privacy (Netherlands, Panama, etc.) or Lavabit email.
Sorry, Streisand doesn't in fact have an e-mail server. I thought it did at one point. I guess you can use mail-in-a-box (https://github.com/mail-in-a-box/mailinabox).
Source? I thought ProtonMail were Swiss and E2E encrypted.
I didn't know they had "support centers in San Francisco, CA, and Skopje, Macedonia". Thank you.
Still a far cry from proof of being "in the pockets of the US government". Signal, too, has American nexuses. That doesn't automatically render it compromised.