A very small fraction of logins get the CAPTCHA challenge. We, and other services, face unrelenting brute force attacks on our login endpoints. If you are seeing a CAPTCHA on login, chances are that something about your connection is suspicious to our system. It's far from perfect, and we continue to improve it, but at most a percent or two of users are seeing CAPTCHA at any time.
The CAPTCHA is run in an iframe on a separate domain to sandbox it from the Proton login flow and prevent it from compromising the webapp. Obviously Google still gets some information, but we do all we can to limit this.
CAPTCHAs are very hard to build, especially considering Google has a habit of clearing the field with its own captcha-breaking code. Most companies do not have the resources to build their own. We had an alternative CAPTCHA we were going to use as a replacement a few years ago and then the company behind it went bankrupt. We are currently looking to replace ReCAPTCHA with hcaptcha, which should alleviate some of these problems.
We have other strategies which we are also exploring to try to reduce the need for CAPTCHAs entirely, but these are also not trivial to build and integrate into all clients.
TL;DR It's a small fraction of users who are affected, it's necessary to protect our users from brute force login attacks, we don't like it either and are working hard on replacements.
I'm going to put you on a spot a bit, because this seems important to ProtonMail's viability, and I want you to keep succeeding...
> Obviously Google still gets some information, but we do all we can to limit this.
When you cause a request to be made for ReCaptcha, it seems that you're leaking enough information to (in many cases) link a possibly-pseudonymous Protonmail account to an identifiable individual.
(For example, even if you leak nothing else than times that individuals identifiable by Google logged into unidentified ProtonMail accounts, Google can already see various external activity of specific ProtonMail accounts, and you've given them temporal correlations between activity of pseudonymous accounts and logins by identifiable individuals. That's not the only example, but even that alone seems a significant risk.)
And it seems to be a real risk: Google is in the business of doing things like that, has a track record of doing things like that, and presumably is more than capable enough of doing it some more.
> but at most a percent or two of users are seeing CAPTCHA at any time.
That sounds like a lot. And the "at any time" sounds like an even higher percentage of users are potentially being compromised by the use of ReCaptcha.
> we don't like it either
I'm not yet convinced that this is the least of all evils. And I don't know how much you have to dislike it before you decide not to do it.
For persuasive effect, is it helpful to imagine the reaction of your philosophical adversaries, when they heard that ProtonMail was using ReCaptcha? I just imagined some of them laughing derisively or incredulously. I don't say that to be mean, but I don't understand the rationale for using ReCaptcha, and I want to emphasize that it seems to be a problem that threatens ProtonMail's raison d'etre and/or brand image.
(BTW, I'm assuming this ReCaptcha choice isn't due to legally-compelled cooperation in unmasking specific accounts -- in which case I wouldn't say anything -- since, in that case, I expect you'd find a way to comply without misrepresenting the rationale to everyone else. I've seen ProtonMail thinking ahead to avoid related conflicting obligations and assurances.)
(BTW, I'm speaking here of Google as an adversary of your customers, and therefore of you, only because that seems to be how your product is positioned, and why you have customers at all, rather than everyone just using GMail. I'm not saying that Google is bad; only that I think it should be considered an adversary from your perspective.)
The points made in this post mirror my own, and this incident has caused my trust of sound privacy focus design and implementation on the part of Proton to diminish somewhat.
Any small leakage of data/activity/identity is unacceptable to those of us who know how this information can be taken advantage of, and chose Proton specifically to avoid that happening.
As a community driven, open source company, resource allocation is determined through community feedback. As mentioned in another post, reCaptcha has been used for anti-abuse in Proton since 2014. The community cares about this, but it's never been the highest voted item [1].
However, it's something our team cares about. That's why 6 months ago, we started preparing to migrate to hcaptcha, even though removing reCaptcha wasn't the most pressing community demand. This work is on track to be completed in the next few weeks. We are sure that after we switch to hcaptcha, on the community voting forum, there will be a "do not use hcaptcha" suggestion, which will then start to collect votes. When it collects enough votes, we will duly allocate resources towards building our own captcha, because that's what it means to be a community driven company.
That post and the comments seem to not be aware of the privacy/security risks. And the official response seems to miss it:
> In our setup, reCaptcha is served from a sandboxed iframe, which prevents it from being able to interfere with our JavaScript, so it does not pose a privacy or security risk.
You might perceive low user demand for this change because your users assume that you handle the privacy/security risks, and assume that the only issue is annoyance.
This is an irresponsible statement to me. Each time you face this kind of issue, you can claim that the community allows you to do that. But Protonmail is a professional company who should take the final responsibility. Please be professional.
It's a perfectly professional and honest response. They're taking responsibility AND giving you a rationale. Your comment is the unprofessional one if anything.
If it’s security or privacy related that should be driven by your own threat-modelling and risk assessment. Not left to the fate of what the community decide. You’re the experts after all and that’s what people using your service pay for and expect.
A captcha of any kind on a paid service (or a storefront where I'm looking to pay money) is an absolute deal breaker for me. I will not be clicking on lights and stop signs to be able to pay money.
Thank you for explaining here, I really appreciate the work you’re doing and understand the non-trivial work it takes to protect users. While I’d love a Google free experience for PM, I also love having a near zero chance of a brute force attack. I’m a paid PM user and have been using it since the very early beta days. I never see the CAPTCHA on any OS, but I only connect from about 5 different IPs or while using ProtonVPN.
Off topic: please implement font size adjustment capability on iOS!
I feel like they have pretty much cleared the issue up. Any coder would agree that a captcha service is actually very hard to build. Especially a good one. What they're doing isn't exactly 100% wrong, but it isn't 100% right either. Either way, they're implementing hCaptcha. I see no issue?
Yes, but the issue being pointed out is third party google.. Also being made aware. Many users pay proton for the services. Should we also be upset about payment processors logging this? Last time I tried to make a new protonmail, a phone number or non protonmail account was required. They limit which emails are valid.
They are not what they were, what they stood against. They have been assimilated.
Maybe some basic stats would concretize the problem for some commenters.
E.g. What was the ratio of failed logins to successful ones before implementing captcha? Now that you've implemented captcha, what is that ratio among the population of users not presented with captcha, compared to the population that is? How many attempts did adding the captcha stop?
We were a bit surprised by the sudden reaction today. We have been using reCaptcha as one tool (among many) to fight abuse for years now. For example, here's a thread from 4 years ago mentioning it [1]. It is triggered most often for signup, but it can also appear for password reset, username lookup, sending mail, payments, login, and any other api routes which can be abused.
That said, we can also understand the reaction. Back in 2014, there were no viable alternatives. Today, there is one alternative, and we started the transition to hCaptcha earlier this year, and will complete it in the coming weeks.
For security reasons, we can't say too much, but some truly massive residential IP botnets have appeared in recent years and can make millions of attempts per day. On really bad days, Captcha can appear for nearly 1% of legitimate users (some who are unwittingly part of the botnet), while blocking nearly all of the malicious attempts.
> For security reasons, we can't say too much, but some truly massive residential IP botnets have appeared in recent years and can make millions of attempts per day
Ah yes. All those insecure IoT and unpatched/unpatchable routers that are discoverable on shodan and ultimately end up joining giant botnets. They are a plague not just to ProtonMail.
TBH, I’ve never seen a Captcha. But then I’d tend to use your service via mutt/bridge or the iOS app. And I have MFA enabled.
I don’t think you quite understand what security through obscurity means. It’s not an invitation to help malicious actors pen-test your system by publishing information about it.
I think a part of the problem is many people don't know what CAPTCHA really does and that even smaller numbers of people know exactly how much traffic is abusive in nature.
> A very small fraction of logins get the CAPTCHA challenge. We, and other services, face unrelenting brute force attacks on our login endpoints. If you are seeing a CAPTCHA on login, chances are that something about your connection is suspicious to our system.
IME CAPTCHA will make your internet use unbearable if you a) are from a non-Western geo-location or b) you use a VPN. VPNs like the service you provide, which a fair number of your email users probably avail. It's fair to say a smaller number of "internet users" get CAPTCHA hell (which i also doubt), but I wonder if the ratio of Proton* users actually skews the other way.
This is seriously skirting the issue. OP didn't complain about your use of robot detection. OP complained about your use of GOOGLE's robot detection, which is not privacy preserving. There are many other robot detection services out there, many of which are arguably more effective at detecting robots too.
It's not DDOSing, it's credential stuffing[0]. Hackers find leaked databases which contain username/password pairs. They then try username@protonmail with the password from that database (or they just try the top 1000 most common password). If they get in, they suddenly have control over someone's email. From there they can password reset any of the user's other accounts, some of which might allow them to buy real world items.
The best mitigation as a user is to never reuse a password, however protonmail cannot enforce this. From their side the best option is to slow down the hackers as much as possible so it's less likely their more vulnerable users get compromised.
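The kind of per-connection suspicion check described in the top comment ("something about your connection is suspicious to our system") and the credential-stuffing pattern described just above, as an added example that is not Proton's code: it replays a constructed login-attempt log and decides, per attempt, whether a CAPTCHA-style challenge would be raised instead of letting the attempt through unchallenged. The log format, the IP addresses (documentation ranges), the usernames and every threshold are assumptions made up for this example.

```python
from dataclasses import dataclass

# Constructed sample login-attempt log (not real Proton data).
# Columns: timestamp source_ip username outcome
# 203.0.113.5  -> one source trying many usernames with leaked passwords
# 198.51.100.7 -> a legitimate user who mistypes once, then succeeds
# 192.0.2.x    -> many sources (a botnet) all failing against one username
SAMPLE_LOG = """\
100 203.0.113.5 alice FAIL
101 203.0.113.5 bob FAIL
102 203.0.113.5 carol FAIL
103 203.0.113.5 dave FAIL
104 203.0.113.5 erin FAIL
105 203.0.113.5 frank FAIL
110 198.51.100.7 alice FAIL
115 198.51.100.7 alice OK
120 192.0.2.1 grace FAIL
121 192.0.2.2 grace FAIL
122 192.0.2.3 grace FAIL
123 192.0.2.4 grace FAIL
124 192.0.2.5 grace FAIL
125 192.0.2.6 grace FAIL
"""


@dataclass(frozen=True)
class Attempt:
    ts: int
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        attempts.append(Attempt(int(ts), ip, user, outcome == "OK"))
    return attempts


def should_challenge(history, ip, user, now, window=300, max_users_per_ip=5,
                     min_attempts=3, max_fail_ratio=0.8, max_ips_per_user=5):
    """Decide whether a new attempt (ip, user) at time `now` gets a challenge.

    `history` holds earlier attempts; only those inside `window` seconds count.
    Thresholds are illustrative assumptions, not tuned values.
    Returns (challenge: bool, reason: str).
    """
    recent = [a for a in history if now - window <= a.ts <= now]
    from_ip = [a for a in recent if a.ip == ip]

    # Credential stuffing from one source: many different usernames tried.
    if len({a.user for a in from_ip}) > max_users_per_ip:
        return True, "many distinct usernames from one source"

    # Mostly failures from one source once there is enough data to judge.
    if len(from_ip) >= min_attempts:
        fail_ratio = sum(not a.ok for a in from_ip) / len(from_ip)
        if fail_ratio > max_fail_ratio:
            return True, "high failure ratio from source"

    # Distributed attack on one account: failures from many sources. The
    # legitimate owner of the account will also be challenged while it lasts.
    if len({a.ip for a in recent if a.user == user and not a.ok}) >= max_ips_per_user:
        return True, "username targeted from many sources"

    return False, "no challenge"


def replay(attempts):
    """Evaluate each attempt against everything that came before it."""
    decisions = []
    for i, a in enumerate(attempts):
        challenged, reason = should_challenge(attempts[:i], a.ip, a.user, a.ts)
        decisions.append((a.ts, a.ip, a.user, challenged, reason))
    return decisions


def challenged_successful_logins(attempts):
    """Count successful logins that were challenged: the cost paid by real users."""
    ok_by_key = {(a.ts, a.ip, a.user) for a in attempts if a.ok}
    return sum(1 for d in replay(attempts) if d[3] and (d[0], d[1], d[2]) in ok_by_key)


if __name__ == "__main__":
    for ts, ip, user, challenged, reason in replay(parse_log(SAMPLE_LOG)):
        print(ts, ip, user, "CHALLENGE" if challenged else "allow", reason)
```

Running the replay shows the stuffing source being challenged after three failures, the botnet being challenged once enough distinct sources have failed against the same account, and the legitimate user going through unchallenged despite one typo. The third rule is also why a real user can see a challenge through no fault of their own: if their account (or, with a residential botnet, their own IP) is caught up in an attack, the signal is indistinguishable at the endpoint.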
Please be more concrete. What exactly is the risk here? That Google can look into the logs and infer a Mac OS Bigsur with Chrome v90 is logging into proton mail today at x:xx pm?
No, no. Now Google knows you are using ProtonMail, and by extension the NSA knows you are protonmail, the FBI knows you are using ProtonMail, and so on.
meh, if FBI is truly trying to track you down, they have an easier time accessing your ISP and mobile carrier logs to see what IPs you've been talking to.
Google has a history of this user logging in to protonmail including ip addresses. Google gives that log to a US agency, the US agency correlates that log with the log coming from the ISP and identifies the user.
It goes against the very reason of Protonmail existing. If you are to accept privacy leaks by design, you have no reason to use what Protonmail claims to offer in the first place, and just stick with gmail.
There actually aren't countless, almost all of them have been broken (many by Google actually), there's just one alternative, hcaptcha, which has been around only the past couple years. Back in 2014 when we first added the captcha for too many api requests, there was no other option.
You can't use that sort of username on HN—see https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme.... I've banned the account for now, but if you want to use it with a different name, you're welcome to email hn@ycombinator.com and we'll get you fixed up.
Not questioning this dang, but would be useful to add something about trollish usernames in the guidelines, and perhaps clarify what qualifies as trollish.
That belongs to a category of subrules or heuristics which are too numerous to list. If we tried to make the guidelines comprehensive that way, they would just get so long (or worse, so bureaucratic) that people wouldn't read them.
There's a limit to how much information one can get across that way, so we err on the side of explaining the spirit of the site and leave the 'case law' to specific moderation comments. One of these years I want to compile those into an extended FAQ or something, which could provide a home for the kind of documentation you're talking about.
Impressive how you’re able to find these quickly and quash. Follows the model of cleaning up graffiti quickly, which causes incidents to reduce over time.
When I started my company we chose to use Protonmail. My advice to anyone who wants secure email: don't use protonmail.
The email search is completely useless. I don't understand how it can possibly be so difficult to do a substring search on a corpus and rank them in some kind of sane way. Searching for old emails based on content is an exercise in futility. After a few years of using an email service, search becomes really important.
It is exceedingly difficult to pull data out. You need dev ops skills to do it.
They charge for users that are disabled, and you can only stop paying for them if all of the associated data is deleted.
So they effectively hold your data hostage (yes, you can get it out but it is time-consuming and requires technical skills).
I finally bit the bullet and paid a dev ops person (and gave him access to all my data) and switched to fastmail (at least it's not google) a few months ago. It's been an incredible relief.
A few clarifications. There is an export tool that is available. The reason we must count disabled addresses towards your quota is because if we did not do that, we would be susceptible to an attack where a paid user could run through our address space by creating and disabling addresses continuously, so some limits are required. You can remove disabled addresses, but only by contacting support.
This is a sort of weird reply. The person you're replying to isn't saying "you need to allow an attacker to create and disable millions of addresses to DOS you". They're saying "you need to allow medium to longer term clients that de-activate very small portions of their overall number of accounts to not have to pay for those". You already have a system to measure account numbers, so what makes it impossible to also measure active account %ages?
Why would you not pay for deactivated accounts for which they’re still storing the data? I don’t think the delivery of email is what costs most money, it’s the storage of data.
Your replies are very frustrating. It’s like you’re completely missing the point of the replies and focusing on very tiny, irrelevant details. Nobody is claiming that you can’t remove deactivated accounts. Only that you charge for them until you go through the rather annoying process of contacting customer support. And then you make some bad excuse that it’s in the name of security because somebody could potentially make and deactivate millions of accounts. Obviously there could be a middle ground of allowing someone to deactivate 5 accounts per month or something.
I suggest you either stop responding, or actually respond to the issues people have, and don’t make excuses that are paper thin.
This seems to be assuming bad faith, you've changed a complaint of a missing feature into a different request for a new feature (because contacting support is inconvenient), which are two different things. It would be best to not confuse the issue, and to focus on doing what you can to support the feature request, if that's what you're interested in having.
That seems like a misreading, the very toplevel post says that you can stop paying by deleting all the data. Then the response says you can also do that by contacting support. Did I miss something?
I don't know how anyone could look at protonmail's responses and not assume bad faith. They're obfuscating the issue so they can make technically correct but effectively useless excuses for crappy behaviour.
I'm not sure what you mean -- it makes sense to me that if you are paying for an email service, they would continue to charge you as long as you store and access those emails in their server, and they would have to take steps to prevent abuse from people who might try to store too much data. Can you be more specific about what the behavior is? Maybe you could show a good way that another email provider has solved this, and provide a helpful guide as to how they could implement that?
Can you name another corporate email provider that doesn't free up seats when users are deactivated? To my knowledge this is how all of Proton Mail's competitors charge for seats - at least all the ones I know of.
I haven't used many "corporate email providers", whatever that means, but I've used my fair share of "classic" email providers (standard mail stack + basic webmail) and most of them charge per inbox. If an address is deactivated, but the inbox is still present, it counts towards your quota (depending on your package, this might mean you're paying for it). If you want to reclaim it, the inbox with all its contents must be deleted. Since that is a highly destructive and usually non-reversible action, a few do require you to go through their support.
I personally don't like it and surely there's better ways of doing it, but it is definitely not unheard of.
Wow this response chain is so laid on thick with half answers and marketing speak. I guess you can now "hope" that I won't cancel my protonmail subscription.
I think it is unreasonable to think that protonmail should not charge you for deactivated accounts that still have data in them. If they still have data, then you should keep paying.
Same here, with their email AND vpn. It's been flawless so far, tech wise.
But yeah, they really need to control and focus their core message to a tech board. If you whiff that (which they did), there's a good chance of running off your core users. And that is generally considered a bad idea.
Note: due to the design of PM, the search is done client-side rather than server-side. It's not an excuse but at the very least, full-text search is harder.
Full-text search within the average amount of a single user's emails is trivial and fast on any modern PC. Smartphones do it for autocompletion suggestions every time you type a letter. The only thing taking longer than a few milliseconds is the initial indexing.
Doesn't that assume you _have_ all of the emails on your device in order to search them?
I know for a fact, Gmail on my phone doesn't have the ~15 years of email in my account downloaded. I bet that would take significantly longer to download than the actual search would take to perform.
If the things to be searched aren't already on the client, a client side search doesn't seem too useful to me, regardless of how much compute power you have.
> This sort of comment is frustrating. How many times has XYZ site had broken search?
I can't even think of any? But also search isn't a core feature for the vast majority of sites. Something can be easy and still break if nobody cares very much.
Edit: Actually I can think of search breaking on one site that was notoriously badly run and had 0 to 1 part-time devs. That's not a flattering comparison.
Edit 2: So could the people that disagree name some notable sites with broken search? I feel like if I don't understand what "XYZ" stands for it's probably not something I should be blamed for...
Not a website, but...Windows 10?? Highest market share OS, billions of $ worth of engineering time behind it and due to recent changes, search is pretty much a core feature of the OS. And I'm not even talking about file search here, which is indeed a hard-ish problem (although `locate ... | grep ...` seems to do well enough on Linux) - this is just a simple word search through a list of programs that's usually under 100 items long. And it's still broken most of the time.
Then there's MDN - a documentation site, whose 2nd most important function should be search. Yet, despite DuckDuckGo (a general-purpose search engine!) consistently finding the exact results I want, MDN's built-in search often misses even titles that are searched for verbatim.
If it weren't almost 2am and I weren't running almost entirely on caffeine, I'd probably be able to think of a few more.
When you can download a freeware tool that will find any file in the system instantly after maybe a minute of indexing you know the file search is not the problem here.
Just a month ago the only reason I could start a recently installed MS Office package on Windows 10 was its tendency to list newly installed programs first in the start menu. It did not show up anywhere else, could not be found by the search and Word could not even be set as default program for a file because the OS didn't seem to know of its existence.
I’ll second this, I love the idea of proton mail but the product isn’t anywhere close to ready for daily driving. Great for the occasional should it arise however. Encryption should be a selling point and it seems like they use it more as an excuse.
I've been using it for 2.5 years for my personal email (I don't do anything super complicated with email; mostly service notifications, the occasional correspondence with friends or recruiters or such). As far as UX, it's pretty mediocre (on both web and mobile) but it gets the job done for my purposes.
I've been using protonmail as my main email service for probably close to 6 years. Earlier iterations of the UI were obviously basic but it's perfectly functional now and works very well and certainly not for "occasional use". The web client UI is great and has come on leaps and bounds particularly of late.
The mobile app has some way to go but more than adequate for daily use because I'm using it daily.
I'm not entirely happy with fastmail. Too much legitimate mail ends up in Spam. They even put aliexpress mails in spam, that kind of domain surely must be whitelisted. I'd prefer more spam in the inbox, because right now I have to check spam all the time to ensure that nothing is lost.
A bit off-topic, but I'm constantly surprised that e-mail companies are so bad at this. If I, as a user, keep corresponding with someone, what kind of brain-dead system keeps putting their mails to spam? (answer: gmail) I am communicating with them, do you really think they are spamming me? It's so frustrating. And yes, their SPF & similar headers are correct (or at least they seem to be, as G of course doesn't tell me why it went to spam). I know I can setup filters, but I thought they had that "smart" machine learning thingy? Or at least some simple "if" statements? /rant
To be fair, aliexpress is pretty spammy. If they use simple bayesian filter for their spam filter it's pretty understandable that aliexpress emails ended up being marked as spam.
To be fair, 70% of what I get from AliExpress is actually spam, despite having disabled all the email switches I could find. For each order, I get 3-5 near-useless emails and every visit to the site results in a week or two of "abandoned cart recovery" emails.
I've used fastmail for 20 years and I'm very happy about it. Before that I used telnet to a server and ran pine. While traveling in India I got fed up by the lag so I decided to try out this web-mail thing that everyone was talking about. I came across an Indian IT magazine that compared all the big players at the time, and fastmail came up on top. Easy choice, never liked big corp anyway. I've since tried out most alternatives, but nothing could match my needs as well as fastmail. Thumbs up!
I just switched back to Fastmail after a year of testing alternatives (mailbox.org, Private Email [a Namecheap company], Runbox, and Zoho Mail) and I'm quite happy with it.
Services like email don't have a high barrier to entry and most customers don't have complex technical requirements, so much of choosing a provider is based on trust and instinct - rightly or wrongly.
I remember a while ago someone promoting a new email service that "focused on privacy", etc. A few knowledgeable HN users quickly pointed out they were running Mail-in-a-Box on a single Digital Ocean droplet.
Your open source link contains nothing, your blog has no posts, your Windows app is not found in the store, your privacy policy is from a free policy generator tool, there are no reviews due to the service being new and there is no documentation for how to use custom domains, etc. You may offer an excellent service, but there's not a lot to base trust on.
It is a brand new service still in the early stages of development. Building trust will take time, especially since it's new, but I think competition in the email space is a good thing.
Thanks for your feedback!
Oh, also, the open source repos are coming soon. Only so much time in a day. :)
It looks interesting, it ticks the functionality checkboxes, but given the thread here the target audience is likely interested in privacy and security. Tricepmail seems to have little to no information about security, and the privacy policy is basically GDPR compliance (specifically: we'll tell you what we collect personal info for) with the option to sell the data to third parties.
Additionally, the apps appear to be in beta-stage still. They're functional, but still pretty rough in appearance.
You're going to be hard pressed to convince anyone here to switch to a service that retains the right to sell your data, doesn't reveal the country of administration, and is relatively new.
Thanks for your feedback. I will touch on all your points.
TricepMail is designed specifically for privacy, and not only privacy for your data on TricepMail’s servers but for preventing others from tracking and selling your information as well. The privacy policy specifically states that there is no collection of your personal information. TricepMail is based out of Colorado, US, but considering moving to another country which might be better for privacy.
The UI is definitely very minimal, but that is on purpose by design. No need for a bunch of visual clutter when reading/sending email. Improvements can and will be made though, of course.
When Zuck says Facebook wasn't sharing our data with NSA/Prism, he has his company's and his own reputation on the line if he was lying... we don't know who you are and what this service is, so, sorry to say, but your 2nd paragraph doesn't mean much.
I could promise you I'll send you a legit authentic fancy gold Rolex worth $20,000 if you transfer me $15,000, so you can re-sell it and make $5,000 in an instant. Would you believe me?
FWIW, Zuck/Facebook and every other shady company who uses dark patterns and takes advantage of their users disgusts me. It's one of the primary reasons I started TricepMail.
Are you representing tricepmail? Because it kind of sounds like you are. And if you are, it's kinda shady to not disclose that in your initial post asking what people think of it...
aren't all messages encrypted on the server? that would make search difficult because no server process could read them. all your emails would have to be pulled into the client for decryption first.
You can imagine each user as a folder in the /var/mail directory, it depends on your implementation to encrypt the folder or not. Gmail encrypts all in-transit e-mails but I cannot find a reference for encrypting on their servers
Their point is that ProtonMail specifically does encrypt emails on the server. That's their headlining feature. Only clients are supposed to be able to decrypt them.
My own advice re secure email is that there isn't such a beast – you just can't apply what is expected from modern secure messaging, like having no insecure fallbacks, forward secrecy, encrypted metadata, etc.
> Google isn't interested in the mail of your random startup
On the contrary: Google is absolutely interested in your startup's email, just not the content you think. They don't care about Susan writing to HR about vacation days, but they absolutely care about your IT manager's correspondences with that Oracle rep that's trying to sell you their cloud offering. That way, Google can advertise the shit out of their competing offerings to you in order to "steal" you as a customer from their competitors.
> Product-wise there is not a thing wrong in the world with GMail.
I'm guessing you haven't been around HN for long enough to hear the myriad of horror stories about entire GSuite orgs being deleted because of things like a false-positive abuse detection on an employee's private account or one pirated movie uploaded by an employee by accident. And how none of them were able to even reach support without going through personal connections at big G (and even then, few were able to get things fixed).
Google is a faceless corporation, managed more by algorithms than by people. You don't need an ideology to tell you why that's bad.
I don't ideologically support exploitation of workers, using unclean energy sources and the "proof of work" model of education. Yet, I need many modern gadgets, have no carbon-neutral way of crossing the country other than biking for 2 weeks and need a university degree to get a job that allows me to live well.
Blindly choosing ideology over self-preservation is what isn't sane here.
"There's nothing wrong with people reading your correspondence (and archiving it forever and running algorithms on it)! If you say otherwise you're blinded by ideology!"
> If you expect search functionality from them you don't get encryption.
It’s not as if the client can’t maintain an encrypted index, they just haven’t implemented it.
Also, apart from all of the important advantages of encryption, there’s always the privacy angle compared to Gmail: Google uses mail to target ads and scrape purchases, which a lot of people don’t want.
I think a full index of the contents of hundreds or thousands of emails and their attachments is soon going to take a lot of space and be slow on a mobile device.
Also if you have multiple clients, which one is going to update the index and how do they sync up? Building an index on a mobile device potentially kills its battery esp. if it needs to index pdfs and images. So it needs to be done while charging over night which means you can only search emails from yesterday.
If multiple mobile clients build their own indices merge conflicts might arise.
So yeah, if you're opting for an encrypted email then your search experience will suffer. It's the user's choice obviously.
The advertisement on Gmail is for free accounts btw and it seems extremely dumb. I get ads for Google Fi in Gmail even though I'm a Google Fi subscriber.
> I think a full index of the contents of hundreds or thousands of emails and their attachments is soon going to take a lot of space and be slow on a mobile device.
I initially read “hundreds of thousands” and would have agreed that it might be a problem for those rare users (not even sure about that), but no, “hundreds or thousands” is a trivial amount of data. Normal mailbox operations already need to synchronize state; you just apply index operations along with this. (As for indexing PDFs and images, I don’t expect that in a basic implementation, or maybe ever. Doesn’t mean the entire feature should be missing.)
Which is why other services (e.g. Tutanota) have already implemented it, and also manage to encrypt things like subject lines, which Protonmail doesn’t (!).
I'd like to first see a real example of a mail service that in addition to e2e encryption is also best in class in terms of usability (quality and speed of search, spam filtering, auto categorization, ...).
For my use cases, usability comes first and e2e encryption comes second or even third (after price).
> I think a full index of the contents of hundreds or thousands of emails and their attachments is soon going to take a lot of space and be slow on a mobile device.
The index doesn't need the attachments, does it? At a couple kilobytes per message you can fit a whole lot of text into a reasonable amount of phone storage. And there's no reason it should be slow.
> Also if you have multiple clients, which one is going to update the index and how do they sync up?
Each client can either independently index new emails as they come in or upload something like a compressed csv of new entries for the index database. A hundred new emails should only take milliseconds to process.
> if it needs to index pdfs and images.
How do you index images? Indexing pdfs is much more of a nicety than a necessity, and it could be a setting on whether you want to spend the data. It shouldn't take long though, as far as I know. You don't need to render it or anything.
> If multiple mobile clients build their own indices syncing them and merge conflicts might arise.
If they build their own then you don't need to sync.
If they share and do sync, I still don't see how you'd get merge conflicts. Emails don't change, and index updates are just adding and removing entire emails.
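The point made in this thread, that index updates are just whole-message adds and removes, is easy to see in code. The following is an added example, not code from Proton, Tutanota or any poster: each client blinds the words of a message with an HMAC under a client-side key (a hypothetical choice of searchable-index construction), ships add/remove operations as JSON lines, and any other client can apply those operations in any order, with a tombstone set so a "remove" that arrives before its "add" does not resurrect a deleted message.

```python
import hashlib
import hmac
import json
import re
from typing import Dict, List, Set, Tuple

TOKEN_RE = re.compile(r"[a-z0-9]+")

# Constructed key for the demo; a real client would derive it from the mailbox key.
KEY = b"demo-search-key-do-not-reuse"


def blind_token(key: bytes, word: str) -> str:
    """Keyed hash of a word: the stored index holds only these opaque tokens."""
    return hmac.new(key, word.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def message_tokens(key: bytes, text: str) -> List[str]:
    """Blind every distinct word of a message body (simple hypothetical tokenizer)."""
    return sorted({blind_token(key, w) for w in TOKEN_RE.findall(text.lower())})


class EncryptedIndex:
    """Inverted index over blinded tokens; messages are added or removed whole."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.postings: Dict[str, Set[str]] = {}   # blinded token -> message ids
        self.present: Set[str] = set()             # ids currently indexed
        self.removed: Set[str] = set()             # tombstones for out-of-order ops

    def op_add(self, msg_id: str, body: str) -> dict:
        return {"op": "add", "id": msg_id, "tokens": message_tokens(self.key, body)}

    @staticmethod
    def op_remove(msg_id: str) -> dict:
        return {"op": "remove", "id": msg_id}

    def apply(self, op: dict) -> None:
        """Apply one operation; safe to replay and independent of delivery order."""
        msg_id = op["id"]
        if op["op"] == "add":
            if msg_id in self.removed or msg_id in self.present:
                return  # already deleted elsewhere, or duplicate delivery
            self.present.add(msg_id)
            for token in op["tokens"]:
                self.postings.setdefault(token, set()).add(msg_id)
        elif op["op"] == "remove":
            self.removed.add(msg_id)  # tombstone wins over a later-arriving add
            self.present.discard(msg_id)
            for token in list(self.postings):
                self.postings[token].discard(msg_id)
                if not self.postings[token]:
                    del self.postings[token]
        else:
            raise ValueError(f"unknown op {op['op']!r}")

    def search(self, query: str) -> Set[str]:
        """Blind the query words the same way and intersect their posting lists."""
        result = None
        for word in TOKEN_RE.findall(query.lower()):
            ids = self.postings.get(blind_token(self.key, word), set())
            result = set(ids) if result is None else result & ids
            if not result:
                return set()
        return result if result is not None else set()

    def snapshot(self) -> Tuple[Dict[str, List[str]], frozenset]:
        return {t: sorted(ids) for t, ids in self.postings.items()}, frozenset(self.present)


def encode_ops(ops: List[dict]) -> str:
    """Serialize an op batch as JSON lines (what a client would upload, encrypted)."""
    return "\n".join(json.dumps(op, sort_keys=True) for op in ops)


def decode_ops(blob: str) -> List[dict]:
    return [json.loads(line) for line in blob.splitlines() if line.strip()]


def build_demo() -> Tuple[EncryptedIndex, EncryptedIndex]:
    """Two clients produce ops; two fresh indexes apply them in opposite orders."""
    # Constructed sample messages.
    m1 = "Your invoice for May is attached. Total due: 42 EUR"
    m2 = "Invoice reminder: payment overdue"
    m3 = "Lunch on Friday?"
    client_a = EncryptedIndex(KEY)
    batch_a = encode_ops([client_a.op_add("m1", m1), client_a.op_add("m2", m2)])
    client_b = EncryptedIndex(KEY)
    batch_b = encode_ops([client_b.op_add("m3", m3), client_b.op_remove("m2")])

    first, second = EncryptedIndex(KEY), EncryptedIndex(KEY)
    for op in decode_ops(batch_a) + decode_ops(batch_b):
        first.apply(op)
    for op in decode_ops(batch_b) + decode_ops(batch_a):   # remove m2 arrives before add m2
        second.apply(op)
    return first, second


if __name__ == "__main__":
    first, second = build_demo()
    print("converged:", first.snapshot() == second.snapshot())
    print("invoice ->", sorted(first.search("invoice")))
```

The tombstone set grows without bound here; a real client would compact it once every peer has acknowledged the batch.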
I have a lot of emails that are receipts from various businesses where most of the content is in an attached PDF. Same for images, where you'd need to run OCR and some off-the-shelf object recognition on it, but that's less common based on my usage.
Building the index independently on each client means if you login from a new device you need to wait for the index to be built. That said, maybe the index can itself be encrypted and uploaded to the server to be downloaded by new clients. Also, building an index is potentially expensive on a mobile phone and I don't want to wait for my phone to be plugged in to be able to search recent emails. The alternative would be to have an always-on computer at home that decrypts and indexes your emails, and then your mobile client updates its database from there. This whole system feels so fragile though.
I'm no expert in cryptography or syncing databases but I imagine there are a lot of technical and usability issues.
> Building the index independently on each client means if you login from a new device you need to wait for the index to be built. That said, maybe the index can itself be encrypted and uploaded to the server to be downloaded by new clients.
But how often do you log in from a new phone? And yes it could be.
> Also building index is potentially expensive on a mobile phone and I don't want to wait for my phone to be plugged in to be able to search recent emails.
As I said in more detail before, I don't think it is.
> I'm no expert in cryptography or syncing databases but imagine there are a lot of technical and usability issues.
There's a few. But making an app is already a process of dealing with dozens of technical and usability issues. None of these new ones sound like dealbreakers.
Try to register a new Protonmail email address normally and you can do so without supplying too much information. Try to do so through Tor, and you will not be able to proceed without “verifying” the account with a phone number. This pattern (they want either your IP or a phone number) tells me they’re likely interested in tying accounts to real identities and shouldn’t be trusted with anything private. I would even go so far as to suspect Protonmail of being a honeypot. Oh…I’ll just leave this here:
> they’re likely interested in tying accounts to real identities
I don't think it means they're interested in tying accounts to a specific identity, just an identity, to prevent bots or bad actors from signing up for thousands of accounts. This is a necessary reality of being an email provider. If you do not police your outbound mail then other mail servers will block or auto-junk your users' messages.
There is no way to preserve privacy while also not becoming a festering ground for Viagra spam mail.
Perhaps a way to solve it would be to accept a nominal fee of cryptocurrency. Even a one-time fee of e.g. $5 would probably put a damper in someone trying to sign up for thousands of accounts while preserving privacy for real users.
Alas this is a business-ending barrier. Despite its popularity, in the grand scheme of things, not many people have a crypto account. It's also only semi-anonymous, depending on how you fund it. It'd be nice if more businesses accepted crypto, but it isn't viable as a requirement or primary payment mechanism.
I think it would be useful enough in the context of anti-spam while preserving anonymity, not necessarily as a source of generating revenue. There are cryptocurrencies that preserve anonymity as well.
No, mannerheim is correct. You are saying "yeah, but some people can't", but his solution solves the issue. If you want to register under Tor over an anonymous and secure mail system, having $5 of Monero is the easiest thing to procure: there are communities that trade for cash, or you can even mine anonymously. There may be other alternatives, but one solution to avoid bots doesn't exclude others. You as a subscriber should be able to choose the one that fits you, so saying some may find it difficult doesn't say that this solution is invalid, just that maybe it must not be the only option available.
Sorry, I was updating my answer while you replied. I think I've replied to this in my previous message: what I mean is IP, or phone, or $5 Monero, or Google captcha, or something else. You choose, then you have different privacy levels and they keep the service bot-free. The entry barrier is not increased because you are free to choose what you want. Maybe they can even say Monero mining in your browser for 3 hours; it's a quite reasonable request imo and should help vs bots. Yeah, in reality it's increased only if you compare to no bot filter.
I'm not saying you're wrong, but that particular source is well known for making big claims with insufficient evidence, and it reads like it was written by a conspiracy theorist. Many of the author's claims have already been (imo, pretty solidly) refuted by Proton.
Disclaimer: using protonmail until my current subscription runs out, then self-hosting
Doesn’t self-hosting also have privacy downsides, being that all the hardware is tied to you? I’d imagine whatever minor resistance to wiretapping a multiuser site gave regarding privacy of non-investigated individuals would disappear.
It depends on your threat model. If you’re worried about big companies like Google harvesting your data, self-hosting is a great solution because you remove them from the equation entirely. On the other hand, if you’re worried about three-letter government agencies, you need to go through much more extreme measures. Most people aren’t as concerned with the latter, though.
This is why I self-host. I'm not trying to hide from the government, as I know they don't care about me. Sure, in principle I don't want them snooping me, but it's not a concern. I self-host because I don't want companies snooping all my data.
> Doesn’t self-hosting also have privacy downsides, being that all the hardware is tied to you?
Sure. But I'm not worried about someone who has an actual warrant for ME getting at stuff.
What I want to stop is some random law enforcement idiot from Dipshitsville, Texas, from sending an electronic request to Google for "every email with the word "abortion" and "protest" in it" who promptly turns over all my email.
If you want my email, you're gonna have to get up off your chair, file a warrant with somebody's name on it in front of a judge, crossfile in some different legal jurisdictions, and have someone come seize my machines.
That will stop most everybody short of NSA.
If your threat is the NSA, you're screwed anyway. If they can't get at your email legitimately, they'll just fabricate the evidence they need against you.
> If your threat is the NSA, you’re screwed anyway. If they can’t get at your email legitimately, they’ll just fabricate the evidence they need against you.
The NSA doesn’t need evidence; you must have them confused with the FBI.
Self hosting these days is almost impossible because most email providers like gmail and yahoo mail will automatically move your emails to spam. It’s all based on IP address and how reliable that IP address is. Self hosting guarantees that all your sent email will end up in spam folders.
Same here. I set up a new email server last month and most every big email service made it pretty easy to get whitelisted, but not Microsoft. They're a total pita to deal with. Google made it very easy.
My server is a "Mail-in-a-Box" running on a DigitalOcean VPS.
Same here, been hosting for over a decade now. You do need to be on top of all the latest technologies, and still some problems will arise once in a while. But all in all, it's a pretty smooth operation.
Why not receive all mail on your server and send your mail through your ISP?
That way no one reads the emails sent to you and the ones that you send get through (and outbound privacy is not expected if you are sending to gmail or another provider anyhow).
That also makes it harder to track conversations and would take manual work to recreate the conversation threads.
This isn't true at all. I self-host email, with full SPF/DKIM/DMARC, ESMTP, and my email isn't rejected anywhere. I'm sending and receiving via a Digital Ocean VPS. I've had the same IP for six years, and never had a problem.
The bigger problem is finding a hosting provider that hasn't had their entire space blacklisted.
For that, you're likely going to have to pick a "responsible" provider, have a couple of rounds of back and forth with them to prove you're neither an idiot nor a spammer, and ask them to manually open the port for you. And they're going to demand something that will tie to identity.
> Self hosting these days is almost impossible because most email providers like gmail and yahoo mail will automatically move your emails to spam.
This is completely not true. Comes up every time there is a thread related to email. Every time many of us who host our own email servers will explain how it is not true. You can absolutely self-host your email server for your domains, configure it correctly and it will work fine.
gmail has a huge false positive spam identification problem, but it applies to all emails, even those from gmail to gmail.
That's what I used to think, but it does indeed seem to be possible to build a reputation over time. I've been running my own email server for something like 4 years now and emails seem to get through to gmail and outlook accounts almost always at this point.
From talking to other people who tried the same, my theory is that the main reasons for my success were having everything configured well from the very beginning, running on a single static IP for multiple years, hosting at a reputable mid-range server provider (not the cheapest, not the most popular) and not sending any "broadcast" email whatsoever for a very long time.
A visitor from TOR is extraordinarily more likely to be abusive. It makes total sense to put up extra barriers, which is still short of blocking TOR users altogether, which is also fair for webmasters who don't want to deal with it.
> A visitor from TOR is extraordinarily more likely to be abusive. It makes total sense to put up extra barriers, which is still short of blocking TOR users altogether, which is also fair for webmasters who don't want to deal with it.
And why is that again? I want to understand that argument.
In the case of a DDoS scenario: well, too late, the traffic has already been served and the server has already done the workload.
In the case of password brute forcing: well, then implement latency or a cryptographic challenge to delay it more efficiently.
In the case of an "evil" human: well, if a human can get past your security so easily, then your approach to security through obfuscation might be wrong.
So, again, what is the scenario where a captcha helps you to avoid being "attacked" by malicious actors?
> What about the case of someone signing up for thousands of accounts?
My question is related to the specific /login page, not the registration page.
I understand the benefit for blocking spammer signups, but not for the current case of the login page, where users already have an account, have been verified (the account/password was correct; the captcha appears in the second step), and then have to enter a second decryption password manually.
In that scenario there's no argument on the "WHY" a captcha helps. It simply doesn't.
Why would that be a problem on surface? You have thousands of users, why do they need to be unique identities?
The only reason I can think of is because they want more unique identities. More unique people means a greater chance for a purchase. More mail accounts just cost more.
The entire business model of free accounts requires someone paying for something extra. By uniquely identifying people they can limit new accounts and increase their chances of an upsell.
What if they changed how they operated? Instead of looking for more unique identities, why not accept multiple addresses and include an ad at the end of every free email letting the receiver know this came from protonmail? That would give a benefit for each email sent, provide more advertising and give users a reason to upsell.
My guess is having that ad after every mail would bother you (the customer) more than having your identity uncovered.
I don't think they have a problem with a user creating two or three accounts. It's a problem if someone creates thousands of email accounts to send spam with.
The mindset is basically: Programming is hard so we're going to block as many non-paying customers as possible to limit the blast radius when we inevitably fuck up. And inconvenience those paying users too, because we can't figure out how to mitigate DoS attacks at the edge. And then we'll give a talk at a Next.js conference or something.
I’ve always found it weird how people jump hoops to be apologists for Protonmail
Does anybody else find that weird?
“I completely misunderstood Swiss privacy laws and fell for a sales pitch from an email and VPN company that goes out of its way to track every user no matter how they sign up! It's to avoid email abuse, exclusively!”
"The recaptcha, when it shows up (in rare situations), is sandboxed so that it doesn't send any data to Google. We are also in the process of replacing it with hcaptcha."
Not sure what possible sandboxing they could be referring to - if they load the captcha in an iframe from a different origin then it is true that Google's javascript can't access things on the Protonmail origin, but the concern seems to be that your data is sent to Google (which is still happening even with sandboxing, their tweet cannot be correct), not that Google's recaptcha javascript would have done something malicious on the Protonmail origin (which seems unlikely).
hcaptcha is not much better than recaptcha, in that its only ‘improvement’ is shifting data extraction from google to cloudflare.
also, captcha in general shifts burden onto and penalizes legitimate users, especially privacy-conscious ones, in addition to malicious ones. that is, false positive rates are too high to achieve acceptable false negative rates.
it would be better not to use a centralized captcha service, if one must be used at all.
This is not actually true: every relevant aspect is different from a privacy perspective, both technical and legal.
Looking only at the technical differences, hCaptcha lets enterprise users like Proton locally scrub any info like IPs prior to sending to hCaptcha. It can be set up so that the user makes no direct connection at all to the service, and the code runs inside of a sandboxed IFRAME.
As for false positive vs false negative rates, not sure what you consider too high. We've been able to demonstrate FP rates under 0.005% when measured against known-good/bad signals from customers, which is as good as it gets.
those things can be true and still not negate the issues mentioned, since not enough information is provided to make a fair assessment. it can be set up a certain way, but the incentives are against that, so is it actually set up that way? iframes aren’t perfectly isolated either. and without a curve of false positive vs. false negative rates, no conclusion can be made of the optimality. even 0.005% is still likely hundreds of thousands a day for larger sites, and being only a demonstration means it’s an ideal measure, not a practical one.
And yet I get stuck in endless captchas. Without disclosing what a known good/bad signal is, you are essentially trusting a black box and a random account on the internet.
write your own? many personal tech blogs do this for comment forms and the like. any kind of ambiguity that’s natural for a human to parse accurately but not obvious for a machine is fair game. most bots won’t one-off a solution for smaller sites, so it doesn’t need to be too fancy. for larger ones where one-off customizations might be more likely, lots of engineering resources go toward security and fraud prevention already, so they can afford more sophistication.
but more importantly, in the long term, it needs policy and legal progress. it needs to be costly and international (via treaties/sanctions).
I can't speak to the sandboxing, but their implementation is definitely non-standard considering that I don't see Google or gstatic appearing in umatrix when I go through the logon process and they aren't flagging me for captcha even though I am coming out of a known VPN endpoint which trips recaptcha on every other site that employs it.
the ip, any fingerprinting that the captcha code does.
so in effect google can tie you to this visit later if you interact with anything that has a captcha. now these two things are linked in the borg’s memory.
so if you use google (anything while logged in, even once) now google knows everything else you do
As a fan of ProtonMail, will just add a few points:
Every popular online service today is being continuously attacked. Bad actors get a lot of economic value from credential stuffing, account takeovers, and fake registrations, especially on email services.
This is why CAPTCHAs exist. They are one of the better tools in the defender's arsenal to increase the cost of attacks.
Building and maintaining a good CAPTCHA service is both hard and requires a high level of continuous development, since every day people are waking up and trying to figure out how to break it.
This means almost every company that tried building their own in the past has switched to either hCaptcha or Google, since it is not practical for even large companies to maintain their own solution these days.
Why was ProtonMail originally using Google? Probably because for many years it was the only plausible option until hCaptcha came around, and they needed to protect their users.
We're working with them now to switch over to the enterprise version of hCaptcha, which:
1) includes privacy-preserving features that let them decide exactly what user data hCaptcha sees and when, and
2) guarantees what happens to any data received via a data processing agreement, and
3) isn't run by an ad network.
hCaptcha doesn't care who you are and ensures all data is ephemeral, since unlike Google we're not trying to sell ads targeting you.
> Building and maintaining a good CAPTCHA service is both hard and requires a high level of continuous development, since every day people are waking up and trying to figure out how to break it. This means almost every company that tried building their own in the past has switched to either hCaptcha or Google, since it is not practical for even large companies to maintain their own solution these days.
I’m under the impression that the bottleneck isn’t “high level of continuous development” so much as it is just having a large enough data set of Internet activity to conduct statistical analyses on. Cloudflare and Google are obviously in a good position for this, since a significant amount of Internet traffic goes through them. But I can’t create a startup to invent the next Captcha unless I magically discover a flash drive containing a giant corpus of HTTP requests made by billions of modern devices around the planet.
Although it seems to go against the spirit of Protonmail and its ethos I'm not exactly sure there are many good options, hcaptcha is the lesser of two evils and a fundamental requirement on the modern web.
Even HN requires a recaptcha if you fail too many times (and it's also based on IP).
If you want to blame anyone blame:
1: The bad actors spamming logins
2: Google for essentially monopolizing captcha
hcaptcha proves there's a market/demand for alternatives, this is HN, if you dislike it, go build a better alternative than Google's and I am sure PM will be only too pleased to switch.
Complaining is easy, actually changing something is more difficult.
(P.S. I challenge anyone to deploy a system used by tens of thousands and not have any abuse/rate limiting systems; you'll soon be turning to captchas at some point)
I wouldn't say Google is monopolizing captcha, it's that captcha is hard and you essentially need to come up with some expensive problem that is hard for computers but easy for humans.
Personally, I hate hCaptcha more than recaptcha. Craigslist uses it for their contact forms and I hate it. hCaptcha is much more difficult and tedious than recaptcha.
This headline is unfortunately misleading. Recaptcha is not used on every login (this is verifiable). It only appears in rare situations when it is required to prevent abuse.
If you are using Tor or VPN, this might be the case. Another possibility is that you (or somebody on your network, or ISP in the case of NAT/shared mobile IP), have installed an app that is using an SDK like Luminati [1] or similar, which is causing the IP to be abused in the brute force attempts our anti-abuse systems are trying to prevent.
There is more information in the Github thread, but in short, it was done with extreme reluctance (and we are already in the process of implementing hcaptcha) as a result of login attacks from millions of residential IP addresses.
Luminati, and companies like that, distribute an SDK to many app developers. App developers incorporate the SDK, and your device is unwittingly turned into a proxy network endpoint, and the app developer gets paid for this. A surprising number of apps do this, so you could have an app installed doing this without even being aware, as it would only be disclosed in the app's privacy policy, which people don't actually read.
Something is clearly happening server-side, not client-side. The original post cites two weeks since this began, and I confirm. Surely we have not all contracted this problem in this time?
I have 3 accounts which I'm using quite actively throughout the week and I haven't seen any captcha on any of these, neither on Windows nor Linux; I've been using PM since I moved from GMail in 2018.
I'm in Poland, using one of the most popular landline ISPs.
That probably means you have tracking enabled. I'm not a protonmail user (I host my own email) but from my general experience with recaptcha, try opening it in a private navigation window. If recaptcha doesn't ask you to solve anything, they've already been tracking you to make up its mind. Of course, whether this is fine by you is up to you, but it sounds like you might be unaware of this.
Maybe you could also display that information when you show a captcha. "We've observed x login attempts from your IP in the last y days."
Usually you wouldn't want to make it easy for botnet owners to find out they've been caught, but since displaying the captcha already reveals that, having an explanation might help regular users who got a low-reputation IP assigned.
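The suggestion above, a challenge decision that can also explain itself to the user, is shown here as an added example; it is not Proton's anti-abuse code. It parses constructed log lines in a hypothetical format, counts recent failed logins per source IP over a sliding window, flags the credential-stuffing pattern of one IP failing against many different usernames, and produces the "x attempts in the last y days" explanation when it decides to challenge.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Hypothetical auth-log format; the IPs are documentation ranges (RFC 5737).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one IP spraying five usernames, one ordinary user, one
# stale entry from a week earlier and one malformed line that must be skipped.
SAMPLE_LOG = """\
2021-05-27T09:58:00Z login ip=203.0.113.7 user=alice result=fail
2021-05-27T09:58:03Z login ip=203.0.113.7 user=bob result=fail
2021-05-27T09:58:05Z login ip=203.0.113.7 user=carol result=fail
2021-05-27T09:58:08Z login ip=203.0.113.7 user=dave result=fail
2021-05-27T09:58:10Z login ip=203.0.113.7 user=erin result=fail
2021-05-27T09:57:00Z login ip=198.51.100.4 user=alice result=fail
2021-05-27T09:59:00Z login ip=198.51.100.4 user=alice result=ok
2021-05-20T08:00:00Z login ip=203.0.113.7 user=zed result=fail
this line is not an auth record
"""

NOW = datetime(2021, 5, 27, 10, 0, 0, tzinfo=timezone.utc)  # constructed "current time"


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass(frozen=True)
class Decision:
    challenge: bool
    failures: int         # failed attempts from this IP inside the window
    distinct_users: int   # distinct usernames those failures targeted
    message: str          # explanation shown alongside the CAPTCHA, if any


def parse_line(line: str) -> Optional[Attempt]:
    """Return an Attempt for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Attempt(ts, m["ip"], m["user"], m["result"] == "ok")


def parse_log(text: str) -> List[Attempt]:
    return [a for a in (parse_line(l) for l in text.splitlines()) if a is not None]


def decide(attempts: List[Attempt], ip: str, now: datetime,
           window: timedelta = timedelta(days=1),
           max_failures: int = 5, max_users: int = 3) -> Decision:
    """Challenge when an IP has too many recent failures or targets too many accounts."""
    cutoff = now - window
    recent = [a for a in attempts if a.ip == ip and not a.ok and cutoff <= a.ts <= now]
    failures = len(recent)
    distinct_users = len({a.user for a in recent})
    challenge = failures >= max_failures or distinct_users >= max_users
    message = ""
    if challenge:
        # Showing the CAPTCHA already reveals the IP is flagged, so explaining
        # the count costs nothing extra and helps a user on a recycled IP.
        message = (f"We've observed {failures} failed login attempts from your IP "
                   f"address in the last {window.days} day(s).")
    return Decision(challenge, failures, distinct_users, message)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for source in ("203.0.113.7", "198.51.100.4"):
        d = decide(log, source, NOW)
        print(source, "challenge" if d.challenge else "allow", d.message)
```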
Thanks for clarifying! Showing a captcha, though perhaps not Google's, under those conditions sounds sensible. I didn't know that as a non-user (I use your VPN, fwiw :) ).
Thanks, I appreciate it! I still don't see the captcha even when I use a private window though. Browser is Brave on Mac. Also outside the private window I have shields up, which means trackers, ads, cross-site cookies and fingerprinting are all blocked.
An email/SaaS provider that explicitly markets themselves as "private", complaining that "CAPTCHAs are very hard to build", and will therefore sacrifice user privacy is too rich.
I can recommend Migadu. Worth it if you already pay for a domain (which you should, imo, to have a portable e-mail address). I pay for the $19 annual plan and find it sufficient, and I love the flexibility of the admin panel.
I considered Migadu, but saw their stance on free speech and decided not to go with them:
https://www.migadu.com/use/#anti-violence-commitment
"Hate speech" is too vague and highly subjective and just leads to censorship.
While visiting Migadu’s site, it seems like a good option for some, but new users should definitely read their drawbacks list before committing to it. No 2FA and no encryption. Therefore not a replacement for something like ProtonMail or TutaNota. https://www.migadu.com/procon/
+1 for Migadu! I'd been a paying customer for Protonmail for a few years now but stuff like this had slowly been pushing me away. A few months ago I set up Migadu with my own domain and it's worked without issue ever since. Another plus is that I can finally use my own email clients without having to deal with proton bridge
That stinks. I'm on Fastmail but its hard point has to do with being based in Australia and the recent government efforts of forcing entities to comply with police inquiries.
Fastmail rightly points out that the Australian law has no meaningful impact on them. They do not offer an end-to-end encrypted service, and hence, don't need to backdoor it.
The vast majority of mail services will hand your data to the government on court order. Though if your mail is hosted in a different country than you live in, it's arguably more frustrating for them to do so, since they must use international agreements to get it.
If state ordered surveillance is in your threat model, you need a very different type of mail service than almost everyone else.
> it's arguably more frustrating for them to do so, since they must use international agreements to get it.
Caution, abject speculation:
I thought spooks like this kind of thing because they can do illegal things in other jurisdictions that they're restrained from doing in their own - or get foreign agents to spy on you to avoid getting a warrant. Like they can route traffic to another country, then have affects there hack you to avoid laws that curtail actions against your own citizens.
I don't know, just seemed like one point of groups like Five-eyes.
But in any case, they are not buddies, not even colleagues in the same office floor. They at least need to find contacts in the remote country and persuade them to spend time for their task. Sometimes that’s all it takes to prevent them from passively collecting signals, unless you are an important target.
This is absurd indeed. hCaptcha[0] is a better alternative though, and I wouldn't mind if they used that instead of reCaptcha. I never liked the carpal tunnel that reCaptcha introduces.
Even as recently as 5 years ago I liked the idea of captchas. I still understand the purpose behind them but recently I've started getting really annoyed by them (whether that be reCaptcha or hcaptcha or anything else). They are just everywhere and it gets incredibly tedious to have to solve one every odd click or so. And it gets even worse if you use a VPN or tunnel or god forbid Tor: there's no way to solve them there AT ALL. Which is the sad part: despite the tons of innovation in ML, captchas seem to rely on recursion of hardcoded rules which pile up indefinitely the moment you step outside your "start your computer and open up a browser" behavior. Kind of sad considering the abundance of information browsers pass on with each request.
In some cases, it seems the companies deploy them to coerce and punish: 'logged out, did you? you deserve this captcha for trying to thwart our tracking, peasant! work this useless problem for us for free!' Looking at you, Meetup.
> Recently I've started getting really annoyed by them
In the end, the services that are using captchas are the services that become the least liked, and users will start migrating to other services that don't use captchas, so there's a business penalty for using them.
On the other hand, if you want to filter out bad actors, then captchas are the way to go. The reason I recommended hCaptcha is because they're easier to solve, and sometimes Google's reCaptcha offering is so complex and hard-to-solve that it starts inducing carpal tunnel / RSI symptoms (at least for me). I don't get so easily fatigued & inflamed with hCaptcha though.
When you log in with a password the server gives you a cookie/token so you stay logged in. It can be invalidated if your IP changes, it expires or something like that. But if you're logged in with 2FA those rules can be relaxed; it's as simple as that if you ask me. Implementation dependent of course.
I don't think those sites show you a captcha before you enter your login and password, but rather on submit. So for that username you don't show them a captcha at all, if they don't have a proper cookie you ask for 2FA.
I don't understand the love for hCaptcha. The only thing it has going for it is being outside of the Google brand and that it is cheaper. Outside that, we don't know that they don't do the same shady shit Google does, they're equally as bad as reCaptcha, and they're equally inaccessible.
Another user-hostile. Folks laugh when I say I run my own email (FreeBSD/Postfix) and "why build your own mail client"? Because, inevitably, all these for profit service providers turn against me.
Not really. Once Postfix, Dovecot, the DNS stuff and DKIM are set up, it "just works". I did lose some time three years ago fiddling with SpamAssassin vs rspamd, but mail, after the not-really-that-hard-at-all setup, just works. I mean, folk handle way more complex stuff (k8s) but balk at a bit of time on this old, boring, stable set-it-and-forget-it self-hosted wonder.
Setting up dovecot, postfix to receive emails is a fun few hours that have continued to work forever.
Sending mail to gmail requires setting up extra processes that most times won't work anyway. Sending mail from an unknown IP is like sending it from a blacklisted address. To avoid this I use my ISP to send the mail.
Setup time including Thunderbird settings is under 2 hours for many.
> i would not laugh. think it’s impressive and must eat a lot of time
It does not.
I set up my latest/current email hosting in about 2011. Very minimal work on it since then. There's really nothing to do once it's working.
Only work I can think of I've spent on it since 2011 is: regular OS updates (which take basically no time), added SPF and later DKIM support, added Let's Encrypt cert. That's it in ten years.
I was scratching my head this week when they were releasing the time the 'Hamas' bomb threat email came in with regard to Belarus hijacking that flight.
It seemed rather fine-grained knowledge of specific communications that doesn't serve the narrative of privacy first. The articles I read made it sound like ProtonMail had just decided to share details on it rather than a more formal, court-ordered process.
I know in this situation there aren't too many people who would raise questions, but it did strike me as strange given how they market their service.
I understand what you mean, but it's important to understand the technological side here. Protonmail offers an email service, and despite all privacy marketing, very little of that applies to emails which enter or leave their own systems. This is a requirement if their users are to communicate with a non-Protonmail address.
Any message that interfaces with the standard email network is better off regarded as public communication. I can only imagine the legal implications that would compel Protonmail to assist law enforcement after their service was misused and complicit in an alleged bomb threat.
Their Terms of Service surely outline that illegal activity will void their protection as far as possible. Keeping communications inside their in-house, zero-knowledge email service on the other hand, would make it very hard for Protonmail to produce any of this information. That is their actual privacy offer, as far as I understand.
To Protonmail's defense, I haven't heard that this email has successfully been linked to any real identity past the phony Sulanov alias.
Modern Google captcha (v3??) doesn't show a captcha if they already have enough data about you. E.g. through 3rd party cookies, or by fingerprinting anything from your browser to your mouse movement and typing pattern. (Not sure what exactly they currently use, so these are just examples of what they might use.)
Google's recaptcha does have an invisible mode, where it doesn't show you a captcha unless it thinks you are a bot. Which it determines by tracking your online activity...
> [from a commenter on the OP, in reply to the Protonmail response] If an Incognito Mode web browser with a graphical user that actively moves his mouse, types in the password in a non-automated manner, key by key - not copy/pasted and not auto-inserted within a millisecond - seems suspicious to your system - then I have to say your ways of identifying or classifying suspicious behaviour are very flawed. There are way better, already solved ways to do this.
If you know this, then I guarantee that the people making spam bots know this too. This is a very naïve argument.
Also seems particularly odd to even have reCAPTCHA on the email login page. Who cares if robots check email, so it doesn't seem user friendly to prove humanity to read email or get a login error.
Robots use email systems so they can get a "free" way to send their stuff. I also work for an e-mail company and this is a very big problem for us. Sadly reCAPTCHA before and Cloudflare captcha now are among the irreplaceable tools for fighting spammers for us...
For people signing up, sure. Anything that can send emails containing user-generated content will get abuse that way. But for logging in, it seems odd; unless you require something like it for SMTP access (which I haven’t heard of anyone ever doing), it’s not going to help you block spam-senders.
Sadly reCAPTCHA and Cloudflare captcha will never recognize my input as correct, and I hope this is happening to a lot of people in conjunction with a trend of declining traffic as a result of using captchas.
That’s what per-IP and per-user rate limiting is for—by themselves, those two are close to sufficient. Any form of CAPTCHA would be a terrible sole defence (such things don’t block bots, they just make it a bit more expensive and help a bit with drive-by attacks), and adds very little for defence-in-depth, while introducing new problems where you inconvenience and block access to your real customers. I find the inclusion of reCAPTCHA on a login page of a supposedly security-conscious entity very surprising. (Sign up is a different matter; there it will have very meaningful benefits and lower costs.)
Per user does not help when doing credential stuffing - the attacker tries known credentials from a leak, it’s not random cracking. Per IP blocks can be circumvented by using a botnet and slowing your attack.
Those things are why I said close to sufficient, not sufficient. For best results you will want some other form of behaviour analysis also. But reCAPTCHA suffers from serious problems too; it’s easy to find turn-key reCAPTCHA-solving services at under $1 per thousand. So reCAPTCHA is a deterrent, but far from inviolate, and for most of the kinds of attacks we’re talking about here it’s not even a particularly severe deterrent. (It would be for comment spam, since the value of each attempted submission is negligible, but for credential stuffing the expected value of each attempt is much higher.)
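To make the rate-limiting argument in the last three comments concrete, here is an added example (constructed for this thread, not ProtonMail's code) of a sliding-window failed-login limiter with per-IP, per-user and site-wide budgets; the thresholds, window and the two replayed scenarios are assumptions. It shows the single-source brute force being cut off by the per-user budget, the slow distributed credential-stuffing pattern sailing past the per-IP and per-user budgets, and the site-wide budget being the one that notices it.

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window failed-login limiter with three independent budgets:
    per client IP, per target username, and site-wide (constructed example)."""

    def __init__(self, per_ip=20, per_user=5, site_wide=25, window=300):
        self.window = window                  # seconds; assumed setting
        self.ip_fail = defaultdict(deque)     # ip -> failure timestamps
        self.user_fail = defaultdict(deque)   # username -> failure timestamps
        self.site_fail = deque()              # every failure, any source
        self.limits = {"ip": per_ip, "user": per_user, "site": site_wide}

    def _queues(self, ip, user):
        return (("ip", self.ip_fail[ip]), ("user", self.user_fail[user]),
                ("site", self.site_fail))

    def allowed(self, ip, user, now):
        """True if this attempt may proceed to password verification."""
        for name, q in self._queues(ip, user):
            while q and q[0] <= now - self.window:   # drop expired failures
                q.popleft()
            if len(q) >= self.limits[name]:
                return False
        return True

    def record_failure(self, ip, user, now):
        for _, q in self._queues(ip, user):
            q.append(now)


def replay(events, limiter):
    """events: constructed (time, ip, user, password_ok) tuples.
    Returns (blocked, passed); each failed attempt feeds the limiter."""
    blocked = passed = 0
    for t, ip, user, ok in events:
        if not limiter.allowed(ip, user, t):
            blocked += 1
            continue
        passed += 1
        if not ok:
            limiter.record_failure(ip, user, t)
    return blocked, passed


# Constructed scenario A: one IP guesses 30 passwords for one account in 30 s.
BRUTE_FORCE = [(i, "198.51.100.7", "alice", False) for i in range(30)]
# Constructed scenario B: 30 IPs each try one leaked pair, 10 s apart.
STUFFING = [(10 * i, f"203.0.113.{i}", f"user{i}", False) for i in range(30)]

if __name__ == "__main__":
    print("brute force:", replay(BRUTE_FORCE, LoginRateLimiter()))
    print("stuffing, no site-wide budget:",
          replay(STUFFING, LoginRateLimiter(site_wide=10**9)))
    print("stuffing, with site-wide budget:", replay(STUFFING, LoginRateLimiter()))
```

A site-wide budget is the crudest form of the "other behaviour analysis" the comment above asks for; in practice it would be a baseline of the normal failure rate rather than a fixed number.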
What we have here is users who don't re-use passwords being inconvenienced to protect those who do. Doubtlessly this is very progressive, as those who reuse passwords have less "has a fucking clue"-privilege. But nonetheless this does not sit right with me.
I don't know if the hn protonmail account is an official account or a fan account, but it seems quite unprofessional and really scares me off being a protonmail customer.
We apologize for that. It's a weekend and we are working on giving folks responses as quickly as possible. Therefore, the responses are more to the point than usual.
Someone mentioned using proof of work as an alternative to captcha. Sounds interesting, but will this actually be effective in the real world? I assume even Selenium can pass it without a problem because all it did was make the client busy for a little while, so will it actually be effective at reducing the brute force rate? Also, do botnet operators have the capability to deploy Selenium-based workloads to their botnet army?
Proof of work originated to stop spam. But it's a question of cost. If it costs less to bypass bot detection than the money made by the bot activity, then they'll do it, whether captcha farms or doing proof of work calculations.
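An added example of the hashcash-style scheme the two comments above are discussing (constructed for this thread, not anyone's production code; the difficulty setting and the `challenge:counter` format are assumptions). It makes both points visible: the solver is a plain loop that any client, scripted or not, can run, and the only thing the server controls is the expected work per attempt.

```python
import hashlib
import os

DIFFICULTY_BITS = 16  # assumed operator setting; expected work is about 2**bits hashes


def issue_challenge(issued):
    """Server side: mint a fresh random challenge and remember it, so that a
    solution is accepted once only (a solved challenge cannot be replayed)."""
    challenge = os.urandom(16).hex()
    issued.add(challenge)
    return challenge


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client side: search for a counter such that SHA-256(challenge:counter)
    starts with `bits` zero bits. Anything that can run this loop solves it;
    it buys the server time per attempt, it proves nothing about a human."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter


def verify(issued, challenge, counter, bits=DIFFICULTY_BITS):
    """Server side: one hash plus a single-use check; consumes the challenge."""
    if challenge not in issued:
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False
    issued.discard(challenge)
    return True


def expected_hashes(bits=DIFFICULTY_BITS):
    """Average hashes a client must compute per attempt: the cost knob."""
    return 2 ** bits


if __name__ == "__main__":
    outstanding = set()
    c = issue_challenge(outstanding)
    n = solve(c)
    print("counter:", n, "accepted:", verify(outstanding, c, n),
          "replay accepted:", verify(outstanding, c, n))
```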
Ever since the following ProtonMail tweet about bitcoin, I migrated to Vivaldi Browser's email service. At least Vivaldi's team recognizes that crypto“currencies” are nothing but pyramid Ponzi schemes. https://twitter.com/ProtonMail/status/1395719559215210496
A few weeks ago I noticed that Reddit also started using Google Recaptcha for account creation.
Even though I only saw it on creation, and not on login, the possibility of associating a strong identifying fingerprint with a presumably anonymous throwaway user account was concerning.
Weird. I've been using ProtonMail for years as my primary email, and I don't think I've ever seen a captcha. This includes when I visit ProtonMail over VPNs or in a private window.
I can understand requiring a captcha for registering, but not for logging in. Also: does anyone know if they have to do this even if you have a Protonmail cookie set in your session?
I wonder if it's a response to the recent incident with the Ryanair plane that got grounded by Belarus. I believe an anonymous email with a bomb threat was sent with ProtonMail.
It only appears for a tiny fraction of users. When recaptcha was first added in 2014, it was the only captcha service that wasn't broken. Today there is also hcaptcha, which we are working on implementing and will switch to that shortly.
hCaptcha[0] is a better alternative though, and I wouldn't mind if Protonmail used that instead of reCaptcha. I never liked the carpal tunnel that reCaptcha introduces.
Last week ProtonMail integrated Google's Recaptcha to their Login Page.
As a project that advocates Privacy and Security, and was an immediate response to the Snowden Leaks, I find this kinda ironic that they now set the Google PREFs cookie for all of their users - while they still maintain the same marketing on their website.
And well, I am looking for new options now, I guess.
As much as I appreciate this comment, it is weird that it floated to the very top when the article is about location tracking built into Android by Google.
Protonmail might have issues, but the threat of some leaked information through javascript and/or cookies (hello google fonts!) can be attributed to literally every site that uses recaptcha whereas the article is talking about a much, much worse practice of tracking physical location constantly and making it difficult or impossible to use your phone without giving that information to Google.
I hope protonmail finds a better way, and agree that it's not in keeping with their stance on privacy, but it is distracting from what Google is actually doing with phones by talking about an entirely unrelated issue.
No offense intended to the parent, the comment is interesting, it's just not about the article at all and yet is the top comment at the time I write this.
Agreed! Proton could do better, but conflating their privacy approach (or, say, Apple's or Mozilla's) with Google's is exactly what Google would want you to do. "See - everyone harvests your data, at least we tend to keep it in house".
Have you contacted them? It doesn’t take a whole team of people to implement recaptcha. Could just be the mistake of one engineer who was tasked to “add a captcha to the login form”.
I hope you don’t assume the worst without investigating further.
If one single person is allowed to add a privacy compromising service to one of the most important pages on their website (the login page) then there are deep, fundamental flaws in the organization that brings into question the security of the entire platform.
I'm on a few email lists, and nearly without exception the people with protonmail accounts are entitled, inconsiderate, abusive, or out-and-out trolls. It was so consistent I went so far as to killfile any posts from protonmail accounts.