A very small fraction of logins get the CAPTCHA challenge. We, and other services, face unrelenting brute force attacks on our login endpoints. If you are seeing a CAPTCHA on login, chances are that something about your connection is suspicious to our system. It's far from perfect, and we continue to improve it, but at most a percent or two of users are seeing CAPTCHA at any time.
The CAPTCHA is run in an iframe on a separate domain to sandbox it from the Proton login flow and prevent it from compromising the webapp. Obviously Google still gets some information, but we do all we can to limit this.
CAPTCHAs are very hard to build, especially considering Google has a habit of clearing the field with its own captcha-breaking code. Most companies do not have the resources to build their own. We had an alternative CAPTCHA we were going to use as a replacement a few years ago and then the company behind it went bankrupt. We are currently looking to replace ReCAPTCHA with hcaptcha, which should alleviate some of these problems.
We have other strategies which we are also exploring to try to reduce the need for CAPTCHAs entirely, but these are also not trivial to build and integrate into all clients.
TL;DR It's a small fraction of users who are affected, it's necessary to protect our users from brute force login attacks, we don't like it either and are working hard on replacements.
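The sandboxing described in the comment above, as an added example that is not Proton's code: a third-party CAPTCHA hosted in a cross-origin iframe cannot touch the login page's DOM or cookies, so the only channel back to the app is `postMessage`, and the page must check the sender's origin before trusting a token. The host names, the CSP string and the message shape are assumptions for illustration.

```javascript
// Added example (not Proton's code): host a third-party CAPTCHA in a
// cross-origin iframe and accept its result only from the expected origin.
// The origins below are constructed placeholders, not Proton's real domains.
const CAPTCHA_ORIGIN = "https://captcha-frame.example";

// The iframe tag the login page would emit. Because the frame's origin differs
// from the app's, the same-origin policy already blocks it from reading the
// parent document; the sandbox attribute additionally denies top-level
// navigation and popups (allow-same-origin is safe here only because the frame
// is cross-origin), and no-referrer keeps the app URL out of the frame request.
function captchaFrameHtml(origin = CAPTCHA_ORIGIN) {
  return `<iframe src="${origin}/challenge" ` +
    `sandbox="allow-scripts allow-forms allow-same-origin" ` +
    `referrerpolicy="no-referrer"></iframe>`;
}

// Content-Security-Policy for the login page: only the CAPTCHA origin may be
// framed in, and the login page itself may not be framed by anyone.
function loginPageCsp(origin = CAPTCHA_ORIGIN) {
  return `default-src 'self'; frame-src ${origin}; frame-ancestors 'none'`;
}

// postMessage acceptance logic, factored out so it runs without a DOM.
// `event` mirrors a MessageEvent: { origin, data }. Returns the token or null.
function acceptCaptchaMessage(event, expectedOrigin = CAPTCHA_ORIGIN) {
  if (!event || event.origin !== expectedOrigin) return null; // spoofed or unrelated sender
  const d = event.data;
  if (!d || typeof d !== "object" || d.type !== "captcha-token") return null;
  // Shape check only; the token is opaque and is verified server-side with the vendor.
  if (typeof d.token !== "string" || !/^[A-Za-z0-9_-]{20,2048}$/.test(d.token)) return null;
  return d.token;
}

// Browser wiring; a no-op under Node, where there is no window object.
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const token = acceptCaptchaMessage(ev);
    if (token) document.querySelector("#captcha-token").value = token;
  });
}
```

The origin check is the part that matters: any page the user has open can call `postMessage` on the login window, so a handler that reads `event.data` without comparing `event.origin` would accept a token from an unrelated origin.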
> Obviously Google still gets some information, but we do all we can to limit this.
When you cause a request to be made for ReCaptcha, it seems that you're leaking enough information to (in many cases) link a possibly-pseudonymous Protonmail account to an identifiable individual.
(For example, even if you leak nothing else than times that individuals identifiable by Google logged into unidentified ProtonMail accounts, Google can already see various external activity of specific ProtonMail accounts, and you've given them temporal correlations between activity of pseudonymous accounts and logins by identifiable individuals. That's not the only example, but even that alone seems a significant risk.)
And it seems to be a real risk: Google is in the business of doing things like that, has a track record of doing things like that, and presumably is more than capable enough of doing it some more.
> but at most a percent or two of users are seeing CAPTCHA at any time.
That sounds like a lot. And the "at any time" sounds like an even higher percentage of users are potentially being compromised by the use of ReCaptcha.
> we don't like it either
I'm not yet convinced that this is the least of all evils. And I don't know how much you have to dislike it before you decide not to do it.
For persuasive effect, is it helpful to imagine the reaction of your philosophical adversaries, when they heard that ProtonMail was using ReCaptcha? I just imagined some of them laughing derisively or incredulously. I don't say that to be mean, but I don't understand the rationale for using ReCaptcha, and I want to emphasize that it seems to be a problem that threatens ProtonMail's raison d'etre and/or brand image.
(BTW, I'm assuming this ReCaptcha choice isn't due to legally-compelled cooperation in unmasking specific accounts -- in which case I wouldn't say anything -- since, in that case, I expect you'd find a way to comply without misrepresenting the rationale to everyone else. I've seen ProtonMail thinking ahead to avoid related conflicting obligations and assurances.)
(BTW, I'm speaking here of Google as an adversary of your customers, and therefore of you, only because that seems to be how your product is positioned, and why you have customers at all, rather than everyone just using GMail. I'm not saying that Google is bad; only that I think it should be considered an adversary from your perspective.)
Any small leakage of data/activity/identity is unacceptable to those of us who know how this information can be taken advantage of, and chose Proton specifically to avoid that happening.
However, it's something our team cares about. That's why 6 months ago, we started preparing to migrate to hcaptcha, even though removing reCaptcha wasn't the most pressing community demand. This work is on track to be completed in the next few weeks. We are sure that after we switch to hcaptcha, on the community voting forum, there will be a "do not use hcaptcha" suggestion, which will then start to collect votes. When it collects enough votes, we will duly allocate resources towards building our own captcha, because that's what it means to be a community driven company.
> In our setup, reCaptcha is served from a sandboxed iframe, which prevents it from being able to interfere with our JavaScript, so it does not pose a privacy or security risk.
You might perceive low user demand for this change because your users assume that you handle the privacy/security risks, and assume that the only issue is annoyance.
Off topic: please implement font size adjustment capability on iOS!
They are not what they were, what they stood against. They have been assimilated.
Sad times. But, hey they reply unlike the big G.
E.g. What was the ratio of failed logins to successful ones before implementing captcha? Now that you've implemented captcha, what is that ratio among the population of users not presented with captcha, compared to the population that is? How many attempts did adding the captcha stop?
That said, we can also understand the reaction. Back in 2014, there were no viable alternatives. Today, there is one alternative, and we started the transition to hCaptcha earlier this year, and will complete it in the coming weeks.
For security reasons, we can't say too much, but some truly massive residential IP botnets have appeared in recent years and can make millions of attempts per day. On really bad days, Captcha can appear for nearly 1% of legitimate users (some who are unwittingly part of the botnet), while blocking nearly all of the malicious attempts.
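The gating policy described in the first comment ("chances are that something about your connection is suspicious to our system") and in the comment above (a residential botnet making millions of attempts, with legitimate users on the same IPs occasionally challenged), as an added example that is not Proton's code: a sliding-window counter per source IP and per target account that asks for a CAPTCHA only when either counter crosses a threshold. The window size, the thresholds and the sample traffic are constructed; the scenario also shows why a legitimate user behind a botnet-infected residential IP is the "collateral" case the comment mentions.

```javascript
// Added example (not Proton's code): challenge a login with a CAPTCHA only when
// the source IP or the target account shows brute-force-like failure rates.
// Window, limits and the simulated traffic below are constructed values.
const WINDOW_MS = 10 * 60 * 1000;  // sliding window of 10 minutes
const IP_FAIL_LIMIT = 5;           // failures per source IP in the window
const ACCOUNT_FAIL_LIMIT = 3;      // failures per target account in the window

// Keep only timestamps inside the window for `key`, and return that list.
function recentHits(map, key, now) {
  const ts = (map.get(key) || []).filter((t) => now - t < WINDOW_MS);
  map.set(key, ts);
  return ts;
}

class LoginGuard {
  constructor() {
    this.ipFailures = new Map();      // ip -> [timestamps of failed logins]
    this.accountFailures = new Map(); // account -> [timestamps of failed logins]
  }
  recordFailure(ip, account, now) {
    recentHits(this.ipFailures, ip, now).push(now);
    recentHits(this.accountFailures, account, now).push(now);
  }
  recordSuccess(account) {
    // A correct password clears the per-account counter; the per-IP counter is
    // kept, because a botnet node may still be spraying other accounts.
    this.accountFailures.delete(account);
  }
  // Decide before checking the password, so the CAPTCHA gates the attempt itself.
  shouldChallenge(ip, account, now) {
    const ipHits = recentHits(this.ipFailures, ip, now).length;
    const acctHits = recentHits(this.accountFailures, account, now).length;
    return ipHits >= IP_FAIL_LIMIT || acctHits >= ACCOUNT_FAIL_LIMIT;
  }
}

// Constructed scenario: one botnet node sprays eight accounts from a residential
// IP; "alice" lives behind that same IP; another user comes from a clean IP.
function simulate() {
  const g = new LoginGuard();
  const t0 = 1_700_000_000_000; // arbitrary epoch milliseconds
  for (let i = 0; i < 8; i++) g.recordFailure("203.0.113.7", `victim${i}`, t0 + i * 1000);
  return {
    botnetNode: g.shouldChallenge("203.0.113.7", "victim99", t0 + 9000),      // true
    collateralUser: g.shouldChallenge("203.0.113.7", "alice", t0 + 9000),     // true
    cleanUser: g.shouldChallenge("198.51.100.4", "alice", t0 + 9000),         // false
    afterWindow: g.shouldChallenge("203.0.113.7", "alice", t0 + 9000 + WINDOW_MS), // false
  };
}

// Distributed guessing against one account from many IPs trips the account limit.
function simulateAccountSpray() {
  const g = new LoginGuard();
  const t0 = 1_700_000_000_000;
  for (let i = 0; i < ACCOUNT_FAIL_LIMIT; i++) g.recordFailure(`198.51.100.${i + 10}`, "bob", t0 + i);
  const challenged = g.shouldChallenge("198.51.100.200", "bob", t0 + 100); // true
  g.recordSuccess("bob");
  return { challenged, afterSuccess: g.shouldChallenge("198.51.100.200", "bob", t0 + 200) }; // false
}
```

The per-account counter is what catches a botnet that spreads its guesses across many IPs, and the per-IP counter is what catches one node hitting many accounts; the cost of the second counter is exactly the collateral case above, which is why the window is short and the counter expires on its own rather than blacklisting the address.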
That's reasonable. Thanks for responding.
Ah yes. All those insecure IoT and unpatched/unpatchable routers that are discoverable on shodan and ultimately end up joining giant botnets. They are a plague not just to ProtonMail.
TBH, I’ve never seen a Captcha. But then I’d tend to use your service via mutt/bridge or the iOS app. And I have MFA enabled.
Obscuring reasons due to security. Sounds like a security through obscurity type of thing.
Good luck with the fight.
IME CAPTCHA will make your internet use unbearable if you a) are from a non-Western geo-location or b) you use a VPN. VPNs like the service you provide, which a fair number of your email users probably avail. It's fair to say a smaller number of "internet users" get CAPTCHA hell (which I also doubt), but I wonder if the ratio of Proton* users actually skews the other way.
The best mitigation as a user is to never reuse a password; however, ProtonMail cannot enforce this. From their side the best option is to slow down the hackers as much as possible so it's less likely their more vulnerable users get compromised.
This may or may not be a problem for you.
> TL;DR It's a small fraction of users who are affected
Yes, though any of your users can be affected, randomly, without warning.
(btw, the GP mentions hcaptcha)
There's a limit to how much information one can get across that way, so we err on the side of explaining the spirit of the site and leave the 'case law' to specific moderation comments. One of these years I want to compile those into an extended FAQ or something, which could provide a home for the kind of documentation you're talking about.
If anyone is so weird as to want to read an entire 'essay' about this, I wrote one a couple days ago: https://news.ycombinator.com/item?id=27307680. The relevant subthread starts at https://news.ycombinator.com/item?id=27303886.