
A few comments about this.

A very small fraction of logins get the CAPTCHA challenge. We, and other services, face unrelenting brute force attacks on our login endpoints. If you are seeing a CAPTCHA on login, chances are that something about your connection is suspicious to our system. It's far from perfect, and we continue to improve it, but at most a percent or two of users are seeing CAPTCHA at any time.

The CAPTCHA is run in an iframe on a separate domain to sandbox it from the Proton login flow and prevent it from compromising the webapp. Obviously Google still gets some information, but we do all we can to limit this.

CAPTCHAs are very hard to build, especially considering Google has a habit of clearing the field with its own captcha-breaking code. Most companies do not have the resources to build their own. We had an alternative CAPTCHA we were going to use as a replacement a few years ago and then the company behind it went bankrupt. We are currently looking to replace ReCAPTCHA with hcaptcha, which should alleviate some of these problems.

We have other strategies which we are also exploring to try to reduce the need for CAPTCHAs entirely, but these are also not trivial to build and integrate into all clients.

TL;DR It's a small fraction of users who are affected, it's necessary to protect our users from brute force login attacks, we don't like it either and are working hard on replacements.

I'm going to put you on a spot a bit, because this seems important to ProtonMail's viability, and I want you to keep succeeding...

> Obviously Google still gets some information, but we do all we can to limit this.

When you cause a request to be made for ReCaptcha, it seems that you're leaking enough information to (in many cases) link a possibly-pseudonymous Protonmail account to an identifiable individual.

(For example, even if you leak nothing else than times that individuals identifiable by Google logged into unidentified ProtonMail accounts, Google can already see various external activity of specific ProtonMail accounts, and you've given them temporal correlations between activity of pseudonymous accounts and logins by identifiable individuals. That's not the only example, but even that alone seems a significant risk.)

And it seems to be a real risk: Google is in the business of doing things like that, has a track record of doing things like that, and presumably is more than capable enough of doing it some more.

> but at most a percent or two of users are seeing CAPTCHA at any time.

That sounds like a lot. And the "at any time" sounds like an even higher percentage of users are potentially being compromised by the use of ReCaptcha.

> we don't like it either

I'm not yet convinced that this is the least of all evils. And I don't know how much you have to dislike it before you decide not to do it.

For persuasive effect, is it helpful to imagine the reaction of your philosophical adversaries, when they heard that ProtonMail was using ReCaptcha? I just imagined some of them laughing derisively or incredulously. I don't say that to be mean, but I don't understand the rationale for using ReCaptcha, and I want to emphasize that it seems to be a problem that threatens ProtonMail's raison d'etre and/or brand image.

(BTW, I'm assuming this ReCaptcha choice isn't due to legally-compelled cooperation in unmasking specific accounts -- in which case I wouldn't say anything -- since, in that case, I expect you'd find a way to comply without misrepresenting the rationale to everyone else. I've seen ProtonMail thinking ahead to avoid related conflicting obligations and assurances.)

(BTW, I'm speaking here of Google as an adversary of your customers, and therefore of you, only because that seems to be how your product is positioned, and why you have customers at all, rather than everyone just using GMail. I'm not saying that Google is bad; only that I think it should be considered an adversary from your perspective.)

The points made in this post mirror my own, and this incident has caused my trust in sound privacy-focused design and implementation on the part of Proton to diminish somewhat.

Any small leakage of data/activity/identity is unacceptable to those of us who know how this information can be taken advantage of, and chose Proton specifically to avoid that happening.

As a community driven, open source company, resource allocation is determined through community feedback. As mentioned in another post, reCaptcha has been used for anti-abuse in Proton since 2014. The community cares about this, but it's never been the highest voted item [1].

However, it's something our team cares about. That's why 6 months ago, we started preparing to migrate to hcaptcha, even though removing reCaptcha wasn't the most pressing community demand. This work is on track to be completed in the next few weeks. We are sure that after we switch to hcaptcha, on the community voting forum, there will be a "do not use hcaptcha" suggestion, which will then start to collect votes. When it collects enough votes, we will duly allocate resources towards building our own captcha, because that's what it means to be a community driven company.

[1] https://protonmail.uservoice.com/forums/284483-protonmail/su...

That post and the comments seem to not be aware of the privacy/security risks. And the official response seems to miss it:

> In our setup, reCaptcha is served from a sandboxed iframe, which prevents it from being able to interfere with our JavaScript, so it does not pose a privacy or security risk.

You might perceive low user demand for this change because your users assume that you handle the privacy/security risks, and assume that the only issue is annoyance.
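Both the Proton reply at the top of the thread and the quoted official statement above describe the same mitigation: the CAPTCHA widget lives in a sandboxed iframe on a separate domain. The following is an added illustration, written for this page and not Proton's code, of what that embedding looks like on both sides and what the login page must check before trusting a result. The origins, the `captcha-solved` message shape and the token format are assumptions made for the example.

```javascript
// Added example (not Proton's code): a third-party CAPTCHA widget embedded in a
// sandboxed, cross-origin iframe, with the result accepted only via an
// origin-checked postMessage. Origins, the message shape and the token format
// are assumptions made for this illustration.

const CAPTCHA_ORIGIN = 'https://captcha.separate-domain.example'; // assumed: widget host
const LOGIN_ORIGIN = 'https://account.example';                   // assumed: login page origin

// Flags the widget needs and nothing more. Deliberately absent: allow-top-navigation
// (the frame cannot redirect the login page), allow-popups, allow-modals.
// allow-same-origin keeps the frame's own origin so event.origin is checkable below;
// the frame is still cross-origin to the login page and cannot touch its DOM or storage.
const SANDBOX_FLAGS = ['allow-scripts', 'allow-forms', 'allow-same-origin'];

// Login-page side: build the embed. referrerpolicy=no-referrer keeps the login page
// URL out of the request the widget host receives.
function captchaFrameHtml(challengeId) {
  const src = `${CAPTCHA_ORIGIN}/widget?challenge=${encodeURIComponent(challengeId)}`;
  return `<iframe src="${src}" sandbox="${SANDBOX_FLAGS.join(' ')}" referrerpolicy="no-referrer"></iframe>`;
}

// Login-page side: validate one MessageEvent-like object { origin, source, data }.
// Returns the solved token, or null if the message is not an acceptable result.
function acceptCaptchaMessage(event, expectedSource) {
  // Any page holding a reference to this window can postMessage to it, so the
  // sender origin must match exactly (a prefix or substring check is a classic bug).
  if (event.origin !== CAPTCHA_ORIGIN) return null;
  // And it must come from the frame we created, not another window on that origin.
  if (expectedSource !== undefined && event.source !== expectedSource) return null;
  const d = event.data;
  if (d === null || typeof d !== 'object') return null;
  if (d.type !== 'captcha-solved') return null;
  // The token is opaque to the client; only its shape is checked here. The server
  // must verify it with the provider before treating the login as human.
  if (typeof d.token !== 'string' || !/^[A-Za-z0-9_-]{20,2048}$/.test(d.token)) return null;
  return d.token;
}

// Widget side (runs on CAPTCHA_ORIGIN): deliver the result to the login origin only.
// Posting with targetOrigin '*' would hand the token to whatever page framed the widget.
function postSolvedToken(parentWindow, token) {
  parentWindow.postMessage({ type: 'captcha-solved', token }, LOGIN_ORIGIN);
}

// Exercise the validator with constructed messages (plain objects stand in for windows).
function demo() {
  const ourFrame = { name: 'captcha-frame' };
  const otherWindow = { name: 'some-other-window' };
  const token = 'abcDEF0123456789_-abcdefghijklmnop';
  const solved = { type: 'captcha-solved', token };
  const posted = [];
  postSolvedToken({ postMessage: (data, targetOrigin) => posted.push({ data, targetOrigin }) }, token);
  return {
    genuine: acceptCaptchaMessage({ origin: CAPTCHA_ORIGIN, source: ourFrame, data: solved }, ourFrame),
    spoofedOrigin: acceptCaptchaMessage({ origin: 'https://attacker.example', source: ourFrame, data: solved }, ourFrame),
    lookalikeOrigin: acceptCaptchaMessage({ origin: CAPTCHA_ORIGIN + '.attacker.example', source: ourFrame, data: solved }, ourFrame),
    wrongWindow: acceptCaptchaMessage({ origin: CAPTCHA_ORIGIN, source: otherWindow, data: solved }, ourFrame),
    stringPayload: acceptCaptchaMessage({ origin: CAPTCHA_ORIGIN, source: ourFrame, data: token }, ourFrame),
    badToken: acceptCaptchaMessage({ origin: CAPTCHA_ORIGIN, source: ourFrame, data: { type: 'captcha-solved', token: '<script>alert(1)</script>' } }, ourFrame),
    widgetTargetOrigin: posted[0].targetOrigin,
    frameHtml: captchaFrameHtml('c1'),
  };
}

console.log(demo());
```

What this sandbox buys is integrity of the login page: the widget cannot read the page, navigate it, or forge a result that the page will accept without an exact origin and source match. What it cannot buy is the privacy property the comment above is asking about: loading the frame is still an HTTP request to the provider's domain carrying the visitor's IP address, user agent, whatever cookies the provider has set on its own domain, and the time of the request, and no client-side sandboxing changes that.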

This is an irresponsible statement to me. Each time you face this kind of issue, you can claim that the community allows you to do that. But ProtonMail is a professional company which should take the final responsibility. Please be professional.

It's a perfectly professional and honest response. They're taking responsibility AND giving you a rationale. Your comment is the unprofessional one if anything.

If it’s security or privacy related that should be driven by your own threat-modelling and risk assessment. Not left to the fate of what the community decide. You’re the experts after all and that’s what people using your service pay for and expect.

A captcha of any kind on a paid service (or a storefront where I'm looking to pay money) is an absolute deal breaker for me. I will not be clicking on lights and stopsigns to be able to pay money.

Looks like they feel it's a necessary evil and only hits 1-2 percent of users

That’s no consolation if you are in that 1-2%.

Thank you for explaining here, I really appreciate the work you’re doing and understand the non-trivial work it takes to protect users. While I’d love a Google free experience for PM, I also love having a near zero chance of a brute force attack. I’m a paid PM user and have been using it since the very early beta days. I never see the CAPTCHA on any OS, but I only connect from about 5 different IPs or while using ProtonVPN.

Off topic: please implement font size adjustment capability on iOS!

This isn't an explanation, insofar as it's identical to the bartbutler post in the submission itself.

I feel like they have pretty much cleared the issue up. Any coder would agree that a captcha service is actually very hard to build. Especially a good one. What they're doing isn't exactly 100% wrong, but it isn't 100% right either. Either way, they're implementing hCaptcha. I see no issue?

This means ProtonMail know who you are if you did not use third-party VPN.

Yes, but the issue being pointed out is third party google.. Also being made aware. Many users pay proton for the services. Should we also be upset about payment processors logging this? Last time I tried to make a new protonmail, a phone number or non protonmail account was required. They limit which emails are valid.

They are not what they were, what they stood against. They have been assimilated.

Sad times. But, hey they reply unlike the big G.

Maybe some basic stats would concretize the problem for some commenters.

E.g. What was the ratio of failed logins to successful ones before implementing captcha? Now that you've implemented captcha, what is that ratio among the population of users not presented with captcha, compared to the population that is? How many attempts did adding the captcha stop?

We were a bit surprised by the sudden reaction today. We have been using reCaptcha as one tool (among many) to fight abuse for years now. For example, here's a thread from 4 years ago mentioning it [1]. It is triggered most often for signup, but it can also appear for password reset, username lookup, sending mail, payments, login, and any other api routes which can be abused.

That said, we can also understand the reaction. Back in 2014, there were no viable alternatives. Today, there is one alternative, and we started the transition to hCaptcha earlier this year, and will complete it in the coming weeks.

For security reasons, we can't say too much, but some truly massive residential IP botnets have appeared in recent years and can make millions of attempts per day. On really bad days, Captcha can appear for nearly 1% of legitimate users (some who are unwittingly part of the botnet), while blocking nearly all of the malicious attempts.

[1] https://www.reddit.com/r/ProtonMail/comments/5z70cd/when_sig...

> For security reasons, we can't say too much

That's reasonable. Thanks for responding.

> For security reasons, we can't say too much, but some truly massive residential IP botnets have appeared in recent years and can make millions of attempts per day

Ah yes. All those insecure IoT and unpatched/unpatchable routers that are discoverable on shodan and ultimately end up joining giant botnets. They are a plague not just to ProtonMail.

TBH, I’ve never seen a Captcha. But then I’d tend to use your service via mutt/bridge or the iOS app. And I have MFA enabled.

> For security reasons, we can't say too much

Obscuring reasons due to security. Sounds like a security through obscurity type of thing.

I don’t think you quite understand what security through obscurity means. It’s not an invitation to help malicious actors pen-test your system by publishing information about it.

> concretize

dear god

I think a part of the problem is many people don't know what CAPTCHA really does and that even smaller numbers of people know exactly how much traffic is abusive in nature.

Good luck with the fight.

> A very small fraction of logins get the CAPTCHA challenge. We, and other services, face unrelenting brute force attacks on our login endpoints. If you are seeing a CAPTCHA on login, chances are that something about your connection is suspicious to our system.

IME CAPTCHA will make your internet use unbearable if you a) are from a non-Western geo-location or b) you use a VPN. VPNs like the service you provide, which a fair number of your email users probably avail themselves of. It's fair to say a smaller number of "internet users" get CAPTCHA hell (which i also doubt), but I wonder if the ratio of Proton* users actually skews the other way.

This is seriously skirting the issue. OP didn't complain about your use of robot detection. OP complained about your use of GOOGLE's robot detection, which is not privacy preserving. There are many other robot detection services out there, many of which are arguably more effective at detecting robots too.

Your statement does decrease my confidence with your company...

It's not necessary, as you could use a different captcha or challenge segment. Nobody is forcing you to use Google's solution, that is your choice.

Why / Who is DDOS'ing protonmail? Is it just a consequence of having a SaaS of a certain size that you become a target?

It's not DDOSing, it's credential stuffing[0]. Hackers find leaked databases which contain username/password pairs. They then try username@protonmail with the password from that database (or they just try the top 1000 most common password). If they get in, they suddenly have control over someone's email. From there they can password reset any of the user's other accounts, some of which might allow them to buy real world items.

The best mitigation as a user is to never reuse a password, however protonmail cannot enforce this. From their side the best option is to slow down the hackers as much as possible so it's less likely their more vulnerable users get compromised.

[0]: https://en.wikipedia.org/wiki/Credential_stuffing
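The Proton reply at the top of the thread (only connections that look suspicious get the challenge, a percent or two of users at most) and the comment above (the defence is to slow credential stuffing down) describe one mechanism from two sides. Here is an added illustration, not Proton's code, of how a login endpoint can gate the CAPTCHA on failure rates per source address and per account, so that an ordinary login almost never sees it while a stuffing or spraying burst does. The window length, the thresholds and the `allow`/`challenge` outcomes are assumptions chosen for the example, and the traffic is constructed.

```javascript
// Added example (not Proton's code): gating the CAPTCHA on failure rates so that a
// normal login almost never sees it while credential stuffing does. The window,
// thresholds and outcome names are assumptions made for this illustration.

const WINDOW_MS = 10 * 60 * 1000; // assumed: 10-minute sliding window
const LIMITS = {
  perSourceFailures: 20, // assumed: failed logins from one IP before it is challenged
  perSourceAccounts: 10, // assumed: distinct accounts tried from one IP (spraying signature)
  perAccountFailures: 5, // assumed: failed logins against one account before it is challenged
};

class LoginRiskGate {
  // `now` is injectable so the simulation below can drive the clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.bySource = new Map();  // ip -> [{ t, account, ok }]
    this.byAccount = new Map(); // account -> [{ t, ok }]
  }

  // Drop events that fell out of the window; events are appended in time order.
  _recent(list) {
    const cutoff = this.now() - WINDOW_MS;
    while (list.length > 0 && list[0].t < cutoff) list.shift();
    return list;
  }

  // Called before the password is checked. 'allow' = no CAPTCHA, 'challenge' = CAPTCHA required.
  decide(ip, account) {
    const src = this._recent(this.bySource.get(ip) || []);
    const acct = this._recent(this.byAccount.get(account) || []);
    const reasons = [];
    if (src.filter(e => !e.ok).length >= LIMITS.perSourceFailures) reasons.push('source_failures');
    if (new Set(src.map(e => e.account)).size >= LIMITS.perSourceAccounts) reasons.push('source_spray');
    if (acct.filter(e => !e.ok).length >= LIMITS.perAccountFailures) reasons.push('account_failures');
    return { action: reasons.length > 0 ? 'challenge' : 'allow', reasons };
  }

  // Called after the password check with its outcome, so later decisions see it.
  record(ip, account, ok) {
    const t = this.now();
    if (!this.bySource.has(ip)) this.bySource.set(ip, []);
    if (!this.byAccount.has(account)) this.byAccount.set(account, []);
    this.bySource.get(ip).push({ t, account, ok });
    this.byAccount.get(account).push({ t, ok });
  }
}

// Constructed traffic: one ordinary user, one stuffing bot, one targeted account.
function simulate() {
  let clock = 0;
  const gate = new LoginRiskGate(() => clock);
  const out = {};

  // 1. Ordinary user from a home IP: one typo, then success. Never challenged.
  out.userBeforeTypo = gate.decide('203.0.113.10', 'alice').action;
  gate.record('203.0.113.10', 'alice', false);
  clock += 5000;
  out.userAfterTypo = gate.decide('203.0.113.10', 'alice').action;
  gate.record('203.0.113.10', 'alice', true);

  // 2. Bot sprays one leaked password across many accounts from one IP.
  out.botFirstChallengeAt = null;
  for (let i = 0; i < 50; i++) {
    clock += 100;
    if (gate.decide('198.51.100.7', `victim${i}`).action === 'challenge' && out.botFirstChallengeAt === null) {
      out.botFirstChallengeAt = i; // challenged once perSourceAccounts distinct accounts were tried
    }
    gate.record('198.51.100.7', `victim${i}`, false);
  }

  // 3. Targeted account: failures arrive from rotating residential IPs (one attempt each, so
  //    the per-source rules never fire), then the real owner logs in from a clean IP.
  for (let i = 0; i < LIMITS.perAccountFailures; i++) {
    clock += 100;
    gate.record(`192.0.2.${i}`, 'bob', false);
  }
  out.ownerOfTargetedAccount = gate.decide('203.0.113.55', 'bob'); // challenged: the cost of the defence

  // 4. Once the window has passed, the owner is no longer challenged.
  clock += WINDOW_MS + 1;
  out.ownerAfterWindow = gate.decide('203.0.113.55', 'bob').action;
  return out;
}

console.log(simulate());
```

The third scenario is the part of the thread people find hard to accept: a residential botnet that makes one attempt per address never trips a per-source rule, so the only signal left is failures against the account itself, and that rule necessarily fires for the legitimate owner too. That is where the "small fraction of legitimate users" in the Proton replies comes from, and the alternative at that point, a lockout, is a worse denial of service than a challenge.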

I’d be curious as well, but chances are they’re experiencing credential stuffing attacks or dictionary attacks against account passwords.

What's the problem with using ReCAPTCHA? Is it not the best tool for the job?

Protonmail goal is to preserve privacy, while Google's goal is to collect your private data.

Please be more concrete. What exactly is the risk here? That Google can look into the logs and infer a macOS Big Sur with Chrome v90 is logging into proton mail today at x:xx pm?

Google is discovering that this particular user is ripe for advertising security related products.

So the ultimate risk of using ReCAPTCHA on proton mail is that Google might find out I'm more tech savvy than the average? Fine by me.

Those are your values. Other people have values that they don't want to be tracked and profiles made on them as they move around on the internet.

No, no. Now Google knows you are using ProtonMail, and by extension the NSA knows you are using ProtonMail, the FBI knows you are using ProtonMail, and so on.

This may or may not be a problem for you.

meh, if FBI is truly trying to track you down, they have an easier time accessing your ISP and mobile carrier logs to see what IPs you've been talking to.

Less likely to do that if you're not appearing in a "people who use protonmail" list.

Maybe yes, maybe no. The more information you leak the more opportunities to find easier ways.

They can correlate your login timestamps with emails you send to gmail users and identify your protonmail account.
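The long reply to the Proton comment earlier in the thread (temporal correlation between logins by identifiable individuals and activity of pseudonymous accounts) and the comment above (login timestamps correlated with mail sent to Gmail users) describe the same attack. The following is an added illustration of that attack on constructed data; it is not from the thread, does not claim any provider does this, and its window length and decision rule are assumptions. It assumes a third party that sees both (a) identified visitors loading its widget on the login page and (b) the pseudonymous account acting somewhere else it can observe.

```javascript
// Added example (not from the thread or Proton): how a third party that sees
// (a) identified visitors loading its widget on a login page and (b) a pseudonymous
// account's activity elsewhere can link the two by time alone. All records below
// are constructed; the window length and decision rule are assumptions.

const MINUTE = 60 * 1000;
const LINK_WINDOW_MS = 15 * MINUTE; // assumed: activity counts if it follows a login within 15 min
const at = (minutes) => minutes * MINUTE; // constructed timestamps as minute offsets

// (a) Widget-host view: who (identified by their own account/cookie) loaded the
// CAPTCHA frame on the login page, and when. Constructed.
const captchaLoads = [
  { person: 'alice@gmail.example', t: at(0) },    { person: 'alice@gmail.example', t: at(300) },
  { person: 'alice@gmail.example', t: at(600) },  { person: 'alice@gmail.example', t: at(1470) },
  { person: 'bob@gmail.example',   t: at(10) },   { person: 'bob@gmail.example',   t: at(320) },
  { person: 'bob@gmail.example',   t: at(900) },
  { person: 'carol@gmail.example', t: at(50) },   { person: 'carol@gmail.example', t: at(700) },
  { person: 'carol@gmail.example', t: at(1500) },
];

// (b) The same third party's view of pseudonymous accounts acting, e.g. mail from
// them arriving in mailboxes it hosts. Constructed; pseudo3's owner never loaded the widget.
const accountActivity = [
  { account: 'pseudo1@protonmail.example', t: at(5) },   { account: 'pseudo1@protonmail.example', t: at(12) },
  { account: 'pseudo1@protonmail.example', t: at(305) }, { account: 'pseudo1@protonmail.example', t: at(612) },
  { account: 'pseudo1@protonmail.example', t: at(1475) },
  { account: 'pseudo2@protonmail.example', t: at(52) },  { account: 'pseudo2@protonmail.example', t: at(603) },
  { account: 'pseudo2@protonmail.example', t: at(710) }, { account: 'pseudo2@protonmail.example', t: at(1510) },
  { account: 'pseudo3@protonmail.example', t: at(100) }, { account: 'pseudo3@protonmail.example', t: at(400) },
  { account: 'pseudo3@protonmail.example', t: at(1000) },
];

// Group records by a key into sorted timestamp arrays.
function timesBy(records, key) {
  const m = new Map();
  for (const r of records) {
    if (!m.has(r[key])) m.set(r[key], []);
    m.get(r[key]).push(r.t);
  }
  for (const ts of m.values()) ts.sort((a, b) => a - b);
  return m;
}

// For every (account, person) pair: fraction of the account's activity that falls
// within windowMs after one of that person's widget loads.
function linkageScores(loads, activity, windowMs = LINK_WINDOW_MS) {
  const byPerson = timesBy(loads, 'person');
  const byAccount = timesBy(activity, 'account');
  const scores = [];
  for (const [account, acts] of byAccount) {
    for (const [person, logins] of byPerson) {
      const hits = acts.filter(a => logins.some(l => a >= l && a - l <= windowMs)).length;
      scores.push({ account, person, hits, total: acts.length, score: hits / acts.length });
    }
  }
  return scores;
}

// Decision rule (assumed): link when the best candidate explains at least 75% of the
// account's activity and does at least twice as well as the runner-up.
function bestLink(scores, account) {
  const ranked = scores.filter(s => s.account === account).sort((a, b) => b.score - a.score);
  const [top, second] = ranked;
  const confident = top !== undefined && top.score >= 0.75 && (second === undefined || top.score >= 2 * second.score);
  return { account, person: confident ? top.person : null, top, second };
}

function report() {
  const scores = linkageScores(captchaLoads, accountActivity);
  return [...new Set(accountActivity.map(a => a.account))].map(acc => bestLink(scores, acc));
}

console.log(report().map(r => `${r.account} -> ${r.person} (${r.top.hits}/${r.top.total})`).join('\n'));
```

Two of the three constructed accounts are linked from a handful of observations each, even with a coincidental overlap thrown in, and the third stays unlinked only because its owner never loaded the widget. The point for the thread is that this needs no cookies, no JavaScript access to the login page and no sandbox escape; it needs only that the widget load happens on the third party's domain at login time.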

Google has a history of this user logging in to ProtonMail, including IP addresses. Google gives that log to a US agency, the US agency correlates that log with the log coming from the ISP and identifies the user.

It goes against the very reason of Protonmail existing. If you are to accept privacy leaks by design, you have no reason to use what Protonmail claims to offer in the first place, and just stick with gmail.

There are countless alternatives. Why did you choose Google?

> TL;DR It's a small fraction of users who are affected

Yes, though any of your users can be affected, randomly, without warning.

There actually aren't countless, almost all of them have been broken (many by Google actually), there's just one alternative, hcaptcha, which has been around only the past couple years. Back in 2014 when we first added the captcha for too many api requests, there was no other option.


You can't use that sort of username on HN—see https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme.... I've banned the account for now, but if you want to use it with a different name, you're welcome to email hn@ycombinator.com and we'll get you fixed up.

(btw, the GP mentions hcaptcha)

Why is HN against asian passerine birds? https://en.wikipedia.org/wiki/Japanese_tit

Not questioning this dang, but would be useful to add something about trollish usernames in the guidelines, and perhaps clarify what qualifies as trollish.

That belongs to a category of subrules or heuristics which are too numerous to list. If we tried to make the guidelines comprehensive that way, they would just get so long (or worse, so bureaucratic) that people wouldn't read them.

There's a limit to how much information one can get across that way, so we err on the side of explaining the spirit of the site and leave the 'case law' to specific moderation comments. One of these years I want to compile those into an extended FAQ or something, which could provide a home for the kind of documentation you're talking about.

If anyone is so weird as to want to read an entire 'essay' about this, I wrote one a couple days ago: https://news.ycombinator.com/item?id=27307680. The relevant subthread starts at https://news.ycombinator.com/item?id=27303886.

Impressive how you’re able to find these quickly and quash. Follows the model of cleaning up graffiti quickly, which causes incidents to reduce over time.

How are they better? Do they have better privacy policies?
