ProtonMail Has A Tor Hidden Service now

[zhang888 1066]

You can already use GPG with Protonmail, and they allow you to export the generated keys if you want easier usability.

For better general privacy, the usage of GPG is not limited to any mail provider, and you don't have to store your keys on their servers, you just set up your mail client with a GPG extension.

[OmniNegro 155]

Anyone wanting to learn to use GPG may have to learn to use a totally different approach from the stupid webmail systems most people are accustomed to. If you can use Thunderbird, you can use any service you like. Do a search for GPG e-mail and you will find countless guides on how to do it. Pick any that meet the specifics of what you want. For instance, if you check your e-mail on your phone, you will need a guide for that. GPG is open sourced and free. It has been ported to every OS and every device worth using. Explaining it is too difficult without more specifics on what you want.

 

But to be totally clear, GPG can be used in ANY email service. It does not matter if the service in question has any support for it or not. It is done on your side. Take a look at an example message I received on one of my accounts. (Everything that follows is the message, exactly as it is in the service I use. And this is a very small message.)

-----BEGIN PGP MESSAGE-----
Charset: utf-8
Version: GnuPG v1

hQIMA0UGrHTAhXcPARAAk7GjR+9+ARTBnbQI3P5kRcfebhmXzeJGGH/epJoF+gvK
5THslVJ51Ze14hLU17kmX804Eyyhq9UMEgEfNzAZtTblT192vswbSsYHBkAhs5kZ
IjyRubroTKCytF3He+/OuisieEA3m6vt+CKCHGlbTuuwQDGcLheooGxLCj07Q5c8
kCXjFNxJqR/+hwaoX+I5CsrttVr0mQcjQHDNiEH5NX0bBeYkhsEbG62xHlxkqA8E
8PwNG2Kkt5iqNnGcjpOFHo70pNnagJF4/d/+A1HHULq4B/nWSQ/qXs03ZkBkHXaV
bTNKw1tOsJ4L1BCA6MKzbFNbDtHTDaLxIH59+gaGeSm4T6sb+4N/ZK9XOZnpHvgW
V/WlNmgGnl9ZTokJfbWduOtWiLo6HUQMhU3Tr4R8be7Vss++vSI1/2VKejDYhJVW
OyqVeUin9/Ge/52hWkxMrpPehp7Ztbk/JOztikm3xBXLzu/RHBq6UIXA+WnRXxdI
JsbeMYkzKR7rBnlMMHc5OC6XdjBf0wE6EGwz9r1+Wm5Qh+/br0pYJFBxQWRaQ81s
NiJRzx+tu/kjn7FmhYfhZ0zq1G/uUCuGlAGtOGltB6oQWmuBxJi+U1HE9Ra+hH7N
xgOobpd9c1QbbNrTlxFp/dV9QKzQgaleuznAGHsAJT0IfGR6t6jm5g6RxddkKPuF
AgwDA99kap93tgwBD/4szmcYtIXVjtVAI/rBppqiSiu6mdCdyG542fM3OYff0B/X
Pl3DlVz2wNiUQkXm1SJf9I9ZR0eC1qRYghjpAklSJAt0QFxN12E5aaip+IENv/xB
pZCmI4hZaM9avQ2F8vs2qPyu8bBVAwfauLieRIJYYQY0PFisFWTM1dumkIE4Vmfu
1Ot68Z/KO3wwCD0fEolZtyftHEIPYg87qBKtZQ+zS5QOrKzLdnVugWeMHQagTn/Y
PXO1KMA6mXRhTIfcjegMh4FUbkoDvB8M979sXzE7aCGgC35fJoeoKNqJkUMx1agI
CU5U24vgBQa/qRuRKKODKpHX1RsXYOpRtWi5SfZm66VStNChVnxI9FCw8bLHE0mn
s42CaM+7T+EZJBuAP/eXTZqJGJHvIXH2lY2Us3X61h7pDouPHlDofci9fBUkSQbG
/lOsh5SBFay03nC5UqRjuyz2dIEMVYjVrEdJWUVnMgnyrLUtzghoIVEgg/7tzmZK
i5NTu3uyIM3bm/SJw69ltJY+nYO88Bi+U7niPh5DtBPJ9joj+1jyN6G+xvH/86vP
0QloDRvwFMuL4+jUupV95q08438LekmR4TrihCIQ/f9yXG00G967Cf/PLkerV13D
COTeZWenCFpM/62W5amxvRoHnZaxZC7T4muKhQ+98EdV/jgdgh54IxncvRAYm9Lq
AWyKMH5asGb0Ugu8Tz6ADKczD2Kj17oR0jtkGex1Vw3P7guiyfIZKhwonBUG/l1N
bFMszzFfePhWkuFwEQtfMMzekoCFnqJbpdgKby7YAihaDcsx3Vecx19QnN/bxpwe
yXw1L1LR42WYtcE5I3Q9Swoy6L04EEnYpDVHyGNhzKMApj+HItINpPkEmtIP6/ev
UbBXFCuKeqr5DQh26/yx3A6W9GU5iyWR8veVBsiO3lxya/7yCh+ZR+wuW+Ft40is
Hulqw516YbV1OanrizeR7eLsjZe4wj6/5nxKGVPQRHbIRaOn7deLwpN70O5PY1vz
ubB2GPDlYvtgz3LWgAbLGNmbh7e0VqoXtOtbb8qg0980otNTrngOBJeK2wUEZZEe
UvR8Ke5AR6xqToCtHbPRNLQTb+raS9SH+VgnILCA1NBkBM8SSghsWniEh0y8rIj5
eW0RwotRnuRQIgDp2d/0QSNvttjZIRvcyv4TlS3yMu2wvkJnsB2G0iYhKBFU4MrE
KMVBt9m0l1KD3xtrai7h/Ya5/akAwR1PTAdGcQVA4Y2jIkDrioo6Gg+h75sG9qhO
7cv9rfxVE+Y0XNp/EYQmn1Nt/T2504OWgFeiehKSleeyvbLXNXtG69dLm5QXl2UY
Q3MdvVG+UCd3YkwrKrr8qKvPSOJdCM7gFau7f5BG6VXT5nVe6zQpee53sD1P5qPR
RBpKPXasi6Ur5Gd4RkRLsTltEkOniaAauXZHXqoB52zV7FAzevOuui12ghVDgiRZ
WP5qHy/VR0j79Qd5I/FxNfRkFbhN0oc8QRTS6j22eabCniv7bmkYtTeCqWhnRYAQ
uPw5Ub+5b8BZTmXqe/hyDGjsYVBUDZcBYoEPPwdDAtbuxU70CPjDWi4Yh7SAjDvQ
pxyfRt6rSht4QLRKys1s+jFFOM1zeeFlVRDyxde+b3d2mKhFgTOIGLH8ZLr2vQKC
gDY2rDyquRp7lqbBaTRU2Zz42hOd1myML/7SO3/c/zvpEu47ByAU7kq22fMaROYd
Ec4QduA/Zh5Xt8uVyCVGhisI8UufTCf1wiZulsbuv1rMREnUFJ5+rxfbwQRcqj++
0BvZxaqz5D2u8mjn5bEMDAmSVEFZFdmFzCGeJbkHyGjDr3VWB6NA8nGiZ0b+J269
yhLxN3BK4M5j9G5uc9GhZY5YP9/2R48zPa7ZVdawIQRVsL0mYW2MlYzQAXp9mb+M
TV6M0UAKIooulOS9igUbX+wph696Bo+SqVhnr+KApz3/SFawxXqBe/DhuPwgcwHM
iyx27OVVqPLCFO3luPXCjg14xzG67GKRQlZf1/PAX1WoUkWkaalfFgep7j+aX1wj
BHBsAKc7KbERLLC4TARNj8DZabwkig8Gf4zKoMK+rTUD73bDhppeACJWkcKvfTE4
SAyDfwkdw0Lousg+9LrAifDLfdKV1hoGYWk4ClIdFmnUloVfTfxjFbCNUxvyfD3C
3gjHg7Cg8C4RVRV5++QrYppmUO3YVM45wbRl6ZJJRpa/kdmxp8zxsQD1G4yOxaKU
RtIxV/pDPJmAIAQNaBqbxXxCApmMbSsLHHEfPMov0GfFaUEFgaXJMXGOZy5Ff7j4
KpYiv7mpKQFMa81ACGI69XA9I6GWP7h6jfKB19faM5CticGXPjYxwxBK038ypiKq
A4I+Z+U3e6Awnzh+w184VjqroufK4EeRBVKOu1vtbn5SYzEDnMV8iqAvYMzjj3Hw
nu3Iq+Ab2CUD5ZQvyi2Zg50Dq51ZCbUJo4dkVftSfvurAuGd28wm84bVItFl2Qh2
z4dKEHZlw+WBJJD0bA4ztTqCk2+oPg0I43w0cuu9htbrQrUiDl3kfCLB8ktNKkUR
DDqNXixx+1YjlYwhQ9wzACPnz5QBsQSQlfMIopXW1ZML6m7agmzZRdDkNQ==
=ZTXm
-----END PGP MESSAGE-----

[OpenSourcerer 1435]

No-one has ever broken a truly secure GPG encrypted message in all time in this world. And even the weakest keys are still a hell of a lot of work to break with a supercomputer.

 

What is the best part? GPG is freeware, and works with any mail service you want to use, in any mail client.

 

We don't know that. Maybe someone in this world is always a step ahead of "known science"!?..

.. *light paranoia mode off* ..

-----

I don't remember Outlook being able to do PGP...

[zhang888 1066]

GPG4Win supports Outlook as a plugin, but try to recall the number of Outlook users who put their online privacy as a priority.

[OmniNegro 155]

I actually have used webmail accounts to receive GPG mail and then copied the entire message over to my Thunderbird client to use GPG to decode the message as a workaround since I was too lazy to setup things. But if I cared to have it working, there is not a client you cannot use with GPG. Some of the really uncommon ones may not have support for it, but that just means there is a trivial amount of work to do to use it.

 

Privacy and security are worth the petty expense of time and effort.

[Ricnvolved1956 51]

The TOR browser on my iMac desktop works smooth as silk with the Protonmail TOR address. However, I can NOT log in through the Onion browser for iOS nor with Orfox on my Android tablet. I will be opening a support ticket with Protonmail though I don't think it will do any good. They warned in a blog post that it may not work initially for some users. Not a big deal for me since they will need time to work out the bugs. I really like Protonmail because they seem to take customer email privacy and security more seriously than anyone else out there that I know of. It may seem a bit like overkill to some but I think this is where internet security in general is going and Protonmail is painstakingly doing everything within their power to stay ahead of any privacy/security threats to their customer base. And to me, that makes the $48 annual subscription price very much worth it.

[Keksjdjdke 35]

I'm able to login using onion browser on iOS, here's a photo of the settings I'm using. Warning using the Settings may reduce your security.

[Ricnvolved1956 51]

Keksjdjdke-- Those settings do work. However, you shouldn't have to compromise security to be able to log in. That defeats the whole purpose. Protonmail's tech/security guys really need to figure out what's going on with Onion browser for iOS.

[SDBF 22]

OmniNegro-- So you're saying I can and should GPG with my Protonmail account? Are there any good tutorials that can instruct me how to do that? Protonmail has it's own app; is it safe to use it?

 

I also use Startmail and Posteo. Do you know if they require JavaScript?

 

 

https://www.gpg4usb.org/

[iwih2gk 93]

I decided to give ProtonMail a try.  For now I am using one free account and testing a few things.  I am only on a linux desktop and nothing but onion for everything during my tests.  I like the speed and layout options.  The pages look really nice to me.  I have used pgp/gpg for over a decade now so its all quite familiar.  Being a little paranoid I wish I could have created a stronger key, since they only use a 2048 key.  Wrote personal counter measure comparisons to avoid MITM before credentials get keyed in.  Seems really smooth after a few days now.  I disabled ALL account recovery options and store ZERO in that regard.  If I forget my credentials I am toast.  LOL!

 

[Keksjdjdke 35]

If you use the mobile app when you create your account you can choose a 4096bit key. And make sure you have your recovery options set up properly so that you don't lose access.

[zhang888 1066]

Imo the best setup would be using an email client on your preferred secure workstation environment, not because this is just more convenient and secure,

by the fact that you don't have to store virtually anything on their servers, and that you don't have to authenticate in web forms, this also guarantees you won't lose

your mailbox content in case they will have the same outcome as Tormail/Lavabit/Ghostmail/Sigaint and probably dozens of others who were forced out of business. 

[iwih2gk 93]

If you use the mobile app when you create your account you can choose a 4096bit key. And make sure you have your recovery options set up properly so that you don't lose access.

 

 

Couple of things.  Don't really want recovery options.  That (smaller key) is a surprising restriction for my desktop environment.  I figure the Protonmail desktop application is older and just needs to be updated on their end to conform to their newer android app key size.  During testing I will ONLY use TOR and I never access TOR from my android.  I know I would lose any email stored on my account but I wonder if I could eventually log in and switch to a 4K key?  Might consider that if its an option, and for sure would if it ever becomes available in the desktop environment.  Use high entropy and long passwords either way.

 

 

Imo the best setup would be using an email client on your preferred secure workstation environment, not because this is just more convenient and secure,

by the fact that you don't have to store virtually anything on their servers, and that you don't have to authenticate in web forms, this also guarantees you won't lose

your mailbox content in case they will have the same outcome as Tormail/Lavabit/Ghostmail/Sigaint and probably dozens of others who were forced out of business. 

 

I won't store emails long term on ProtonMail.  In fact I love how I can set them to expire in case I forget to "clean up".  I will securely move anything I want retained over to my FTP.  Of course you may be correct about Protonmail eventually going out of business, but their model appears to be solid.  It may be that the FREE accounts will need to go someday if the load gets high enough.  Does anybody know how many of their accounts are PAID as compared to free (anyone talking)?  Just like AirVpn, which is a great provider, I would have no problem sending BTC to Protonmail for great service.  I don't see a BTC link to them.

[Ricnvolved1956 51]

Just an update using TOR on my Android tablet and iOS devices. I uninstalled Orweb and Orfox for Android and then reinstalled both. Then I went to Protonmail's special TOR address through Orfox and was able to log in with no problem. However.... I still cannot log in with Onion Browser on my iOS devices. I uninstalled and then reinstalled it at least three times. The first time I changed the Onion Browser settings keksjdjdke suggested I successfully logged in. Unfortunately, that's the only time it worked; have not been able to log in again after that one time. Very frustrating. I opened a support ticket with Protonmail and we're playing ping-pong on the issue. I'll re-update at the appropriate time.

[Khariz 109]

There's a lot of things I cannot log into using the Onion Browser on iOS. I can't log into Tutanota either.

[Ricnvolved1956 51]

Khariz-- Do you know if there are any TOR or TOR based browsers for iOS worth investigating?

[Keksjdjdke 35]

Khariz-- Do you know if there are any TOR or TOR based browsers for iOS worth investigating?

I'm not khakis but onionbrowser is currently the browser that torproject posted about on their blog and it's open source and stays up-to-date, red browser does not stay up to date with the latest tor protocol and from what I've checked it looks like it's closed source. Torproject has said that they are working on a iOS app. "Currently, there is no supported way of using Tor on iOS; the Guardian Project is working to make this a reality in the future."

https://www.torproject.org/docs/faq.html.en#Mobile

https://blog.torproject.org/blog/tor-heart-onion-browser-and-more-ios-tor

[Khariz 109]

I'm sure I was asked that question because in the post before the question, I said that there's a lot of stuff I can't do in Onionbrowser.  I'm assuming he was asking about Tor browsers besides the Onionbrowser.  But, no...Onionbrowser is the only one I have.  It works really great as long as you don't need to log into these mail services.  Basic web browsing and .onion browsing works fine with proper bridging and circuiting and all that jazz.

[iwih2gk 93]

I hope they are able to get that iOS thing worked out in an open source fashion.  Fortunately all is working fine at ProtonMail with conventional linux and TOR - duh!

[Ricnvolved1956 51]

Update on Onion Browser for iOS: Protonmail recommended the following settings. Active Content Blocking-- "Allow All (DANGEROUS)"; Cookies-- "Block Third-Party"; User-Agent Spoofing-- "Normalized iPad (iOS Safari)"; Do Not Track (DNT) Header-- "Tell Websites Not To Track"; Minimum SSL/TLS Protocol-- "TLS 1.0+".

 

These settings now allow me to successfully log in to my Protonmail account. But, is there reason for concern that you must set Active Content Blocking to "Allow All (DANGEROUS)"?

[Khariz 109]

As long as it's only a site-by-site setting, I wouldn't worry about it too much.  But if that's a universal setting (I can't remember), it would make me not want to do it.  If it's a universal setting, clicking on a link in an e-mail could result in running unintended content.