Keksjdjdke

ProtonMail Has A Tor Hidden Service now

Posted ... (edited)

Protonmail launched a Tor Hidden Service, any comments or questions?

https://protonmail.com/blog/tor-encrypted-email/

 onion link

https://protonirockerxow.onion

 

Onion server Certificate should be verified before logging in.

SHA256

D6:D5:26:07:F9:5F:41:D3:92:AD:EE:59:CE:29:AB:E0:B3:E8:2F:30:EA:1E:6B:8F:9D:12:09:42:F0:35:BB:65

Edited ... by Keksjdjdke

Link to post
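
The fingerprint check from the first post, as an added example that is not part of the original thread: it computes the SHA-256 fingerprint of a certificate exported from the browser (PEM or DER) and compares it with the posted value. The function names and the sample bytes are constructed for illustration; a mismatch can also mean the certificate has been renewed since the post was written.

```python
import hashlib
import hmac
import ssl

# SHA-256 fingerprint exactly as posted in the thread.
POSTED_SHA256 = ("D6:D5:26:07:F9:5F:41:D3:92:AD:EE:59:CE:29:AB:E0:"
                 "B3:E8:2F:30:EA:1E:6B:8F:9D:12:09:42:F0:35:BB:65")

# Constructed sample, NOT a real certificate: a tiny DER blob and its PEM form.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")


def parse_fingerprint(text: str) -> bytes:
    """Accept 'AA:BB:..', spaced or plain hex; require a full 32-byte digest."""
    cleaned = "".join(ch for ch in text if ch not in ": \t\r\n")
    raw = bytes.fromhex(cleaned)  # ValueError on non-hex characters
    if len(raw) != 32:
        raise ValueError(f"expected 32 bytes of SHA-256, got {len(raw)}")
    return raw


def to_der(cert: bytes) -> bytes:
    """Exports may be PEM or DER; the fingerprint is always over the DER bytes."""
    if cert.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    return cert


def fingerprint(cert: bytes) -> str:
    """Colon-separated upper-case SHA-256, the same form used in the post."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(to_der(cert)).digest())


def matches_pin(cert: bytes, pinned: str) -> bool:
    """True only if the whole digest matches; a truncated pin is rejected."""
    actual = hashlib.sha256(to_der(cert)).digest()
    return hmac.compare_digest(actual, parse_fingerprint(pinned))


if __name__ == "__main__":
    # PEM and DER exports of the same certificate give the same fingerprint.
    print(fingerprint(SAMPLE_DER) == fingerprint(SAMPLE_PEM))
    # The constructed sample is not the onion certificate, so the pin fails.
    print(matches_pin(SAMPLE_DER, POSTED_SHA256))
```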

Doesn't work for me, unfortunately. Tried it on Orfox browser on my Android tablet and Onion browser on my iPhone and can't get past the second login stage/mailbox decryption.


During times of universal deceit, telling the truth becomes a revolutionary act. —George Orwell

The further society drifts from truth the more it hates those who speak it. —George Orwell

A lie is as good as the truth when everyone believes.

No one ever lost a dime underestimating the intelligence of the amerikan public. {Generally attributed to H.L. Mencken}

THANK YOU: Russia Today; Edward Snowden; Julian Assange; John Kiriakou; Thomas Drake; William Binney; Ray McGovern; Kirk Wiebe; Matt Taibbi; Sputnik News

Link to post

Doesn't work for me, unfortunately. Tried it on Orfox browser on my Android tablet and Onion browser on my iPhone and can't get past the second login stage/mailbox decryption.

Have you allowed the NoScript addon to use Protonmail? It doesn't work without JavaScript.

Link to post

Worked fine for me. Glad to know about this, but if you're already using a vpn it's a bit of overkill. A single password is currently the default for Protonmail, but it's still possible to choose 2 password mode; one to access the account, and a second to decrypt your mail.

Link to post

Worked fine for me. Glad to know about this, but if you're already using a vpn it's a bit of overkill. A single password is currently the default for Protonmail, but it's still possible to choose 2 password mode; one to access the account, and a second to decrypt your mail.

 

It never hurts to add another layer of security. Having to wait a little longer for a page to load is always worth retaining as much security as possible. As I understand it, the two password mode protects your mailbox from being opened by 3 letter agencies should they force their way in and demand that ProtonMail open it for them. Since only the end user is capable of decrypting the mailbox, there is nothing ProtonMail can do to help them.

 

That's the theory at least. However, I wouldn't be surprised if they forced them to create a fake portal on their webpage to effectively intercept the passwords when the user types them in, giving them both keys to open the mailbox.

Link to post

Nope. Protonmail never receives the email decryption key. The emails are sent to you encrypted and are decrypted only on your machine with your password.

Link to post

Nope. Protonmail never receives the email decryption key. The emails are sent to you encrypted and are decrypted only on your machine with your password.

 

Right. However a fake web portal could still be implemented by 3 letter agencies to intercept the key. It does not matter how the emails are sent if you give them the password. 

Link to post

The whole point is that you don't give them the password. It never leaves your machine...if you choose 2 password mode: one to access the account, and the second to decrypt on your machine.

Link to post

The whole point is that you don't give them the password. It never leaves your machine...if you choose 2 password mode: one to access the account, and the second to decrypt on your machine.

 

Yes, and that's how it normally works.

 

That does not mean that a web portal could be designed to, after unlocking and decrypting your email, transmit the key to another party, such as a government agency.

Link to post

Note that the emails arrive at their mail servers in clear text, unless you encrypted them using PGP before. So they do have the copy of your plaintext emails at some point, at least for the duration it takes to move them to your virtual mailbox folder in a separate, encrypted form. We don't have the source code of their server part, so you will have to trust their own implementation regarding crypto; however, some forks based on the same model exist, like Neutron:

https://github.com/emersion/neutron


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Link to post

Only emails from non-Protonmail accounts arrive at their servers unencrypted. Anything sent from a Protonmail account is encrypted before being sent.

Link to post

Unless/until someone convinces me otherwise, I'm trusting that Protonmail is doing right by its customers. How many other email services out there are attempting to keep users' emails private and secure to the level that Protonmail is supposedly doing? Zhang can correct me if I'm wrong but I think he gave his personal endorsement of Protonmail in another thread. That prompted me to purchase the $48 subscription back in November and I really like what I've seen so far. As for not being able to login using their TOR address, I've tried it on my Samsung Android tablet and my iPhone SE. I'm using the 2 password method and I can get past the first password, but after entering the password to decrypt the mailbox itself, it just hangs up. As far as I can tell, JavaScript is enabled on the Orfox browser on my Samsung tablet as it shows the little yellow "JS" icon on the right-hand side of the address bar.


Link to post

Only emails from non-Protonmail accounts arrive at their servers unencrypted. Anything sent from a Protonmail account is encrypted before being sent.

 

What exactly are you writing about? Emails from non-Protonmail accounts might arrive TLS-encrypted if the sender supports TLS encryption, and I know for sure that Protonmail supports receiving encrypted mail. But in the second sentence I'm not sure what you write about. Not anything sent from a mail account will actually be sent encrypted, there is a great number of mail servers on the internet which don't support TLS, forcing mail providers to send mail unencrypted to ensure compatibility. Some like Posteo implemented the "TLS guarantee" which rejects sending mail to hosts which don't support TLS. Not sure if Protonmail enforces the same policy.


Four simple things:
There's a guide to AirVPN. Before you ask questions, take 30 minutes of your time to go through it.

Amazon IPs are not dangerous here. It's the fallback DNS.
Running TOR exits is discouraged. They're subject to restrictions on the internet and harm all AirVPN users.

Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, you'll be unique among the mass again.

 

XMPP: gigan3rd@xmpp.airvpn.org or join our lounge@conference.xmpp.airvpn.org

Link to post

Sure TLS is in place as long as the sender/receiver servers support it. In addition, Proton does public key encryption. Anything between proton accounts is public key encrypted end-to-end. All that encryption is done on the user's machines. All data is stored on Proton's servers encrypted and they don't have the decryption keys so they don't have access to the clear text of those emails, only the end users have their respective private keys to decrypt. Email that arrives from a non-Proton server arrives in clear text. It is encrypted with the destination public key and stored on their servers. They do not thereafter have the private key to decrypt it. In the reverse direction if you are sending to a non-Proton email, the email may be encrypted to the Proton server with their public key for privacy in transit, then decrypted and sent on to the receiver in clear text (not 100% sure about this outgoing direction encryption, but it seems the secure and logical way to operate...if you want that particular bit of detail I suggest you contact Protonmail). Obviously sending/receiving to/from a non-Proton email is not encrypted in transit (except by TLS if it's supported). Only Proton to Proton is public key encrypted end to end in addition to TLS. From their website:

 

https://protonmail.com/security-details

 

End-to-End Encryption

Messages are encrypted at all times

Messages are stored on ProtonMail servers in encrypted format. They are also transmitted in encrypted format between our servers and user devices. Messages between ProtonMail users are also transmitted in encrypted form within our secure server network. Because data is encrypted at all steps, the risk of message interception is largely eliminated.

 

Zero Access to User Data

Your encrypted data is not accessible to us

ProtonMail's zero access architecture means that your data is encrypted in a way that makes it inaccessible to us. Data is encrypted on the client side using an encryption key that we do not have access to. This means we don't have the technical ability to decrypt your messages, and as a result, we are unable to hand your data over to third parties. With ProtonMail, privacy isn't just a promise, it is mathematically ensured. For this reason, we are also unable to do data recovery. If you forget your password, we cannot recover your data.

Link to post

Follow up:  all Protonmail accounts used to require two passwords for a higher level of security; one to access the account, then a second one to en/decrypt your emails. They've now gone to a single password as default for ease of use (at the expense of maximum security) similar to Tutanota. But if you want the extra security of two passwords, you can choose that option.

Link to post

It does not matter how these emails are sent if ProtonMail is gagged and forced to change their login page so that both passwords are stored when entered, and used by agencies when they feel the need arises. 

 

Making email transmission done with TLS or end to end encrypted does nothing if government agencies have the tools to decrypt the emails with YOUR passwords. 

Link to post

Ya that could happen. If you're worried about it you need to be following some much deeper security protocols and not using any web services like Airvpn....you might consider keeping a fully encrypted air gapped machine in an impenetrable vault.

Link to post

Ya that could happen. If you're worried about it you need to be following some much deeper security protocols and not using any web services like Airvpn....you might consider keeping a fully encrypted air gapped machine in an impenetrable vault.

 

Nowhere even close to my personal threat model, just something people using ProtonMail should generally be aware of. 

 

For a rare few people, some information is worth having kept on an airgapped machine in an impenetrable vault; probably none of these individuals use a VPN, however.

 

Generally, you should never let yourself assume you are 100% protected at any given time using any given service. 

Link to post

You have a keen grasp of the obvious

What can I say? I have a deep understanding of that which is obvious.

 

Can't compete with you though; you, my friend, have the ability to turn any conversation point into an acute hostility.

 

Maybe I can learn a thing or two about pissing people off

 

Link to post

I'd even say, ProtonMail's approach is a slight overkill. Think of email as a toast, and security as jam. Toast is yummy, it's better with jam. Now, too much jam on my toast is not bad, I'm just not sure if I can enjoy the taste of my toast, then.

 

I mean, this is EMAIL we're talking about. If it was my bank account I'd think about all those layers, but moving messages back and forth doesn't compare in any way. Especially this two-password thing is stupid, adding no additional security to the setup, but complicating your life.


Link to post

Anyone wanting truly secure e-mail should only ever decrypt on their own side, and should never use a site that forces javascript to be used to allow you to do this. As previously mentioned, any of the alphabet soup agencies can make a fake site to do all they want without it ever being revealed to you.

 

GPG people. Learn it, Use it, Love it.

 

No-one has ever broken a truly secure GPG encrypted message in all time in this world. And even the weakest keys are still a hell of a lot of work to break with a supercomputer.

 

What is the best part? GPG is freeware, and works with any mail service you want to use, in any mail client.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Link to post

OmniNegro-- So you're saying I can and should GPG with my Protonmail account? Are there any good tutorials that can instruct me how to do that? Protonmail has its own app; is it safe to use it?

 

I also use Startmail and Posteo. Do you know if they require JavaScript?


Link to post
