Slashdot Mirror


ProtonMail Adds Tor Onion Site To Fight Risk Of State Censorship (techcrunch.com)

ProtonMail now has a home on the dark web. The encrypted email provider announced Thursday it will allow its users to access the site through the Tor anonymity service. From a report: Swiss-based PGP end-to-end encrypted email provider, ProtonMail, now has an onion address, allowing users to access its service via a direct connection to the Tor anonymizing network -- in what it describes as an active measure aimed at defending against state-sponsored censorship. The startup, which has amassed more than two million users for its e2e encrypted email service so far, launching out of beta just over a year ago, says it's worried about an increased risk of state-level blocking of pro-privacy tools -- pointing to recent moves such as encryption messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation that mandates tracking of web activity and can also require companies to eschew e2e encryption and backdoor products. The service also saw a bump in sign ups after the election of Donald Trump as US president, last fall -- with web users apparently seeking a non-US based secure email provider in light of the incoming commander-in-chief's expansive digital surveillance powers.

26 comments

  1. ProtonMail users by colin_faber · · Score: 4, Informative

    I've been a user since their beta days, and I can say the service generally works well with a few exceptions in the UI. Most notably it's slow, very slow, and the TOR interface seems to be even slower. Combine that with lack of features (like mailbox purge) and mandatory space constraints, and it makes the service very hard to use for day to day messaging needs. That all said, I really do like the service and find the entire concept of browser based encrypted UI, with encryption handler happening within the browser itself, very interesting and a neat way forward (possibly for larger sites like gmail in the future).

    1. Re:ProtonMail users by Anonymous Coward · · Score: 0

      I'd be happy if they would decide to resize images so you can see them in the mobile app without scrollbar Hell.

    2. Re:ProtonMail users by CronoCloud · · Score: 4, Informative

      Why not use PGP with a real e-mail client? ProtonMail doesn't support keyservers or downloading pubkeys to a keyring, which adds a few annoyances to the process of sending/receiving ProtonMail with someone using PGP on a real client.

      Also if your pubkey is newer than this one:

      pub   1024D/C9E6D134 1999-09-26
      uid                  Colin Faber <cfaber@fpsn.net>
      sub   3072g/9220F7D1 1999-09-26

      You might want to upload it to the keyservers and add it to your Slashdot profile here:

      https://slashdot.org/users.pl?op=edituser

      Then it will be available at http://slashdot.org/~colin_faber/pubkey

    3. Re:ProtonMail users by buchner.johannes · · Score: 1

      PGP with a normal email client does nothing to protect your "metadata", i.e. who you are, who you communicate with, the subject line, date, etc. All you can do is use TLS/SSL and hope that the email servers communicate with each other encrypted without NSA backdoors (i.e. they have a copy of the TLS/SSL private key).

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.

    4. Re:ProtonMail users by lgw · · Score: 1

      Using TOR might not be the best way to avoid NSA backdoors. Hard to say in this age of parallel construction.

      --
      Socialism: a lie told by totalitarians and believed by fools.

  2. Re:They DIDN'T sign up because of Trump... by srg33 · · Score: 1, Informative

    Time to feed the troll?
    Both the summary and the article clearly state that "The service also saw a bump in sign ups after the election of Donald Trump as US president ..."
    So, AC learn to read and come back later.

  3. Re:They DIDN'T sign up because of Trump... by I'm+New+Around+Here · · Score: 1, Troll

    When I read the summary, I was wondering just what "incoming commander-in-chief's expansive digital surveillance powers" exist, that didn't exist for Obama.

    Maybe the new signups are from Meryl Streep and her Hollywood friends, afraid that Trump will read their emails.

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.

  4. Re:WRONG! by TFlan91 · · Score: 1, Flamebait

    "Totally wrong. False post. "New Around Here" should pay more attention to his bug-infested computer and less to trolling /. Not funny. UID should be cancelled. Sad!"

    FTFY

  5. Re:WRONG! by I'm+New+Around+Here · · Score: 1

    ???

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.

  6. Re:They DIDN'T sign up because of Trump... by Anonymous Coward · · Score: 0

    Really, y'all don't think that maybe a bunch of folks saw what happened to Podesta and the DNC and said, "Wow, my ass is really hanging out all over my email. Maybe I should do something to fix that."?

  7. Re:They DIDN'T sign up because of Trump... by Anonymous Coward · · Score: 0

    Yes I can't imagine why anyone in public office would be dumb enough to use an unencrypted unprotected server. Especially when discussing dark political shenanigans in this day and age.

  8. Some of us know how to use PGP in a real client. by CronoCloud · · Score: 1

    While having a webmail solution support PGP is nice, especially for those in truly repressive regimes, it isn't that hard to use it in a real client. Then you can use whatever e-mail provider you want over POP3 or IMAP, including Gmail.

  9. Re:WRONG! by Anonymous Coward · · Score: 0

    Needs to be cut off at the 140-character limit (just after "UID").

  10. Re:WRONG! by mmell · · Score: 1

    Al, is that you?

  11. Re:Some of us know how to use PGP in a real client by PaulBu · · Score: 1

    That would still leave metadata behind -- depending on how exactly this ProtonMail works, it is plausible that metadata between two recipients both using this service would be obscured as well.

    Paul B.

  12. Re:Some of us know how to use PGP in a real client by Anonymous Coward · · Score: 0

    FALSE.

  13. Re:Some of us know how to use PGP in a real client by CronoCloud · · Score: 1

    https://protonmail.com/support...

    There are two main reasons why Subject lines in ProtonMail messages are not end-to-end encrypted.

    Not Standards Compliant -- ProtonMail adheres to the OpenPGP standard which largely respects the SMTP protocol. In PGP, the subject line is part of the header packet which is not end-to-end encrypted.

    That only applies to ProtonMail e-mail messages. As far as I can tell, their special "ProtonMail messages" between ProtonMail users have their metadata protected.

    Besides, while metadata does show IP addresses, subject and whatnot it still isn't as important as the message body. For example you could have something like this:

    Header
    From: CommodoreChimichanga@pipedash.com
    To: BuckarooNeville@pipedash.com
    Subject: Cat videos

    Message body:

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v2

    owE9jTEOwjAQBKnp+ME+ILJEQ0+DEiFEB7QXcyQWts/yGVBKPsYH+BRGQnRbzOy8
    X/3s9FzYljPDKcKEzHfHD8gFZWTEOluJPNnsNKGL1iDc1FkkTxNng658RU+BG0TB
    0W1cA8+q0ESW6wtFEA40UC/xbIC1V8H4K6oErk11WiQj5X2sxK4qXuQKKtUXZSzN
    aov9GP6oYhAz/wA=
    =W6m/
    -----END PGP MESSAGE-----

    That's encoded with gpg2 -a --store so it's not really encrypted, it says:

    Here is my review of the new Honeycrisp Inc. music player. It is lame, no WiFi, less space than a Vagabond. Also here is some resistor prOn. Man look at those 1.6K Ohm resistors go.

    See what I mean?
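
Added example (not part of the comment above, and not ProtonMail's code): a Python check run on the sample message from that comment, listing what a relaying mail server reads in the clear and whether the armored body is actually encrypted, judged by its first OpenPGP packet tag. The function names `first_packet_tag` and `observer_view` are made up for this illustration.

```python
import base64
from email import message_from_string

# OpenPGP packet tags (RFC 4880, section 4.3) relevant to this check.
TAGS = {1: "public-key encrypted session key", 3: "symmetric-key encrypted session key",
        8: "compressed data", 9: "symmetrically encrypted data",
        11: "literal data", 18: "encrypted and integrity-protected data"}
ENCRYPTED_TAGS = {1, 3, 9, 18}

# The sample message from the comment above, copied verbatim.
SAMPLE = """\
From: CommodoreChimichanga@pipedash.com
To: BuckarooNeville@pipedash.com
Subject: Cat videos

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

owE9jTEOwjAQBKnp+ME+ILJEQ0+DEiFEB7QXcyQWts/yGVBKPsYH+BRGQnRbzOy8
X/3s9FzYljPDKcKEzHfHD8gFZWTEOluJPNnsNKGL1iDc1FkkTxNng658RU+BG0TB
0W1cA8+q0ESW6wtFEA40UC/xbIC1V8H4K6oErk11WiQj5X2sxK4qXuQKKtUXZSzN
aov9GP6oYhAz/wA=
=W6m/
-----END PGP MESSAGE-----
"""

def first_packet_tag(armored):
    """Return the tag of the first OpenPGP packet in an ASCII-armored block."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    body = lines[lines.index("-----BEGIN PGP MESSAGE-----") + 1:
                 lines.index("-----END PGP MESSAGE-----")]
    # Armor headers such as "Version:" end at the first blank line.
    body = body[body.index("") + 1:]
    # Skip the "=XXXX" CRC-24 line; the rest is base64 of the packet stream.
    data = base64.b64decode("".join(l for l in body if l and not l.startswith("=")))
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    # Bit 6 set: new format, tag in bits 5-0. Clear: old format, tag in bits 5-2.
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F

def observer_view(raw_message):
    # Everything returned here is readable without any key.
    msg = message_from_string(raw_message)
    tag = first_packet_tag(msg.get_payload())
    return {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
            "body_packet": TAGS.get(tag, "tag %d" % tag),
            "body_encrypted": tag in ENCRYPTED_TAGS}

if __name__ == "__main__":
    print(observer_view(SAMPLE))
```

For the sample the body's first packet is tag 8 (compressed data), so the check reports the body as not encrypted, which matches the comment's remark that `gpg2 -a --store` output is only encoded.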

  14. Re:They DIDN'T sign up because of Trump... by ctilsie242 · · Score: 1

    It isn't like encryption is hard. If someone is too afraid of PGP, getting a S/MIME key and using that in Outlook, Thunderbird, or another mail program isn't difficult.

  15. Re:Some of us know how to use PGP in a real client by ctilsie242 · · Score: 1

    I really don't like combining my encryption layer with the transport layer. Too easy for stuff to get compromised. Even if the company has good intentions, an agency like Interpol leaning on them with the choice of putting in a backdoor or everyone in the company going to jail for conspiracy/collusion charges can cause issues.

    My recommendation: Use a PGP reader and a secure transport mechanism. PGP applications are pretty easy to obtain on all platforms. Then, use a trustworthy transport link. The closest analog to this would be sending critical stuff via registered mail. The Post Office uses two keys and signatures every place the message goes, and even then, only the receiver and the sender have/had access to what is inside the envelope.

  16. Link missing by zdzichu · · Score: 3, Informative

    Summary lacks the most important thing: link to the site itself - https://protonirockerxow.onion... .

    --
    :wq

  17. Re:Some of us know how to use PGP in a real client by PaulBu · · Score: 2

    Yep, that was what I was hinting at -- of course one can not securely interoperate with other services using plain old SMTP, but I hoped they would add secure link between any two of their internal customers, with plausible deniability that they ever communicated.

    As to "innocence" of metadata, a required (and educational!) read that I am sure you have seen, but others might have not: https://kieranhealy.org/blog/a...

    Paul B.

  18. Javascript required by Anonymous Coward · · Score: 0

    When I go to https://protonirockerxow.onion/, the following message is displayed on the page: "ProtonMail requires Javascript. Enable Javascript and reload this page to continue." Hey ProtonMail, ditch the javascript requirement.

  19. Re:Some of us know how to use PGP in a real client by Anonymous Coward · · Score: 0

    > Then you can use whatever e-mail provider you want over POP3 or IMAP, including Gmail.

    You can also use PGP encryption on just about any webmail service with the Mailvelope plugin ( https://www.mailvelope.com ).

  20. Re:Some of us know how to use PGP in a real client by CronoCloud · · Score: 1

    Well yes if you are living in an oppressive regime and want to have total deniability you DO have to use something like ProtonMail over Tor. And even then they are still vulnerable to the Swiss government requesting what info they have. Not only that, but a US government agency invented Tor in the first place.

    But...even the puissant 3-letter agencies of the US with all their resources are not omnipotent/omniscient. We still have mobsters, fraudsters, drug dealers, car theft rings, etc etc. There's too much metadata to go through. What you'd want to do in most circumstances is not stick out from the pack.

    In the Revolutionary example you linked to, one of the reasons Revere was able to be singled out as a "bridge" was the small membership of the various organizations and the fact it was easy to find out WHO was a member. Part of that was due to class stratification and lack of literacy.

    One thing we can do now is be one of those people who connects to EVERYONE. Be one of those people spamming game invites on Facebook, friending everyone and their cat, joining every social network.

    Also we can vary our communication methods and use unconventional networks.

    For example the virtual world Second Life has in-world items called "Notecards"; they can contain any text and you can copy/paste to and from them. One can also script objects to give out Notecards, even to specific people, meaning I don't actually have to directly contact you in Second Life to communicate with you. I can set up a "dead drop".

    Or we could SSH into sdf.org and communicate there. In fact we could e-mail each other using SDF's own pine or mutt clients between SDF.org addresses and not have our e-mails transit to any other mailserver.

    Or one could self host a temporary IRC server with SSL no less.

    People could say, head to a library or starbucks, turn on bluetooth, and send encrypted messages/data to each other. They wouldn't even have to talk to each other or sit near each other.

    Or using the above example they could do the same thing but use steganography to disguise their messages as cat pictures.