Protonmail is an independent email provider with no ads, instead using a traditional monthly subscription business model.
You can follow them at:
➡️ @protonmail
Their website is at https://protonmail.com
They also have Fedi accounts for their VPN service (@protonvpn) and Calendar service (@ProtonCalendar).
#ProtonMail #EMail #Mail #VPN #Calendar #Privacy #E2EE #Encrypted #Encryption
@FediFollows @protonvpn @ProtonCalendar Thank you for recommending our suite of secure products! Your support means a lot to us.
@protonmail @ProtonCalendar @protonvpn @FediFollows I suggest avoiding #ProtonMail until they fix their #CAPTCHA problem. Protonmail is forcing people to solve an #hCAPTCHA. And worse, it's occasional, so users may only encounter the CAPTCHA after they've distributed their @protonmail address to others, at which point users are trapped.
@resist1984 @protonmail @ProtonCalendar @protonvpn
I've been using Protonmail for several years and have never seen a captcha. I have no memory of it happening even once.
I'm not denying it has happened to you, but it probably isn't as widespread as your wording implies?
I have a paid account, maybe this is something related to free accounts?
@FediFollows @protonvpn @ProtonCalendar @protonmail I've also not seen CAPTCHAs for yrs which is likely due to that fact that #Google charges a fee to use #reCAPTCHA. It was very recent (like less than a month) that #Protonmail switched to a CAPTCHA that /generates/ revenue for them (hCAPTCHA), so expect them to become more common. Certainly they've placed the CAPTCHA trigger in a position of high frequency (at login not on sending).
@resist1984 @protonvpn @ProtonCalendar @protonmail
Most of the comments in the github discussion (https://github.com/ProtonMail/WebClient/issues/242) are in favour of hcaptcha over recaptcha.
If there's a problem with hcaptcha and you have a better alternative they should use, please tell them about it in the git thread I have linked to.
Not a developer, but get the impression from quick read of the thread that there is a lack of viable alternatives.
@FediFollows @protonmail @ProtonCalendar @protonvpn That's not what I consider an open discussion platform.. that's exclusive for MS #Github users. Github is not a good venue for FOSS tools with a security/privacy mission. Solving an hCAPTCHA or reCAPTCHA prior to /reading/ email is unacceptible. There are lots of CAPTCHA alternatives, but as users we seek alternatives to bad tools. E.g. Tutanota does not impose CAPTCHA upon login.
@resist1984 @protonmail @ProtonCalendar @protonvpn
I think we all have to make compromises at some point if we are to achieve anything.
I have particularly strong feelings about the slave labour used to make computers and devices, including FOSS ones. But I accept we need to use these unethically made devices in order to encourage projects like @Fairphone
If you want Protonmail to change something, the first step has to be to tell them what needs changing and what it should change to.
@FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail This Mastodon thread herein serves both purposes: 1) to inform #protonmail of the problem, and 2) to suggest privacy seekers look elsewhere for email until the problem is resolved.
@protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows I should also mention that there are non-CAPTCHA fixes to the problem of password attacks: When a password is incorrectly entered, the server can force a delay before allowing another attempt on the account that was tried. The delay can be long enough to completely render brute force attacks useless.
@FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail Both #Protonmail and #Tutanota are increasingly calling for users to make more and more compromizes. I keep teetering back and forth on which gratis ESP I suggest to novice users. It looks like Tutanota may be a better recommendation at the moment. But certainly this race to the bottom of sorts is disturbing as they both services get progressively worse.
@protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows If anti-features continue to develop, at some point the better recommendation will be something like Thunderbird + Enigmail, which essentially means we'll have to disregard ease of use & pressure novices to increase their tech proficiency.
@resist1984 @protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows do people use desktop apps for email anymore? Besides businesses using Outlook? Thunderbird + Enigmail is a high level of friction.
@1ll173r47 @FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail #Protonmail users who are not keen to take on the risks of on-the-fly dynamic javascript absolutely do use #Electronmail. Thunderbird does not work with Protonmail unless the user subscribes to get the bridge service, but TB can serve novice users who use a conventional email service in a way that gives e2ee. Otherwise webmail is risky.
@resist1984 @FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail I wonder what the numbers are. If someone is conditioned to using webmail on desktop and apps on mobile, electronmail or thunderbird and enigmail requires lots of work. Yeah, protonmail and tutanota aren’t perfect, but they are drop-in replacements. Less cognitive load for people looking to change.
@1ll173r47 @protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows I don't know what the numbers are, but if we were to survey, we'd have to divide the stats into 2 catorgies: expert-to-novice and novice-to-novice (probably safe to assume expert-to-expert comms excludes webmail). The novice-to-novice case is probably a disaster on par with gmail-to-gmail no crypto, or at best proton_web-to-proton_web.
@FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail @1ll173r47 For expert-to-novice, if it's long term w/frequent contact, I use mutt & pressure the other user to use electronmail, & I walk them through putting my pubkey in their address book & exporting their key. That's rare though. Most often I can't get away w/imposing that burdon on them, so I have to use electronmail & i'm happy enough just to get them on protonmail.
@1ll173r47 @protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows It seems to be getting harder to impose #protonmail in any form on the other (novice) party, in which case I generally impose #Wire. And now that #protonmail is pushing CAPTCHAs, i'm somewhat embarrassed to insist that they use protonmail. Wire is going to be filling that gap more going forward. Or #tutanota-to-tutanota, but that's a pain b/c tuta doesn't have msg notification.
Just throwing this out there, why not force people to use a pgp/gpg (whatever people like to call it) key? You definitely can do this on any mail service since like, the age of BBS’s. If the comms are critical why even use a service?
@1ll173r47 @protonmail @Fairphone @FediFollows
@1ll173r47 @Fairphone @FediFollows @protonmail
@seven @Fairphone @seven @protonmail @FediFollows @1ll173r47 If I give them my pubkey & ask for theirs, & they are willing and able to comply, then they are proficient enough to be considered an expert user in this context (which is not the case i'm really talking about). If they can't handle that, they are a novice. Sometimes I have still gotten away with that arrangement but only under circumstances where I personally install GPG for them.
@1ll173r47 @FediFollows @protonmail @Fairphone @seven In one case, I mandated that a new accountant exchange either GPG keys or S/MIME keys. I said I would setup her machine if needed, but she was only comfortable having her own IT guys do the work. I was fine with that but then she came back & said her IT guys are opposed to it because if I send malware in email, it will get past the anti-virus firewall. I didn't hire her over it.
This means their security team is competent. It’s a relatively recent concept that any mail, their information protection can’t see is a potential vector for data loss and/or malware. They are 100% correct to not allow this.
There are secure tools which keep messages onprem for them, and most of the time in my experience, places with a proper standard like that own such tools.
@1ll173r47 @FediFollows @protonmail @Fairphone
@seven @Fairphone @protonmail @FediFollows @1ll173r47 The accountant (like all accountants) ran Windows. This means she not only had an email firewall to check email upon arrival, but she also had realtime scanning of all files that land on her system. So she was protected anyway (nevermind that my linux box was unlikely to get infected and transmit malware to her).
Actually, more Linux boxes transmit malware to windows boxes than most things, it’s not only common, it’s a fairly good vector. Many Linux admins ignore scanning for windows based malware because it doesn’t matter to their system, not considering that, it could definitely spread win systems from a nix source without issue.
When I say they probably have solutions, they possibly have a system that they use which takes mail from her client and puts it on a server inside their infrastructure for which you access from the outside to receive actual content. There are at least a dozen products that are commonly used by the F100 for this kind of communication…
@Fairphone @protonmail @FediFollows @1ll173r47
@seven @Fairphone @protonmail @FediFollows @1ll173r47 If i generate a doc and send it, and it has a malicious payload, then that would in fact require malware that infects linux. If linux is not infected, it's not reproducing within linux either. If you mean that an electronic receipt or gov doc that I receive & forward would be infected, sure that's possible, but IIRC her version of windows included a realtime scanner.
Linux machines can forward, pass on, deliver malicious payload to windows machines, without it needing to affect Linux at all. It happens every day, it’s so common now, though maybe not as common as Mac to Win infection.
A malicious user can definitely craft documents on Linux, that are benign to Linux and malicious on windows.
@Fairphone @protonmail @FediFollows @1ll173r47
@seven @Fairphone @protonmail @FediFollows @1ll173r47 My accountant's threat model did not include deliberate malice from me.
