ProtonMail Adds Tor Onion Site To Fight Risk Of State Censorship

ProtonMail now has a home on the dark web. The encrypted email provider announced Thursday it will allow its users to access the site through the Tor anonymity service. From a report: Swiss-based PGP end-to-end encrypted email provider, ProtonMail, now has an onion address, allowing users to access its service via a direct connection to the Tor anonymizing network -- in what it describes as an active measure aimed at defending against state-sponsored censorship. The startup, which has amassed more than two million users for its e2e encrypted email service so far, launching out of beta just over a year ago, says it's worried about an increased risk of state-level blocking of pro-privacy tools -- pointing to recent moves such as encryption messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation that mandates tracking of web activity and can also require companies to eschew e2e encryption and backdoor products. The service also saw a bump in sign ups after the election of Donald Trump as US president, last fall -- with web users apparently seeking a non-US based secure email provider in light of the incoming commander-in-chief's expansive digital surveillance powers.

ProtonMail users

[colin_faber]

I've been a user since their beta days, and I can say the service generally works well with a few exceptions in the UI. Most notably it's slow, very slow, and the TOR interface seems to be even slower. Combine that with lack of features (like mailbox purge) and mandatory space constraints it makes the service very hard to use for day to day messaging needs. That all said, I really do like the service and find the entire concept of browser based encrypted UI, with encryption handler happing within the browser itself very interesting and a neat way forward (possibly for larger sites like gmail in the future).

Re:ProtonMail users

[CronoCloud]

Why not use PGP with a real e-mail client? ProtonMail doesn't support keyservers or downloading pubkeys to a keyring which adds a few annoyances to the process of sending/recieving ProtonMail with someone using PGP on a real client.

Also if your pubkey is newer than this one:

pub   1024D/C9E6D134 1999-09-26
uid                  Colin Faber <cfaber@fpsn.net>
sub   3072g/9220F7D1 1999-09-26

You might want to upload it to the keyservers and at it your Slashdot profile here:

https://slashdot.org/users.pl?op=edituser

Then it will be available at http://slashdot.org/~colin_faber/pubkey

Re:

[buchner.johannes]

PGP with a normal email client does nothing to protect your "metadata", i.e. who you are, who you communicate with, the subject line, date, etc. All you can do is use TLS/SSL and hope that the email servers communicate with each other encrypted without NSA backdoors (i.e. they have a copy of the TLS/SSL private key).

Re:

[lgw]

Using TOR might not be the best way to avoid NSA backdoors. Hard to say in this age of parallel construction.

Re:

[srg33]

Time to feed the troll?
Both the summary and the article clearly state that "The service also saw a bump in sign ups after the election of Donald Trump as US president ..."
So, AC learn to read and come back later.

Re:

[I'm New Around Here]

When I read the summary, I was wondering just what " incoming commander-in-chief's expansive digital surveillance powers" exist, that didn't exist for Obama.

Maybe the new signups are from Meryl Streep and her Hollywood friends, afraid that Trump will read their emails.

Re:

[TFlan91]

"Totally wrong. False post. "New Around Here" should pay more attention to his bug-infested computer and less to trolling /. Not funny. UID should be cancelled. Sad!"

FTFY

Re:

[I'm New Around Here]

???

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ctilsie242]

It isn't like encryption is hard. If someone is too afraid of PGP, getting a S/MIME key and using that in Outlook, Thunderbird, or another mail program isn't difficult.

Some of us know how to use PGP in a real client.

[CronoCloud]

While having a webmail solution support PGP is nice, especially for those in truly repressive regimes, It isn't that hard to use it in a real client. Then you can use whatever e-mail provider you want over POP3 or IMAP, including Gmail.

Re:

[PaulBu]

That would still leave metadata behind -- depending on how exactly this ProtonMail works, it is plausible that metadata between two recipients both using this service would be obscured as well.

Paul B.

Re:

[CronoCloud]

https://protonmail.com/support... [protonmail.com]

There are two main reasons why Subject lines in ProtonMail messages are not end-to-end encrypted.

Not Standards Compliant â" ProtonMail adheres to the OpenPGP standard which largely respects the SMTP protocol. In PGP, the subject line is part of the header packet which is not end-to-end encrypted.

That only applies to ProtonMail e-mail messages. As far as I can tell, their special "ProtonMail messages" between ProtonMail users have their metadata protected.

Besides, whil

Re:

[PaulBu]

Yep, that was what I was hinting at -- of course one can not securely interoperate with other services using plain old STMP, but I hoped they would add secure link between any two of their internal customers, with plausible deniability that they ever communicated.

As to "innocence" of metadata, a required (and educational!) read that I am sure you have seen, but others might have not: https://kieranhealy.org/blog/a... [kieranhealy.org]

Paul B.

Re:

[CronoCloud]

Well yes if you are living in an oppressive regime and want to have total deniability you DO have to use something like ProtonMail over Tor. And even then they are still vulnerable to the Swiss government requesting what info they have. Not only that, but a US government agency invented Tor in the first place.

But...even the puissant 3-letter agencies of the US with all their resources are not omnipotent/omniscient. We still have mobsters, fraudsters, drug dealers, car theft rings, etc etc. There's too m

Re:

[ctilsie242]

I really don't like combining my encryption layer with the transport layer. Too easy for stuff to get compromised. Even if the company has good intentions, an agency like Interpol leaning on them with the choice of putting in a backdoor or everyone in the company going to jail for conspiracy/collusion charges can cause issues.

My recommendation: Use a PGP reader and a secure transport mechanism. PGP applications are pretty easy to obtain on all platforms. Then, use a trustworthy transport link. The clo

Link missing

[zdzichu]

Summary lacks the most important thing: link to the site itself - https://protonirockerxow.onion... [protonirockerxow.onion] .