tycrek / degoogle

A huge list of alternatives to Google products. Privacy tips, tricks, and links.
https://tycrek.github.io/degoogle/
Creative Commons Attribution Share Alike 4.0 International

[FIX] ProtonMail privacy & integrity concerns #258

Closed pipiscrew closed 3 years ago

pipiscrew commented 4 years ago

Read this article from Privacy Watchdog regarding privacy & integrity concerns for ProtonMail. Possibly amend the entry with a note directing users to the article.

tycrek commented 4 years ago

It would help to link the actual article.

What do you propose we change?

Edit: updated original post

pipiscrew commented 4 years ago

Where the item is in your list, strike through it, add a hyperlink called ref that redirects to the page^; people have to know.

put a heart on Tutanota product, ;)

tycrek commented 4 years ago

strike through it

I never do this. If something is worth reading, it will be there. If not, it will be removed altogether. "ref" is not a good descriptor. Instead, something like "Note: Read this article regarding potential privacy concerns".

put a heart on Tutanota

As much as I would like to (I use Tutanota as well, Premium + 10GB package), the guide should remain unbiased (if you notice bias elsewhere in the guide, please open an Issue to remove it).

I'll leave this open and add Help Wanted for discussion. I'm not against adding it, but more discussion would be the better way to go.

tiwarys commented 3 years ago

This article also suggests avoiding ProtonMail.

freddy-m commented 3 years ago

Read this article from Privacy Watchdog regarding privacy & integrity concerns for ProtonMail. Possibly amend the entry with a note directing users to the article.

Privacy Watchdog is not a reliable source. They have slandered PrivacyTools.io (a site for which I am a team member) on the basis that they got angry with one of our moderators, and are known to spread FUD.

As for the ProtonMail claims, they've been covered time and time again. The Hated One made a good video on it.

I'd close this issue, and advise that people check their sources.

danarel commented 3 years ago

Read this article from Privacy Watchdog regarding privacy & integrity concerns for ProtonMail. Possibly amend the entry with a note directing users to the article.

Privacy Watchdog is not a reliable source. They have slandered PrivacyTools.io (a site for which I am a team member) on the basis that they got angry with one of our moderators, and are known to spread FUD.

As for the ProtonMail claims, they've been covered time and time again. The Hated One made a good video on it.

I'd close this issue, and advise that people check their sources.

I came here to say exactly this, and will close this issue.

onlyjob commented 3 years ago

I recommend to re-open and reconsider based on review brought to our attention by @shivasagarrao. Thanks.

Cristy94 commented 3 years ago

I recommend to re-open and reconsider based on review brought to our attention by @shivasagarrao. Thanks.

I don't understand why this is an issue big enough to unlist ProtonMail. Isn't it already 100x better than using GMail? The list should not be about the "best" tools, but sensible and robust alternatives.

nunesgh commented 3 years ago

I recommend to re-open and reconsider based on review brought to our attention by @shivasagarrao. Thanks.

Probably committing an ad hominem here, but based on other content on that website, this so-called 'review' has no credibility. Take for instance the page full of pandemic-related denialism and conspiracy theories.

onlyjob commented 3 years ago

Wrong. Just because someone is not in perfect agreement with you on everything? By definition, no one but yourself can have perfect credibility, but that's circular reasoning, @nunesgh. We should not dismiss a valid review just because its author also wrote something unrelated that you did not like.

If you care to read the review, you can see that not only is the author qualified and competent, but he also reviewed many email services thoroughly.

tycrek commented 3 years ago

I recommend to re-open and reconsider based on review brought to our attention by @shivasagarrao. Thanks.

Probably committing an ad hominem here, but based on other content on that website, this so-called 'review' has no credibility. Take for instance the page full of pandemic-related denialism and conspiracy theories.

Other sections or articles from the site should not discredit an article that has nothing to do with the prior ones. I took a (admittedly quick) look at the article and the author does bring up good points (one in particular that stood out was the .onion address redirecting to clearnet on form submission).

If you want to discredit the article, please highlight specific sections you disagree with and provide evidence to support yourself. Pandemic-denialism is concerning but has nothing to do with Degoogle.

Will re-open for discussion.

nunesgh commented 3 years ago

I was clear about my ad hominem fallacy.

Anyway, what are the advantages of using an onion service (.onion address)?

Since our concern here is the user's privacy, I will focus on the end-to-end authentication feature.

ProtonMail currently allows users to login and use their mail services via an onion service [6], but in fact they redirect users to a non-onion service for the signup process. I agree ProtonMail should also use their onion service for their sign-up process, which would add end-to-end authentication to a highly sensitive step in the whole user experience, particularly when it comes to privacy.

But how bad is this redirection to a non-onion service?

Since both onion and non-onion ProtonMail services use SSL/TLS, the connection between the Tor exit node and the non-onion service will still have its traffic encrypted. But now, the user cannot be sure whether the Tor exit node connected to a ProtonMail server or an 'evil' one, since there is no end-to-end authentication anymore. Nevertheless, we still have at least two guarantees here:

This 'honeypot' scenario only makes sense if, and would actually account for, the whole ProtonMail operation to be compromised, which would be far worse than suggested by that 'review'. But then we have arrived at the speculation level, which may suit that 'reviewer', but lacks data and credibility.

On the other 'good points' brought by that 'reviewer':


PS: COVID-19 is a disease.

julianfairfax commented 3 years ago

I recommend to re-open and reconsider based on review brought to our attention by @shivasagarrao. Thanks.

Probably committing an ad hominem here, but based on other content on that website, this so-called 'review' has no credibility. Take for instance the page full of pandemic-related denialism and conspiracy theories.

Other sections or articles from the site should not discredit an article that has nothing to do with the prior ones. I took a (admittedly quick) look at the article and the author does bring up good points (one in particular that stood out was the .onion address redirecting to clearnet on form submission).

While that is a good point, ProtonMail doesn't log IP addresses unless ordered to by a Swiss court, in which case they'll start logging from that point on only. This means that by creating an account with your IP address potentially but not in practice known, but by using the .onion address from then on, they cannot be forced to give up information they don't have, and the information they can legally be forced to collect will not be useful if from the .onion address.

Besides, what's a better alternative?


PS: COVID-19 is a disease.

danarel commented 3 years ago

Purists will always hate any company that has any success in the world of privacy and when they see them work w/ law enforcement will immediately try and dismiss the company. While I am no fan of working with feds, the laws they exist in are the laws and these people are not going to head off to prison to protect your emails.

I am closing this issue because it's a useless argument and Proton should not be delisted.

onlyjob commented 3 years ago

@danarel, do not assume bad intentions. It would have been fair if you'd say that you don't rank certain concerns as high as the reviewer. But to attribute envy?? "Hate any company that has any success" accusation is dishonest. After all, the author does not run his own email service so why would you assume prejudice?? He cared to research many services thoroughly. Have you noticed how many email services received much more unfavourable review than Protonmail? Your personal attack and attribution of ill intentions are unwarranted and unfair.

onlyjob commented 3 years ago

PS: COVID-19 is a disease.

@julianfairfax, enough of that please.

Yes it is a disease from the moment of its definition in the ICD-10 classification system but it is a redundant disease with sloppy diagnostic criteria regressing to pre-1950 era due to disregard of differential diagnosis.

Note how Influenza is no longer diagnosed/reported since April 2020: https://apps.who.int/flumart/Default?ReportNo=10

Also note how it was never necessary to define yet another condition for yet another strain of Influenza that causes no new/unique symptoms.

So COVID-19 is a diagnostic anomaly that normally would be called "fraud". Never before was it acceptable to "diagnose" a respiratory illness without symptoms.

nunesgh commented 3 years ago

He cared to research many services thoroughly. Have you noticed how many email services received much more unfavourable review than Protonmail? Your personal attack and attribution of ill intentions are unwarranted and unfair.

We are yet to see you stop defending the 'reviewer' and start to address the 'review'.

nunesgh commented 3 years ago

PS: COVID-19 is a disease.

@julianfairfax, enough of that please.

Yes it is a disease from the moment of its definition in the ICD-10 classification system but it is a redundant disease with sloppy diagnostic criteria regressing to pre-1950 era due to disregard of differential diagnosis.

You clearly fail to understand that it is not "redundant". COVID-19, differently from Influenza, can cause --and has caused-- the need of intensive care by crowds of people. Far more people than most cities' or even countries' hospitals were designed to support at the same time. Try at least having a bit of respect for those who have experienced the worst of this pandemic so far, from Italy to NY, from Brazil to India.

Note how Influenza is no longer diagnosed/reported since April 2020: https://apps.who.int/flumart/Default?ReportNo=10

You are never tired of misinterpreting things. It is still being reported, if you care to actually check the data.

Influenza is a seasonal disease, so a huge yearly oscillation is expected, as you can see from the plot below. And before you start spreading more misinformation, just remember that most of the world population lives in the northern hemisphere [1].

[Image: Screenshot 2021-09-26 at 07-44-45 WHO FLUMART OUTPUTS]

So it is expected that fewer Influenza cases would be reported from around week 14 until around week 48 of 2020, as in previous years. Were those numbers far below in 2020 than in previous years? Yes. Are we missing the usual peak of Influenza cases at the beginning of 2021? Yes.

But is Influenza "no longer [being] diagnosed/reported since April 2020", as you have stated? No! Just check the plot below.

[Image: Screenshot 2021-09-26 at 07-46-23 WHO FLUMART OUTPUTS]

But why has it changed so much if compared to previous years? (Rhetorical question. Yep, I do not expect an answer from you.)

By week 14 of 2020, the world had already seen how bad COVID-19 could be from what happened in Italy. Since fewer people were circulating to avoid being infected by COVID-19, fewer people were also susceptible to being infected by Influenza. Remember, Influenza is airborne, as is COVID-19.

The same reasoning applies to the missing peak at the beginning of 2021. There is a slight increase, as expected due to the winter in the northern hemisphere. But with lockdowns, curfews, or even just more care by people who can see beyond their own belly buttons, Influenza spread was far more controlled than usual, as was COVID-19 if nothing had been done.

Another interesting piece of information from this second plot (the one you said was nonexistent) is the increase of Influenza being reported during 2021. With more people vaccinated and more people tired of social isolation, Influenza is once again rising. In week 36 of 2021, one thousand cases were reported. In the same week of 2019, there were a bit less than three thousand cases reported, as you can see in the plot below. And if you care to check the data, in the same week of 2018 there were two thousand cases reported.

[Image: Screenshot 2021-09-26 at 09-15-53 WHO FLUMART OUTPUTS]

For the next years, it is expected that Influenza will return to its usual oscillation in reported cases because people will return to circulate and interact more again. Something similar is also expected from COVID-19, but now without the ICU chaos because vaccines are boosting people's immune systems against the disease and fewer people will need intensive care.

The rest of your comment just does not deserve appreciation or time at all.


PS: COVID-19 is a disease. PPS: Ignorance, for some, seems to be an option.

puyoxyz commented 2 years ago

(one in particular that stood out was the .onion address redirecting to clearnet on form submission).

Not form submission, it's the link to the form, before you even put any information in. It's not like you're filling out a form on an onion site that gets submitted to a clearnet site (which would be bad), it's just the form is on the clearnet site (which is still bad but not as bad as if it was on form submission)
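
Added example, not part of the thread or of any participant's comment: a small audit that separates the two cases discussed above for a page served from an onion address, a link that navigates to a non-onion host versus a form whose data is submitted to one. The host names and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that move the visitor vs. pairs that carry submitted data.
KINDS = {
    "navigation": {("a", "href")},
    "submission": {("form", "action"), ("button", "formaction"), ("input", "formaction")},
}


def is_onion(url):
    return (urlsplit(url).hostname or "").endswith(".onion")


class OnionExitAudit(HTMLParser):
    """Record references on an onion-served page that resolve to a non-onion host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute target URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, pairs in KINDS.items():
            for pair_tag, attr in pairs:
                if pair_tag != tag or attr not in attrs:
                    continue
                # Relative and empty targets resolve against the page, so they stay on the onion host.
                target = urljoin(self.page_url, attrs[attr] or "")
                if urlsplit(target).scheme in ("http", "https") and not is_onion(target):
                    self.findings.append((kind, tag, target))


def audit(page_url, html):
    parser = OnionExitAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample input; both host names are placeholders, not real services.
PAGE_URL = "https://examplemailonion.onion/login"
LINK_CASE = ('<form action="/auth" method="post"><input name="u"></form>'
             '<a href="https://mail.example.com/signup">Sign up</a>')
FORM_CASE = ('<form action="https://mail.example.com/signup" method="post">'
             '<input name="u"><button formaction="/auth">Log in</button></form>')

if __name__ == "__main__":
    for name, html in (("link case", LINK_CASE), ("form case", FORM_CASE)):
        print(name, audit(PAGE_URL, html))
```

A "navigation" finding means the visitor leaves the onion service before entering anything; a "submission" finding means data typed on the onion page is sent to the non-onion host.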