ProtonMail launches Tor hidden service to dodge totalitarian censorship

ProtonMail, the privacy-focused email business, has launched a Tor hidden service to combat the censorship and surveillance of its users. The move is designed to counter actions "by totalitarian governments around the world to cut off access to privacy tools" and the Swiss company specifically cited "recent events such as the …

  1. Anonymous Coward

    How long...

    ...before some country mandates that NO encrypted connections be allowed unless they can be decrypted and/or parsed by the state (that should help deal with stego since if they can parse it, they can mangle it, too). After all (this is according to THEM), what legitimate reason would any person need for any amount of gibberish. After all, if they can't trust the State, the State can't trust THEM, with inevitable results.

    1. lglethal Silver badge

      Re: How long...

      Ahh I believe that has already happened in the UK with the Investigatory Powers Act.

      1. paulnick2

        Re: How long...

        To stay safe from the investigatory! People should start using encryption tools like VPNs because they change your location & keep you anonymous. After this law, I also started using purevpn

        1. mwnci

          Re: How long...

          You really think Governments in the 20 years won't control VPN access for the average citizen? Large institutions/ Businesses will still be able to utilise it, but I can rapidly see the point where Governments legislate and control VPN. Commercial entities are already lobbying for it to be heavily controlled, Sky, Amazon, Netflix and others are losing out to KODI. Whether you like it or not, the Internet is about to fracture along the lines that the Internet Society.org highlighted a fair few years back. It's depressing, but inevitable the "Wild West" years of the Internet are over and increasing governance and control, monetisation of the internet is being exerted. Governments are learning, and if you cannot change the habits of the user, then they will shift the controls to the ISP. To be clear I'm neutral in this argument, but I can see that Governments will not stand idly by, and the ISP's are easiest to regulate and cut individuals off. http://www.ispreview.co.uk/index.php/2016/11/uk-isps-send-internet-piracy-warning-letters-early-2017.html

          1. Dabooka

            Re: How long...

            Although somewhat simplified, I think you're right; you can see the direction this is going to go in, and if anyone actually thinks they can't put the genie back in the bottle, they're very much mistaken.

            I have no problem with protecting commercial interests online, but sucking my email and browsing habits in the process? Get bent. And all those Kodi lovers are playing right into the hands of folks like this.

            1. Charles 9

              Re: How long...

              They'll just turn it into an either-or, helped along by the IoT controversy. Eventually, the Internet as it is will become an untraversable cesspool of anarchy where any unprotected connection is quickly used to hijack and pwn you regardless of the device (everything I've said has existed at some point, some smartypants simply needs to put them all together). Pretty soon SOMEONE will propose to redo the Internet from the beginning: this time with full attestation at all points; no more anonymity.

              It's the same thing with government. The human condition means any "desirable" form of government cannot survive in the really long term. In the end, it will usually degenerate because the system gets too imbalanced; people find ways to cheat and beat the system, creating resentment if not hopelessness which then drives the have-nevers to do anything to survive, resulting in either anarchy or ruthless put-downs and a police state to prevent repeats. Anything in between will just result in one of the two again: ANY freedom can be exploited to produce chaos.

              1. Ken Hagan Gold badge

                Re: How long...

                "Pretty soon SOMEONE will propose to redo the Internet from the beginning: this time with full attestation at all points; no more anonymity."

                I could live with that. The bad governments can already tell (if they want to) if you are connecting to an end-point that lies outside their control, so today's VPN fans are already subject to the sort of traffic analysis that such a proposal would allow. On the other hand, a reliable (or even semi-reliable) method of determining where content had come from would make your average spam filter about a billion times more accurate.

                Anonymity on the internet is like guns in real life. If you have it, you are either already known to the government and doing it within local law, or you are outside the law and they'll come down on you like a ton of shit if they ever find out.

                The solution is to fix your government so that they aren't a bunch of control freaks. Merely using technological band-aids to make it hard for them will just make them angry control freaks.

                1. Charles 9

                  Re: How long...

                  "The solution is to fix your government so that they aren't a bunch of control freaks. Merely using technological band-aids to make it hard for them will just make them angry control freaks."

                  Problem is, you pretty much HAVE to be a control freak to have any real interest in government; otherwise, you'll steer away from it. How do you solve this problem of the human condition?

          2. Anonymous Coward

            Re: How long...

            I find it funny you said all of that yet the internet piracy warning letters won't cut off someone's internet so read the article before you post, in the end the "Wild West" years of the Internet are not over and they will never control VPN.

            1. Charles 9

              Re: How long...

              You bet your life? They'll control VPN and all the other obfuscation avenues simply by controlling encryption as a whole (say by declaring it a munition). If any and all forms of encryption are going to be controlled, even steganography is going to be a stretch, especially for anything of volume.

        2. davemcwish

          Re: How long...

          @paulnick2 And how long will you be able to trust [VPN Provider] assuming that you can do already and that their 'no logging policy' is real?

    2. RealBigAl

      Re: How long...

      Didn't India (and possibly others) already do this which almost got Blackberry kicked out of the country, before they faded to irrelevance?

  2. Anonymous Coward
    Joke

    "Freemium"...

    The "mium" is Latin for "not really"...

  3. Roger Kynaston

    Not sure it will fly much

    When they first suffered their DDOS attacks I set up an account as much for fun as anything. Recently with mad May's actions and the Orange one over the way I started wondering if I would use it in anger. Logging in with good strong passwords and then decrypting the mailbox is not too difficult but I cannot imagine a. n. user being prepared to go through the process of creating strong passwords and storing them in keepass/whatever. Then having to go through the dual process of logging on and decrypting the mailbox.

    I am still glad that they are there. Could email standards be changed so all emails are encrypted by default? Ha!

    1. wolfetone Silver badge

      Re: Not sure it will fly much

      "...I cannot imagine a. n. user being prepared to go through the process of creating strong passwords and storing them in keepass/whatever."

      You can't save everyone, they're going to have to find out how little the state trusts them the hard way.

    2. Palpy

      Re: Not sure it will fly much

      Yes, the dual log-in may put some people off. OTOH, it's good awareness practice-- it demonstrates that security is the user's own responsibility. It isn't something somebody else always does for you.

      I'm not sure how I would use ProtonMail "in anger" -- I just don't have the kind of contacts that throw bombs. But yes. One can do things like use Swiss email, Swedish cloud (but still: encrypt, encrypt, encrypt!), and boot from a privacy-oriented distro on an encrypted thumb drive. If nothing else, it's good to become familiar with the shadowlands when the times threaten to become dark.

    3. cmannett85

      Re: Not sure it will fly much

      "Then having to go through the dual process of logging on and decrypting the mailbox."

      Not true anymore: https://protonmail.com/blog/encrypted_email_authentication/

    4. LewisRage

      Re: Not sure it will fly much

      Just signed up, they've recently moved to a single password system.

  4. Anonymous Coward

    Additionally, the onion site also has a valid SSL certificate issued to Proton Technologies AG by DigiCert.

    But what's the value of this, when your browser has 100+ other certificate authorities in it - any one of which could be coerced by a nation state to issue another valid certificate for the same hostname?

    1. This post has been deleted by its author

  5. Anonymous Coward

    it will happen

    they will block protonmail in the UK, sooner or later, although I don't know how, technically. They will find a good or lame excuse to amend a law. A terror attack will be a good point at which to rush through such legislation. Or just good old "...research has shown that 4 out of 5 known terror groups such as ISIS favour protonmail as their method of communications, and in the light of the latest attack, it has become inevitable that such services, while also used for legitimate purposes, play into the hands of those who, blah blah blah.

    1. Anonymous Coward

      Re: it will happen

      "I don't know how"... erm... just like how they blocked thepiratebay.org they just blocked it, no legality required... censorship in the UK is a reality, the government doesn't have to obey the law... the investigatory powers act was simply to legalise what they have been doing for 10 years already... that is why there was a rush to get it in under EVERY government in recent times.

      It's irrelevant if it's legal. No government thinks legal is a thing that applies to them.

      1. wolfetone Silver badge

        Re: it will happen

        It'll get to a point where even VPN traffic is blocked by ISP's, unless you produce a certificate to use the software (like you would with buying a gun). If you have no certificate then you get blocked and can't access it.

      2. Anonymous Coward

        Re: it will happen

        they got a court order to block thepiratebay.org but no one cared because we all got around it with VPNs

        1. Charles 9

          Re: it will happen

          In this particular case, it would be difficult to attack protonmail the onion service without pinpointing and attacking the actual physical server. That was what it took to take down Silk Road on TOR and KATorrents on the Clearnet.

  6. Alan J. Wylie

    Certificate Transparency Log entry

    https://crt.sh/?id=78086775

  7. Anonymous Coward

    CERN

    ProtonMail is NOT affiliated with CERN!

    The founders just met there and then they hint at the affiliation and the media are buying it hook, line and sinker.

    It's great, but very dishonest, marketing. This is the reason I refuse to use them. If they are dishonest about this, then what else are they dishonest about?

    1. Adrian 4

      Re: CERN

      Well, fine .. so do you have a better suggestion ?

      1. Ken Hagan Gold badge

        Re: CERN

        "Well, fine .. so do you have a better suggestion ?"

        Well, yes, actually. It's called "nothing".

        If I have something to hide then publishing it in the clear amongst general internet traffic is almost certainly safer than using a system that inevitably attracts the attention of the spooks and is run by people about whom all you know is that they are untrustworthy.

        1. Charles 9

          Re: CERN

          The problem being if you have something to hide then someone else probably knows what it is you're trying to hide, meaning posting it in the clear anywhere runs the risk of traffic sniffers picking it up. "Hiding in plain sight" doesn't work well against a Panopticon.

        2. cmannett85

          Re: CERN

          "If I have something to hide then publishing it in the clear amongst general internet traffic is almost certainly safer..."

          Bollocks: XKEYSCORE

    2. julian.smith

      Re: CERN

      Nobody said they were affiliated with CERN.

      Which part of:

      "First launched in 2014 by scientists who met at CERN"

      don't you understand?

      The dishonest one is YOU

      Similarly, your anonymity advice is worthless.

      JERK

  8. alexsapps

    But hidden services don't help censorship?

    Tor already lets users bypass country firewalls, and it lets them connect to regular websites, not limited to hidden services. So why does ProtonMail need a hidden service to get around censorship?

    I thought hidden services only hide the location of the service. Everyone already knows the location of the service is Sweden.
