Welcome
Subscribe(0/5)
Vote(0/5)
Sign Up()
Welcome to Reddit
Try out Reddit, subscribe to communities and vote on posts
Subscribe to 5 communities
Customize your home feed by subscribing to your favorite communities. Browse r/popular to find more.
Vote on 5 posts
Votes help move posts up the page! Upvote posts you enjoy and more people will see them.
Don't lose your subscriptions! Become a Redditor to get updates from your favorite communities.
Don't believe everything you read online about ProtonMail
As many of you may be aware, earlier today, criminals attempted to extort ProtonMail by alleging a data breach, with zero evidence. An internal investigation turned up two messages from the criminals involved, which again repeated the allegations with zero evidence, and demanded payment. We have no indications of any breach from our internal infrastructure monitoring.
Like any good conspiracy theory, it is impossible to disprove a breach. On the other hand, a breach can be easily proven by providing evidence. The lack of evidence strongly suggests there is no breach, and this is a simple case of online extortion.
Thus, we believe that this is a hoax and failed extortion attempt, and there is zero evidence to suggest otherwise. None of the claim made are true, and many of the claims are also unsound from a technical standpoint.
For instance, the criminals claim that ProtonMail is vulnerable because we do not use SRI (Subresource Integrity), but this claim is nonsense because ProtonMail doesn't use any third party CDNs (content delivery networks) to serve our web app. We only use web servers that we operate and control ourselves, specifically to eliminate this potential attack vector.
We are aware of a small number of ProtonMail accounts which have been compromised as a result of those individual users falling for phishing attacks (this is why we encourage using 2FA). However, we currently have zero evidence of a breach of our infrastructure.
Our present policy is to always resist extortion attempts, and we never make payments in response to third party claims and allegations, unless they fall under the scope and criteria of our bug bounty program, where we always welcome the submission of vulnerabilities.
Upon further investigation, we were able to trace the source of the rumors back to 4chan where they were originally posted by the criminals in question. The claims there include increasingly ridiculous assertions such as:
- CNN employees use ProtonMail and refer to the American people as prostitutes
- Michael Avenatti uses ProtonMail and has a BDSM fetish
- Private military contractors used ProtonMail to discuss circumventing the Geneva convention, underwater drone activities in the Pacific Ocean, and possible international treaty violations in Antarctica
- Rampant pedophilia among high ranking government officials who use ProtonMail
In other words, the allegations appear designed to fuel certain right wing conspiracy theories in order to gain more attention. We don't like to use the term, but this is starting to look very similar to "fake news."
Due to our refusal to give in to the extortion attempt, the criminals involved are now attempting to spread the allegations publicly to harm ProtonMail. The best way to ensure that they do not succeed is to ignore them. Thank you again for your support.
I second this message. It's fairly clear to me that this is an unsubstantiated campaign to discredit the service.
https://archive.4plebs.org/pol/thread/193609833/
This indeed seems to be a bold attempt to cause panic among users and force PM to pay to the “attackers”.
Anyway, just a couple of things to do If you don’t have 2FA enabled:
Change your PM password
Enable 2FA
If the password was reused for other services, make sure to change them there as well
Enable 2FA for each service that supports it
Start using the damn password manager if not already
Seriously.
+1 for Bitwarden, as you can self-host your database, but if you need maximum peace of mind, use Keepass. It's the king of security, but not ease of use in terms of keeping your database synced across multiple devices, at least not in the way Bitwarden is.
Well, I’d say Unix Password Manager can argue with KeePass as well ;)
keep your keepass encrypted file on a cloud service like box.com. easily sync'd across devices.
Yeah, and Syncthing is also an option, but I had too many conflicting datafiles when I did it that way, so I ended up migrating to Bitwarden.
I'm going to give it a try, do they give out anything like reference codes for hyping the service? If so, want to PM me one?
I use encfs encrypted keepass db synced over cloud. The keepass db itself having a password aswell a keyfile. For syncing I use dropsync,drivesync syncing the encfs container to cloud. I open the db through Encdroid local encfs container on android,which opens the keepass db using keepassdroid.
I use passwordstore.org with git and keybase.io as the remote git repo and tomb.
I don't think it's an attempt to get them to pay, I think it's an attempt to get publicity for their trolling by promoting a hoax that demands a response, even if that response is to completely denounce it.
The obviously nonsense demands to pay with no ability to prove anything are likely put in just so that this type of announcement would be released and various media accounts on twitter or whatever would pick it up and hopefully drive it memetically into the mainstream.
4chan loves a good "US government pedophilia ring" conspiracy
Considering it happened to the BBC I wouldn't be particularly surprised, but the evidence is just not there. Humans are great at seeing patterns where there aren't any, especially when those patterns align with their biases.
we certainly do tend to do that, but surely you admit that it must be more than coincidence that pizza is a triangle...and so are pedophiles
Hi,
thank you for the update. I understand this is probably a hoax, but it still raised few questions:
Is there a way for the end users to make sure the JS code that's running in the browser hasn't been tampered with?
How does Protonmail make sure that the code served by the web servers hasn't been compromised?
Would it be possible to improve Protonmail's security model so that end users would not have to trust you in a case similar to this one, but rely on cryptographic proof instead?
Wouldn't using an open-source, cryptographically signed app prevent most of those issues?
Thank you
Is there a way for the end users to make sure the JS code that's running in the browser hasn't been tampered with?
In a trust-less way? No. It's the fundamental problem with browser cryptography. There are a lot of sort-of solutions to it, but no magic bullet.
Wouldn't using an open-source, cryptographically signed app prevent most of those issues?
Yes, which I believe is one of their goals. You shouldn't need to trust the server at all (see: Signal). But PM is spinning a lot of plates and dealing with a lot of growth with a relatively small, under-funded team, so these things take time (to the undeserved ire of the community).
Ninja edit: the problem with an app or extension though, is that not everybody wants to use one. Webmail is extremely convenient. Unless they make the app mandatory (which would be foolish), you are still going to have a collection -- probably a majority -- of users who continue to use browser-based cryptography. See (1). The only way I see this changing is if/when desktop computers become a tiny minority of users, since using an app on a mobile device is undoubtedly easier.
That's what I thought about the JS part. Thanks
It would be nice to have an official answer from protonmail for the other questions. /u/protonmail ?
Is Protonmail more secure using Thunderbird as opposed to webmail?
You aren't vulnerable to any sudden changes in the webapp source code, but other than that it's the same.
I admire what the good folks at Protonmail do. It's crap like this--and the fear-mongering on Twitter that has followed in its wake--that reminds me why I don't run my own email server.
It’s fine to use the term “lies”. Let’s not give that silly fake news term any more traction.
It will be fake news once lies get spread through news sites...
Why don't you like to use the term "fake news"? What's the reasoning behind it?
The term has become politicized and we try always to stay neutral.
You use the term "right wing". That doesn't seem to be neutral. There are conspiracy fringes on both sides of the political spectrum. This comment from a loyal "plus" Paying member of ProtonVPN and ProtonVmail . Keep up the good work.
"Right Wing" is a common term though, like "Left Wing", or "Center of the Isle", etc...
Right-wing is a pretty standard term that isn't skewed. People on all sides of the spectrum can agree with the term.
With fake news, the term has been repurposed as a criticism of mainstream media rather than to refer to the actual fake news spread by politically-motivated individuals and groups - largely to the benefit of right-wing political parties.
Seconded. From reading your post it seems that your personal bias is left leaning, which is fine, but definitely not neutral. Many of PM's users left Gmail due Google's left wing politics and just wanted a politically neutral company that can provide an email service that respects privacy.
The term as used was not political as it was used merely as an objective descriptor. There are also left wing conspiracy theories out there. But as things stand, the extortionists were very clearly going after right wing conspiracies this time, with the references to CNN, Pizzagate, etc. So the use of the term as a descriptor, should not indicate any political ideology or preference.
This. Furthermore, not much is more emotionally/politically charged than "right wing conspiracy". Both sides are pretty good at spinning complete nonsense.
I use it everyday and l didn't experience any issues reported by most of some posts. Either l am lucky, or there is a lot of bad propaganda against PM!
The assertions may be crazy, but they also don't negatively impact the service. Criminals and creeps use legitimate services for nefarious activities all the time. They use cell phones. They use coffee shops. They wear underwear. No one is going solely to mailing letters and brewing coffee naked at home because 'muh criminals'. Proton Mail and the VPN is really awesome and I would imagine criminals would be attracted to it for the same reasons I am, but I'm still using it. And wearing undies.
You can't disprove something if it's non existent :) Like the flying pink elephant above my head right now, oh, yeah, it's real.
a breach can be easily proven by providing evidence.
I'm curious, what kind of evidence would this be?
Hashes of passwords of several users, from the internal password database, for example. Private PGP keys of several users, from the internal database.
Thank you for your statement. Your explanation of why you don't use SRI sounds plausible, but it would be great if you could expand on that a little.
Are there potential disadvantages like overhead, a reduction in usability or an increase in maintenance cost?
Playing devil's advocate with yourself, are there any potential advantages you can think of despite not using third party CDNs? Or would it be purely for a false sense of security?
I'd be happy for anyone else with a good understanding of SRI to jump in and address these points as well.
Hi,
Not sure I have a very good understanding of SRI, but from the documentation I read I understand it's used to verify that what you are served by the CDN is what you expect and that it hasn't been tampered with.
This is achieved by putting a hash of the assets in your code and then making sure the assets you fetch match the hash. This makes sense in a scenario where you trust your servers where your code is hosted and want to mitigate the risk of a CDN (not trusted) serving you modified scripts.
In the case of protonmail, everything is hosted on servers they trust, so SRI doesn't really make sense. If someone could gain access to PMs servers in order to modify the content of the web app, they would also be able to modify the hashes that are used to compare the subresources, making SRI useless, and maybe giving the users a false feeling of security because "they use SRI".
In short, from what I understand, using SRI would not help because everything is hosted on ProtonMail's infrastructure, and gaining write access to ProtonMail's code would mean "Game Over" for ProtonMail anyway.
The issue here is that we have to trust ProtonMail that they have protections in place in order to prevent unauthorized code modification or detect it.
Maybe my understanding of SRI is wrong, but it would be appreciated if /u/ProtonMail could give us more information here, especially on whether or not they have a system in place to make sure the code they host on their servers hasn't been compromised.
This is a correct understanding. We don't use a CDN, so there are no untrusted third parties serving our code.
individual users falling for phishing attacks (this is why we encourage using 2FA)
Curiosity question in general, not specific to ProtonMail: 2FA just imposes a time-constraint on a phishing attack, right ? If I type my login info and TOTP value into a bogus login page, that page/hacker has 30-60 seconds to turn around and use the info to log in to my ProtonMail account, right ? Which is pretty easy to do.
Seems to me that 2FA really is protection against shoulder-surfing (someone seeing my password as I type it) or brute-forcing the password (they'd have to brute-force my TOTP also). True ?
Yep, if phishers know that they are dealing with a site that offers 2FA, they typically forward the request automatically to the actual page to get a valid session. At least if they know what they are doing.
What would really help against phishing is U2F (Yubikey etc), as the U2F standard takes the domain you authenticate to as a parameter, therefore what you send the hackers will always be different as to what will be valid towards the actual service and they will not be able to obtain a valid session.
I have no reason to doubt the ProtonMail team when it comes to transparency. There are many ways to disrupt a service. For instance, you may not be able to poison hamburgers at a particular fast food franchise you dislike, but you can still cause disruption by falsely convincing customers that their hamburgers have already been poisoned. Either way, directly or indirectly, you can negatively impact the company.
They won't get away with this so easily though. The Proton community is pretty smart. These criminals? Not so much. We have uncovered quite a bit of information about them which we will be sharing with law enforcement.
Note that 4chan.com is a web site used by members of the US alt-right. It is those people who executed the second Macron hack just before the French presidential election. Steve Bannon was informed of this by Jack Posobiec who at the time had a White House press pass as being in the employ of the conservative One America News Network (Rebel network). The first hack of then presidential candidate Emmanuel Macron was Russian and defeated with the help of NSA. The second was successful but of no importance as performed only two weeks before the election and immediately the subject of a ban on any publication of content by the Electoral commission.
Note that 4chan.com is a web site used by ...
BRONIES!
Clearly Rainbow Dash is involved somehow!
I absolutely love Protonmail! I've had some FREAK fatal attraction woman hijacking EVERY account I've created EXCEPT PROTONMAIL. I've had my account for over a month now and they can't infiltrate their security. I've been having to buy a new phone every month and no matter what security app I use they've hacked into my Google and Gmail account before I get home. Even after that, they still can't access PROTONMAIL! Keep up the good work guys, and while you're doing such a fine job, why don't you go teach those idiots at Google how it's done. First you'll have to convince them they're vulnerable. They are so ARROGANT IT'S SICKENING.
Honestly, you should get in touch with someone you trust and who knows more about security. Gmail is not easily hacked, Gmail has one of the best security systems in place that one can have from an authentication side. This sounds more like you are falling for something or a device is infected on your side.
There is no question in my mind that this is a targeted disinformation campaign. The fact that ProtonMail is offering robust security and privacy options to the masses is pissing in someone’s Cheerios. I’d say that’s a good thing. You guys are making it hard for these douche bags. Strong work!
Just my opinion but the ‘Right Wing conspiracy' component in the OP implicates a political ideology without offering objective and/or empirical supporting evidence. I’m not sure it adds to the Privacy & InfoSec discussion in all honesty.
We thought the term as used was not political as it was used merely as an objective descriptor. There are also left wing conspiracy theories out there. But as things stand, the extortionists were very clearly going after right wing conspiracies this time, with the references to CNN, Pizzagate, etc. So the use of the term as a descriptor, should not indicate any political ideology or preference.
I'm disheartened to learn that a company I have a very high opinion off is being targeting by extortionist thugs. I will continue to support you guys by maintaining my paid account and sharing the value you offer with anyone who will listen.
As far as the "politics" piece, I'm not questioning ProtonMail's motives behind the wording just that it rubs some people the wrong way as evidenced by some of the other post.
This is something we went back and forth on a few times. The issue we have with leaving it just as "conspiracy theories", is that people naturally will ask, which ones? So in some respects, it's necessary to point out which type of conspiracy theories the criminals are trying to flame. We appreciate your comment though, and will continue to give this more thought and discussion internally
15.4k
Subscribers
146
Online
Official subreddit for ProtonMail, an secure email service based in Switzerland. ProtonMail is privacy-focused, uses end-to-end encryption, and offers a clean user interface and full support for PGP and standalone email clients.
Please limit discussions to ProtonMail or online security/privacy topics. Other discussions can go into sister subreddits linked below.
No low-effort posts.
Please try to avoid political discussions. Exceptions include privacy specific laws that can impact ProtonMail or posts on the official blog.
5,546 subscribers
5,546 subscribers
275,029 subscribers
384,037 subscribers
29,912 subscribers