item 27326243

ProtonMail includes Google Recaptcha for login

287 points | Hard_Space | 4 years ago | github.com

298 comments

protonmail | 4 years ago
A few comments about this.

A very small fraction of logins get the CAPTCHA challenge. We, and other services, face unrelenting brute force attacks on our login endpoints. If you are seeing a CAPTCHA on login, chances are that something about your connection is suspicious to our system. It's far from perfect, and we continue to improve it, but at most a percent or two of users are seeing CAPTCHA at any time.

The CAPTCHA is run in an iframe on a separate domain to sandbox it from the Proton login flow and prevent it from compromising the webapp. Obviously Google still gets some information, but we do all we can to limit this.

CAPTCHAs are very hard to build, especially considering Google has a habit of clearing the field with its own captcha-breaking code. Most companies do not have the resources to build their own. We had an alternative CAPTCHA we were going to use as a replacement a few years ago and then the company behind it went bankrupt. We are currently looking to replace ReCAPTCHA with hcaptcha, which should alleviate some of these problems.

We have other strategies which we are also exploring to try to reduce the need for CAPTCHAs entirely, but these are also not trivial to build and integrate into all clients.

TL;DR It's a small fraction of users who are affected, it's necessary to protect our users from brute force login attacks, we don't like it either and are working hard on replacements.

neilv | 4 years ago
I'm going to put you on a spot a bit, because this seems important to ProtonMail's viability, and I want you to keep succeeding...

> Obviously Google still gets some information, but we do all we can to limit this.

When you cause a request to be made for ReCaptcha, it seems that you're leaking enough information to (in many cases) link a possibly-pseudonymous Protonmail account to an identifiable individual.

(For example, even if you leak nothing else than times that individuals identifiable by Google logged into unidentified ProtonMail accounts, Google can already see various external activity of specific ProtonMail accounts, and you've given them temporal correlations between activity of pseudonymous accounts and logins by identifiable individuals. That's not the only example, but even that alone seems a significant risk.)

And it seems to be a real risk: Google is in the business of doing things like that, has a track record of doing things like that, and presumably is more than capable enough of doing it some more.

> but at most a percent or two of users are seeing CAPTCHA at any time.

That sounds like a lot. And the "at any time" sounds like an even higher percentage of users are potentially being compromised by the use of ReCaptcha.

> we don't like it either

I'm not yet convinced that this is the least of all evils. And I don't know how much you have to dislike it before you decide not to do it.

For persuasive effect, is it helpful to imagine the reaction of your philosophical adversaries, when they heard that ProtonMail was using ReCaptcha? I just imagined some of them laughing derisively or incredulously. I don't say that to be mean, but I don't understand the rationale for using ReCaptcha, and I want to emphasize that it seems to be a problem that threatens ProtonMail's raison d'etre and/or brand image.

(BTW, I'm assuming this ReCaptcha choice isn't due to legally-compelled cooperation in unmasking specific accounts -- in which case I wouldn't say anything -- since, in that case, I expect you'd find a way to comply without misrepresenting the rationale to everyone else. I've seen ProtonMail thinking ahead to avoid related conflicting obligations and assurances.)

(BTW, I'm speaking here of Google as an adversary of your customers, and therefore of you, only because that seems to be how your product is positioned, and why you have customers at all, rather than everyone just using GMail. I'm not saying that Google is bad; only that I think it should be considered an adversary from your perspective.)

jjav | 4 years ago
A captcha of any kind on a paid service (or a storefront where I'm looking to pay money) is an absolute deal breaker for me. I will not be clicking on lights and stop signs to be able to pay money.
owly | 4 years ago
Thank you for explaining here, I really appreciate the work you’re doing and understand the non-trivial work it takes to protect users. While I’d love a Google free experience for PM, I also love having a near zero chance of a brute force attack. I’m a paid PM user and have been using it since the very early beta days. I never see the CAPTCHA on any OS, but I only connect from about 5 different IPs or while using ProtonVPN.

Off topic: please implement font size adjustment capability on iOS!

infogulch | 4 years ago
Maybe some basic stats would concretize the problem for some commenters.

E.g. What was the ratio of failed logins to successful ones before implementing captcha? Now that you've implemented captcha, what is that ratio among the population of users not presented with captcha, compared to the population that is? How many attempts did adding the captcha stop?
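Proton's comment above describes challenging only logins whose connection looks suspicious, and infogulch asks for the before/after numbers. As an added illustration (not Proton's code, and not how their system actually scores a connection), here is a per-IP sliding-window step-up rule replayed over a constructed login log; the thresholds, IP addresses and log format are assumptions.

```python
from collections import defaultdict, deque

FAIL_THRESHOLD = 3   # failures from one IP inside WINDOW trigger a challenge (assumed value)
WINDOW = 300         # seconds (assumed value)


def parse_log(lines):
    """Constructed format, one attempt per line: '<unix_ts> <source_ip> <account> OK|FAIL'."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "OK"))
    return events


class StepUpPolicy:
    """Sliding-window failure counter per source IP; decides when a CAPTCHA is required."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def needs_captcha(self, ts, ip):
        q = self.failures[ip]
        while q and ts - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        return len(q) >= self.threshold

    def record(self, ts, ip, ok):
        if not ok:
            self.failures[ip].append(ts)


def replay(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Replay a log and return the figures the thread asks for: attempts challenged,
    and fail/success counts overall versus among unchallenged attempts."""
    policy = StepUpPolicy(threshold, window)
    stats = dict(total=0, challenged=0, fail=0, ok=0, fail_unchallenged=0, ok_unchallenged=0)
    for ts, ip, _user, ok in parse_log(lines):
        stats["total"] += 1
        stats["ok" if ok else "fail"] += 1
        if policy.needs_captcha(ts, ip):
            stats["challenged"] += 1  # attempt is stopped at the CAPTCHA step
        else:
            stats["ok_unchallenged" if ok else "fail_unchallenged"] += 1
        policy.record(ts, ip, ok)
    return stats


# Constructed log: two legitimate users plus one IP spraying guesses across accounts.
SAMPLE_LOG = [
    "100 203.0.113.5 alice OK", "110 203.0.113.5 alice FAIL", "111 203.0.113.5 alice OK",
    "120 198.51.100.7 bob OK",
    "200 192.0.2.9 alice FAIL", "201 192.0.2.9 bob FAIL", "202 192.0.2.9 carol FAIL",
    "203 192.0.2.9 dave FAIL", "204 192.0.2.9 erin FAIL",
    "300 198.51.100.7 bob OK",
    "900 192.0.2.9 frank FAIL",  # older failures have aged out, so no challenge here
]
```

With the sample log, only 2 of 11 attempts are challenged, both from the spraying IP, while the legitimate user who mistyped once is never challenged; the aged-out failure at t=900 shows the window length is itself a tuning knob.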

drdavid | 4 years ago
I think a part of the problem is many people don't know what CAPTCHA really does and that even smaller numbers of people know exactly how much traffic is abusive in nature.

Good luck with the fight.

pull_my_finger | 4 years ago
> A very small fraction of logins get the CAPTCHA challenge. We, and other services, face unrelenting brute force attacks on our login endpoints. If you are seeing a CAPTCHA on login, chances are that something about your connection is suspicious to our system.

IME CAPTCHA will make your internet use unbearable if you a) are from a non-Western geo-location or b) use a VPN. VPNs like the service you provide, which a fair number of your email users probably avail themselves of. It's fair to say a smaller number of "internet users" get CAPTCHA hell (which I also doubt), but I wonder if the ratio of Proton* users actually skews the other way.

tpoacher | 4 years ago
This is seriously skirting the issue. OP didn't complain about your use of robot detection. OP complained about your use of GOOGLE's robot detection, which is not privacy preserving. There are many other robot detection services out there, many of which are arguably more effective at detecting robots too.
sudoaptget | 4 years ago
Your statement does decrease my confidence with your company...
krageon | 4 years ago
It's not necessary, as you could use a different captcha or challenge segment. Nobody is forcing you to use Google's solution, that is your choice.
kossTKR | 4 years ago
Why / Who is DDOS'ing protonmail? Is it just a consequence of having a SaaS of a certain size that you become a target?
gerash | 4 years ago
What's the problem with using ReCAPTCHA? Is it not the best tool for the job?
junon | 4 years ago
There are countless alternatives. Why did you choose Google?

> TL;DR It's a small fraction of users who are affected

Yes, though any of your users can be affected, randomly, without warning.

cowpig | 4 years ago
When I started my company we chose to use Protonmail. My advice to anyone who wants secure email: don't use protonmail.

The email search is completely useless. I don't understand how it can possibly be so difficult to do a substring search on a corpus and rank them in some kind of sane way. Searching for old emails based on content is an exercise in futility. After a few years of using an email service, search becomes really important.

It is exceedingly difficult to pull data out. You need dev ops skills to do it.

They charge for users that are disabled, and you can only stop paying for them if all of the associated data is deleted.

So they effectively hold your data hostage (yes, you can get it out but it is time-consuming and requires technical skills).

I finally bit the bullet and paid a dev ops person (and gave him access to all my data) and switched to fastmail (at least it's not google) a few months ago. It's been an incredible relief.

protonmail | 4 years ago
A few clarifications. There is an export tool that is available. The reason we must count disabled addresses towards your quota is because if we did not do that, we would be susceptible to an attack where a paid user could run through our address space by creating and disabling addresses continuously, so some limits are required. You can remove disabled addresses, but only by contacting support.
bassdropvroom | 4 years ago
Note: due to the design of PM, the search is done client-side rather than server-side. It's not an excuse but at the very least, full-text search is harder.
buu700 | 4 years ago
> They charge for users that are disabled

Took me a second to figure out that you weren't claiming accessibility was only supported at an extra cost.

jjcon | 4 years ago
I’ll second this, I love the idea of proton mail but the product isn’t anywhere close to ready for daily driving. Great for the occasional should it arise however. Encryption should be a selling point and it seems like they use it more as an excuse.
amelius | 4 years ago
It used to be the case that both ProtonMail and FastMail were frequently recommended on HN. So, how is FastMail doing in comparison?
fnord77 | 4 years ago
aren't all messages encrypted on the server? that would make search difficult because no server process could read them. all your emails would have to be pulled into the client for decryption first.
marmaduke | 4 years ago
> exceedingly difficult to pull data out

Their “bridge” lets you use a regular imap client, which makes it trivial.

ulimn | 4 years ago
I think the search doesn’t include the message of the email because it’s encrypted and it would have to decrypt every single email to do it.

// Or something like that, I’m dumb for cryptography :)

snotrockets | 4 years ago
My own advice re secure email is that there isn't such a beast – you just can't apply what is expected from modern secure messaging, like having no insecure fallbacks, forward secrecy, encrypted metadata, etc.
IAmGraydon | 4 years ago
Try to register a new Protonmail email address normally and you can do so without supplying too much information. Try to do so through Tor, and you will not be able to proceed without “verifying” the account with a phone number. This pattern (they want either your IP or a phone number) tells me they’re likely interested in tying accounts to real identities and shouldn’t be trusted with anything private. I would even go so far as to suspect Protonmail of being a honeypot. Oh…I’ll just leave this here:

https://privacy-watchdog.io/truth-about-protonmail/

nexuist | 4 years ago
> they’re likely interested in tying accounts to real identities

I don't think it means they're interested in tying accounts to a specific identity, just an identity, to prevent bots or bad actors from signing up for thousands of accounts. This is a necessary reality of being an email provider. If you do not police your outbound mail then other mail servers will block or auto-junk your users' messages.

There is no way to preserve privacy while also not becoming a festering ground for Viagra spam mail.

gloriousternary | 4 years ago
I'm not saying you're wrong, but that particular source is well known for making big claims with insufficient evidence, and it reads like it was written by a conspiracy theorist. Many of the author's claims have already been (imo, pretty solidly) refuted by Proton.

Disclaimer: using protonmail until my current subscription runs out, then selfhosting

arkadiyt | 4 years ago
Their response on twitter [1]:

"The recaptcha, when it shows up (in rare situations), is sandboxed so that it doesn't send any data to Google. We are also in the process of replacing it with hcaptcha."

Not sure what possible sandboxing they could be referring to - if they load the captcha in an iframe from a different origin then it is true that Google's javascript can't access things on the Protonmail origin, but the concern seems to be that your data is sent to Google (which is still happening even with sandboxing, their tweet cannot be correct), not that Google's recaptcha javascript would have done something malicious on the Protonmail origin (which seems unlikely).

In any case, at least they're moving to hcaptcha.

[1]: https://twitter.com/ProtonMail/status/1398657423913668614

eatbots | 4 years ago
As a fan of ProtonMail, will just add a few points:

Every popular online service today is being continuously attacked. Bad actors get a lot of economic value from credential stuffing, account takeovers, and fake registrations, especially on email services.

This is why CAPTCHAs exist. They are one of the better tools in the defender's arsenal to increase the cost of attacks.

Building and maintaining a good CAPTCHA service is both hard and requires a high level of continuous development, since every day people are waking up and trying to figure out how to break it.

This means almost every company that tried building their own in the past has switched to either hCaptcha or Google, since it is not practical for even large companies to maintain their own solution these days.

Why was ProtonMail originally using Google? Probably because for many years it was the only plausible option until hCaptcha came around, and they needed to protect their users.

We're working with them now to switch over to the enterprise version of hCaptcha, which:

1) includes privacy-preserving features that let them decide exactly what user data hCaptcha sees and when, and 2) guarantees what happens to any data received via a data processing agreement, and 3) isn't run by an ad network.

hCaptcha doesn't care who you are and ensures all data is ephemeral, since unlike Google we're not trying to sell ads targeting you.

(disclosure: work there)

aboringusername | 4 years ago
Although it seems to go against the spirit of Protonmail and its ethos I'm not exactly sure there are many good options, hcaptcha is the lesser of two evils and a fundamental requirement on the modern web.

Even HN requires a recaptcha if you fail too many times (and it's also based on IP).

If you want to blame anyone blame:

1: The bad actors spamming logins

2: Google for essentially monopolizing captcha

hcaptcha proves there's a market/demand for alternatives, this is HN, if you dislike it, go build a better alternative than Google's and I am sure PM will be only too pleased to switch.

Complaining is easy, actually changing something is more difficult.

(P.S. I challenge anyone to deploy a system used by tens of thousands and not have any abuse/rate limiting systems, you'll soon be turning to captchas at some point)

protonmail | 4 years ago
This headline is unfortunately misleading. Recaptcha is not used on every login (this is verifiable). It only appears in rare situations when it is required to prevent abuse.
pphysch | 4 years ago
An email/SaaS provider that explicitly markets themselves as "private", complaining that "CAPTCHAs are very hard to build", and will therefore sacrifice user privacy is too rich.

What in tarnation are we paying you for?

toastercat | 4 years ago
I can recommend Migadu. Worth it if you already pay for a domain (which you should, imo, to have a portable e-mail address). I pay for the $19 annual plan and find it sufficient, and I love the flexibility of the admin panel.
______- | 4 years ago
> I find this very absurd to see.

This is absurd indeed. hCaptcha[0] is a better alternative though, and I wouldn't mind if they used that instead of reCaptcha. I never liked the carpal tunnel that reCaptcha introduces.

[0] https://www.hcaptcha.com/

edoceo | 4 years ago
Another user-hostile. Folks laugh when I say I run my own email (FreeBSD/Postfix) and "why build your own mail client"? Because, inevitably, all these for profit service providers turn against me.
somedude895 | 4 years ago
Wow I did not know that. What a blunder. I guess I'll have to reconsider my subscription as well then.
alexanderdmitri | 4 years ago
I was scratching my head this week when they were releasing the time the 'Hamas' bomb threat email came in with regard to Belarus hijacking that flight.

It seemed rather fine-grained knowledge of specific communications that doesn't serve the narrative of privacy first. The articles I read made it sound like ProtonMail had just decided to share details on it rather than a more formal, court-ordered process.

I know in this situation there aren't too many people who would raise questions, but it did strike me as strange given how they market their service.

boardwaalk | 4 years ago
I just tried logging into Protonmail in my regular browser and with a private mode window and didn't get a captcha in either case.

Not saying it may not appear for others but I didn't see it.

permo-w | 4 years ago
> [from a commenter on the OP, in reply to the Protonmail response] If an Incognito Mode Web Browser with a graphical user that actively moves his mouse, types in the password in non-automated manner, key by key - not copy/pasted and not auto-inserted within a millisecond - seems suspicious by your system - then I have to say your ways of identifying or classifying suspicious behaviour is very flawed. There are way better, already solved ways, to do this.

If you know this, then I guarantee that the people making spam bots know this too. This is a very naïve argument.

prepend | 4 years ago
Also seems particularly odd to even have recaptcha on the email login page. Who cares if robots check email so it doesn’t seem user friendly to prove humanity to read email or get a login error.
msh | 4 years ago
I don't know if the hn protonmail account is an official account or a fan account, but it seems quite unprofessional and really scares me off being a protonmail customer.
protonmail | 4 years ago
We apologize for that. It's a weekend and we are working on giving folks responses as quickly as possible. Therefore, the responses are more to the point than usual.