So now Proton is completely blocking account creation through their onion address? I have standard protection, javascript enabled. Time to switch for those who use this service, as they are ditching Tor and Switzerland?
While on dread recently I stumbled across this old post regarding issues with their onion addresses https://encryp.ch/blog/disturbing-facts-about-protonmail/
When a user makes a new account with Protonmail on TOR they are re-directed from Protonmail’s “.onion” to “.com” address. This breaks your secure encrypted connection to their onion address, enabling your identification. There are absolutely no technical reasons for this feature. In fact, the only other websites that operate like this are suspected NSA/CIA Honeypots.
I previously commented I would write the support, now I actually read the docs first and found out why:
If you want to create an account over tor you can, just not via the clearnet URL, probably due to rate limiting by IP address. However if you use their Onion Link as specified in this article by their support (https://proton.me/support/tor-setup) it works just fine (as far as I just tested). So great! Because using .onion services is far more secure than accessing clearnet over Tor anyway.
Here is the URL, verify it with the link in the support article tho: https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/
The onion link was used, please see my screenshot first…
Huh, that’s weird. Because it worked for me… they must be rate limiting Tor.
I checked that (together with the clearnet link) a few times recently, got a nondescript error like “sorry something went wrong” every time.
Change your route, people using tor with the same exit as you are doing too many username checks.
As I said in my previous comment, the onion site was used, so they don’t have access to the info and IP of my exit node, and, anyway, I have tried to change the circuit and access again but without success.
Just tested it, same here. Clearnet works but tor not. I will contact support since part of the reason I like to pay for unlimited is to subsidize free, anonymous accounts.
Edit: here is my other comment:
I previously commented I would write the support, now I actually read the docs first and found out why:
If you want to create an account over tor you can, just not via the clearnet URL, probably due to rate limiting by IP address. However if you use their Onion Link as specified in this article by their support (https://proton.me/support/tor-setup) it works just fine (as far as I just tested). So great! Because using .onion services is far more secure than accessing clearnet over Tor anyway.
Here is the URL, verify it with the link in the support article tho: https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/
Have you actually asked proton support about this issue, if so what have they said?
It seems like you got frustrated and instead of trying to get help you decided to complain on lemmy.
Hi, they have an average response time of 1 month. Probably it’s not useful when you want to create an account now, yes? “instead of trying to get help you decided to complain on lemmy” and what? proton blocked tor, it is their decision, it is not a bug. I have my other email provider so I do not need to beg proton to unblock tor registration. My objective was to inform lemmy users about this, I did not ask for help in my post as you noticed. If proton company is interested in their customers they can monitor such complaints but since they “cut their presence” on mastodon and opensource media platforms it will not happen.
The average response time is nowhere near a month.
It seems more and more this was a bad faith post. I’m not sure I believe you even use proton.
Look, for me it is not important if you believe me or not. I don’t beg you to ditch protonmail
You say that and yet you feel the need to respond and down vote.
If you didn’t care about what others thought you wouldn’t have made the post.
Just let’s not play Hannibal Lecter’s dialogue and stop the conversation.
So odd how this works for everyone else who tries it and support answers them in less than a month’s time…
Do not believe others, try it yourself.
You are blocked for lack of interest in conversation.
proton blocked tor, it is not a bug
How do you know?
Is it a joke? Please see the pic attached to the post; if you don’t believe it, try it yourself.
A lot of push against Proton on here lately. Makes me suspicious.
It should be possible to criticize a mail provider without being flooded by its evangelists. Especially proton, their image of privacy does not reflect reality at all
Not saying it’s some sort of conspiracy theory, but it do be kinda sus. People are just quick to hate Proton over anything. It’s like bias confirmation. They seem to be justifying their hatred, or looking for reasons to do so. I mean, “leaving Switzerland”? Really?! I thought that was because Switzerland was considering a privacy-unfriendly law. That’s bad, now?
Valid criticism is suspicious?
OP said they are blocking tor users. I say the error message might just be legit and someone is spamming username existence checks through Tor.
Removed by mod
I am deeply sorry to whichever moderator I offended so much that they needed to delete my comment. Thanks to your guidance I have now learned to hate Proton like a good lemming and will boycott them for the rest of my life as penance for making you cry.
There’s been evidence in their github repo that they’re using LLMs to code their tools now.
It’s making me reconsider using them.
There’s evidence they use the very popular tool cursor that many devs and large companies use.
LLM is avoided by many experienced developers and competent medium and small companies.
Tools like cursor are sometimes ok for small things like people learning, or to generate boilerplate.
But it is seen by some as a warning flag when it’s in source code for larger projects
This comment is meaningless.
What red flags? Why is it a red flag if an experienced developer used cursor on a larger project? Put it into words.
It’s very time consuming to detect and correct the small mistakes that LLMs make. Beyond one or two lines of code, it becomes much more time consuming to correct the multitude of subtle mistakes vs coding it myself. I use code completion that comes with my IDE, but that is programmatic completion, not LLM, and is much, much more accurate and in smaller chunks that are easy to verify at a glance. I’ve never known any experienced developers who have had a different experience. LLMs can be good for getting a general idea of how to code something in a new language or framework I’ve never touched before and more to help find actual examples rather than use the code directly in the IDE, but if I were to use LLM code directly that would be in a test project, never, ever in production code. I would never write production code in a language I’ve never used before with or without an LLM’s “help”.
When adding code this way, one needs to look it over and read to fix bugs or things that are not quite correct; stats show experienced developers often are faster not using this approach because debugging existing code takes longer than writing it fresh.
The speed is not the issue.
What matters is sometimes subtle bugs are introduced that require several people to catch. If at all. These issues might be unique to the LLM.
Having large sections of generated code offers the possibility of hard to find problems.
Some codes are more sensitive to such issues.
The details of how the code was added, and what it does, may render this issue harmless or very much a problem to be avoided.
This is why it’s a flag and not a condemnation
No wAy something popular and megacorp-embraced could be bad. Asbestos, lead pipes, 2-digit dates, NFTs, opiates, sub-prime lending, algorithmic content, pervasive surveillance, etc must have just been flukes.
No wAy something popular and megacorp-embraced could be bad. Asbestos, lead pipes, 2-digit dates, NFTs, opiates, sub-prime lending, algorithmic content, pervasive surveillance, etc must have just been flukes.
All technology wields a double edged sword.
Sure, but with all the mistakes I see LLMs making in places where professionals should be quality checking their work (lawyers, judges, internal company email summaries, etc) it gives me pause considering this is a privacy and security focused company.
It’s one thing for AI to hallucinate cases, and another entirely to forget there’s a difference between = and == when the AI bulk generates code. One slip up and my security and privacy could be compromised.
You’re welcome to buy in to the AI hype. I remember the dot com bubble.
You’re welcome to buy in to the AI hype.
We’ve been using ‘AI’ for quite some time now, well before the advent of AI Rice Cookers. It’s really not that new.
I use AI when I master my audio tracks. I am clinically deaf and there are some frequency ranges that I can’t hear well enough to master. So I lean heavily on AI. I use AI for explaining unfamiliar code to me. Now, I don’t run and implement such code in a production environment. You have to do your due diligence. If you searched for the same info in a search engine, you still have to do your due diligence. Search engine results aren’t always authoritative. It’s just that Grok is much faster at searching and in fact, lists the sources it pulled the info from. Again, much faster than engaging a search engine and slogging through site after site.
If you want to trade accuracy for speed, that’s your prerogative.
AI has its uses. Transcribing subtitles, searching images by description, things like that. But too many times, I’ve seen AI summaries that, if you read the article the AI cited, it can be flatly wrong on things.
What’s the point of a summary that doesn’t actually summarize the facts accurately?
As the other guy said, double edged sword. Asbestos was fucking great, and is still used for certain things because it’s great. The poor interaction with human biology was the other side of the sword.
An aside, I just pulled a fuck load of vinyl asbestos tile out of a house a year ago and while it wasn’t actually all that dangerous because I took proper precautions it’s sorta scary anyway cause of the poor interaction thing.
I think you don’t know what “evidence” means. It’s barely a clue.
It’s a single data point, nothing more, nothing less. But that single data point is evidence of using LLMs in their code generation.
Time will tell if this is a molehill or a mountain. When it comes to data privacy, given that it just takes one mistake and my data can be compromised, I’m going to be picky about who I park my data with.
I’m not necessarily immediately looking to jump ship, but I consider it a red flag that they’re using developer tools centered around using AI to generate code.
Bullshit.
Does anybody know valid alternatives to proton mail, I think they have been enshitified
There is a relatively small number of shared Tor exit node IP addresses.
So it’s more likely using Tor will trigger “too many attempts for IP” throttling for any service with bot protection.
It’s nothing against Tor, but is an expected side effect of attempting to be anonymous by sharing the same IP address with many people.
Tuta ? But only for mail AFAIK.
Mailbox.org (option if you want custom domain) or Posteo.de
I use the posteo.de provider, it costs 1 EUR per month, 3 addresses, they have inbound encryption of emails as proton, also they don’t accept crypto but you can pay by cash and card and “All of our payment methods are anonymised using a payment system developed by Posteo. We do not link payment information with email accounts.” You can learn more about their privacy features on their site https://posteo.de/en/site/features#featuresprivacy
Why are you trying to sign up for Proton if you already use another provider?
I’m sorry, can’t you have multiple email accounts anymore? Privacy and all that, remember?
Sure you can. Wouldn’t that have been an easy excuse for this guy to reply with instead of all this defensive bullshit?
How is this question related to my post about proton blocking registration through their onion site? Sorry, but I am only interested in responding to questions directly associated with this or other email providers. My decision to try proton as an additional service should not be the problem…
Seems a fair question to ask someone who makes a post to direct people away from a service under the presumption that they were trying to use it, only to find in the comments that they already use a different service that they not only enjoy, but are happy to freely advertise for.
Also, your justification for their lack of crypto payments is that they use a payment system they designed themselves, which I find funny since most of the complaints I see about Proton (granted, not yours) is the unverifiability of their operations, leaning on “Just trust me, bro.” which is the same thing as this site’s payment processing system. 🤭
It’s not a fair question; people can use multiple email providers, especially a privacy conscious person would know that. proton logs your ip and gives it to the police when they ask, without warrant
They had a warrant.
It’s okay to have privacy concerns regarding that, but don’t make shit up to make it sound worse than it was.
Did you have so much free time to criticise me instead of doing something important? Such a good decision.
Instead of being so defensive about it you could just answer the question… Did you have so much free time you decided to try signing up for a service you had no intention of using just so you could complain about it?
You don’t know if I signed up for posteo after or before trying with proton.
You are blocked now for offensive behaviour and insinuations about me.
Have a good day bro, LOL
Is it that maybe someone on your exit node is trying to enumerate valid accounts?
I tried a new circuit before publishing this post, without success. But considering that I use their onion address, they could not see my tor exit node as far as I know, anyway.
Good point, but also who is enumerating the accounts may have been using many circuits.
Yeah, I’ve had to go through 20 or 30 circuits once to make Google’s captcha allow me through. It just failed with the message “Unusual traffic from your computer network”. Someone was probably running a botnet, as this only happens rarely. If Google wanted to block Tor, they’d have done so by now anyway.
He used the onion address, which doesn’t go through an exit node like regular darknet-to-clearnet traffic.
and what can they apply that limit to, if not to all tor visitors? It’s not like they can distinguish them.
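The disagreement above about exit nodes versus the onion address can be made concrete with a small model. This is an added example, not code from any commenter or from Proton. It assumes a generic sliding-window limiter keyed on the source address the web server observes, with constructed thresholds and addresses, and assumes onion-service connections are handed over by the local Tor daemon so they all arrive from loopback.

```python
from collections import defaultdict, deque

WINDOW_S = 60       # assumed window length in seconds
MAX_ATTEMPTS = 5    # assumed per-key budget within one window


class SlidingWindowLimiter:
    """Sliding-window limiter keyed on the address the server observes."""

    def __init__(self, window=WINDOW_S, limit=MAX_ATTEMPTS):
        self.window, self.limit = window, limit
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # expire old attempts
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def observed_address(client):
    """Source address seen by the web server (constructed model)."""
    if client["path"] == "clearnet":
        return client["ip"]        # the client's own address
    if client["path"] == "tor_exit":
        return client["exit_ip"]   # shared by everyone on that exit relay
    return "127.0.0.1"             # onion service: no client address at all


def simulate():
    """One enumerating client per path, then legitimate signups at t=20."""
    limiter = SlidingWindowLimiter()
    # Constructed traffic using documentation address ranges.
    bots = [
        {"path": "clearnet", "ip": "198.51.100.7"},
        {"path": "tor_exit", "exit_ip": "203.0.113.10"},
        {"path": "onion"},
    ]
    for t in range(20):                       # 20 username checks per bot
        for bot in bots:
            limiter.allow(observed_address(bot), t)
    users = {
        "clearnet": {"path": "clearnet", "ip": "192.0.2.44"},
        "tor_same_exit": {"path": "tor_exit", "exit_ip": "203.0.113.10"},
        "tor_new_circuit": {"path": "tor_exit", "exit_ip": "203.0.113.99"},
        "onion": {"path": "onion"},
        "onion_new_circuit": {"path": "onion"},  # circuit is invisible to the server
    }
    return {name: limiter.allow(observed_address(u), 20)
            for name, u in users.items()}


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:18s} {'allowed' if ok else 'throttled'}")
```

Under these assumptions a new circuit helps only on the exit-node path; on the onion path every visitor shares one bucket, so a service that wants to separate them has to key on something other than the source address.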
What makes you think this has anything to do with Tor?
Because I can easily create an account on clearnet
That’s it?
What else should be tested? I think this guy deserves praise for his methods
Definitely a lot more than that should be tested before declaring they’re “ditching Tor”. If that’s what they were doing this site wouldn’t even exist.
What is the purpose of the site if you can’t use it for registration? Regarding your notice, Reddit has an onion site too, for example, but I can’t log in to my account after sign-up either… Facebook has an onion site too, but if you sign up through the onion site they will restrict your account and ask for ID… So maybe it’s not something that important?
What is the purpose of the site if you can’t use it for registration?
I’m saying the site not working is likely unintentional, and the result of some sort of technical error.
I remember when they had an onion domain and the signup button would redirect you to the clearnet page for signup. Afaik it also did that bullshit at some other places. So I wouldn’t be surprised.
yup, i keep saying it.
A while back I tried to create an account with vpn and got notice that said something about how I couldn’t use it to validate other accounts without validating that account because other companies had threatened to label them as untrustworthy or spam.
Proton always felt like a scam to me. Their claims on privacy and security are questionable at best.
My issue exactly. Their marketing isn’t careful, which I would expect from a security focused business.
To me it’s not that they market their security, I think it’s still meaningful. If they actually don’t keep unencrypted messages, that rids them of the need to hand over past data when police comes knocking. But the way they do discounts, the way they publish prices on the pricing page, and things like that make me question whether I really want to recommend this to others.
If they still hold the private key, your mails aren’t encrypted. And even if it’s the case you still have to trust them that they don’t save the plaintext email somewhere else before they run their encryption.
you still have to trust them that they don’t save the plaintext email somewhere else before they run their encryption.
and that’s what I do. I trust that they are doing it. what better can I do? the other option is to use a provider that 100% is not doing that, which does not seem to be better. or hosting it for myself, which maybe a small minority of people are capable to do it
Thus this feature is a “nice-to-have” that should not be relied on.
Yeah, that’s the issue. At some point you have to trust the provider or host yourself. I know from friends who worked at my email provider that they actually encrypt and not save it but that’s a luxury not everyone has.
That’s an inherent issue with email though, not Proton specific
Their software is open source and you can verify it yourself.
You can’t verify that they actually run that on their servers.
So, they operate a repo of open source code as a cover for their internal repo of completely different code?
I’m not saying they do that. But you have to trust them that they don’t do it. You can never prove it.
Are there any non-self-hosted services where that’s not the case?
No. That’s why I wouldn’t trust protections that depend on something serverside, like encryption in the web client.
No. It’s an inherent compromise you have to deal with. At least with email hosting.
Now with LLMs to provide extra security (not)
I got that same error when I was setting up my account.
that sucks, this means no more hiding metadata. However, they aren’t ditching switzerland (yet) - this only happens if the government applies the new surveillance rules which is not set in stone yet.
I use pgp and host mail myself. It’s not as hard, and it’s by far less problematic than a lot of people make it out to be. Don’t trust hosters.
I generally agree with you but my current threat model allows it
that sucks, this means no more hiding metadata. However, they aren’t ditching switzerland (yet) - this only happens if the government applies the new surveillance rules which is not set in stone yet. I could agree with you but my threat model currently allows me to use third party providers