Is Proton Mail Really Private, Secure, and Anonymous?

Apr 07, 2024
Today we are going to explore a slightly controversial topic that claims that Proton Mail, one of the most popular private email services, acts as a powered honeypot, and if you don't know what a powered honeypot is, it is generally a service that is illegal, such as a dark web drug site, or something that criminals or dissidents may be interested in for their activities, such as encrypted phones, encrypted emails or anonymous VPNs, but the service is actually run by the feds to try to catch those criminals or dissidents. Now, before we begin, there is no hard evidence that Protonmail is a honeypot.
I'm not going to show you a photo of some CIA agent removing hard drives from one of Protonmail's data centers. There's nothing like that, but there's a lot of suspicious activity going on with Proton Mail, and in some cases it is the same type of activity that we see with known honeypots, so let's take a look at the claims that Protonmail makes about its service. This is their home page, so we see that it is a secure email based in Switzerland. So Protonmail claims to be secure: Swiss privacy, security and data neutrality, it is incorporated in Switzerland and all their servers are located in Switzerland, which means that all user data is protected by Swiss privacy laws, end-to-end encryption, anonymous email, open source, easy to use, and they have a calendar and a drive, and that only talks about their features. So these are a lot of bold claims, especially the ones made here about end-to-end encryption and anonymous email service, so let's compare this to another supposedly private email service, cock.li.
You probably don't want to use this service for anything professional because the email domains you get are a little extravagant, but let's take a look at their privacy claims below, where it says "How can I trust you?" You cannot. cock.li does not scan your email to, uh, here let me zoom in a little bit, uh, does not scan your email to provide you with targeted ads, nor can cock.li read the content of the email unless by legal court order; however, it is 100% possible for me to read the email, and IMAP/SMTP does not provide client-side user-side encryption, so you will have to take my word for it. Any encryption implementation will technically still allow me to read email too; this also applies to Lavabit.
Well, your email was stored encrypted only if you were a paid member, which most people forget. Email can still technically be intercepted while being received, sent to SMTP or read by your IMAP mail client. For more privacy we recommend encrypting your emails using PGP using a mail client plugin like Enigmail, or downloading your mail locally with POP and regularly deleting your mail from our server. Even though, you know, they have funny domains and all, this is actually an honest description of what a so-called private email service can do for you. Nothing about email is inherently private.
It was not designed to be private. Sure, you can add encryption to it, but at the end of the day, you still have to trust the service provider. This is the same reason why I recommend VPNs like Mullvad instead of NordVPN, because Mullvad makes honest claims about what their VPNs can do. Now, I understand that Protonmail doesn't use this approach because it is trying to attract people to switch from Gmail or Hotmail to one of their services. They are trying to become a major email service provider, and if they would just come out and say, hello, you basically have to trust us not to do creepy things with your email, obviously
most people will say, well, why should I switch to you? Why should I trust you over my current provider? I have already built up years of trust with them. So let's start looking at some of these other claims, like the end-to-end encryption. The hater actually has a whole video on this topic, so you can watch it if you want to learn more about this specifically, but essentially, the encryption which Protonmail provides in their browser app, which is this here, is not as reliable as encryption that would be on an Android, iOS or desktop app.
It's more vulnerable to man-in-the-middle attacks, and it's also easier to check if your version of an app is the same as everyone else's than to check if the login page you get for Protonmail is the same as everyone else's. Even Protonmail themselves admit this on their threat model page, that webmail is more vulnerable to man-in-the-middle attacks than apps, but despite this most of their users will still log in via the web app. Then there is also the difference between intra-domain emails and inter-domain emails, so intra-domain would be when one Protonmail user sends messages to another Protonmail user. That can be encrypted, as long as the provider actually implements it, because encrypted POP3 and encrypted IMAP are usually not the default protocols, but let's assume they are doing all that.
If you instead wanted to send an email from Protonmail to Gmail, that would be a cross-domain exchange and requires two different mail transfer agents, in this case Protonmail and Gmail, to communicate with each other, and this communication between the MTAs will use SMTP port 25, which cannot be encrypted. They have to communicate in plain text, so anyone who is sniffing the traffic between these MTAs will be able to see the plain text, or maybe it will be base64 encoded, but decoding that is very trivial. Anyone who knows how to sniff traffic knows how to decode base64.
The metadata of your emails is also not encrypted, and this metadata often includes things like your IP addresses, the IP address of the email server, the name of your computer, the timestamps of when the messages were sent, the subject of the email and of course the email address of both the sender and recipient. So with all that in mind, let's reexamine Protonmail's claim about end-to-end encryption. "We use end-to-end encryption and zero-access encryption to protect emails. This means that we cannot decrypt or read your emails. As a result, your encrypted emails cannot be shared with third parties." So the only way to try to interpret this as an objective statement would be when they say that zero access encryption has two secure emails as the only secure email you can use is Protonmail, because any domain outside of Protonmail, be it Tutanota, cock.li or Gmail, will not be fully encrypted.
It is now possible to encrypt the body and attachments with PGP, which is the separate technology that makes protonmail easy for people to use. We will automatically attempt to perform PGP encryption, but if your threat model includes state surveillance or possibly even private investigators or hackers, they can still glean a lot of information from your unencrypted metadata alone. In fact, we know that this is the primary data that agencies like the NSA are after, and if you think about it, it's pretty common sense, so let's say you sent an email to a known drug dealer on April 20 with the subject line "Whoa," and then you go to the ATM to withdraw some cash.
I know you used that email to organize a drug deal. It's obvious. I don't need to see the body of the email. I can just infer from the metadata and your actions what you are doing. It doesn't take a genius to figure that out. And then, speaking of drugs, let's take a look at Protonmail's onion site. Okay, they have a .onion domain on Tor, and I think the way this site is implemented is one of the biggest proofs that Protonmail is a honeypot, because their onion service is designed to de-anonymize you using similar techniques to other well-known honeypot onion services, so let me show you what I'm talking about.
Go to their onion site. They are using a v3 address, which is good. HTTPS, for some reason; I don't really understand it, since the traffic to onions is already end-to-end encrypted with multiple layers of encryption along the way. But look what happens when I go to create an account. Look, I'm not on an onion site anymore, now I'm on their clearnet site. There is no reason to do this, in fact it is a very bad idea to do so, as browsing clearnet sites on Tor provides much less protection from surveillance than browsing onion sites along the route.
You're probably thinking, well, they'll still see a Tor IP address when I sign up, so I can still sign up in a fairly anonymous way. Well, let's see what happens, so let's try to create a free account. Let's select a free account plan. I'm just going to close this so it doesn't use any more bandwidth. So let's create my, um, my email account and make a password, repeat the password, create an account. Okay, so let's add a highly recommended recovery method, so I can use email or phone. Obviously if I'm trying to set up an anonymous account on Tor, I'm not going to want to provide any kind of recovery email or phone, so let's skip that, confirm, select a free plan, and now I can see it.
You're forcing me to use an email or phone number for SMS, which you obviously don't want to do if you're trying to create an anonymous account. Now, it's understandable why they're doing this, because I'm on Tor, and a lot of times spammers and other types of people just create thousands of accounts on Tor and then, you know, they basically use them for spam and other things like that, but there are other ways to avoid this, like you can do what Tutanota does. I mean, they don't even let you use email, I think, for 48 hours after you create it, so that's an option. But let's see, okay, let's try to pay them some money, surely that should be enough to prove
I'm a real person, so let's select the four euro option, but get this, there's no option for you to pay anonymously. You can use credit or debit card or PayPal. They don't accept Monero, which is the only type of currency you should really use on the darknet, or maybe, you know, mail cash to someone if you want to trust them. They don't even offer bitcoins, which usually powered honeypots will at least give you a bitcoin payment option and then claim that it is anonymous when in fact it is not. If we go back to Protonmail and examine the anonymous email claim, "no personal information is required to create your secure email account," that is a lie, and I just demonstrated that it is a lie. "By default,
do not save any IP logs that can be linked to your anonymous email account." Well, here's the thing, so, you know, you're saying you don't keep IP logs, but the thing is you need to have my IP in order for the service to function. It is not as if we were using ARPANET or some other exotic network protocol that does not require the use of an IP address; you need to have one. Communicating without an IP address would be like trying to mail a letter without putting a mailing address down, and instead of me being able to censor my own IP when signing up, because you're not giving me that option, you're just telling me, oh, we don't keep your IP address, trust us. So this anonymous email claim is completely false, and this end-to-end encryption claim is, I guess, somewhat false; again, if you interpret it to mean that secure emails are just Protonmail, then I guess that's true. So these are the biggest concerns I have about Protonmail. There's also an article on the privacy watchdog called The Truth About Protonmail which lists, I think, 11, yeah, so there's another 11 reasons not to trust Protonmail, ranging from things like the Swiss government having a large stake in the company, and the Swiss government not actually being as privacy conscious as you would think, to the CIA and NSA being involved in creating Protonmail, to Protonmail themselves using a DDoS protection service located on the street of the Israeli Mossad headquarters. Now, many of the things listed in this article here are debatable. You can actually go to the Protonmail subreddit and see some arguments between the author of this article and one of the arbiters of truth, a Reddit moderator, and then you can decide for yourself from those arguments and this article whether or not all of that is true, but I'm not going to dwell on this too much because it's basically he-said-she-said stuff and, frankly, I don't even care too much if Protonmail was created by the NSA.
I use AES all the time and stuff. It was created by the NSA. I care more that Protonmail misrepresents claims about their encryption and implements their onion service in such a strange way that it looks like they are trying to de-anonymize users. Now you're probably wondering, if Protonmail isn't as private or anonymous as they claim to be, what private, secure, anonymous email options exist? Here's the black pill, my friend: there is none. Email isn't designed to be private or anonymous. Even if you host your own email server in your own home, with your own intrusion detection system designed to melt the server with thermite or blow it up with C4 if the feds ever came to take over your server, they will still be able to collect metadata when you use your email, and they will still be able to see cross-domain messages, which won't be encrypted, and that is what the feds are most interested in collecting anyway. So the moral of the story is don't use email for illegal activity or political dissent, period.
