
enjolras
Dead are useless if not to love the living more
- Feb 13, 2020
- 1,293
Intro :
Contrary to popular belief, ProtonMail is a sub-optimal email service in terms of privacy and security, and even more so if manipulated awkwardly, without a clue. An overview explaining how terrible ProtonMail really is can be read here
digdeeper.neocities.org
ctemplar.com
A suggestion of superior email service is offered.
This will be a more surface-level guide than the CTemplar one, since the detailed reasoning has already been provided with CTemplar, extending into Proton's (& other providers') drawbacks. The focus will be on actions, rather than on explaining why.
———————
What if you used ProtonMail in the past, not paying attention (to what will be described on this topic) ?
If your account could still be accessed, on a computer :
- download & install the Brave browser, launch it, open a "Private tab, proxied w/ Tor"
Visit the URL dark.fail, retrieve one active "Tor Project" .onion URL to copy-paste in the address bar of Brave
- download the Tor executable, close Brave, launch Tor, go to the dark.fail URL again, retrieve the ProtonMail .onion URL, copy-paste it into Tor
- login to your Proton's mailbox
- delete messages left hanging around in every folder (Inbox, Sent, Draft, Trash, Archive, etc.)
- finally, delete the account permanently
Notwithstanding these actions, according to Swiss law, your data will be held by ProtonMail servers for another 6 months before (supposed) deletion on their part happens, thus exposing you to potential prosecution following a meticulous investigation by LE eventually.
For new users, or old ones in need to use Proton again, let's start ALL OVER with better opsec practices.
————————
Mission : register a free ProtonMail account without revealing one's IP address, giving away a phone number to receive SMS, giving an identifying email, or making a donation (by PayPal / card), all of which could create a trail.
There are not many solutions, if any at all, at the time of writing, to achieve the goal appropriately. Here we go
UPDATE, new solution : ProtonMail changed its policy to accept CTemplar emails during the registration stage, finally. Therefore, instead of creating a sub-private (with VPN) email with Tutanota (see the 1-2-3 directions below), CTemplar (with Tor) arguably is a level above (directions here), then resume the tutorial at step 4
1) Apply the steps of the previous paragraph, to install Brave then Tor confidentially
2) Go get a free VPN demo for 1-2 days. Options :
a) send an email to [email protected] or [email protected], requesting a trial of their VPN
Open a "Private tab with Tor". Load the dark.fail URL, retrieve the .onion URL of Mullvad VPN or cryptostorm and copy-paste it on the address bar of Tor
Once the website is loaded, download the VPN installer for PC/Mac/Linux, then install the software
b) Less stealth : launch Tor, go to www.bolehvpn.net and apply for the Free Trial (top left corner) via their web form. For the purpose, don't use your personal email but a new dedicated fresh one, non disposable (if you have access to RiseUp emails following an invitation, use their alias system, otherwise use any random email, why not www.gmx.com)
3) Once set up with a free VPN, connect to a VPN server. Secondly, launch Brave, open a basic "Private tab" (withOUT Tor). Load the www.tutanota.com website. Sign up for a free Tutanota account. If Tutanota rejects the IP of the VPN, switch VPN server(s) - or VPN provider - until it works. It's also possible Tutanota will apply a 48h hold period to guard against abuse before emails can be received, which will be needed at the next step; in that case, wait 2 days
4) Once Tutanota is obtained, launch Tor, load dark.fail, retrieve the ProtonMail .onion URL there, load it on Tor.
Now let's try to force an anonymous Tor registration to get a free ProtonMail account.
Enter a unique username (not one used frequently online) and a complex password, but NO recovery email, then proceed.
At the next page, 2 scenarios can occur. The one we don't want, where Proton doesn't offer to register via email.
In other words, Proton doesn't like our Tor exit node. Blacklisted, it rejects it...
Our countermeasure : we will change the relay of Tor nodes used (therefore the exit one as well), until Proton accepts another Tor IP address, fresher / not yet burned, whitelisted this time >> hit the "New identity" button of Tor
Tor will restart. Repeat the steps (dark.fail, Proton .onion, start the registration), again and again if needed, until you hit the second scenario. Then, we're good to go
Use the Tutanota email here.
Voilà, now we cracked the many pitfalls of ProtonMail that tries to put down our identity. We've got an account with much better privacy by a mile.
—————————
Routine process :
* From now on, consult ProtonMail's webmail strictly, behind Tor & .onion (+/- Tails OS - following @HelensNepenthe's guide - or VPN if no Tails)
IF tempted by the mobile apps of Proton instead, think twice, or sincerely consider using a good trusted VPN (like Mullvad, at 5€ per month, paid by cash or Monero indirectly via Bitcoin), connect to it before the app is opened and until it's closed, in order to mask your IP
* NEVER write down a sensitive subject line for emails sent out. ProtonMail does NOT encrypt them.
protonmail.com
It could profile the intent of your communication (encrypted body) and serve as evidence against you.
Instead, title your emails with an innocent approach line...
* Delete all emails in all folders at the left vertical tree, as soon as you don't need them anymore ...since Proton has a data retention period of 6 months, the sooner you delete messages, the wiser.
* Delete the Proton account as soon as it becomes unneeded (refer to the 1st image of this post)
https://sanctioned-suicide.net/thre...email-delayed-missinginaction-ctb-feats.39344
Since CTemplar is a lot less adopted (in May 2020), it's your duty to convince contacts to upgrade, including the merchants subject to sell controversial items, for your own further benefit and ease of use (like with ProtonMail, it's best to connect 2 users of the same email service, to achieve optimal end-to-end encryption by default).