Follow

Protonmail is an independent email provider with no ads, instead using a traditional monthly subscription business model.

You can follow them at:

➡️ @protonmail

Their website is at protonmail.com

They also have Fedi accounts for their VPN service (@protonvpn) and Calendar service (@ProtonCalendar).

· · Web · 1 · 8 · 13

@FediFollows @protonvpn @ProtonCalendar Thank you for recommending our suite of secure products! Your support means a lot to us.

@protonmail @ProtonCalendar @protonvpn @FediFollows I suggest avoiding #ProtonMail until they fix their #CAPTCHA problem. Protonmail is forcing people to solve an #hCAPTCHA. And worse, it's occasional, so users may only encounter the CAPTCHA after they've distributed their @protonmail address to others, at which point users are trapped.

@FediFollows @protonvpn @ProtonCalendar @protonmail #Protonmail claims the #CAPTCHA is to mitigate abuse, but they push the CAPTCHA to those simply trying to *read* messages (hardly a vector for abuse). The fact that they are using an hCAPTCHA indicates they are doing this for profit. That is, hCAPTCHA pays Protonmail every time a user solves the CAPTCHA.

@protonmail @ProtonCalendar @protonvpn @FediFollows i currently have unread messages that are trapped by #Protonmail's #hCAPTCHA, even though my account is quite old and proven to be a non-abusive account.

@resist1984 @FediFollows @protonvpn @ProtonCalendar @protonmail #Protonmail just became less interesting to #Debian users in particular. The only 3rd-party FOSS desktop app with static js is #Electronmail, and Electronmail cannot be installed on the next Debian release (#Bullseye). This means Debian users will be forced to trust dynamic js from the website.

@SaulRS951 @protonmail @ProtonCalendar @protonvpn @FediFollows @resist1984 I don't know what AUR means. All linux users can install #Electronmail given enough effort. The .deb file does not simply work for #Bullseye users because a dependency has been removed. There is a replacement library but it's not a drop-in replacement (the client src must be adapted).

@resist1984 @protonmail @ProtonCalendar @protonvpn

I've been using Protonmail for several years and have never seen a captcha. I have no memory of it happening even once.

I'm not denying it has happened to you, but it probably isn't as widespread as your wording implies?

I have a paid account, maybe this is something related to free accounts?

@FediFollows @protonvpn @ProtonCalendar @protonmail I've also not seen CAPTCHAs for yrs which is likely due to that fact that #Google charges a fee to use #reCAPTCHA. It was very recent (like less than a month) that #Protonmail switched to a CAPTCHA that /generates/ revenue for them (hCAPTCHA), so expect them to become more common. Certainly they've placed the CAPTCHA trigger in a position of high frequency (at login not on sending).

@resist1984 @protonvpn @ProtonCalendar @protonmail

Most of the comments in the github discussion (github.com/ProtonMail/WebClien) are in favour of hcaptcha over recaptcha.

If there's a problem with hcaptcha and you have a better alternative they should use, please tell them about it in the git thread I have linked to.

Not a developer, but get the impression from quick read of the thread that there is a lack of viable alternatives.

@FediFollows @protonmail @ProtonCalendar @protonvpn That's not what I consider an open discussion platform.. that's exclusive for MS #Github users. Github is not a good venue for FOSS tools with a security/privacy mission. Solving an hCAPTCHA or reCAPTCHA prior to /reading/ email is unacceptible. There are lots of CAPTCHA alternatives, but as users we seek alternatives to bad tools. E.g. Tutanota does not impose CAPTCHA upon login.

@protonvpn @ProtonCalendar @protonmail @FediFollows The CAPTCHA problem is an extension of another #Protonmail problem: there is no POP3 service. If users had pop3 service, there would be no CAPTCHA problem. Paying customers can get a "bridge" which perhaps circumvents the CAPTCHA, but users of gratis accounts do not have that option.

@resist1984 @protonmail @ProtonCalendar @protonvpn

I think we all have to make compromises at some point if we are to achieve anything.

I have particularly strong feelings about the slave labour used to make computers and devices, including FOSS ones. But I accept we need to use these unethically made devices in order to encourage projects like @Fairphone

If you want Protonmail to change something, the first step has to be to tell them what needs changing and what it should change to.

@FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail This Mastodon thread herein serves both purposes: 1) to inform #protonmail of the problem, and 2) to suggest privacy seekers look elsewhere for email until the problem is resolved.

@protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows I should also mention that there are non-CAPTCHA fixes to the problem of password attacks: When a password is incorrectly entered, the server can force a delay before allowing another attempt on the account that was tried. The delay can be long enough to completely render brute force attacks useless.

@FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail Both #Protonmail and #Tutanota are increasingly calling for users to make more and more compromizes. I keep teetering back and forth on which gratis ESP I suggest to novice users. It looks like Tutanota may be a better recommendation at the moment. But certainly this race to the bottom of sorts is disturbing as they both services get progressively worse.

@protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows If anti-features continue to develop, at some point the better recommendation will be something like Thunderbird + Enigmail, which essentially means we'll have to disregard ease of use & pressure novices to increase their tech proficiency.

@resist1984 @protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows do people use desktop apps for email anymore? Besides businesses using Outlook? Thunderbird + Enigmail is a high level of friction.

@1ll173r47 @FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail #Protonmail users who are not keen to take on the risks of on-the-fly dynamic javascript absolutely do use #Electronmail. Thunderbird does not work with Protonmail unless the user subscribes to get the bridge service, but TB can serve novice users who use a conventional email service in a way that gives e2ee. Otherwise webmail is risky.

@resist1984 @FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail I wonder what the numbers are. If someone is conditioned to using webmail on desktop and apps on mobile, electronmail or thunderbird and enigmail requires lots of work. Yeah, protonmail and tutanota aren’t perfect, but they are drop-in replacements. Less cognitive load for people looking to change.

@1ll173r47 @protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows I don't know what the numbers are, but if we were to survey, we'd have to divide the stats into 2 catorgies: expert-to-novice and novice-to-novice (probably safe to assume expert-to-expert comms excludes webmail). The novice-to-novice case is probably a disaster on par with gmail-to-gmail no crypto, or at best proton_web-to-proton_web.

@FediFollows @Fairphone @protonvpn @ProtonCalendar @protonmail @1ll173r47 For expert-to-novice, if it's long term w/frequent contact, I use mutt & pressure the other user to use electronmail, & I walk them through putting my pubkey in their address book & exporting their key. That's rare though. Most often I can't get away w/imposing that burdon on them, so I have to use electronmail & i'm happy enough just to get them on protonmail.

@1ll173r47 @protonmail @ProtonCalendar @protonvpn @Fairphone @FediFollows It seems to be getting harder to impose #protonmail in any form on the other (novice) party, in which case I generally impose #Wire. And now that #protonmail is pushing CAPTCHAs, i'm somewhat embarrassed to insist that they use protonmail. Wire is going to be filling that gap more going forward. Or #tutanota-to-tutanota, but that's a pain b/c tuta doesn't have msg notification.

@resist1984

Just throwing this out there, why not force people to use a pgp/gpg (whatever people like to call it) key? You definitely can do this on any mail service since like, the age of BBS’s. If the comms are critical why even use a service?

@1ll173r47 @protonmail @Fairphone @FediFollows
@resist1984 The client isn’t even a factor, you can copy and paste the cypher text in any client web or otherwise no problem…

@1ll173r47 @Fairphone @FediFollows @protonmail
Show newer

@resist1984 @FediFollows Hi, thank you for sharing your thoughts. Please be aware that we switched from reCaptcha to hCaptcha as it is more privacy friendly. We had relied on reCaptcha since 2014 (it appeared on rare occasions, which is why few users noticed it) as it was the only captcha solution that was not broken at the time. We would love to read your suggestions for better captcha alternatives though, and we can share them internally for consideration.

@protonmail @FediFollows A good alternative is github.com/daniel-e/rust-captc --but the bigger problem is when the #CAPTCHA is used. I'm still blocked by it. If my account has really been under attack for several days, why hasn't #Protonmail sent a notice to the notification email address on my account?

@FediFollows @protonmail It's very unlikely that my account would be under attack (the ppl who have my #Protonmail address are not adversarial in the slightest). I do not solve CAPTCHAs & I also will not pressure others to use a platform that pushes CAPTCHAs on them, so I have no choice but to discontinue #protonmail. I often insist that normies reach me via PM but that has become unsustainable.

@FediFollows

Good alternative for captcha services - fosstodon.org/@blueberry/10578

From my experience with lemmy, it seems like a good alternative. Maybe @LemmyDev could give us more insight.

@resist1984 @protonvpn @ProtonCalendar @protonmail

@futureisfoss @protonmail @ProtonCalendar @protonvpn @LemmyDev @FediFollows That's a decent alternative. I also suggest this article (& when reading it, mentally substitute "recaptcha" w/both recaptcha and hcaptcha): nearcyan.com/you-probably-dont

@resist1984 @protonmail @ProtonCalendar @protonvpn

There seems to be a (very, very long) discussion of this topic here:

github.com/ProtonMail/WebClien

There's an interesting back and forth between ProtonMail's rep and others, I think it would be worth reading this if you're interested in what's going on.

It's an open issue too, so you can raise points in the discussion if you think they are missing something important.

Sign in to participate in the conversation
Mastodon

This is a brand new server run by the main developers of the project as a spin-off of mastodon.social 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!