Better than Signal?
MoonshineMidnight And, when I say JS attacks I am talking browser based e2e emails on laptops and desktops. For their apps on an Android/GOS phone there is no JS so they are very secure that way from a targeted guv attack. However, they all leave metadata like who you emailed and received email from. With a court order the guv gets that and will figure out who you are.
router99 I can. France wanted the IP of some environmental terrorist, they went through the Swiss court system, which ordered Proton to give up the IP. Proton does not store IPs, but they can get them. Same with all e2e emails. The guy the guv wanted was stupid not to have signed-up for Proton and used it with an always on VPN with kill switch. That's how I have always used Proton and Tuta.
MoonshineMidnight
https://proton.me/blog/climate-activist-arrest
They handed over an IP address and device information. Anyone talking about this should also mention that no email contents or login passwords were handed over. The alternative would have been a complete shutdown of Proton.
I would be interested to hear what your solution would have been.
router99 I mentioned my solution. For Proton only download it and use it with an always on VPN with kill switch. Only use e2e email providers on Android/GOS as the apps don't use JS. You are subject to a JS attack browser based on a laptop to get your key. Even then all the e2e email providers leave a fair amount of metadata which will bite you on court order.
e2e emails are not for high threat model. Use Signal or Session. No useful metadata and Signal has had the encryption code independently audited and their open source encryption code has been gone over by all sorts of security pros and is rock solid. Plus, not only can Signal not see your phone number, they can't see your IP like the e2e email providers can. Snowden recommends Signal. If the phone number is a prob for anyone, use Session. I'm not very high threat model, and like I posted earlier, I want my contacts to see if I use Signal and I want to see if they are. The more the merrier. You can turn off sharing your phone number (I think it downloads without sharing by default) with contacts on Signal and the number you signed up with is a truncated hash on an encrypted Signal server. Signal can't access it and does not know your number.
Mailbox allows you to use your own private key, but you need to trust them to use your public key first without keeping a copy of the messages. Mailbox has an important lack with 2FA.
Proton's Yubikey implementation is a joke, I think Tutanota did better work. With Protonmail you can't disable OTP code and it is overpriced.
Posteo doesn't have support for own domains and isn't in the top of privacy mails.
Icecube Yeah, I mentioned I use Proton and Tuta. Not perfect but better than the alternatives in my view. Like I posted above, e2e email providers are not for high threat model.
If your threat model involves concerns that Hilldawg level people are interested in you then you shouldn't be using email at all. The highest echelon of perfect opsec 100% of the time in use of supposed private email services will still fall short of what default configurations of newer communication protocols such as Signal and Session offer.
So if Signal asks for captcha identification when creating an account it is like sharing some of your information with e.g. Google? What is captcha identification? Who manages it?
Javcek
I tried it last night again. Installed the .apk from Signal's website. They have migrated to hCaptcha. Still unacceptable to me, never really liked Signal, tbh. As for whether Google was getting some information back when Signal was using its captcha, I don't know, but any company that would put this in their app is a no-go in my book.
I'm using Molly-FOSS, no issues here.
I agree with the general “stay away from email if at all possible” approach.
Proton Mail is only okay if both parties are using it, and even then, I try to shy away.
I have friends who are real troglodytes, do not text, carry a dumb flip phone, leave it in the vehicle, because it’s for emergencies only. Too old and stubborn to change.
beammer335d I would also use molly-FOSS if it wasn't draining the battery. Signal with google services uses 3% of the battery overnight i.e. for 7h. In addition I add 2% of running google services which gives a total of 5 to 6% for 7h of sleep. Without google services Molly was using between 15 and 20% for 7h of sleep for me. I should add that this is all on LTE all the time.
Blastoidea A rigorous approach. Don't use email at all?
AlanZ
What are you doing with Signal that brings up a Captcha? I have been using signal since they merged the two original apps, and have not had this problem.
Nor has anyone with whom I use Signal.
Blastoidea Signal usually required captcha when you tried signing up if your IP Address was flagged, which happens when you use abused cellular networks or VPN IPs. Not all registrations needed to pass a captcha, only flagged IP Addresses or Device strings.
Javcek
WOW, that's crazy battery drain... not having that kind of issue here. What device are you running? P6P here.