
Protonmail login reCAPTCHA, WTF?


2021 May 17, 7:27am   3,369 views  50 comments

by qroproton


1   Maga_Chaos_Monkey   2021 May 17, 9:08am  

This is a problem because?
2   Patrick   2021 May 17, 9:42am  

If that's real, it gives Google access to everything on the page.

Then Protonmail would not be at all private anymore. It would just be another arm of the Google spyware octopus.

But I have not seen it for myself, maybe this is a hoax. I have a Protonmail account and it does not happen to me.
3   fdhfoiehfeoi   2021 May 17, 11:13am  

DO NOT CLICK. I've never seen that, and employing a google tool would defeat the entire purpose of protonmail.
4   Hircus   2021 May 17, 3:12pm  

Some sites only show a captcha to visitors which trip their own "bot-heuristic". For example, maybe visiting from an IP block that's typically used by Russian spam farms.
5   Patrick   2021 May 17, 3:29pm  

Could be, but in that case they should use hCaptcha and not Google's reCaptcha. Anything but Google.
6   Blue   2021 May 17, 3:39pm  

I forgot my password for the email that I use for patrick.net. When I try repeatedly, I too get recaptcha.
7   Patrick   2021 May 17, 4:25pm  

I reported reCaptcha as a bug to Protonmail. I doubt that will change anything.

Shit, I used to like them, and now I don't trust them anymore.

Blue: You can email me at p@patrick.net to change your password.
8   Blue   2021 May 17, 5:57pm  

Thanks Patrick. My username/pw:(..myid..@protonmail.com )/pw_for_patnet for https://patrick.net able to login and works fine. But I forgot pw to be able to login to protonmail.com to access my emails. I will ask in case if I need to change the email.
9   fdhfoiehfeoi   2021 May 17, 6:04pm  

I still like protonmail, but unfortunately, I'm unable to pay them for my plan. The once use cards I use aren't accepted, all bitcoin sites I tried require identification, and paypal has been a no-go for a year as they also won't allow me to transact because they can't identify me. They do have an option to send cash, but that's a bit sketchy, especially overseas.

Guess it's time I setup my own email server...
10   Patrick   2021 May 17, 6:06pm  

@NuttBoxer Why would you pay them at all?

The basic plan is free.

I've set up my own email server. Not terribly hard, but not trivial either.
11   fdhfoiehfeoi   2021 May 17, 6:08pm  

If I like a service, I usually support them financially. I also get the added benefit of multiple emails, which I use to divide me that can be identified from pseudo me.
12   mell   2021 May 17, 6:09pm  

NuttBoxer says
I still like protonmail, but unfortunately, I'm unable to pay them for my plan. The once use cards I use aren't accepted, all bitcoin sites I tried require identification, and paypal has been a no-go for a year as they also won't allow me to transact because they can't identify me. They do have an option to send cash, but that's a bit sketchy, especially overseas.

Guess it's time I setup my own email server...


Where do you stash your cash? Having one credit card is not a bad idea unless you want to be totally incognito, you don't have to have your primary residence as billing address. If you stash cash or pay once cards then one burglary, flood or fire will take it all. Do you bank at all?
13   Patrick   2021 May 17, 6:38pm  

mell says
Where do you stash your cash?


Lol, no one should ever answer this question honestly.

I've heard of some clever ways. There was some genius poker player who lived in Vegas and just kept it all in various casino lockboxes. He had no bank accounts at all.
14   mell   2021 May 17, 6:58pm  

Patrick says
mell says
Where do you stash your cash?


Lol, no one should ever answer this question honestly.

I've heard of some clever ways. There was some genius poker player who lived in Vegas and just kept it all in various casino lockboxes. He had no bank accounts at all.


lol it wasn't meant literally, like tell me the exact location ;) While I can't see any way that is not burdensome, I'm always interested in clever ideas to diversify. But I still think credit cards have a lot of pros, given you have a bank account.
15   qroproton   2021 May 17, 7:45pm  

HunterTits says
Could be some spyware or whatever intercepts and redirects to a fake protonmail site, @qroproton ?
Do not think so. I use linux, mozilla, and protonVPN!
16   qroproton   2021 May 17, 7:50pm  

Patrick says
I reported reCaptcha as a bug to Protonmail. I doubt that will change anything.
Cool. Here is why protonmail.com uses recaptcha:

https://protonmail.com/support/knowledge-base/human-verification/

"In order to prevent the creation of accounts by spam bots or human spammers, ProtonMail uses a variety of human verification methods. You may be asked to verify using either reCaptcha, Email, or SMS. We have an intelligent algorithm that determines the required verification method based on a number of factors."
17   Maga_Chaos_Monkey   2021 May 17, 8:43pm  

I just emailed them too. I was just about to buy their email and vpn too. I told them to let me know it was a mistake and they've created a policy to never use any google products or I'll go elsewhere.
18   qroproton   2021 May 18, 6:24am  

just_passing_through says
I just emailed them too. I was just about to buy their email and vpn too. I told them to let me know it was a mistake and they've created a policy to never use any google products or I'll go elsewhere.
Excellent. Hope they reply back.
19   Maga_Chaos_Monkey   2021 May 18, 8:07am  

@qroproton

They did but I don't find it satisfactory:

Thank you for contacting us.

Please note that our reCaptcha implementation is sandboxed on a separate domain so no data is disclosed. We might look into alternative solutions in the future, but so far, we have found no alternatives that work for our service.
20   fdhfoiehfeoi   2021 May 18, 8:08am  

mell says
Where do you stash your cash? Having one credit card is not a bad idea unless you want to be totally incognito, you don't have to have your primary residence as billing address. If you stash cash or pay once cards then one burglary, flood or fire will take it all. Do you bank at all?


I work in the system so I have to bank. I live in a modest dwelling in the country, and drive a beat looking car. If you don't flash wealth, and especially if you live out of the city, unlikely to ever be robbed. The cards I buy are used up within a month, and since I'm spreading those around the internet, and they have a fixed limit, my exposure to online theft is very limited. But if someone was to come calling, I have a gun, and even my 11 year old knows how to pull the slide, aim, and fire.

My alternative would be trusting a system designed to rob me at a time when it's fast approaching collapse, and lose everything. There are many thieves in this world, I'll plan for the ones I know are coming.
21   fdhfoiehfeoi   2021 May 18, 8:12am  

qroproton says
Do not think so. I use linux, mozilla, and protonVPN!


I actually deleted Mozilla last night and switched over to Brave. Been hearing some bad stuff about them lately. I did think about protonVPN when I switched providers recently, but don't like keeping too many eggs in one basket. Have you considered installing torBrowser, or using Whonix, or even Brave?
22   fdhfoiehfeoi   2021 May 18, 8:15am  

qroproton says
"In order to prevent the creation of accounts by spam bots or human spammers, ProtonMail uses a variety of human verification methods. You may be asked to verify using either reCaptcha, Email, or SMS. We have an intelligent algorithm that determines the required verification method based on a number of factors."


I tried creating a second account last night, they require SMS or donation to open an account. Temp SMS numbers all came up as already registered, and I already mentioned the issues I had with anonymous payment. One of the only privacy focused email providers I found that doesn't require any personal info is msgsafe.io. They have some pretty cool anonymizing features out-of-the-box. Not sure how private it is though, or how well the service works.
23   Patrick   2021 May 18, 8:42am  

just_passing_through says
They did but I don't find it satisfactory:

Thank you for contacting us.

Please note that our reCaptcha implementation is sandboxed on a separate domain so no data is disclosed. We might look into alternative solutions in the future, but so far, we have found no alternatives that work for our service.



They could use hCaptcha.
24   Maga_Chaos_Monkey   2021 May 18, 8:44am  

Patrick says
They could use hCaptcha.


Yes, I told them this initially. I also told them thanks for the fast reply I'll use some other email/vpn service.
25   Patrick   2021 May 18, 8:47am  

I'll say the same if they reply to me.
26   Maga_Chaos_Monkey   2021 May 18, 8:47am  

I didn't file it as a bug, just used their regular contact us addy.
27   Patrick   2021 May 18, 9:20am  

I stopped using Mozilla/Firefox too.

I didn't like them for kicking out Brendan Eich because of his own personal and private donation to a group that wants to keep marriage between men and women. But I didn't stop at that time.

After they changed Firefox so that you cannot stop it from continuously calling home, that's when I stopped.
28   Hircus   2021 May 18, 10:46am  

NuttBoxer says
Guess it's time I setup my own email server...


I've been considering this too.

One thing I worry about is if my email traffic will be sent as plaintext. I haven't looked into this topic much yet, but I know maybe 5ish years ago I read an article about how google was pushing lots of other email providers to setup encrypted email channels with gmail and other large providers, because the default was plaintext, making it really easy to eavesdrop if you can sniff network traffic. If google had to hobnob others to do this, it makes me think email encryption isn't some easy default thing given the current industry tech stack, and that it might require quite a bit of effort.

I'm just talking route point to point encryption, which still lets each mail server node along the route read the email, but prevents those along the network from snooping. Ideally I want end to end encryption, but despite being such a valuable thing to have, we oddly still don't have ubiquity of it. I know ~20 yrs ago I think there were a few end to end email providers like hushmail and ziplip, but you had to send and receive from the same provider. So emailing from hushmail to hotmail was still unencrypted, obviously. I think the gmails who like to read our emails have probably sabotaged the industry, preventing end to end from happening. In fact, now that I think about it, I bet that was google's motivation 5 yrs ago to improve email encrypted routes - I bet they were worried if it were to stay unencrypted, end to end might end up being the solution, preventing gmail from spying. So they improve the situation, making it less of a problem, which makes people less likely to care about e2e.
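
Added example, not part of the comment above or of any poster's setup: the server-to-server encryption discussed there is negotiated per connection through the SMTP STARTTLS extension, which the receiving server advertises in its EHLO reply. This Python code parses constructed EHLO replies and shows why an opportunistic sender ends up sending plaintext while a sender that requires TLS defers; the hostnames and the `delivery_decision` policy function are assumptions made for illustration.

```python
import re

# Constructed EHLO replies in RFC 5321 multiline form; hostnames are placeholders.
EHLO_WITH_TLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 SMTPUTF8\r\n"
)
EHLO_PLAINTEXT_ONLY = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return (code, greeting, {KEYWORD: params}) from a raw EHLO reply."""
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty reply")
    code, greeting, extensions = None, "", {}
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        this_code, sep, text = m.groups()
        if code not in (None, this_code):
            raise ValueError("reply codes differ between lines")
        code = this_code
        # "-" marks a continuation line; only the final line uses a space.
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("bad continuation marker")
        if i == 0:
            greeting = text
        else:
            keyword, _, params = text.partition(" ")
            extensions[keyword.upper()] = params
    return int(code), greeting, extensions


def delivery_decision(reply, require_tls):
    """Hypothetical sender policy: what to do after seeing this EHLO reply."""
    code, _, extensions = parse_ehlo(reply)
    if code == 250 and "STARTTLS" in extensions:
        return "upgrade-then-send"
    # No STARTTLS offered (or stripped in transit): the sender cannot tell which.
    if code == 250 and not require_tls:
        return "send-plaintext"
    return "defer"
```

Because a reply with the STARTTLS line removed in transit is indistinguishable from a server that never offered it, opportunistic delivery only protects against passive sniffing on the hop.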
29   fdhfoiehfeoi   2021 May 18, 10:58am  

I think for Linux server email setup there is encryption you can add. I started setting it up one day, then realized it was way more work than a few hours over one weekend. There are really good tutorials, so totally doable, just need some time. And if all mail is stored on your server, and it's just the calls from the individuals using the service to the server, that reduces the surface of attack as long as you've set it up correctly. And I don't think it will work for more than personal emails, as most sites will blacklist personal email domains.
30   Patrick   2021 May 18, 6:47pm  

Yes, setting up my own email server was quite a pain in the ass. But after that, it's been pretty hands-off. Just works.
31   Maga_Chaos_Monkey   2021 May 19, 8:03am  

So they replied to my "I'm going elsewhere" reply:

Hello,

Thank you for the follow-up.

Please note that we respect everyone's decision and we will be happy if you ever change your mind and try our ProtonMail service.

You can always follow our blog or social media to get the latest updates: https://protonmail.com/blog/

Feel free to contact us if you need any other assistance regarding our ProtonMail service.
32   porkchopXpress   2021 May 29, 1:29pm  

Looks like Protonmail is phasing out Google captcha

https://news.ycombinator.com/item?id=27326961
33   Patrick   2021 May 29, 1:43pm  

Yes!

Maybe we are helping Protonmail to become more secure.
34   Hircus   2021 May 30, 9:43am  

Ya looks pretty obvious your emails and suggestion to use hcaptcha resulted in this change.

Good job. And it's good to see protonmail be receptive to good advice.
35   Maga_Chaos_Monkey   2021 May 30, 10:18pm  

Nice job Pat! I may reconsider now...
36   qroproton   2021 Jun 24, 7:43pm  

Well, looks like your e-mails had some impact!

37   Patrick   2021 Jun 24, 7:45pm  

Nice!
39   Eric Holder   2021 Sep 7, 11:40am  

porkchopexpress says
Bummer. Protonmail now releasing IP addresses to law enforcement.


Sic transit gloria mundi.
40   fdhfoiehfeoi   2021 Sep 7, 12:41pm  

They have a tor site, and that's the only way I never access my email. Good luck tracking my IP...
