ProtonMail got extorted a while back when they were DDoS'd by some hackers and told that the attack would stop if they paid a ransom. ProtonMail paid the ransom and the attack didn't stop because "duh".
I don't want to get bogged down in the details of that story except to the extent that we agree that ProtonMail's management gave the hackers money on the assumption that the attack would stop.
ProtonMail advertises itself as being a safe alternative to Gmail, Yahoo Mail, etc... from state-sponsored attacks. They make this point by advertising themselves with end-to-end encryption and by pointing out that they're based in Switzerland, vaguely gesturing to the protections from external legal action that Swiss businesses enjoy.
The problem is this: security from attacks on the level of a state-sponsored attacker is not *just* about technical security, but operations security as well. ProtonMail demonstrated that they don't have a lot of familiarity or expertise with rebuffing hackers, as demonstrated by their response to the DDoS attack.
If ProtonMail doesn't know the basic logic of dealing with extortion, then suddenly I have serious, grave doubts about whether they know what to do with legal action served to them given that they're in Switzerland. A lot of people just nebulously think that Switzerland is this lawless paradise for tax evasion and whatnot, and that's simply not the case; the reality is that Swiss laws are more amenable to that kind of behavior, but you still need a savvy lawyer (who's familiar with the Swiss legal system) to make use of those laws for your benefit.
This is why I lack confidence in ProtonMail. Their hearts are in the right place, and I'm sure they're a proficient technical staff, but they haven't demonstrated that they know how to fight either individual hackers or nation-states.
>>52326356 According to Protonmail, there were two attacks: the first one, which was done by the hackers and for which the ransom was paid, stopped quickly after payment, but there was a second round of attacks, even stronger ones.
I also don't trust Protonmail; I am from a country that doesn't trust Western countries and services.
>>52326401 I hadn't read that, so I was under the impression that the same attackers just didn't stop. Thanks for that update/clarification.
I think it's worth pointing out, though, that either way it doesn't reflect well on ProtonMail; capitulating to a ransom tells other attackers that such a ransom demand would be successful if they can maintain a similar or stronger attack. There's a lot of research on the game theory involved in ransoms, and the consensus is that as unintuitive as it seems, and as painful as it will be in the moment, you *must not* pay a ransom in an "open world" environment where others might take you hostage later.
Governments have wrestled with this question for a while, and while every country is different, we can look at the policies of countries that pay ransoms (e.g. France, Spain, Switzerland) and see that their citizens appear to be taken more often than countries that don't (e.g. Britain, Netherlands, Sweden). I want to stress that these countries have different political regimes and all sorts of other factors influence whether a citizen of that country might be taken hostage (namely, whether those citizens are even visiting other countries all that much, per capita adjustments, etc...), but as a gross sampling it serves to illustrate that it's not good policy to give in to ransoms (particularly if it becomes public knowledge that that's your policy).
>>52327664 There were two attacks. I'll focus on the second one because that's the one that got me worried.
The second attack was multi-step: first the APDoS singled their IP out until ProtonMail's servers went down. Then the attacker moved to the whole data center where they were located, which brought down more sites in the process. Finally, certain servers were hit that belonged to the national Swiss ISP that ProtonMail used, bringing down large Swiss banking sites as well as some others.
These large sites "asked" ProtonMail to pay the APDoSers so they would stop. What other option did they have? This time they paid around 50k for it to stop and chose some Israel/US-based proxy server for defense. This kind of attack had to have been some sort of nation/state attack, because what group could pull off such a large-scale attack?
>>52328869
>What other option did they have?
The other option is always to refuse. If the hostage-takers determine that their hostage (in this case ProtonMail) is worthless to them, they'll either kill it or release it. Hostage takers don't develop reputations (unless they're stupid and have a persistent identity), so the risk of capitulating (and letting it be known that you can stare them down) is minimal.
The fact that ProtonMail failed to defend against a nation-state scale attack says that the entire point of ProtonMail's existence - to be resistant to nation-states interfering with your email - is null; maybe a subpoena won't work (although that hasn't been tested), but a marginally clandestine attack like the one they experienced sure as hell would, as proven by the recent events.
You faggots who say that the hacks didn't stop by the first group who extorted them are absolutely retarded. With the faggots who DDOS people for ransom, it is in their best interest to stop once they are paid. If they are known to continue attacks even after payment, then no one will pay up because the attacks will continue anyway.
Also, Protonmail is now tunneling their entire traffic through a server farm in Israel. The same company also hosts, built and manages the IDF's server farms. Even though the traffic is encrypted, this alone is a red flag for me.
Another option to choose from is Tutanota, which is based in Germany. Germany has okay-ish laws regarding data privacy, but we also know that Merkel is hot for Obama's BBC so I wouldn't count on infallible security with them either.
You could rent a mail server with server-bunker in the Netherlands and host your own stuff.
Other than that, these are options:
https://www.hushmail.com/
https://mail.riseup.net/rc/
https://mail.yandex.com
https://www.ghostmail.com/
https://protonmail.com/login
https://www.openmailbox.org/
https://bitmessage.ch/roundcube/?_task=mail&_mbox=INBOX
>>52331503 My second paragraph anticipated that. I don't care if ProtonMail decided on their own to do it or were coerced, mandated, or otherwise compelled to do it by another party. The fact is that the whole value ProtonMail proposed was that they were immune to external influence, and an inept hosting service forcing them to pay a ransom doesn't strike me with any confidence whatsoever.
>>52336363 German "ProtonMail", basically. While Proton is becoming pretty big, and gathers more and more attention as time goes on (which isn't necessarily a good thing), Tuta is flying somewhat under the radar.
Proton is a few weeks away from "going public", introducing paid-tier storage, and releasing iOS and Android apps. More educated normies will flock to it. And, as we all know, normies kill anything that they touch.