JavaScript required in advertised Privacy webmail logins.

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

#1 Post by purple379 »

I know that to log in and use 'Proton Mail' or 'Guerrilla Mail' one must enable JavaScript. I am not looking through the JavaScript code involved, but is this as insecure as it feels?

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#2 Post by 8Geee »

I would opine it's not as safe as advertised.

Not because of their doings, but because the US-based ISP records the destination prior to login. The US gov't has allowed the ISP to use that data to monetize the end-user (you, me, anyone else US based) through a third-party. If that ISP data were to be disposed immediately after request, I would have ProtonMail myself. But this is the USA, and $ is more important than privacy.

JavaScript is not the real concern, the internet connection is.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#3 Post by perdido »

8Geee wrote:
> I would opine it's not as safe as advertised.
>
> Not because of their doings, but because the US-based ISP records the destination prior to login. The US gov't has allowed the ISP to use that data to monetize the end-user (you, me, anyone else US based) through a third-party. If that ISP data were to be disposed immediately after request, I would have ProtonMail myself. But this is the USA, and $ is more important than privacy.
>
> JavaScript is not the real concern, the internet connection is.
>
> Regards
> 8Geee

Protonmail allows you to log in using Tor - that should mask your IP

Protonmail now requires you use a real email account to set up your email for validation. They originally allowed daisy-chaining from an existing protonmail account to set up additional accounts but they deleted all daisy-chained accounts.

Protonmail has access to your keys as they create them - that is a security risk. If you really require privacy, encrypt the correspondence prior to presenting it to protonmail.

Like 8Geee says, everyone wants your data to monetize you - that means you are the product, the product is not protonmail.

.

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

If it is not really private.

#4 Post by purple379 »

Actually I think Proton Mail says they need to know which country is logging in to determine which language is being used.

I was guessing it was possible for the JavaScript to do a switch and determine my login point, and perhaps other things. Like my password.

If it is not private, then it cannot be secure against national government surveillance.

I was a bit more amazed that Guerrilla Mail would require JavaScript, as that seems to be contrary to their purpose. Most folks would not realize that JavaScript was being used, as they would not detect it.

I was mostly concerned, in my lack of what is possible with JavaScript, what exactly it can be modified to do. Perhaps modified after the initial load of script from the website.

Using Tor can bring up the annoying Captcha pictures.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#5 Post by 8Geee »

And I would agree with perdido, encrypt the email file before login, then copy/paste.

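The step perdido and 8Geee recommend, encrypting locally and pasting only the ciphertext into the webmail page, as an added example that is not part of the thread. It uses GnuPG with a throwaway key for a constructed recipient address (`recipient@example.invalid`, a hypothetical name) so that it runs offline; in real use the recipient's public key is imported and its fingerprint checked out of band.

```shell
#!/usr/bin/env bash
# Added example: encrypt locally, paste only the ASCII-armored ciphertext.
# The recipient address and key below are constructed for the demo.
DEMO_RECIPIENT='recipient@example.invalid'   # hypothetical address

# Throwaway keyring so the demo never touches ~/.gnupg. In real use you
# import the recipient's public key and check its fingerprint out of band.
setup_demo_keyring() {
  GNUPGHOME="$(mktemp -d)" && export GNUPGHOME || return 1
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Constructed Recipient <$DEMO_RECIPIENT>" \
      default default never
}

# stdin: plaintext; stdout: armored text that can be pasted into webmail.
encrypt_for_paste() {
  gpg --batch --quiet --armor --recipient "$1" --encrypt
}

# stdin: armored text copied back out of the mailbox; stdout: plaintext.
decrypt_pasted() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt
}

cleanup_demo_keyring() {
  gpgconf --kill gpg-agent 2>/dev/null
  [ -n "${GNUPGHOME:-}" ] && rm -rf "$GNUPGHOME"
}

trap cleanup_demo_keyring EXIT
setup_demo_keyring || exit 1
ARMORED="$(printf 'Draft written offline.\n' | encrypt_for_paste "$DEMO_RECIPIENT")"
printf '%s\n' "$ARMORED"   # this block is all the browser-side script can read
```
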
purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

What did they really promise? Privacy or Security?

#6 Post by purple379 »

I guess the point being that they, Guerrilla Mail and ProtonMail, do still offer privacy, but maybe not high end security. That using JavaScript does make what they do easier.

Insofar as real security: might be it does not really exist no matter what the individual tries, as groups like the NSA are going to be more clever than what we are able to do.

Still, I think of dissident journalists, like those in China who are not computer knowledgeable/experienced enough to even recognize the problems inherent in using things like Proton Mail, or Guerrilla Mail. That is scary to offer them hope, and deliver a method for them to be caught.

I have read that China dissident journalists, in the past, used Tor to get on the dark web, and deliver their texts there. Also, I have never read anything attributed to any of these dissident cyber journalists, although I read there are a lot of such in jail.

I also point out, a lot of folks do not/will not do PGP encryption. Often PGP encryption is dependent on the key servers not having been corrupted. Hmm.

I sometimes wonder at whether the https system could easily be corrupted. That is, the https is really the first door guard for security on the internet. Then there is the question, who can be the 'middle man' attack on anything we do on the internet. That is where might the connection be hijacked. We read that hotels have captured the connection of their guests. Just like the DNS might be corrupted.

I also have to wonder if the NSA is actually more clever than the similar agencies of other countries. China, Russia, Iran.
