Mailing List Archive

ProtonMail and Anonymity
Hi all,

apologies for posting this, but I think it could
be of interest for GnuPG users, because ProtonMail
uses the OpenPGP protocol too.

Some of you may have signed up with ProtonMail and
enjoy the service, due to its ease of use and they
think they are anonymous, when using this service.

At least ProtonMail says so on their main page.

I have a different understanding of what anonymous
email is, because not only PGP usage but also the
use of anonymous email services is a hobby of mine
which I have used since the mid 90's.

O.k. let's get started with a little test (I did a
while ago):

Fire up Tor browser and register at the ProtonMail
site for a free email account and use as a user
name a string from random.org.

https://www.random.org/strings/

When ProtonMail asks you for verification (...????)
of your email account select SMS and use as
SMS service a free one like:

https://miracletele.com/sms/?fbclid=IwAR2hQ2rZ2vyyXylupj3JhJT4AWu4V4CEjX3ACvRSpryD5cMBreoW4La03qE

I just chose for a new test, which I did a couple
of minutes ago, Poland and received there the SMS

https://miracletele.com/sms/receive/PL

After entering the required verification
code ProtonMail says that either the email
address or the phone number is already taken
and then denies the account creation.

Since the user name string can't be taken
already it tells me that they keep track
of SMS numbers.

If you choose for example the U.S. SMS
number then ProtonMail says that this
number was used too many times and also
denies the account creation.

To come to an end, I do consider this
verification procedure *not* anonymous
and wonder why ProtonMail does not use
captchas to see if a human registers.

Regards
Stefan










_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ProtonMail and Anonymity
Isn't it obvious?
If ProtonMail is forcing you to sign up and use
an SMS registered to your cellphone then clearly
it's in their interest to collect cellphone numbers.

They're probably selling this information just like
facebook and so many other data-mining corporations.
After all, they have to fund it somehow.
Re: ProtonMail and Anonymity
On Sun, 5 May 2019 11:22:56 -0400
Tony Lane <codeguro@gmail.com> wrote:

> Isn't it obvious?

I don't think so! Users new to privacy related
services may think when visiting the ProtonMail
site that they are anonymous, when seeing their
main page:

https://protonmail.com/

Regards
Stefan

Re: ProtonMail and Anonymity
On 5/5/19 1:36 PM, Stefan Claas wrote:
> On Sun, 5 May 2019 11:22:56 -0400
> Tony Lane <codeguro@gmail.com> wrote:
>
>> Isn't it obvious?
>
> I don't think so! Users new to privacy related
> services may think when visiting the ProtonMail
> site that they are anonymous, when seeing their
> main page:
>
> https://protonmail.com/
>

I suppose like anything else it all comes down to whether you believe
them or not. I do.

Here is ProtonMail's explanation of what they do with the personally
identifiable information collected during registration:

"If you are presented with Email or SMS verification, we only save a
cryptographic hash of your email or phone number which is not
permanently associated with the account that you create. Because hash
functions are one way functions, it is impossible to derive your phone
number or email from that hash. However, using the same phone number
will result in obtaining the same cryptographic hash, so by comparing
hashes, we can detect re-use of phone number or email addresses for
human verification."

The reasons behind ProtonMail signup procedures are more fully explained
at https://protonmail.com/support/knowledge-base/human-verification/

HTH,

Jeff
Re: ProtonMail and Anonymity
On Sun, 2019-05-05 at 14:32 -0400, Jeff Allen wrote:
> On 5/5/19 1:36 PM, Stefan Claas wrote:
> > On Sun, 5 May 2019 11:22:56 -0400
> > Tony Lane <codeguro@gmail.com> wrote:
> >
> > > Isn't it obvious?
> >
> > I don't think so! Users new to privacy related
> > services may think when visiting the ProtonMail
> > site that they are anonymous, when seeing their
> > main page:
> >
> > https://protonmail.com/
> >
>
> I suppose like anything else it all comes down to whether you believe
> them or not. I do.
>
> Here is ProtonMail's explanation of what they do with the personally
> identifiable information collected during registration:
>
> "If you are presented with Email or SMS verification, we only save a
> cryptographic hash of your email or phone number which is not
> permanently associated with the account that you create. Because hash
> functions are one way functions, it is impossible to derive your phone
> number or email from that hash. However, using the same phone number
> will result in obtaining the same cryptographic hash, so by comparing
> hashes, we can detect re-use of phone number or email addresses for
> human verification."
>

Don't you think that brute-forcing a hash of a phone number would be
trivial?

--
Best regards,
Michał Górny



Re: ProtonMail and Anonymity
On 05/05/2019 03:12 AM, Stefan Claas wrote:
> Hi all,
>
> apologies for posting this, but I think it could
> be of interest for GnuPG users, because ProtonMail
> uses the OpenPGP protocol too.
>
> Some of you may have signed up with ProtonMail and
> enjoy the service, due to its ease of use and they
> think they are anonymous, when using this service.
>
> At least ProtonMail says so on their main page.
>
> I have a different understanding of what anonymous
> email is, because not only PGP usage but also the
> use of anonymous email services is a hobby of mine
> which I have used since the mid 90's.
>
> O.k. let's get started with a little test (I did a
> while ago):
>
> Fire up Tor browser and register at the ProtonMail
> site for a free email account and use as a user
> name a string from random.org.
>
> https://www.random.org/strings/
>
> When ProtonMail asks you for verification (...????)
> of your email account select SMS and use as
> SMS service a free one like:

Well of course that's not anonymous!

So what you do, if you want ~anonymity, is to use their Tor onion site.
That doesn't ask for anything beyond an email address.

<SNIP>

Re: ProtonMail and Anonymity
On Sun, 5 May 2019 17:16:12 -0700
Mirimir <mirimir@riseup.net> wrote:

> Well of course that's not anonymous!
>
> So what you do, if you want ~anonymity, is to use their Tor onion
> site. That doesn't ask for anything beyond an email address.


Assuming that this is their real .onion address, I just tried that.

https://protonirockerxow.onion/login and got this:

Are you human?

To fight spam, please verify you are human.

Your email or phone number will not be linked to the account created.
It is only used during the signup process. A hash will be saved to
prevent abuse of the ProtonMail systems. (Why is this required?)

SMS
Donate

Now my question for privacy experts ... Would you give away your
mobile phone number when using Tor ???

Regards
Stefan





Re: ProtonMail and Anonymity
On 05/05/2019 09:52 PM, Stefan Claas wrote:
> On Sun, 5 May 2019 17:16:12 -0700
> Mirimir <mirimir@riseup.net> wrote:
>
>> Well of course that's not anonymous!
>>
>> So what you do, if you want ~anonymity, is to use their Tor onion
>> site. That doesn't ask for anything beyond an email address.
>
>
> Assuming that this is their real .onion address, I just tried that.
>
> https://protonirockerxow.onion/login and got this:
>
> Are you human?
>
> To fight spam, please verify you are human.
>
> Your email or phone number will not be linked to the account created.
> It is only used during the signup process. A hash will be saved to
> prevent abuse of the ProtonMail systems. (Why is this required?)
>
> SMS
> Donate

Huh. I've created a few ProtonMail accounts using their onion, and don't
recall ever being asked for a mobile number. Most recently, a few weeks
ago. But maybe this is a recent change. ProtonMail has become quite the
go-to place for trolls and worse, so maybe they've gotten too many
complaints.

Try CockMail's onion, perhaps ;)

> Now my question for privacy experts ... Would you give away your
> mobile phone number when using Tor ???

Of course not. But you can lease a SIM from https://speedyverify.com/,
and pay in mixed Bitcoin, all via Tor. They use real SIMs, hosted in the
Philippines.

> Regards
> Stefan
Re: ProtonMail and Anonymity
On Sun, 5 May 2019 14:32:20 -0400
Jeff Allen <jrallen@runbox.com> wrote:

> On 5/5/19 1:36 PM, Stefan Claas wrote:
> > On Sun, 5 May 2019 11:22:56 -0400
> > Tony Lane <codeguro@gmail.com> wrote:
> >
> >> Isn't it obvious?
> >
> > I don't think so! Users new to privacy related
> > services may think when visiting the ProtonMail
> > site that they are anonymous, when seeing their
> > main page:
> >
> > https://protonmail.com/
> >
>
> I suppose like anything else it all comes down to whether you believe
> them or not. I do.

[snip]

Well, I just asked myself ...

What is the purpose behind an unlinked hash.

A spammer using their system, without a hash function
could send successfully spam to other users, because
ProtonMail is not blacklisted. When that happens a
user receiving this spam can report that, so that
actions can be taken. This of course requires then
a bit of work, at the ProtonMail site, to remove
the spammer's account.

Why do they use unlinked hashes? If I could sign up
anonymously the hash could also be linked to my account
and even if thousands of people have the same hash they
could remove the spammer's account.

Should an unlinked hash protect users from a powerful
adversary? O.k. people can now laugh at me, because
I am no programmer nor cryptographer or math-geek. My
assumption is that a powerful adversary has a list of
all global mobile phone numbers, computes quickly the
hashes for them and saves them also in a database.

How long does it take to find in a database the correct
hash for a given number ...

Regards
Stefan

Re: ProtonMail and Anonymity
On Sun, 05 May 2019 22:20:58 +0200
Michał Górny <mgorny@gentoo.org> wrote:

> On Sun, 2019-05-05 at 14:32 -0400, Jeff Allen wrote:
> Don't you think that brute-forcing a hash of a phone number would be
> trivial?
>
> --
> Best regards,
> Michał Górny

Hi,

Yes, of course it would be. But then, why would they even bother to
hash it?

This entire conversation is...interesting. If ProtonMail was
interested in selling our data then they chose a very small usergroup
to target, and honestly, that usergroup is too small to prove any real
value of any kind. And they claim they use end to end encryption, so
selling our data would be limited to phone numbers and email
addresses, data which is readily available elsewhere. (given that you
trust their end to end encryption claim)

I'm not a PM user but have been, and I liked their service due to
usability, being able to use sieve filtering and so forth. Had I been
truly paranoid I'd use something else.

--
Oscar

Re: ProtonMail and Anonymity
On Monday, May 06, 2019 at 07:15:06 a.m. +0200, Stefan Claas wrote:

> > > https://protonmail.com/
> > >
> >
> > I suppose like anything else it all comes down to whether you believe
> > them or not. I do.
>
> [snip]
>
> Well, I just asked myself ...
>
> What is the purpose behind an unlinked hash.
>
> ....

Well, I'm asking myself: What has all this thread to do with GnuPG?

matthias


--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: ???????? ????????????! Thank you very much, Russian liberators!
Re: ProtonMail and Anonymity
On Sun, 5 May 2019 22:07:57 -0700
Mirimir <mirimir@riseup.net> wrote:

> Of course not. But you can lease a SIM from https://speedyverify.com/,
> and pay in mixed Bitcoin, all via Tor. They use real SIMs, hosted in
> the Philippines.

Thanks a lot for this valuable privacy tip, much appreciated!

Regards
Stefan


Re: ProtonMail and Anonymity
Hello Stephan,

Something completely different.

What is that link with the binary data in your OP?

I did not click it because I don't know what binary data I'd be handing
to that site. But I see this text on the front page of that site:

> You can also earn FREE TELE TOKENS from our bounty or airdrop programs
> or our referral bonus

I get the ugly feeling this is a referral link. That every time someone
clicks that link of yours, or perhaps only after they use some
functionality there, you get a "referral bonus".

If this is a referral link, I would consider that *extremely* bad form
of you. Made all the worse by you not explaining immediately that it
/is/ a referral link.

Could you please explain what the purpose of the data is? (Even with a
good explanation, I'd consider it basic hygiene to never click such
links, since the explanation cannot be verified).

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
Re: ProtonMail and Anonymity
On Mon, May 6, 2019 at 1:08 AM Mirimir <mirimir@riseup.net> wrote:
>
> On 05/05/2019 09:52 PM, Stefan Claas wrote:
> > On Sun, 5 May 2019 17:16:12 -0700
> > Mirimir <mirimir@riseup.net> wrote:
> >
> >> Well of course that's not anonymous!
> >>
> >> So what you do, if you want ~anonymity, is to use their Tor onion
> >> site. That doesn't ask for anything beyond an email address.
> >
> >
> > Assuming that this is their real .onion address, I just tried that.
> >
> > https://protonirockerxow.onion/login and got this:
> >
> > Are you human?
> >
> > To fight spam, please verify you are human.
> >
> > Your email or phone number will not be linked to the account created.
> > It is only used during the signup process. A hash will be saved to
> > prevent abuse of the ProtonMail systems. (Why is this required?)
> >
> > SMS
> > Donate
>
> Huh. I've created a few ProtonMail accounts using their onion, and don't
> recall ever being asked for a mobile number. Most recently, a few weeks
> ago. But maybe this is a recent change. ProtonMail has become quite the
> go-to place for trolls and worse, so maybe they've gotten too many
> complaints.
>
> Try CockMail's onion, perhaps ;)
>
> > Now my question for privacy experts ... Would you give away your
> > mobile phone number when using Tor ???
>
> Of course not. But you can lease a SIM from https://speedyverify.com/,
> and pay in mixed Bitcoin, all via Tor. They use real SIMs, hosted in the
> Philippines.
>
Another option is to buy a burner phone and SIM paying cash.
I've seen both available in stores and supermarkets and street stands
in at least 3 countries.

> > Regards
> > Stefan
Re: ProtonMail and Anonymity
[I am resending from my list-subscribed email address.]

On 06/05/2019 11:17, Mauricio Tavares wrote:

> Another option is to buy a burner phone and SIM paying cash.
> I've seen both available in stores and supermarkets and street stands
> in at least 3 countries.

In which countries is this allowed? In other words, is there a list
published online?

In Australia, where I am originally from, you can't do this. But this
is hardly surprising because Australia is not a privacy-respecting nation.

Andrew
--
OpenPGP key: EB28 0338 28B7 19DA DAB0 B193 D21D 996E 883B E5B9

Re: ProtonMail and Anonymity
On 06/05/2019 12:21, Andrew Luke Nesbit wrote:
> [I am resending from my list-subscribed email address.]
>
> On 06/05/2019 11:17, Mauricio Tavares wrote:
>
>> Another option is to buy a burner phone and SIM paying cash.
>> I've seen both available in stores and supermarkets and street stands
>> in at least 3 countries.
> In which countries is this allowed? In other words, is there a list
> published online?

Don't know about a list of countries but this is certainly possible in
the UK (for now, at least, until the government freaks out about it).
SIMs are widely available for purchase with no identity requirements and
can very often be topped up anonymously for cash via newsagents. As for
phones, it's been a while since I bought a new phone (although I suspect
that it is still possible to buy them new for cash) but of course second
hand ones are also widely available.


--
Mark Rousell
Re: ProtonMail and Anonymity
On 06/05/2019 10:19, Peter Lebbing wrote:
> Hello Stephan,
>
> Something completely different.
>
> What is that link with the binary data in your OP?
>
> I did not click it because I don't know what binary data I'd be handing
> to that site. But I see this text on the front page of that site:
>

I thought that too but it's easy enough to remove the code before going
to the site.

Assuming it is an affiliate tracking link then, to be fair, if you
haven't seen the site before and it's useful to you then it's only
reasonable to help reward the person who introduced you to it. (Although
it would have been nicer for it to be declared openly as an affiliate link).

--
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
Re: ProtonMail and Anonymity
On 5/5/19 4:20 PM, Michał Górny wrote:
>
> Don't you think that brute-forcing a hash of a phone number would be
> trivial?
>

It would be more trivial not to hash the number and say you did.
ProtonMail claims they hash the number and store it unlinked to your
account. Their stated objective is to prevent the same phone number or
email address from being used to sign up for numerous accounts. As I
said, I believe them. You apparently do not.

People who don't trust ProtonMail shouldn't use it. Why believe them
about end-to-end encryption if you can't trust them? That would seem to
me to be a bigger concern than how they handle your number or email address.

Jeff

Re: ProtonMail and Anonymity
On 07:21, Mon, May 6, 2019 Andrew Luke Nesbit <ullbeking@andrewnesbit.org>
wrote:
>
> [I am resending from my list-subscribed email address.]
>
> On 06/05/2019 11:17, Mauricio Tavares wrote:
>
> > Another option is to buy a burner phone and SIM paying cash.
> > I've seen both available in stores and supermarkets and street stands
> > in at least 3 countries.
>
> In which countries is this allowed? In other words, is there a list
> published online?
>
Personal experience US and Switzerland. I was told Canada, Vietnam,
and many African countries. Don't know of a list though.

> In Australia, where I am originally from, you can't do this. But this
> is hardly surprising because Australia is not a privacy-respecting nation.
>
> Andrew
> --
> OpenPGP key: EB28 0338 28B7 19DA DAB0 B193 D21D 996E 883B E5B9
Re: ProtonMail and Anonymity
On 06/05/2019 14:53, Jeff Allen wrote:
> It would be more trivial not to hash the number and say you did.

I think it's a worthwhile thing to point out that they state "because
hash functions are one-way functions, it is impossible to derive your
phone number [...]" without reservations, but that this is a false sense
of security. It is a very limited part of the complete picture, which is
that a Dutch mobile phone number has only 8 varying digits, meaning an
entropy of less than 27 bits, cryptographically laughable. And that an
adversary might not even be interested in reversing the hash at all, but
just to verify that the phone number of their target has been used to
set up a ProtonMail account.

With passphrase hashing, the passphrase should be secret. There's
nothing secret about a phone number or e-mail address. That completely
changes the picture.

For me, it's not so much that I question their methods, it's that I
question their claims. Blanketly stating "it is impossible to derive
your phone number" sounds like security theater to me, and they should
be aware of that if they are the least bit competent. That doesn't sit
well.

I don't expect most of their clients to see through this theater. It is
their job to be open and honest about the consequences of their methods,
so their clients can make an informed choice whether they will go
through with it or not.

My 2 cents,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
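
Added example, not part of the original thread and not ProtonMail's code: a Python sketch of hash-based re-use detection over the 8 varying digits mentioned in the message above, comparing an unkeyed SHA-256 digest with a keyed one (HMAC-SHA-256). The `+316` number format, the choice of SHA-256, the keyed variant and all names are assumptions for illustration; the sample number is constructed.

```python
import hashlib
import hmac
import math
import secrets

VARYING_DIGITS = 8  # figure quoted in the thread for a Dutch mobile number


def search_space_bits(digits: int = VARYING_DIGITS) -> float:
    """Entropy in bits of a uniformly random decimal string of this length."""
    return digits * math.log2(10)


def plain_digest(number: str) -> str:
    """Unkeyed hash: anyone can recompute it for any candidate number."""
    return hashlib.sha256(number.encode()).hexdigest()


def make_keyed_digest(key: bytes):
    """Keyed hash (HMAC-SHA-256): recomputing it requires the secret key."""
    def digest(number: str) -> str:
        return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()
    return digest


class ReuseRegistry:
    """Stores digests only, unlinked to any account, and reports re-use."""

    def __init__(self, digest_fn):
        self._digest = digest_fn
        self._seen = set()

    def first_use(self, number: str) -> bool:
        """Return True the first time a number is seen, False on re-use."""
        d = self._digest(number)
        if d in self._seen:
            return False
        self._seen.add(d)
        return True

    def stored_digests(self) -> frozenset:
        return frozenset(self._seen)


def was_used(stored, number: str, digest_fn) -> bool:
    """Membership check by a party holding the digest table and digest_fn."""
    return digest_fn(number) in stored


def matching_candidates(stored, known_prefix: str, free_digits: int, digest_fn):
    """Hash every number under known_prefix; return those found in the table."""
    hits = []
    for n in range(10 ** free_digits):
        candidate = f"{known_prefix}{n:0{free_digits}d}"
        if digest_fn(candidate) in stored:
            hits.append(candidate)
    return hits


def demo() -> dict:
    number = "+31600001234"  # constructed sample: "+316" + 8 digits (assumed format)
    service_key = secrets.token_bytes(32)  # held by the service only
    keyed = make_keyed_digest(service_key)
    # A party that obtained the table but not the key can only guess a key.
    without_key = make_keyed_digest(secrets.token_bytes(32))

    plain_reg, keyed_reg = ReuseRegistry(plain_digest), ReuseRegistry(keyed)
    out = {"bits": search_space_bits()}
    for name, reg in (("plain", plain_reg), ("keyed", keyed_reg)):
        first, second = reg.first_use(number), reg.first_use(number)
        out[f"{name}_reuse_detected"] = first and not second

    # To keep the run short, only the last 4 digits are left open here.
    out["plain_confirmed"] = was_used(plain_reg.stored_digests(), number, plain_digest)
    out["plain_matches"] = matching_candidates(
        plain_reg.stored_digests(), "+3160000", 4, plain_digest)
    out["keyed_confirmed"] = was_used(keyed_reg.stored_digests(), number, without_key)
    out["keyed_matches"] = matching_candidates(
        keyed_reg.stored_digests(), "+3160000", 4, without_key)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both registries detect re-use, but only the unkeyed table can be checked against candidate numbers by someone who holds nothing but the digests. The keyed table offers no such protection against whoever holds the key.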
Re: ProtonMail and Anonymity
On Mon, 6 May 2019 07:26:50 +0200
Matthias Apitz <guru@unixarea.de> wrote:

> Well, I'm asking myself: What has all this thread to do with GnuPG?

I think it is a good idea to post GnuPG related things here
on the ML when it comes also to things or services etc.
using the OpenPGP protocol, so that users are aware of how those
services handle privacy, security and anonymity related things
in combination with GnuPG usage. I think it does not hurt and
if someone does not like such content he / she can simply skip
it.

And shouldn't the older PGP geeks not post such stuff to educate
the younger generation, wishing to learn such privacy related
things in combination with GnuPG usage?

Regards
Stefan

Re: ProtonMail and Anonymity
On Mon, 6 May 2019 08:53:14 -0400
Jeff Allen <jrallen@runbox.com> wrote:


> People who don't trust ProtonMail shouldn't use it.

Absolutely! But I think it does not hurt to post
such things to educate PGP users how different
services or software applications etc. handle such
privacy related things, especially when using the
word anonymous.

I am not sure if you ever used an anonymous email
service, but I think, if, you would agree with me
that ProtonMail's procedure is not anonymous like
real anonymous email services are and therefore they
should IMHO not advertise Anonymity as a feature.

Regards
Stefan

Re: ProtonMail and Anonymity
On Mon, 6 May 2019 06:17:42 -0400
Mauricio Tavares <raubvogel@gmail.com> wrote:


> Another option is to buy a burner phone and SIM paying cash.
> I've seen both available in stores and supermarkets and street stands
> in at least 3 countries.

While I am not using regular proxy servers, I figured out this morning
that when signing up there without Tor usage they allow captchas and
email as verification option.

So when using mailcatch.com, for example, you can then sign-up, because
they send the verification code to mailcatch.com and accept
mailcatch.com as registration email address ...

Maybe I should set-up squid on a VPS and let people register from there,
while keeping no log files. :-D

Regards
Stefan

Re: ProtonMail and Anonymity
On 06/05/2019 15:39, Stefan Claas wrote:
> Maybe I should set-up squid on a VPS and let people register from there,
> while keeping no log files. :-D

Check your local laws first. I am pretty sure that doing that
(specifically the no logs bit) in the UK would now be a criminal
offence. ;-) This is the same as many other EU countries due to one of
the EU's data retention regulations whose name I've now forgotten.


--
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
Re: ProtonMail and Anonymity
On Mon, May 6, 2019 at 11:17 AM Mark Rousell <markr@signal100.com> wrote:
>
> On 06/05/2019 15:39, Stefan Claas wrote:
>
> Maybe I should set-up squid on a VPS and let people register from there,
> while keeping no log files. :-D
>
>
> Check your local laws first. I am pretty sure that doing that (specifically the no logs bit) in the UK would now be a criminal offence. ;-) This is the same as many other EU countries due to one of the EU's data retention regulations whose name I've now forgotten.
>
Going maybe on a tangent, how would those data retention
regulations play with GDPR?
>
> --
> Mark Rousell
>
> PGP public key: http://www.signal100.com/markr/pgp
> Key ID: C9C5C162
Re: ProtonMail and Anonymity
On Mon, 6 May 2019 16:17:01 +0100
Mark Rousell <markr@signal100.com> wrote:

> On 06/05/2019 15:39, Stefan Claas wrote:
> > Maybe I should set-up squid on a VPS and let people register from
> > there, while keeping no log files. :-D
>
> Check your local laws first. I am pretty sure that doing that
> (specifically the no logs bit) in the UK would now be a criminal
> offence. ;-) This is the same as many other EU countries due to one of
> the EU's data retention regulations whose name I've now forgotten.

Thanks for pointing that out! O.k. I do not want to get too off-topic
here but it interests me what would happen if I use a US based server
and a US domain with whois guard? Would ProtonMail really hunt down
a proxy server operator, or let's say other email providers, when
doing such a thing, or would they simply block access from that
domain? I mean it is not a crime to run a proxy server.


Regards
Stefan

Re: ProtonMail and Anonymity
On Mon, 6 May 2019 06:52:10 +0200
Stefan Claas <sac@300baud.de> wrote:

> On Sun, 5 May 2019 17:16:12 -0700
> Mirimir <mirimir@riseup.net> wrote:
>
> > Well of course that's not anonymous!
> >
> > So what you do, if you want ~anonymity, is to use their Tor onion
> > site. That doesn't ask for anything beyond an email address.
>
>
> Assuming that this is their real .onion address, I just tried that.
>
> https://protonirockerxow.onion/login and got this:
>
> Are you human?
>
> To fight spam, please verify you are human.
>
> Your email or phone number will not be linked to the account created.
> It is only used during the signup process. A hash will be saved to
> prevent abuse of the ProtonMail systems. (Why is this required?)
>
> SMS
> Donate
>
> Now my question for privacy experts ... Would you give away your
> mobile phone number when using Tor ???

In case someone from the ProtonMail team is reading this thread ...

When using Tor for sign-up and using the donate* button I would
suggest support for the crypto currency Monero, so that users
stay anonymous.

*I have learned a while ago that privacy may cost also a bit
of money, even when using Open Source software only.

Regards
Stefan


Re: ProtonMail and Anonymity
On 06/05/2019 16:27, Mauricio Tavares wrote:
> On Mon, May 6, 2019 at 11:17 AM Mark Rousell <markr@signal100.com> wrote:
>> Check your local laws first. I am pretty sure that doing that (specifically the no logs bit) in the UK would now be a criminal offence. ;-) This is the same as many other EU countries due to one of the EU's data retention regulations whose name I've now forgotten.
>>
> Going maybe on a tangent, how would those data retention
> regulations play with GDPR?

It would not be a problem for GDPR. GDPR certainly doesn't prohibit all
data retention or usage. If data/metadata/log retention is legally
mandated then this will be allowed for in GDPR.

--
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
Re: ProtonMail and Anonymity
On 06/05/2019 16:39, Stefan Claas wrote:
> Maybe I should set-up squid on a VPS and let people register from there,
> while keeping no log files. :-D

The only purpose of that would be to specifically subvert the intentions
and processes of ProtonMail. They have designed a system which chooses
policy based on the source IP (including a different policy for Tor exit
nodes), and you try to subvert this policy selection, and possibly give
a route for spammers to register on the system.

If you don't like their policies, don't use them. Don't try to work
around the policies they impose on the use of their service. You don't
have a right to the use of their services under your conditions.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
Re: ProtonMail and Anonymity
On 06/05/2019 17:07, Stefan Claas wrote:
> Thanks for pointing that out! O.k. I do not want to get too off-topic
> here but it interests me what would happen if I use a US based server
> and a US domain with whois guard? Would ProtonMail really hunt down
> a proxy server operator, or let's say other email providers, when
> doing such a thing, or would they simply block access from that
> domain? I mean it is not a crime to run a proxy server.

(a) It's not a crime to run a proxy in the UK or EU[1]. It's just that
there are metadata logging and log-retention requirements if you do so.
(Once again, I apologise because I've lost my notes on all the EU and UK
legislation that may require this. It's findable on DuckDuckGo or the
search engine of your choice of course).

(b) ProtonMail isn't going to hunt down anyone (unless, maybe, they are
forced to by their local law enforcement). They aren't the police and
they're not even based in the EU, so they don't care.

(c) I do not know how the relevant legislation would work if you are a
UK or EU resident but set up your proxy service on hardware based in the
USA or another jurisdiction that does not enforce logging. A careful
reading of the legislation that is relevant to your local jurisdiction
might inform you.


Footnote:-
1: Although I fear that the UK is heading in this direction. That is,
not to outright criminalise proxies or VPNs but to 'regulate', control
and license their use. The casus belli for this will, I suspect, be
probably very widespread evasion of the forthcoming 'porn block' using
proxies and VPNs.

--
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
Re: ProtonMail and Anonymity [ In reply to ]
On Mon, 6 May 2019 18:55:50 +0100,
Mark Rousell <markr@signal100.com> wrote:

> (a) It's not a crime to run a proxy in the UK or EU[1]. It's just that
> there are metadata logging and log-retention requirements if you do
> so. (Once again, I apologise because I've lost my notes on all the EU
> and UK legislation that may require this. It's findable on DuckDuckGo
> or the search engine of your choice of course).

Thanks for pointing that out! I will do more research on this topic.

> (b) ProtonMail isn't going to hunt down anyone (unless, maybe, they
> are forced to by their local law enforcement). They aren't the police
> and they're not even based in the EU, so they don't care.

That is what I am thinking as well, but it does not hurt to ask.

> (c) I do not know how the relevant legislation would work if you are a
> UK or EU resident but set up your proxy service on hardware based in
> the USA or another jurisdiction that does not enforce logging. A
> careful reading of the legislation that is relevant to your local
> jurisdiction might inform you.

I will check that out, because I am currently doing a project
which is similar and it is better to be properly informed than
instead later falling on my nose.

Thanks again for your valuable input, much appreciated!

Regards
Stefan

Re: ProtonMail and Anonymity [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Monday 6 May 2019 at 10:19:35 AM, in
<mid:6b3e1a02-6d44-6a8c-8d00-45706bc3bdbb@digitalbrains.com>, Peter
Lebbing wrote:-



> If this is a referral link, I would consider that
> *extremely* bad form
> of you.

The “fbclid” parameter looks like a Facebook click identifier. It's a
tracking ploy added to external URLs from the Facebook site, similar
to Google's “gclid”.

- --
Best regards

MFPA <mailto:2017-r3sgs86x8e-lists-groups@riseup.net>

Great minds discuss ideas;
Average minds discuss events;
Small minds discuss people.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


Re: ProtonMail and Anonymity [ In reply to ]
On Wed, 8 May 2019 00:19:26 +0100,
MFPA <2017-r3sgs86x8e-lists-groups@riseup.net> wrote:

> The “fbclid” parameter looks like a Facebook click identifier. It's a
> tracking ploy added to external URLs from the Facebook site, similar
> to Google's “gclid”.

That's correct, the fbclid parameter is from Facebook. I was careless
and copy / pasted the link from my PGP forum article. I already
apologized to Peter, but forgot to reply here as well.

Regards
Stefan
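
As an added illustration of the tracking-parameter point in the two messages above (not code from any poster), this Python sketch removes click identifiers such as `fbclid` and `gclid` from the URLs in a draft message before it is posted. The function names and the sample draft are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Click identifiers named in the thread; extend the set as needed.
TRACKING_PARAMS = frozenset({"fbclid", "gclid"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def strip_tracking(url, blocked=TRACKING_PARAMS):
    """Return (clean_url, removed_names).

    The URL is returned unchanged when it carries no blocked parameter,
    so harmless links are never re-encoded.
    """
    parts = urlsplit(url)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in blocked:
            removed.append(name)
        else:
            kept.append((name, value))
    if not removed:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(kept))), removed


def scrub_message(text):
    """Rewrite every URL in a draft and report what was stripped."""
    findings = []

    def fix(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")  # sentence punctuation is not part of the URL
        clean, removed = strip_tracking(url)
        if removed:
            findings.append((url, removed))
        return clean + raw[len(url):]

    return URL_RE.sub(fix, text), findings


# Constructed sample draft (example.org stands in for the real service).
DRAFT = ("Use a free SMS service like "
         "https://example.org/sms/?fbclid=CONSTRUCTED123 "
         "(see also https://example.org/a?x=1).")

if __name__ == "__main__":
    cleaned, report = scrub_message(DRAFT)
    print(cleaned)
    for url, names in report:
        print("stripped", names, "from", url)
```

Parameters that survive in a rewritten URL are re-encoded by `urlencode`, so a space written as `%20` comes back as `+`.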

Re: ProtonMail and Anonymity [ In reply to ]
> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de <mailto:sac@300baud.de>> wrote:
>
> ProtonMail's procedure is not anonymous like
> real anonymous email services

What are some such “real” anonymous email services?
Re: ProtonMail and Anonymity [ In reply to ]
Protonmail is anonymous† if used correctly and if you trust them.  Any user worried about text messages being tied to them could use cash at a place far from where they live with no cameras to buy a burner phone for a one time text message code if they are really that paranoid. 

If Protonmail didn't do some sort of vetting of accounts then it'd literally be infeasible to use because it would be RBL'd to hell and back due to being overrun with spammers.  

†Against typical adversaries.  If you are trying to hide from a powerful nation state willing to expend significant resources to look into you and you are not yourself supported and trained by a nation state's intelligence services, well, good luck with that.

-Ryan McGinnis
PGP: 486ED7AD
Sent with ProtonMail

------- Original Message -------
On Wednesday, May 8, 2019 3:08 PM, Christopher W. Richardson <cwr@cwrichardson.com> wrote:

> > On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de> wrote:
> >
> > ProtonMail's procedure is not anonymous like
> > real anonymous email services
>
> What are some such “real” anonymous email services?
Re: ProtonMail and Anonymity [ In reply to ]
On 05/08/2019 01:08 PM, Christopher W. Richardson wrote:
>
>
>> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de <mailto:sac@300baud.de>> wrote:
>>
>> ProtonMail's procedure is not anonymous like
>> real anonymous email services
>
> What are some such “real” anonymous email services?

Any service that's available as a Tor onion service, and doesn't require
any verification, is about as anonymous as it gets. There aren't many of
those, because they get very popular among jerks. One is cock.li
(cockmailwwfvrtqj.onion). It came out of the chans, and it shows. Tor
Mail and Sigaint were great in their day, but both got taken down. I
could come up with others, but many are ~hobby-level.

ProtonMail is less anonymous for sure. There is a Tor onion service
(protonirockerxow.onion) but it can switch to the clearnet address
during registration. And they do require verification. But you can use a
cock.li address for that. But not an anonbox.net address :(


Re: ProtonMail and Anonymity [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Or you could just use qmail+GPG with the -R option.
Or heck, just post it on the clearnet on some *chan. Isn't the whole point of GPG to hide the content or who it's intended to?
GPG is perfect for this imo
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

Re: ProtonMail and Anonymity [ In reply to ]
On 05/08/2019 03:41 PM, Tony Lane wrote:
> Or you could just use qmail+GPG with the -R option.

Seriously, you're recommending that people run their own mail servers?

> Or heck, just post it the clearnet on some *chan. Isn't the whole point of GPG to hide the content or who it's intended to?
> GPG is perfect for this imo

Sure. Or pastebin. But that's not email.

Re: ProtonMail and Anonymity [ In reply to ]
On Wed, 8 May 2019 22:08:22 +0200,
Christopher W. Richardson <cwr@cwrichardson.com> wrote:

> > On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de
> > <mailto:sac@300baud.de>> wrote:
> >
> > ProtonMail's procedure is not anonymous like
> > real anonymous email services
>
> What are some such “real” anonymous email services?

Sceptic, eh? :-)

No, seriously ... I will not reveal my knowledge here
publicly on the ML, for good reasons.

However, as soon as time permits I will create a little
.pdf document showing the required and reliable resources,
on how power user Bob communicates and how Mac Dummie Alice
communicates, securely and anonymously.

In order to obtain this document you or anybody else
will have to follow some guidelines, which I will
outline here, once the document is available.

I will challenge every GnuPG user, regardless of skill
level to try it out so that they can see that this is a
proven and reliable method in anonymity circles. Toys
like Enigmail/Thunderbird etc. are not used. You will
need to be comfortable with GnuPG in command line mode.

Regards
Stefan



Re: ProtonMail and Anonymity [ In reply to ]
On Wed, 8 May 2019 18:41:13 -0400,
Tony Lane <codeguro@gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Isn't the whole point of GPG to hide the content or who it's intended
> to?

Well, yes to hide the content, that is true, but the recipient is known
and GnuPG produces the encrypted and armored content in an IMHO
non-optimal way.

In case Werner is reading this thread ..., I kindly request that you
implement for future generations of GnuPG users message padding
and stealth mode, we had in PGP, back in the mid 90's, so
that procmail and Co. have it more difficult to filter PGP messages.

It could be implemented in gpg.conf, like:

--stealth-mode = true
--padding = integer (like minimum 1024, or 2048 etc.)

Regards
Stefan

Re: ProtonMail and Anonymity [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 5/9/19 10:44 AM, Stefan Claas wrote:
> On Wed, 8 May 2019 18:41:13 -0400,
> Tony Lane <codeguro@gmail.com> wrote:
>
>> Isn't the whole point of GPG to hide the content or who it's intended
>> to?
>
> Well, yes to hide the content, that is true, but the recipient is known
> and GnuPG produces the encrypted and armored content in an IMHO
> non-optimal way.

Uhh... no.
You can absolutely hide the recipient with the '-R' option in Gnupg.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

Re: ProtonMail and Anonymity [ In reply to ]
On Thu, 9 May 2019 15:28:36 -0400,
Tony Lane <codeguro@gmail.com> wrote:

> Uhh... no.
> You can absolutely hide the recipient with the '-R' option in Gnupg.
> -----BEGIN PGP SIGNATURE-----


Sorry for my bad wording! I was referring to the email recipient, when
using a standard MUA which sends to a regular single email address.

Of course the -R option allows to send to someone and when the mail
arrives the message can then be handed over to the real recipient. ;-)

Regards
Stefan

Re: ProtonMail and Anonymity [ In reply to ]
On 05/09/2019 01:03 PM, Stefan Claas wrote:
> On Thu, 9 May 2019 15:28:36 -0400,
> Tony Lane <codeguro@gmail.com> wrote:
>
>> Uhh... no.
>> You can absolutely hide the recipient with the '-R' option in Gnupg.
>> -----BEGIN PGP SIGNATURE-----
>
>
> Sorry for my bad wording! I was referring to the email recipient, when
> using a standard MUA which sends to a regular single email address.
>
> Of course the -R option allows to send to someone and when the mail
> arrives the message can then be handed over to the real recipient. ;-)
>
> Regards
> Stefan

Or one can send to alt.anonymous.messages, or wherever. And recipient(s)
can periodically download everything, and simply try decrypting each
message. I don't recall now whether remailer nyms worked exactly that
way. Maybe client apps depended on seeing recipient IDs. Or maybe hashes
of recipient IDs. It's interesting, but doesn't scale well.
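
Added example, not part of any post in this thread: a minimal Python parser that reads the Public-Key Encrypted Session Key (PKESK) packets at the start of a binary OpenPGP message and shows what `-R` changes, namely that the 8-byte key ID is written as all zeros, so a recipient has to try each secret key as described above. The sample messages are constructed bytes with a fake session-key field, not real gpg output; armored input would first need `gpg --dearmor`.

```python
"""List recipient key IDs in a binary OpenPGP message (RFC 4880, PKESK v3)."""
from dataclasses import dataclass

PKESK_TAG = 1                # Public-Key Encrypted Session Key packet
WILDCARD_KEY_ID = bytes(8)   # all-zero key ID: recipient not disclosed


@dataclass
class Recipient:
    key_id: str      # 16 hex digits exactly as stored in the packet
    algorithm: int   # public-key algorithm ID (1 = RSA)
    hidden: bool     # True when the key ID is the all-zero wildcard


def take(data: bytes, start: int, count: int) -> bytes:
    """Slice that refuses to return fewer bytes than requested."""
    chunk = data[start:start + count]
    if len(chunk) != count:
        raise ValueError("truncated OpenPGP data")
    return chunk


def read_header(data: bytes, pos: int):
    """Return (tag, body_start, body_len). body_len is None for partial or
    indeterminate lengths, which only the streamed encrypted data uses."""
    first = take(data, pos, 1)[0]
    if not first & 0x80:
        raise ValueError(f"offset {pos}: not an OpenPGP packet header")
    if first & 0x40:                                  # new-format header
        tag = first & 0x3F
        o1 = take(data, pos + 1, 1)[0]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            o2 = take(data, pos + 2, 1)[0]
            return tag, pos + 3, ((o1 - 192) << 8) + o2 + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(take(data, pos + 2, 4), "big")
        return tag, pos + 2, None                     # partial body length
    tag = (first & 0x3C) >> 2                         # old-format header
    length_type = first & 0x03
    if length_type == 3:
        return tag, pos + 1, None                     # indeterminate length
    width = 1 << length_type                          # 1, 2 or 4 length octets
    return tag, pos + 1 + width, int.from_bytes(take(data, pos + 1, width), "big")


def list_recipients(data: bytes) -> list:
    """Walk the leading packets and collect one Recipient per PKESK."""
    recipients, pos = [], 0
    while pos < len(data):
        tag, start, length = read_header(data, pos)
        if length is None:
            break            # encrypted payload reached; PKESKs come before it
        body = take(data, start, length)
        if tag == PKESK_TAG:
            if len(body) < 10 or body[0] != 3:
                raise ValueError("only version 3 PKESK packets are handled")
            key_id = body[1:9]
            recipients.append(
                Recipient(key_id.hex().upper(), body[9], key_id == WILDCARD_KEY_ID))
        pos = start + length
    return recipients


def sample_message(*key_ids: bytes) -> bytes:
    """Constructed test input: one PKESK per key ID, then a dummy data packet."""
    out = b""
    for key_id in key_ids:
        # version 3, key ID, algorithm 1 (RSA), fake 16-bit MPI
        body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xab\xcd"
        out += bytes([0x84, len(body)]) + body        # old format, tag 1
    return out + bytes([0xD2, 5]) + b"\x01\xde\xad\xbe\xef"  # new format, tag 18


VISIBLE = sample_message(bytes.fromhex("1122334455667788"))        # like -r
HIDDEN = sample_message(bytes(8))                                  # like -R
MIXED = sample_message(bytes.fromhex("1122334455667788"), bytes(8))

if __name__ == "__main__":
    for name, msg in (("visible", VISIBLE), ("hidden", HIDDEN), ("mixed", MIXED)):
        print(name, list_recipients(msg))
```

On a real message, `gpg --list-packets` reports the same field as `keyid 0000000000000000`. The zero key ID hides which key can decrypt the message, not the address the mail is delivered to.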

Re: ProtonMail and Anonymity [ In reply to ]
> On 9 May 2019, at 22:34, Stefan Claas <sac@300baud.de> wrote:
>
> On Wed, 8 May 2019 22:08:22 +0200,
> Christopher W. Richardson <cwr@cwrichardson.com> wrote:
>
>>> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de
>>> <mailto:sac@300baud.de>> wrote:
>>>
>>> ProtonMail's procedure is not anonymous like
>>> real anonymous email services
>>
>> What are some such “real” anonymous email services?
>
> Sceptic, eh? :-)
>
> However, as soon as time permits I will create a little
> .pdf document showing the required and reliable resources
>
> In order to obtain this document you or anybody else
> will have to follow some guidelines, which I will
> outline here, once the document is available.

I shall patiently await :)
Re: ProtonMail and Anonymity [ In reply to ]
On 09.05.2019 at 16:44, Stefan Claas wrote:

> implement for future generations of GnuPG users message padding
> and stealth mode, we had in PGP, back in the mid 90's, so
> that procmail and Co. have it more difficult to filter PGP messages.

Maybe an interesting read.

https://web.archive.org/web/20130513043502/http://finney.org/~hal/stealth_pgp.html

Regards

Stefan


Re: ProtonMail and Anonymity [ In reply to ]
Christopher W. Richardson wrote:

>
>
> > On 9 May 2019, at 22:34, Stefan Claas <sac@300baud.de> wrote:
> >
> > On Wed, 8 May 2019 22:08:22 +0200,
> > Christopher W. Richardson <cwr@cwrichardson.com> wrote:
> >
> >>> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de
> >>> <mailto:sac@300baud.de>> wrote:
> >>>
> >>> ProtonMail's procedure is not anonymous like
> >>> real anonymous email services
> >>
> >> What are some such “real” anonymous email services?
> >
> > Sceptic, eh? :-)
> >
> > However, as soon as time permits I will create a little
> > .pdf document showing the required and reliable resources
> >
> > In order to obtain this document you or anybody else
> > will have to follow some guidelines, which I will
> > outline here, once the document is available.
>
> I shall patiently await :)

Sorry for the late reply, I am still busy with some projects.

Anyways, I decided to post now some keywords, which you or
anybody else can Google up.

OmniMix, QuickSilver Lite, YAMN (check github), Mixmaster4096
(check github), Bitmessage, ZeroNet and for anonymous file
transfer Onionshare. Those tools can be all used with Tor.

There are probably many more tools available to communicate
anonymously, but those are reliable ones used in anonymous
circles.

Regards
Stefan

Re: ProtonMail and Anonymity [ In reply to ]
On 06/08/2019 01:25 AM, Stefan Claas wrote:
> Christopher W. Richardson wrote:
>
>>
>>
>>> On 9 May 2019, at 22:34, Stefan Claas <sac@300baud.de> wrote:
>>>
>>> On Wed, 8 May 2019 22:08:22 +0200,
>>> Christopher W. Richardson <cwr@cwrichardson.com> wrote:
>>>
>>>>> On 6 May 2019, at 16:15, Stefan Claas <sac@300baud.de
>>>>> <mailto:sac@300baud.de>> wrote:
>>>>>
>>>>> ProtonMail's procedure is not anonymous like
>>>>> real anonymous email services
>>>>
>>>> What are some such “real” anonymous email services?
>>>
>>> Sceptic, eh? :-)
>>>
>>> However, as soon as time permits I will create a little
>>> .pdf document showing the required and reliable resources
>>>
>>> In order to obtain this document you or anybody else
>>> will have to follow some guidelines, which I will
>>> outline here, once the document is available.
>>
>> I shall patiently await :)

Yeah, I'd also like to see that :)

> Sorry for the late reply, I am still busy with some projects.
>
> Anyways, I decided to post now some keywords, which you or
> anybody else can Google up.
>
> OmniMix, QuickSilver Lite, YAMN (check github), Mixmaster4096
> (check github), Bitmessage, ZeroNet and for anonymous file
> transfer Onionshare. Those tools can be all used with Tor.

Some years ago, I got Quicksilver Lite working in Debian with Wine. But
even then, it hadn't been updated for years. And now I find that
https://www.quicksilvermail.net isn't loading. Are people still using
nymservers with mixmaster? And do you have working onion URLs for
nymservers and news servers?

> There are probably many more tools available to communicate
> anonymously, but those are reliable ones used in anonymous
> circles.
>
> Regards
> Stefan
>
Re: ProtonMail and Anonymity [ In reply to ]
First of all...

On 05.05.19 12:12, Stefan Claas wrote:
> Hi all,
>
> appologies for posting this, but I think it could
> be of interest for GnuPG users, because ProtoMail
> uses the OpenPGP protocol too.

It uses OpenPGP protocol, but in quite a twisted way. And they're not
OpenPGP-compliant, because they're not able to encrypt mails leaving
their domain. Any webmail by itself cannot be secure, because provider
can always send you 'modified' browser applet and steal your private key
and some day - the passphrase.

Real anonymous email services are out there in .onion domain, but
they're neither stable nor trusted by non-onion recipients...

Cheers,

Kirill

Re: ProtonMail and Anonymity [ In reply to ]
Mirimir wrote:

> Some years ago, I got Quicksilver Lite working in Debian with Wine.
> But even then, it hadn't been updated for years. And now I find that
> https://www.quicksilvermail.net isn't loading. Are people still using
> nymservers with mixmaster? And do you have working onion URLs for
> nymservers and news servers?

I visited the Quicksilver site a couple of days ago and it was working.

I may ping Richard to let him know that it is not working.

Regarding Nymservers, you communicate not directly with them, so
no .onion needed. What you need to do is set up Mixmaster with
Tor, socat and stunnel and then send the config Nym message to
the registration email address. There are however .onion relays
available for Mixmaster Remailers, but I do not have them because
I use YAMN nowadays.

With News Servers I used them in the past also with Tor, socat and
stunnel. I may ask a friend if he has .onion addresses for them.
I currently don't need them because I no longer have a nym to pull
messages from a.a.m.. And yes, people are still using Mixmaster (and now
YAMN) with Usenet or email. :-)

Regards
Stefan

Re: ProtonMail and Anonymity [ In reply to ]
Hi Kirill,

On 09.06.2019 08:57, Kirill Peskov wrote:
> It uses OpenPGP protocol, but quite a twisted way. And they're not
> OpenPGP-compliant, because they're not able to encrypt mails leaving
> their domain.

What do you mean by that? There is an option to add OpenPGP key of a
"foreign" contact and send to other e-mail providers just like any other
OpenPGP mail.

From what I've seen on OpenPGP mailing list they're also planning to
have Web Key Directory key discovery so that it'll be easier to encrypt
to people outside ProtonMail.

> Any webmail by itself cannot be secure, because provider
> can always send you 'modified' browser applet and steal your private key
> and some day - the passphrase.

Yes, that's a problem. Still, who would discover a compromised Enigmail
plugin (that autoupdates too), or even GnuPG? As the code is quite
complex and in some cases there are many intermediaries (distro
maintainers) it's not quite obvious what code you are running exactly.

As for webpages there is also this interesting plugin:
https://stosb.com/blog/signed-web-pages/

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

Re: ProtonMail and Anonymity [ In reply to ]
Kirill Peskov wrote:

> First of all...
>
> On 05.05.19 12:12, Stefan Claas wrote:
> > Hi all,
> >
> > appologies for posting this, but I think it could
> > be of interest for GnuPG users, because ProtoMail
> > uses the OpenPGP protocol too.
>
> It uses OpenPGP protocol, but in quite a twisted way. And they're not
> OpenPGP-compliant, because they're not able to encrypt mails leaving
> their domain. Any webmail by itself cannot be secure, because provider
> can always send you 'modified' browser applet and steal your private
> key and some day - the passphrase.
>
> Real anonymous email services are out there in .onion domain, but
> they're neither stable nor trusted by non-onion recipients...

Correct and also .onion domains come and go.

The only IMHO reliable anonymous email services are if you
use Anonymous Remailers (with a Nym account) or Bitmessage
(with an additional Mailchuck email gateway address).

Regards
Stefan

Re: ProtonMail and Anonymity [ In reply to ]
Mirimir wrote:

> And do you have working onion URLs for
> nymservers and news servers?

Here we go, it is from a.p.a-s:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are the free Onion SMTP Servers that I am aware of that are
working as of April 29, 2019


Frell must be the first remailer in your remailer chain when using
bshc44ac76q3kskw.onion.

Here are the free Onion NNTP Servers that I am aware of that are
working as of April 29, 2019

ruxuklsvo4pk74m5.onion:119
neodomea5yrhcabc.onion:119
asq5mo52aghemn2i.onion:119

I will try to update this on a weekly basis going forward and if
there are others that are working please update this thread.

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlzHSkgACgkQrrtSX34nv6ZyFgCg44BedGUs4jzYz204e6GlKp/9
E/cAoNa6V2YQzz9Tkb6CyyM0BOl/IRK9
=2Cfr
-----END PGP SIGNATURE-----

Regards
Stefan

Re: ProtonMail and Anonymity [ In reply to ]
On 06/09/2019 01:20 AM, Stefan Claas wrote:
> Mirimir wrote:
>
>> Some years ago, I got Quicksilver Lite working in Debian with Wine.
>> But even then, it hadn't been updated for years. And now I find that
>> https://www.quicksilvermail.net isn't loading. Are people still using
>> nymservers with mixmaster? And do you have working onion URLs for
>> nymservers and news servers?
>
> I visited the Quicksilver site a couple of days ago and it was working.
>
> I may ping Richard to let him know that it is not working.

Thanks. Any chance of a native Linux port of Quicksilver? I asked, some
years ago, and got that it wasn't feasible.

> Regarding Nymservers, you communicate not directly with them, so
> no .onion needed. What you need to do is set up Mixmaster with
> Tor, socat and stunnel and then send the config Nym message to
> the registration email address. There are however .onion relays
> available for Mixmaster Remailers, but I do not have them because
> I use YAMN nowadays.
>
> With News Servers I used them in the past also with Tor, socat and
> stunnel. I may ask a friend if he has .onion addresses for them.
> I currently don't need them because I have no more a nym to pull
> messages from a.a.m.. And yes, people still using Mixmaster (and now
> YAMN) with Usenet or email. :-)
>
> Regards
> Stefan
>
Re: ProtonMail and Anonymity [ In reply to ]
Mirimir wrote:

> Thanks. Any chance of a native Linux port of Quicksilver? I asked,
> some years ago, and got that it wasn't feasible.

You're welcome!

What I would do under Linux, wishing to run Mixmaster (latest
Version with 4k keys support) and using a Nym:

Check the docs here, they are for Remailers, but should help
you to compile Mixmaster under Debian.

https://inwtx.net/remailer.html

Mixmaster has also a nice ncurses Interface.

Then to handroll a Nym account with GnuPG:

http://mixnym.net/

And finally to fetch messages from a.a.m.:

https://github.com/crooks/aam2mail

If you need help with setting up Tor, socat and stunnel
let me know.

Hope this helps!

Regards
Stefan





Re: ProtonMail and Anonymity [ In reply to ]
Stefan Claas wrote:

> Hope this helps!

And you probably want an up to date allpingers.txt:


Regards
Stefan

Re: ProtonMail and Anonymity [ In reply to ]
Stefan Claas wrote:

> I visited the Quicksilver site a couple of days ago and it was
> working.
>
> I may ping Richard to let him know that it is not working.

O.k. his site is up and running, but his LE cert is expired.

Regards
Stefan

Re: ProtonMail and Anonymity [ In reply to ]
Stefan Claas wrote:

> Am Mon, 6 May 2019 08:53:14 -0400
> schrieb Jeff Allen <jrallen@runbox.com>:
>
>
> > People who don't trust ProtonMail shouldn't use it.
>
> Absolutely! But I think it does not hurt to post
> such things to educate PGP users how different
> services or software applications etc. handle such
> privacy related things, especially when using the
> word anonymous.

Also interesting.

https://eprint.iacr.org/2018/1121.pdf

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


Re: ProtonMail and Anonymity [ In reply to ]
Hello Stefan,

On 01/09/2019 14:14, Stefan Claas via Gnupg-users wrote:
> Also interesting.
>
> https://eprint.iacr.org/2018/1121.pdf

If you post URLs to this mailing list, could you please provide a short
description of what can be found at the URL? This prevents the situation
that people should visit the URL to know if they want to visit the URL,
and helps a lot when searching the archives.

In this case, since it's a scientific paper, I think the following would
be a good way to share it (I used the BibTeX citation to quickly get all
the relevant fields). But at least include a short description, please.

Here:

A scientific paper by Nadim Kobeissi published in 2018 in the Cryptology
ePrint Archive, titled "An Analysis of the ProtonMail Cryptographic
Architecture":

https://eprint.iacr.org/2018/1121

Abstract:
ProtonMail is an online email service that claims to offer end-to-end
encryption such that "even [ProtonMail] cannot read and decrypt [user]
emails." The service, based in Switzerland, offers email access via
webmail and smartphone applications to over five million users as of
November 2018. In this work, we provide the first independent analysis
of ProtonMail's cryptographic architecture. We find that for the
majority of ProtonMail users, no end-to-end encryption guarantees have
ever been provided by the ProtonMail service and that the
"Zero-Knowledge Password Proofs" are negated by the service itself. We
also find and document weaknesses in ProtonMail's "Encrypt-to-Outside"
feature. We justify our findings against well-defined security goals and
conclude with recommendations.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
Re: ProtonMail and Anonymity [ In reply to ]
On 2019-09-01 15:18, Peter Lebbing wrote:
Hi Peter,

> Hello Stefan,
>
> On 01/09/2019 14:14, Stefan Claas via Gnupg-users wrote:
>> Also interesting.
>>
>> https://eprint.iacr.org/2018/1121.pdf
>
> If you post URLs to this mailing list, could you please provide a short
> description of what can be found at the URL? This prevents the situation
> that people should visit the URL to know if they want to visit the URL,
> and helps a lot when searching the archives.
>
> In this case, since it's a scientific paper, I think the following would
> be a good way to share it (I used the BibTeX citation to quickly get all
> the relevant fields). But at least include a short description, please.

O.k., sorry, next time I will do so.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas

Re: ProtonMail and Anonymity [ In reply to ]
------- Original Message -------
On Sunday, September 1, 2019 12:14 PM, Stefan Claas via Gnupg-users <gnupg-users@gnupg.org> wrote:

> Stefan Claas wrote:
>
> > Am Mon, 6 May 2019 08:53:14 -0400
> > schrieb Jeff Allen jrallen@runbox.com:
> >
> > > People who don't trust ProtonMail shouldn't use it.
> >
> > Absolutely! But I think it does not hurt to post
> > such things to educate PGP users how different
> > services or software applications etc. handle such
> > privacy related things, especially when using the
> > word anonymous.
>
> Also interesting.
>
> https://eprint.iacr.org/2018/1121.pdf
>
> Regards
> Stefan
>
> ---------------------------------------------------------------------------
>
> box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
> certified OpenPGP key blocks available on keybase.io/stefan_claas
>
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

The paper overstated ProtonMail's security weaknesses. The paper does not point to possible or actual attacks, nor does it review code. It merely boils down to two analytical (hypothetical thinking) conclusions: 1) the ProtonMail server can be compromised, and a verified smartphone app is more reliable in this respect; 2) for outside encryption, ProtonMail allows the use of weak passwords.
