For sure, I just think it should be specified so people are aware of it, and can make an informed choice.
Agreed.
Not apparently, you are absolutely wrong. No buts and ifs. Me and others have experience with this. I got a warning myself.
Resurrecting old posts to “get someone” is uncouth. Be better.
Yes, I was wrong. I learned. I no longer think this way. Geez, focus on your own issues instead of taking your frustration on incorrect comments from months ago by others.
Most users are unaware
Not only are they unaware, lots of Proton users will deliberately defend Proton, saying that you’re wrong, that it’s not how Proton works, that there’s more to the story and it must be your fault doing something shady that causes the warning. I’ve tried to explain this on reddit and got downvoted to the bottom, while those who tried to “correct” me got upvoted.
We must raise public awareness
Theoretically, there’s an effective way to raise public awareness by letting other users experience this nonsensical policy.
SimpleLogin has this Subdomain paid feature:
You can use subdomain to quickly create email aliases without opening SimpleLogin app.
Handy when you need to quickly give out an email address, for example on a phone call, in a meeting or just anywhere you want.
After choosing a subdomain, simply use anything@my-subdomain.simplelogin.com next time you need an alias: it’ll be automatically created the first time it receives an email.
The allowed root domains are aleeas.com, simplelogin.com, slmail.me, 8shield.net.
All the subdomains created by users can be found publicly here: simplelogin.io domains - UserCheck.
So technically anyone can grab a stranger’s subdomain and use it to create multiple aliases to sign up on one single third-party website to trigger a warning/ban. This means anyone can get a SimpleLogin user banned just by abusing public sign-up forms. Maybe Proton will change their policy once enough people contact them about their accounts getting banned out of nowhere?
Or perhaps Proton will just brush it off like they did here: Reddit - The heart of the internet
I don’t fully get it. Please explain.
I’m still confused as to how this is possible. Could you please explain? I understand that Simple Login allows subdomains, so does Addy, but how do other people find out about a specific user’s SL subdomains and aliases? And why would that be public information?
I also read the Reddit post, and I don’t fully get it either. OP has a custom domain, which means he owns the domain, how can other people use it if they don’t know it?
Even if somehow bad actors managed to figure out the domains or aliases of an SL user, how are they able to use them if they don’t have access to the account?
Many times in the distant past, I have found myself in situations where a public Wi-Fi network needed my email address to grant me access. Sometimes, those networks don’t require that you verify your address, so I would enter an address that I made up, but was confident really existed, like harrypotter@gmail.com
To me, it sounds like this is what is happening with SL. The only difference is it should be really hard for a complete stranger to guess your SL subdomain. And even if they do, I don’t understand how it could be useful to them if they don’t have access to the account.
It still absolutely sucks
Even if I don’t understand how this is possible, the fact is, it is, and Proton acknowledges it.
And yet, they still decide to reprimand OP by not removing the warning from their account. That means Proton remembers the warnings they give you, and probably has a 2-strike rule when it comes to this.
This is terrible. It reinforces my decision not to tempt the devil by attempting to create multiple aliases for the same website. Even if I pace them well, the fact remains, I already have one warning against me, and I don’t want to play with fire.
It also reinforces my resolve and belief that we should raise this issue publicly, repeatedly, and loudly, until Proton understands. The very least they could do is clarify their ToS so people know. That is the bare minimum. Because this is not common knowledge, and Proton keeps inviting their users to brag about how many aliases they have to promote Proton Pass.
SimpleLogin’s subdomain feature works in the same way as a catch-all email address. Here’s how they work:
- SimpleLogin’s subdomain: You create a subdomain through SimpleLogin’s website, you can name it whatever you want, as long as it’s not taken. For example: @purpledime.simplelogin.com. And you don’t need to create aliases manually one by one using that subdomain. All emails sent to any address using that subdomain will be forwarded to your mailbox. An alias will be automatically created the first time it receives an email. You can come up with a new alias on the fly, without touching the SimpleLogin website, and it will still work. For example, once the subdomain is created, you spontaneously visit a bookstore, and you want to give them an email address, you can just give them bookstore@purpledime.simplelogin.com without having to create that alias through SimpleLogin’s UI, and it will still work.
- Catch-all email address: You connect your custom domain to the email hosting or forwarding service that offers the catch-all feature, and then all emails sent to any email address using that domain can be received without having to create each address beforehand.
but how do other people find out about a specific user’s SL subdomains and aliases? And why would that be public information?
I can think of 2 ways a user-generated SimpleLogin subdomain can be discovered:
- The user gives their subdomain aliases to websites they use. So the website owner knows about the subdomain. And if that website sells user data or is breached, the subdomain is also known by other parties.
- All of the subdomains and domains associated with SimpleLogin can be found through anti-spam sites like usercheck.com. You can check the list of all SimpleLogin subdomains and domains here: simplelogin.io domains - UserCheck
That’s why I said it was public information.
I also read the Reddit post, and I don’t fully get it either. OP has a custom domain, which means he owns the domain, how can other people use it if they don’t know it?
it should be really hard for a complete stranger to guess your SL subdomain
They could coincidentally use it as a made-up address like you mentioned. It’s possible if OP owns a generic domain like secret.com or idontcare.com, which people could potentially come up with.
It’s correct that other people can’t use it unless they know the domain, but it’s not hard to know the domain, as I explained above. A stranger sitting next to me on the bus won’t be able to guess my SL subdomain, but anyone can obtain the full list of all SL subdomains created by all SL users.
Even if somehow bad actors managed to figure out the domains or aliases of an SL user, how are they able to use them if they don’t have access to the account?
Bad actors don’t need to have access to the account because of the catch-all nature of the subdomain feature. They can come up with random addresses using an SL user’s subdomain, for example, random1@purpledime.simplelogin.com and random2@purpledime.simplelogin.com, and use them to register two Google accounts without the user knowing, and the user will get a bulk signups warning from SimpleLogin. The same thing happened to the Reddit post OP because he used a catch-all address with his custom domain.
Theoretically, if someone wants to attack SimpleLogin’s service, they could grab the list of all subdomains and domains associated with SimpleLogin from usercheck.com and generate random addresses to register on one single website. As a result, a significant number of users will receive warnings or get banned without knowing why. Subdomain and custom domain are paid features, so it’s likely those affected paid customers will get pissed that their accounts are banned out of nowhere, locking them out of many other accounts. They will definitely make a fuss out of it.
Thank you so much for explaining. I get it now.
As I mentioned previously, Addy also has a subdomain feature. In fact, in their cheapest paid plan, they only grant you 50 unique aliases with their generic domains, and unlimited subdomain aliases. Although it’s appealing to some people, I am personally not a fan of this formula.
It’s always been clear to me that using subdomain aliases compromises your privacy, because websites that pay attention will be able to correlate your aliases to the same person.
I am not sure that Addy’s subdomain feature allows you to create an alias on the fly without going through them, though. It might not, which IMO would be a good thing.
From my experience, most registrations via email require confirmation. Without it, it is useless. So my guess is the bad actors are just trying to mess with Simple Login even though they don’t have access to their users’ accounts. The solution seems to be to not allow catch-all aliases, but I don’t know if everybody would be happy about that.
I feel terrible for that Redditor. Proton needs to do something about this. It’s not fair to get strikes on your account when you did nothing wrong.
It’s clear that the bad actors don’t have access to their users’ accounts, and they don’t need access for a successful attack. The attack is not useless without a confirmation. By “confirmation”, did you mean something like the user needs to enter the code they receive in an email sent by the third-party service to continue the registration process on the third-party website?
If that is what you were talking about, SimpleLogin doesn’t care whether the user opens the email and completes the confirmation on the third-party service or not. The moment they receive the confirmation email from a third-party service, they issue a warning, or ban users automatically.
The attack is successful the moment the third-party service sends an email confirmation to the SimpleLogin email alias address and SimpleLogin’s anti-abuse system is triggered, which leads to a warning/ban issued to the attacked user.
It’s pretty simple to test this. You could register a new throwaway SimpleLogin account and try attacking your own account.
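A toy model of the trigger the two posts above describe (a catch-all subdomain makes the number of "signed-up aliases" something an outsider controls), added here as an illustration. It is not code from this thread, from SimpleLogin or from Proton, whose real anti-abuse logic is not public; the sender domains, the purpledime subdomain, the threshold and the sample messages are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of inbound mail as (sender_domain, recipient_alias).
# Only "shop@" and "news@" were created by the account holder; the "random*@"
# addresses exist only because anything@subdomain is accepted on first receipt.
SAMPLE_INBOUND = [
    ("accounts.example-site.com", "shop@purpledime.simplelogin.com"),
    ("accounts.example-site.com", "random1@purpledime.simplelogin.com"),
    ("accounts.example-site.com", "random2@purpledime.simplelogin.com"),
    ("accounts.example-site.com", "random3@purpledime.simplelogin.com"),
    ("news.example-media.net", "news@purpledime.simplelogin.com"),
]

# Aliases the account holder explicitly provisioned (constructed).
USER_CREATED = {
    "shop@purpledime.simplelogin.com",
    "news@purpledime.simplelogin.com",
}

# Assumed threshold: this many distinct aliases receiving mail from one sender
# domain counts as "bulk sign-up". The real number, if any, is not public.
THRESHOLD = 3


def aliases_per_sender(inbound):
    """Group the distinct recipient aliases by the domain that mailed them."""
    per_sender = defaultdict(set)
    for sender, alias in inbound:
        per_sender[sender].add(alias.lower())
    return per_sender


def catch_all_policy(inbound, threshold=THRESHOLD):
    """Flag sender domains that reached `threshold` distinct aliases, counting
    every alias the subdomain accepted, including ones nobody provisioned.
    With a catch-all subdomain, a third party who knows the subdomain can push
    this count over the line without touching the account."""
    return {
        sender: len(aliases)
        for sender, aliases in aliases_per_sender(inbound).items()
        if len(aliases) >= threshold
    }


def explicit_only_policy(inbound, user_created, threshold=THRESHOLD):
    """Same check, but only aliases the account holder created are counted.
    Mail to random@subdomain still arrives, but it no longer inflates the
    number used for the warning. One possible mitigation, not a claim about
    what any provider actually does."""
    owned_set = {a.lower() for a in user_created}
    flagged = {}
    for sender, aliases in aliases_per_sender(inbound).items():
        owned = aliases & owned_set
        if len(owned) >= threshold:
            flagged[sender] = len(owned)
    return flagged


if __name__ == "__main__":
    print("catch-all count :", catch_all_policy(SAMPLE_INBOUND))
    print("explicit-only   :", explicit_only_policy(SAMPLE_INBOUND, USER_CREATED))
```

Run stand-alone, the first policy flags accounts.example-site.com with 4 aliases even though the user only ever handed out one address to that site, while the second policy flags nothing. The difference is the whole point of the thread: under a catch-all the count is chosen by whoever knows the subdomain, not by the account holder.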
That, or click on a link to confirm the creation of the account or the update to a new address, yes.
That is absolutely true and exactly what happened to me.
You’re right. There’s no need to test it as I’ve already experienced it once.
I’m just wondering what the bad actors gain out of it, outside of screwing over a poor SL user. I guess they damage Proton’s reputation and jeopardize the reliability of their service by making websites not trust them. Why would bad actors want to do that? I don’t know.
Here are my guesses. It could be that the bad actor is SimpleLogin’s competitor. They could be someone who holds a grudge against SimpleLogin. Or it could be someone who wants Proton to change their nonsensical policy by showing them how that policy could easily be exploited to harm Proton paid users. If more people are affected by this, more people are going to voice their opinion, or even walk away from Proton, which leads to Proton’s financial loss, which could make Proton finally pay attention to the issue.
I hope that’s not it because that is a bad way to do it. I also feel like if only a tiny minority bother to complain about an issue, Proton are less likely to feel compelled to do something about it.
We definitely need to raise our voices, but not like that. One strategy I am thinking of is to get influential voices in the privacy community to not just raise the issue, but ask Proton about it upfront and publicly, if and when they get the opportunity to do so. Various members of the privacy community have had the opportunity to interview Andy Yen, the CEO. I hope we can persuade them to ask hard questions the next time that opportunity comes again.
That is a great idea. That could be one of the best ways to get their attention.
Do you still actively use SimpleLogin to create new aliases? I have a workaround setup that can somewhat minimize the damage.
Oh, I use Proton Pass aliases every day. I just don’t create more than one alias per third-party website, which is something I would like to do. I’m definitely not going to let this issue go.
Do you have paid subscriptions with Substack? If not, the best way to read articles is by using an RSS reader like Feeder. No need to use aliases as you don’t have to create an account.
I don’t have any paid Substack subscriptions, no. Thanks for the recommendation.