Vote for Proton not to have your recovery address stored as text

and readily available for LE and spy agencies

5 Likes

Not really. This can be solved by asking the user to verify the recovery email and matching it against the hashed value.

This is a better implementation given Proton’s slogan: “Privacy by default”.

3 Likes

No it does not. There is no requirement, when implementing this, that the adversary attempting a brute force receive confirmation that the email/hash was valid or invalid.

This, by the way, is a workflow that already exists when recovering the email address. You must enter your recovery email correctly when attempting to recover via email. If anything, this would be a solid improvement as today the adversary receives output the email was invalid.

The best way to not let law enforcement have your recovery email is by not giving one. Use the recovery phrase.

BOTH options could be available which would benefit users who choose to use email as a recovery method.

1 Like

This is pretty standard and often recommended to prevent enumeration of accounts, which you indicated as a risk earlier. Using your example, an actor could enumerate a Proton user’s recovery email and use that information to gain control of the Proton account. Which again - this was an attack vector you described and is present today.

See above.

If Proton can match the hash so can LE. This idea brings a false feeling of safety. An email is not a password and not as random. They could just as easily ask for the hash and match it with an email address from all the data certain governments have access to. This is just a bump in the road, not stopping them from getting confirmation.

Just put the recovery key somewhere safe and do not configure a recovery email, problem solved.

11 Likes

In this circumstance I imagine the adversary would need:

  • The hashed recovery email stored on Proton’s server associated with the email account.
  • The exact hashing algorithm
  • Brute force / Rainbow-esque tables of either:
      • All known email addresses through some type of database leak (assuming the recovery is present)
      • All permutations of valid email addresses

Can one of these 3 be skipped?

No this is correct. Although point 2 in most cases is very easy to determine from the hash format.

2 Likes
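To make the two posts above concrete (that a hashed recovery address is matchable by anyone holding the record, and that the three things the adversary needs reduce to a dictionary of known addresses), here is an added illustration. It is not code from this thread or from Proton; the address list, the "target" address and the use of SHA-256 are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample standing in for "all known email addresses through some
# type of database leak". Real lists are huge, but the principle is the same.
KNOWN_ADDRESSES = [
    "alice@example.com",
    "bob.smith@example.org",
    "jim-bob-jenkins@example.net",
    "carol99@example.co.uk",
]


def normalize(email: str) -> str:
    # Matching a recovery address requires canonical form, so any real
    # implementation would normalize before hashing; the adversary does the same.
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unsalted SHA-256 of the address: the scheme debated in the thread."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def salted_hash(email: str, salt: bytes) -> str:
    """Per-record salt: defeats precomputed (rainbow-style) tables only."""
    return hashlib.sha256(salt + normalize(email).encode()).hexdigest()


def match_against_dictionary(stored_hash, candidates, hash_fn):
    """Return the candidate whose hash equals stored_hash, or None.

    This is the 'brute force / table' step from the thread. Because an email
    address has little entropy, the search space is a list of known
    addresses, not the output space of the hash function.
    """
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), stored_hash):
            return candidate
    return None


def demo():
    """Shows that both the unsalted and the salted variant are recoverable
    with one hash per dictionary entry once the record (hash + salt) is held."""
    target = "Jim-Bob-Jenkins@example.net"  # constructed

    # 1. Unsalted: a table keyed by hash is built once and reused for every user.
    stored = plain_hash(target)
    table = {plain_hash(c): c for c in KNOWN_ADDRESSES}
    recovered_unsalted = table.get(stored)

    # 2. Salted: the table must be rebuilt per record, but the salt is stored
    #    beside the hash, so whoever obtains the record re-hashes the same
    #    dictionary. Cost: len(KNOWN_ADDRESSES) hashes, not 2**256.
    salt = secrets.token_bytes(16)
    stored_salted = salted_hash(target, salt)
    recovered_salted = match_against_dictionary(
        stored_salted, KNOWN_ADDRESSES, lambda e: salted_hash(e, salt)
    )
    return recovered_unsalted, recovered_salted


if __name__ == "__main__":
    print(demo())
```

The take-away matches the thread: a salt or a slow hash only multiplies the per-guess cost, and with a dictionary of known addresses the number of guesses stays small. Not storing a recovery address removes the record entirely, which no hashing scheme achieves.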

Am I missing something…if law enforcement and spy agencies are in your threat model, wouldn’t you just use a different email address as your recovery email that’s not traceable to you?

If I’m super-secret-hacker at proton, I’m using Proton for super secret hacking activities, and I can’t ever let someone discover that I’m really Jim Bob Jenkins…why on earth would I ever allow any communication from Proton (like the actual email to recover an account) to be sent to jim-bob-jenkins at gmail, thus demonstrating that I am super-secret-hacker to Google and everyone who can get to that email along that chain?

6 Likes

You’re not missing anything. That’s exactly correct.

I’ve never used a recovery email for my proton account. My concern wasn’t anonymity, but rather if my non-proton account was compromised it could be used to take over my proton account via the recovery process.

So I keep the recovery phrase in my password manager.

1 Like

I have considered using a private Tuta account as a recovery email for my Proton account (although I still can’t make a Tuta account via Tor). Would that be more likely to be compromised than a Proton account? I suppose the more ways to gain access to an account the more likely it is.

The question to ask is: what’s more likely, losing access to your Proton account and recovery phrase, or someone gaining access to your recovery account and knowing a Proton account is tied to it?

How secure a Tuta or Proton account is really is up to you. If you use a long, complex passphrase and a hardware security key for 2FA then it is very secure.

Adding a recovery email just means that your proton account has another vector for attack. That new vector could be minimal, like a well secured Tuta account, but it does add complexity to your security model.

Instead of recovery email, you can use a password manager like Bitwarden or Keepass to store your recovery stuff.

2 Likes

Snowden might have a threat model that involves the spy agencies targeting him personally.

I, Joe Nobody, have a threat model that involves the spy agencies logging every second of my existence just because they can.
They’re in my threat model even though their surveillance is inconsequential to me. Not a lot different from wanting to avoid “Big Tech surveillance”.

So yeah, a “threat model involving spy agencies” may mean very different things.

1 Like

If LE and 3-letter agencies were a legitimate concern of mine and I was still using any form of email at all then getting locked up would be more of a concern than getting locked out. It’s far more likely I’ll lose access through my own incompetence. Consequently, I have 2 YubiKeys, Aegis TOTP, backup codes in Keepass and recovery email on both my Proton and Tuta accounts.
Tuta is the recovery email for Proton and Proton is the recovery for Tuta.

3 Likes

What do you mean by locked up?

Anyway, if you’re afraid of being locked out, you might consider a break glass account.

1 Like

Imprisoned. What’s a “break glass account”?

Something that allows you to access your stuff if you lose your passwords, etc.

If you search online you’ll probably see some enterprise-related examples. It’s an interesting read, but for end users, it might be something like this.

Suppose you know by heart the password for your password manager (PM) and nothing else. But that’s a dangerous account to leave without a 2FA, so you activate it, but now you’re in a situation where you might get locked out of your passwords.

So you create a second PM account, with a bs email that can’t be traced back to you, but one you have to remember. And the only thing it holds is the 2FA key for your first PM account. So if anything happens and you’re far away from your recovery codes, or you lose them, all you’ve got to remember is the second email (and password, if you feel the need to create a different one).

2 Likes

If anything I think Proton should enumerate the account and content metadata they have access to and would be able to disclose to an adversary, either by legal request or even a potential compromise of the service. That way users can make their own informed decisions.

If you are really that concerned about keeping your Proton(Mail) account anonymous, either use a recovery phrase or do not set any recovery methods at all.

Interesting discussion. The concerns around recovery emails and privacy are definitely valid, especially given Proton’s promise of ‘Privacy by Default’. The challenge truly lies in balancing security with usability.

One option to keep control more firmly in your own hands is by using email aliases. This allows you to provide a recovery email that isn’t directly linked to your account, without compromising your privacy.

Far less bulletproof than not including a recovery address. If someone has the authority to compel Proton to hand over the recovery address, they almost certainly have the authority to compel the alias provider to hand over the email linked to it. Much safer to just not have a recovery address in the first place.

2 Likes