Vote for Proton not to have your recovery address stored as text

and readily available for LE and spy agencies

5 Likes

Seems like a request made without actually understanding why it works that way. Recovery emails, by definition, should be available to the service so that they can help you recover your access. If the service cannot know what your recovery email is, they cannot send you recovery emails. This also means that it is available to be extracted by legal request.

You have the option to not give a recovery email and just use the backup recovery codes. Poor OpSec from users by giving away identifying emails as recovery emails is not the responsibility of any company.

17 Likes

Not really. This can be solved by asking the user to verify the recovery email and matching it against the hashed value.

This is a better implementation given Proton’s slogan: “Privacy by default”.

3 Likes

No it’s not a better implementation. It allows bruteforcing for discovery of recovery emails by adversary. This is way worse than having law enforcement go through Swiss legal system, since now what law enforcement can do is this:

  1. Start the recovery flow
  2. Start bruteforcing potential recovery emails that the user is already connected to or may have
  3. Send a legal request to the non-proton email provider (of the recovery email) to extract the recovery phrase and unlock the entire proton account.

Please don’t assume that trivial solutions cannot be thought of by companies who have it as their primary job.

And if the next suggestion is to restrict attempts to prevent bruteforcing, let me stop you in advance. Any such limiting would allow the adversary to perform a denial of service attack, where the user can be trivially locked out of their proton account usage by just spamming random emails.

The best way to not let law enforcement have your recovery email is by not giving one. Use the recovery phrase.

14 Likes

No it does not. There is no requirement, when implementing this, that the adversary attempting a brute-force receives confirmation the email/hash was valid or invalid.

This, by the way, is a workflow that already exists when recovering the email address. You must enter your recovery email correctly when attempting to recover via email. If anything, this would be a solid improvement as today the adversary receives output the email was invalid.

The best way to not let law enforcement have your recovery email is by not giving one. Use the recovery phrase.

BOTH options could be available which would benefit users who choose to use email as a recovery method.

1 Like

This can’t be serious. It’s a mass usage product, and that’s incredibly unpleasant UX.

Plus you are still missing the point - They can’t send you a recovery email if they don’t know your recovery email. They have to necessarily know it to be able to send the recovery email to you.

Unless of course you have found a way to send email to an address without knowing the address.

Feel free to vote for it. It’s likely to never be implemented though, since there is already a way to not shoot yourself in the foot.

4 Likes

This is pretty standard and often recommended to prevent enumeration of accounts as you indicated as a risk from earlier. Using your example an actor could enumerate a Proton user’s recovery email and use that information to gain control of the Proton account. Which again - this was an attack vector you described and is present today.

See above.

You are still not understanding. Let me go with your flow:

  1. Proton starts storing email as a hash
  2. You go into recovery flow
  3. You type in your email, and Proton matches hashes
  4. It decides to use your typed email to send the recovery email. It won’t try to see the email.
  5. Now what? Who will send the email. If proton does, their email server will have to know the email to send it. If they outsource it to some service, they will have to know the email. Who do you propose sends the email?

If it’s still hard to understand, let’s do this: Help me recover my mail. You are in the same situation as Proton would be in above case:

  1. You don’t actually know my email
  2. I can provide you a hash of my recovery email
  3. You will have to send me an email using nothing but the hash.
  4. I can type in the email address in someplace to verify that it’s actually the recovery email. Now you have to send an email to it, but the condition is that you can’t see my verified address at all.
  5. Is it possible? Can you send me an email using just my hash without knowing my email?

Did it dawn on you now? Someone HAS to know your email to send you an email. Is this actually so hard?

If proton can match the hash so can LE. This idea brings a false feeling of safety. An email is not a password and not as random. They could just as easily ask for the hash and match it with an email address from all the data certain governments have access to. This is just a bump in the road, not stopping them from getting confirmation.

Just put the recovery key somewhere safe and do not configure a recovery email, problem solved.

11 Likes
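To make the two objections above concrete, here is an added example (not Proton's code, and not from anyone in this thread) of the proposed hashed-recovery-email flow: the address is stored only as a salted PBKDF2 hash, the recovery endpoint gives the same answer whether or not the typed address matches, and mail still has to go to the typed address in plaintext. The `matches` function is the same check anyone holding a copy of the stored record could run against a guessed address, which is why hashing a low-entropy value buys little. All names and the sample address are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 cost; slows guessing, cannot fix a guessable input


@dataclass(frozen=True)
class RecoveryRecord:
    salt: bytes
    digest: bytes


def normalise(address: str) -> str:
    # Case-fold and strip so the user's typing does not change the hash.
    return address.strip().lower()


def store_recovery_email(address: str) -> RecoveryRecord:
    # What the service would keep instead of the plaintext address.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(address).encode(), salt, ITERATIONS)
    return RecoveryRecord(salt, digest)


def matches(record: RecoveryRecord, candidate: str) -> bool:
    # Needs only the stored record and a candidate address. Whoever holds a copy
    # of the record can confirm a guess this way: the hash hides nothing that
    # is not already guessable, which is the thread's "false feeling of safety".
    digest = hashlib.pbkdf2_hmac("sha256", normalise(candidate).encode(), record.salt, ITERATIONS)
    return hmac.compare_digest(digest, record.digest)


def recovery_request(record: RecoveryRecord, typed_address: str, outbox: list) -> str:
    # Anti-enumeration: identical response on match and mismatch, so the
    # requester learns nothing. On a match the mail goes to the typed address,
    # which the mail server therefore sees in plaintext.
    if matches(record, typed_address):
        outbox.append(normalise(typed_address))
    return "If that address is on file, a recovery message has been sent."


def demo():
    record = store_recovery_email("Jim.Bob.Jenkins@example.com")  # constructed sample
    outbox = []
    r1 = recovery_request(record, "jim.bob.jenkins@example.com", outbox)
    r2 = recovery_request(record, "someone.else@example.com", outbox)
    return r1 == r2, outbox
```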

In this circumstance I imagine the adversary would need:

  • The hashed recovery email stored on Proton’s server associated with the email account.
  • The exact hashing algorithm
  • Brute force / Rainbow-esque tables of either:
      • All known email addresses through some type of database leak (assuming the recovery is present)
      • All permutations of valid email addresses

Can one of these 3 be skipped?

No this is correct. Although point 2 in most cases is very easy to determine from the hash format.

2 Likes

Am I missing something…if law enforcement and spy agencies are in your threat model, wouldn’t you just use a different email address as your recovery email that’s not traceable to you?

If I’m super-secret-hacker at proton, I’m using Proton for super secret hacking activities, and I can’t ever let someone discover that I’m really Jim Bob Jenkins…why on earth would I ever allow any communication from Proton (like the actual email to recover an account) to be sent to jim-bob-jenkins at gmail, thus demonstrating that I am super-secret-hacker to Google and everyone who can get to that email along that chain?

6 Likes

You’re not missing anything. That’s exactly correct.

I’ve never used a recovery email for my proton account. My concern wasn’t anonymity, but rather if my non-proton account was compromised it could be used to take over my proton account via the recovery process.

So I keep the recovery phrase in my password manager.

1 Like

I have considered using a private Tuta account as a recovery email for my Proton account (although I still can’t make a Tuta account via Tor). Would that be more likely to be compromised than a Proton account? I suppose the more ways to gain access to an account the more likely it is.

The question to ask is: what’s more likely, losing access to your Proton account and recovery phrase, or someone gaining access to your recovery account and knowing a Proton account is tied to it?

How secure a Tuta or Proton account is really is up to you. If you use a long, complex passphrase and a hardware security key for 2FA then it is very secure.

Adding a recovery email just means that your proton account has another vector for attack. That new vector could be minimal, like a well secured Tuta account, but it does add complexity to your security model.

Instead of recovery email, you can use a password manager like Bitwarden or Keepass to store your recovery stuff.

2 Likes

Snowden might have a threat model that involves the spy agencies targeting him personally.

I, Joe Nobody, have a threat model that involves the spy agencies logging every second of my existence just because they can.
They’re in my threat model even though their surveillance is inconsequential to me. Not a lot different from wanting to avoid “Big Tech surveillance”.

So yeah, a “threat model involving spy agencies” may mean very different things.

1 Like

If LE and 3-letter agencies were a legitimate concern of mine and I was still using any form of email at all then getting locked up would be more of a concern than getting locked out. It’s far more likely I’ll lose access thru my own incompetence. Consequently, I have 2 YubiKeys, Aegis TOTP, backup codes in Keepass and recovery email on both my Proton and Tuta accounts.
Tuta is the recovery email for Proton and Proton is the recovery for Tuta.

3 Likes

What do you mean by locked up?

Anyway, if you’re afraid of being locked out, you might consider a break glass account.

1 Like

Imprisoned. What’s a “break glass account”?