Please be aware that we don't log email content (and we are also not vulnerable to Log4j). Our anti-spam systems do check for malicious links from third party email services so we can proactively warn users about phishing attempts.
This is definitely not precise. I confirmed that the lookup is also performed by Proton servers for mails sent to third party mail services, not just from third party mail services. Are they also scanned?
> We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to ProtonMail are scanned for Spam and Viruses to pursue the legitimate interest of the protection of our users.
I believe ProtonTeam's claim is that the spam filter visits the links in the email content. As a result, it's not the log4shell vulnerability making the connection, it's the spam filter.
I.e. try to send some e-mails without the log4j vuln syntax (just put your IP) and see if you still get hit. It's just the fact that there is the IP, not that it happens to use the jndi syntax.
You may not feel you owe your target better, but you owe this community much better if you're participating in it. The damage this sort of poison causes to the ecosystem greatly exceeds any benefits it may have.
This is always posted like some 'gotcha', despite it being right there in the transparency report.
In case you trust any company blindly: any company that wants to keep playing the money game will follow the laws forced upon them by the government they are beholden to.
There seem to be two popular approaches to avoiding the need to trust institutions.
One is technical: e2ee, implementation transparency, and similar.
The other is social: have fewer institutions.
I have never understood people who think the latter is a good approach. Like, "I don't trust these people who use their real names and are registered in a jurisdiction that has strong privacy obligations, so I'm gonna trust some randos on an abandoned oil rig instead."
I first heard that in the 1990s. And the TV show "The Wire" (c2004?) made frequent use of the phrase "the game" to describe the process of street-dealing drugs, and the money, and the police, etc. As in "it's all in the game" - ie: all's fair in love and war.
It looks like the old "Swiss secrecy" has been just marketing smoke...(see Crypto AG). I doubt any centralised entity(regardless of the country where it's hosted) can be trusted with your data. Cryptography is the only way to have some kind of assurance.
What would be useful would be for a Swiss attorney to explain the substantive and procedural law of the topic, and how the Swiss courts typically approach the issues.
The problem capitalist consumers have is conflating product marketing features and corporate objective statements with their own prerogatives.
No corporation will ever at the users behest break a law that could impact a quarterly earnings statement.
If you need more security its time to succor the haggard burro we call PGP, and enchant it with holy Bernstein's ED25519. It is hard so you will not like it. Because it is hard HN will lambasted it, turn away from its glory and call it false, but verily it is the way. because it is hard it cannot be broken easily, even by state actors, even by the gods of the market itself.
Data that was handed over included IP addresses of access, timing of access, email subjects, email metadata, and total number of emails in the account.
I'm not sure what PGP or ED25519 would do for those? The emails themselves are already encrypted.
> No corporation will ever at the users behest break a law that could impact a quarterly earnings statement
I'm not sure if I entirely understand the point you're making, but this sentence confuses me: Isn't this explicitly not the fault of capitalism, but instead government interference?
I'm not sure they are a Java company, they are more Python, PHP, Golang, and Node. At least Java is not described in their job offers, which are usually a very nice way to know about the company stacks by the way.
This is likely the spam filter scanning over the Links it finds in the E-Mail not actually something spitting the mail content into log4j (and I mean honestly, why would you even do that?)
Unlikely, spammers tend to get creative to bypass spam filters, it would probably scan anything that looks like a URL or Domain just to see if the IP behind it is sus.
That’s the point. You’ll still get a hit. If it’s the RCE you won’t. Just went through this with an email security provider, would get 3-4 pings with log4j payloads, 2-3 with inert ones.
Proton is not e2e for mails coming from outside Proton, if they aren't GPG encrypted. And in that case they apply very standard spam filters to your mail.
It's good to be cautious, but this is sort of a silly test.
Protonmail doesn't have to "log" messages; they have them already. If I were Protonmail and I had to comply with lawful intercept requirements, I'd just:
a) make sure that message content isn't deleted from the mailbox when the user thinks it is
b) make sure I retain access to server-managed PGP keys (by logging key material and user-supplied passphrases)
But I sure as hell would not call some Java logger.trace() on every goddamn email! That's totally nonscalable and just silly.
Seems odd for PM to be vulnerable by the log4j CVE considering (from what I understand) they're mostly Go house. Maybe in the Android app, but otherwise I'd be surprised.
Unrelated: I've been getting quite frustrated with some of the functionality and limitations of PM especially for the price I pay (I have 2 catch-all domains, 1 user for each, which requires 2 times pro accounts), so recently I've been trying to migrate away to mailbox.org. Mailbox allows for automatic PGP encryption when the emails come in which is great. However, there is no way to move all my PM emails onto my mailbox.org account while keeping the encryption (not via the original key set up in Protonmail, nor via new key set up in mailbox.org). Has anyone ever run into such a scenario, and what can be done in this scenario?
If I were you, I would not use any kind of non open source and non self-hosted email service pretending to be "secret", in the best (!) case it has some sort of silent metadata/access logging. While common shady services like Protonmail bluntly store plain text archives, and even if they claim they don't, there's no zero-knowledge proof on this highly sensitive topic.
I didn't say a plural form doesn't necessarily exist. I said they're words that are often used wrongly in the plural.
Moneys is used specifically when it denotes different sources of income. Similar to fruits meaning a variety of different kinds of fruit, but the ordinary plural of fruit is fruit, and fishes denoting a variety of different kinds of fish, but the ordinary plural of fish is fish.
"How much moneys does this cost "is obviously as wrong as "how much fruits / fishes did you buy".
Same with codes, you can talk about "nuclear codes" but not "morse codes" or "source codes".