
It's such a bad service, I don't know why anyone uses it. ProtonMail is superior in every way.

Tuta has all kinds of weird restrictions, like not being able to search back more than a month.




One reason is that tuta does not require you to have any other connection to create an account. Protonmail requires a second mail, phone or possibly some kind of payment if I recall correctly (for verification?) that could be linked from your account in theory.

Without having a good anonymous starting point, protonmail does not let you get that starting point, at least the last time I tried (maybe a year ago).


ProtonMail never used to require another email to verify, and only asked for a phone if I was on an IP that had made more than one account already.


Or, AFAIK, if you're registering using TOR.


Yes, Proton is hostile to Tor even though they deceptively market themselves as anonymity friendly: https://news.ycombinator.com/item?id=37174259

It's a stark contrast to Tuta, which allows anonymous account creation with Tor Browser if you pay with cryptocurrency (Monero or Bitcoin, via their partner ProxyStore) and doesn't require a whitelisted verification email address or any other data.


An additional email address is required only in cases when our system detects something suspicious about your network, so if you are coming across this, we recommend changing nodes. If you keep coming across the same issue, please contact us at: https://proton.me/support/contact, so we can take a closer look.

The email addresses, however, are not tied to your account - we only save a cryptographic hash of your email address. Due to the hash functions being one-way, we cannot derive your data back from the hash: https://proton.me/support/human-verification.


Who cares if you hash it, cracking a hash of an e-mail is easy AF compared to passwords. Especially on agency scale... How do you hash it? Argon2 or rather some extremely fast to crack hash?


It's a difficult issue. If they allow unlimited signups via Tor, people will bulk sign up for accounts and use them for spamming, scamming, threats, phishing and other crap. I can imagine why they don't tbh.


Proton forbidding anons from opening free accounts might be necessary for anti-spam/deliverability. But even paid accounts?

"They accept cryptocurrency, but only for existing accounts - after you've already doxxed yourself" (during the initial signup flow, where this payment option has been removed)

This looks very bad to me.


Good point. I didn't think about that.


You don't doxx yourself by creating a Free account. In most cases, no human verification method is required or it's captcha only. As explained above, an additional email address would be required only in cases when our system detects something suspicious about your network. It takes a while for the Bitcoin transaction to come through, which is why the process is the way it is. The same process applies to users who wish to pay with cash or bank transfer.


Uh huh.

And what suspicious thing about the network would you be detecting for Tor Browser users arriving on the .onion? Their network is uniform as far as you can tell, and you are blocking them from opening either a free account without an invasive verification method (non-disposable email or phone) if it works at all, or a paid account without an invasive payment method.

For Tor users arriving on proton.me, what sense is there in saying "There's a surprise in every 100th exit node! If you cycle through enough of them maybe you too will be allowed to open an account anonymously!" Not treating them as equivalent to .onion visitors is a you problem.

> It takes a while for the Bitcoin transaction to come through, which is why the process is the way it is.

By not allowing this payment option at all in the signup flow? Removing what would be the only way for Tor users to sign up to your service anonymously without beating lottery odds. Just use any normal off-the-shelf checkout page that waits for however many transaction confirmations you want! (Let's not even get into the lack of privacy coin support, e.g. Monero. For a privacy focused service, Bitcoin L1 only is substandard in 2023.)

Meanwhile, whenever people are concerned about user data being handed over to the authorities again, you counter by pointing out the supposed Tor support: https://web.archive.org/web/20210906132309/https://protonmai...

I'm not saying you are a honeypot. I'm saying you've cultivated such a careless indifference to data minimization that you've become indistinguishable from one.


Regarding TOR, it's based largely on volumes. Spikes on a TOR IP for example would trigger additional anti-abuse measures.


So fix your backend to exempt Tor visitors from those measures, if it's really all due to hallucinating clusters of abuse from a network where abuse categorically does not appear in clusters of the kind that your backend is attempting to detect.

To add an exemption for proton.me: The list of Tor exit IPs is public. For the .onion: That's loopback traffic from the tor daemon running on your own load balancer or wherever you've put it.


Thank you for your feedback, we've passed it on to our anti-abuse team.


I have an email that I've created and only accessed through their Tor hidden service hostname

   https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/
and I was never asked to provide any personally identifying information.


As always when people post this, I just tried it with Tor Browser, and, as always: "No verification method available"

Did you access the .onion with something more fingerprintable like Brave?


No, just the plain Tor Browser.


You can definitely search back more than a month. However the search is genuinely atrocious. I've been using tutanota for a few years now but every time I need to search my emails I think about switching to something else. It is just not acceptable for the service to need to slowly iterate through emails, downloading them one by one the first time you decide to go back that far, just to find something important.


I have a tuta account, I tried to search for something recently and it only let me search from October 12th or something. I'm not sure you can search back more than a month on the free plan.


Can confirm. Search is brutal. But I just set it to auto-delete old emails anyway now, so problem "solved". ;D


I used to love Tuta for the tempting price (1eur/month). But now due to the increasing price, poor UX, no bridge to Thunderbird, broken filter rules, I switched to another provider.


I still have an account that I have some stuff linked to, I want to close it down entirely soon, it sucks there isn't any way to export all my emails without paying though.


What do you use instead? I also only use it for the price.


> ProtonMail is superior in every way.

In the past, their billing was based on blackmailing. I don't know if that is the case anymore. But I dropped using it ever since.


Elaborate please?

> In the past, their billing was based on blackmailing.

Not saying I don't believe you but I'd like to know more.


It was possible to get "pro" version credits with coupons from very different places, for example Humble Bundle book bundles. Sometimes they gave them themselves. I guess you were also able to buy credits directly, but I am not sure about that.

Well, anyway, when the credits ended, your service did not downgrade; instead they automatically put your credit in the negative, and if you didn't pay it, you were not able to use your account until you paid this negative part.

There was no mention anywhere that this would happen, and also all the messages were quite threatening.


Oh that is indeed a very nasty business practice. I agree. Wasn't aware of that.


I only use the free service, and it isn't nearly as limited as tutanota's free service.



