[Resource] ProtonMail GUIDE (yes, the need objectively exists)

  • Welcome to Sanctioned Suicide, a pro-choice forum for the discussion of mental illness, suicide, and the moral implications of the act itself. This is not a pro-suicide site. We do not encourage or aid suicide, and the information offered is for educational purposes only. Read our rules and FAQ for more information. We also offer a recovery subforum if you wish to get support.

    You can close this box by clicking the top right "X".

enjolras

enjolras

Saw the angel shine through the jellyfish
Feb 13, 2020
975
1,476
Intro :

Contrary to popular belief, ProtonMail is a sub-optimal email service in terms of privacy and security, and even more so if manipulated awkwardly, without a clue. An overwiew explaining how terrible ProtonMail really is can be read here

A suggestion of superior email service is offered.
Since CTemplar is a lot less adopted (in May 2020), it’s your duty to convince contacts to upgrade, including the merchants subject to sell controversial items, for own futher benefits and ease of use (like with ProtonMail, it’s best to connect 2 users of the same email service, to achieve optimal end-to-end encryption by default)

This will be a more on the surface guide than the CTemplar one, since the detailed reasonings have been provided already with CTemplar, extending into Proton’s (& other providers) drawbacks. The focus will be on actions, rather than explanation why.

———————

What if you used ProtonMail in the past, not paying attention (to what will be described on this topic) ?

If your account could still be accessed, on a computer :
- download & install the Brave browser, launch it, open a ”Private tab, proxied w/ Tor”
7775D30D-C877-4AFA-BA53-30A013C1E758.jpeg

Visit the URL dark.fail, retrieve one active “Tor Project” .onion URL to copy-paste in the address bar of Brave
- download the Tor executable, close Brave, launch Tor, go to the dark.fail URL again, retrieve the ProtonMail .onion URL, copy-paste it into Tor
- login to your Proton’s mailbox
- delete messages left hanging around in every folders (Inbox, Sent, Draft, Trach, Archive, etc)
- finally, delete the account permanently

20ABA340-B04D-4FFA-944A-6E83C8AB1F9B.jpeg


Notwithstanding these actions, according to swiss laws, your data will be held by ProtonMail servers for again 6 months before (supposed) deletion on their part happens, thus exposing to potential prosecution following a meticulous investigation by LE eventually.

For new users, or old ones in need to use Proton again, let’s start ALL OVER with better opsec practices.

————————

Mission : register a free ProtonMail account without revealing one’s IP address, neither give away a phone number to receive SMS, nor an identifying email, nor make a donation (by PayPal / card) which all could create a trail.
There’s not many solution, if at all, at this time of writing, to achieve the goal appropriately. Here we go

UPDATE, new solution : ProtonMail changed its’ policy to accept CTemplar emails during the registration stage, finally. Therefore, instead of creating a sub-private (with VPN) email with Tutanota (see the 1-2-3 directions below), CTemplar (with Tor) arguably is a level above (directions here), then resume the tutorial at the step 4

1) Apply the steps of the previous paragraph, to install Brave then Tor confidentially

2) Go get a free VPN demo during 1-2 days. Options :
a) send an email to [email protected] or [email protected], requesting a trial of their VPN
Open a ”Private tab with Tor”. Load the dark.fail URL, retrieve the .onion URL of Mullvad VPN or cryptostorm and copy-paste it on the address bar of Tor
Once on the website is loaded, download the VPN installer for PC/Mac/Linux, end by installing the software
b) Less stealth : launch Tor, go to www.bolehvpn.net and apply for the Free Trial (top left corner) via their web form. For the purpose, don’t use your personal email but a new dedicated fresh one, non disposable (if you have access to RiseUp emails following an invitation, use their alias system, otherwise use any random email, why not www.gmx.com)

3) Once set up with a free VPN, connect to a VPN server. Secondly, launch Brave, open a basic ”Private tab“ (withOUT Tor). Load the www.tutanota.com website. Sign up for a free Tutanota account. If Tutanota rejects the IP of the VPN, switch of VPN server(s) - or VPN provider - until it works. It’s also possible Tutanota will apply a 48h hold period to clear away from abuse, before emails can be received, which will need at the next step, then wait 2 days

4) Once Tutanota is obtained, launch Tor, load dark.fail, retrieve the ProtonMail .onion URL there, load it on Tor.
Now let’s try to force an anonymous Tor registration to get a free ProtonMail account.
Enter wanted unique (not ones used frequently online) username and complex password, but NO recovery email, proceed.
At the next page, 2 scenarios can occur. The one we don’t want, where Proton doesn’t offer to register via email.

59458B75-97A8-4711-BB8F-47FE93F724EA.jpeg


In other words, Proton doesn’t like our Tor exit node. Blacklisted, it rejects it...

Our parade : we will change the relay of Tor nodes used (therefore the exit one as well), until Proton accepts another Tor IP address, more fresh / not yet burned, whitelisted this time >> hit the “New identity” button of Tor

BAF97C6D-C01F-4ABA-9B34-1600C411C777.jpeg


Tor will restart. Repeat the steps (dark.fail, Proton .onion, start the registration), again and again if needed, until you hit the second scenario. Then, we’re good to go

6400AE8A-9016-4F32-925B-9C206E35C252.jpeg


Use the Tutanota email here.

6B6203C3-E1B4-4790-8529-99D62D9E4EEE.jpeg


Voilà, now we cracked the many pitfalls of ProtonMail that tries to put down our identity. We’ve got an account with much better privacy by a mile.

—————————

Routine process :

* From now on, consult ProtonMail‘s webmail strictly, behind Tor & .onion (+/- Tails OS - following @HelensNepenthe’s guide - or VPN if no Tails)

IF tempted by the mobile apps of Proton instead, think twice, or sincerely consider to use a good trusted VPN (like Mullvad, at 5€ per month, paid by cash or Monero indirectly via Bitcoin), connect to it before the app is opened and until it’s closed, in order to mask your IP

* NEVER write down a sensitive subject line for emails sent out. ProtonMail does NOT encrypt them.
It could profile the intent of your communication (encrypted body) and serve as evidence against you.
Instead, title your emails with an innocent approach line...

* Delete all emails in all folders at the left vertical tree, as soon as you don’t need them anymore ...since Proton has a data retention period of 6 months, the sooner you delete messages, the wiser.

* Delete the Proton account as soon as it becomes unneeded (refer to the 1st image of this post)
 
Last edited:
enjolras

enjolras

Saw the angel shine through the jellyfish
Feb 13, 2020
975
1,476
Configuration / settings :

The options circled in red are the most important to carry on.

47199990-E6EE-4022-A9EB-65A9B5B4F54D.jpeg


423DD951-B2DB-4834-B921-3314026601F8.jpeg


EDEA106B-3DEE-4947-B89D-D1F9410659B4.jpeg


4192DB64-5B36-447E-8651-BFC9A1AC0649.jpeg


Notes :

- for the neophytes, structured tutorial to understand & activate the Two-Factor Authentication (2FA)

- disabling the authentication logs will also wipe out the logs’ history. Aim of the move : clear the past, present & futur proofs that your account is accessed by yours truely
 
Last edited:
enjolras

enjolras

Saw the angel shine through the jellyfish
Feb 13, 2020
975
1,476
Configuration / settings (bis)

This sequence of actions aims at upgrading the encryption protocol, tightening the security level, from RSA 2048 to 4096. (Contrary to what’s indicated, there‘s no real loss of speed felt to use the mailbox afterwards. It remains perfectly manageable, worth the trade-off)

It contains intermediary steps that were not captured because not useful. When extra captions are met, just validate & proceed to the next phase of the images below.

AA0AE998-88E7-4AFC-A0F3-DAB5BF4E85D9.jpeg


D0802769-F33D-4F60-8295-EC456A9ED2B0.jpeg


86D1E355-1DD3-44AA-9D5B-16144BAFE5A3.jpeg


62D8DE70-4B0F-4D52-9A03-5CCDFDCDBFC9.jpeg


NB : Explanations about the impact of the various actions are to be found here

419C1EC2-3517-438C-A889-E800C7DDA2D5.jpeg


There are several more captions in between those 2 screens. Just advance.

When you delete the lower security key (RSA 2048), you get a warning that all the content previously encrypted with this key will be lost (won’t be able to be decrypted anymore). Acknowledge (in theory, you’re doing this procedure early so none or little damage is ahead).

CF2C4F9F-67D7-4437-A173-31BF3E0ACE70.jpeg


With the switch of keys, your previous mailbox password is no more. You have to set a new one for the RSA 4096 keys (same or different). It’ll be the one to remember from now on.

Exporting the new private keys is the file version’s equivalent of saving/printing a backup formula like it happened when you completed the registration the first time. Since the email is destined at being temporary and handle messages to be trashed, as long as you’ll remember the password, you can skip to save the file so there’s no danger to have it collected by a 3rd party. If you decide to keep the file, avoid to store it in the local computer or in the cloud, but rather on a USB key or hard drive ...unplugged.
 
Last edited:
autumnal

autumnal

Visionary
Feb 5, 2020
976
1,721
@enjolras, just to clarify on this and your other Ctemplar thread, do you have any kind of personal or professional connection with Ctemplar, or are you purely just a fan?
 
  • Like
Reactions: Failed in life
enjolras

enjolras

Saw the angel shine through the jellyfish
Feb 13, 2020
975
1,476
@enjolras, just to clarify on this and your other Ctemplar thread, do you have any kind of personal or professional connection with Ctemplar, or are you purely just a fan?
Thanks for asking. I admit it could look like it. Zero connection. It’s just how I am. I’m just manichean in what I do and passionate.


I’ll tell you my intentions. I don’t like the oppresors, of any kind, neither the censorship, which I have been a victim of both and thus it has led me to special interests (never made a living out of them)

You could see me change my recommendations. I’m easy to reassess my opinion, maybe other members have noticed when I changed of stance shamelessly, making mistakes and correcting them. I used to be a trader and I would change my opinion 10 times a day. But sometimes, you need conviction, and that’s what I’m sharing here at SS, to the best of my modest knowledge (I’ve done lots of research prior to come with the solutions I propose). I don’t pretend I come with the best solution (I just do my best) and I strongly welcome criticism... that’s how I like to improve (I’ve learned from other members). I didn’t know CTemplar like 3 weeks ago... (Monero I’ve known and toyed with since years)

Oh ...I’m not done. I just want people to feel freed in general. For instance, I’ve read too many posts of members who are scared shitless to order N, fearing about the consequences or hypothesising that the process is out of reach, thus settling down on exit methods with a lot of trade-offs. I just feel that it’s sad when imaginary barriers interfere. So here I am, trying to democratise the business affairs.
Finally, there’s a very selfish motive that closes the loop. I’m not sure anymore when I will CTB (not if, it’s guaranteed). It could only happen in the longer term, rather than sooner anticipated (I have very cyclic moods, my only official diagnosis was bipolar ;p which I rejected)
I’m very concerned and appreciative that the best means to CTB remain available the longest time possible... this is my own interest, and that drives me to act ! Taking care that most people stop to act recklessly, which could pull down solutions, is a personal goal.
I’m pro-active behind the scenes more than I care to show. Again, I testify I’m not affiliated to any companies - check all my hypertext links in threads, I don’t hide any mean.
 
Last edited:
Failed in life

Failed in life

One more chance to live
Dec 11, 2018
261
951
Is it 'sub-optimal' ("of less than the highest standard or quality") or terrible ("it sucks") ? There is a wide range between the 2 terms.
 
  • Like
Reactions: autumnal
enjolras

enjolras

Saw the angel shine through the jellyfish
Feb 13, 2020
975
1,476
Is it 'sub-optimal' or terrible? There is a wide range between the 2 terms.
It depends about your point of comparison.
Personally, I consider any form of risk as unwelcomed (again when I was trading, such evaluation was the core of my “job”). Therefore I‘m comfortable to call terrible sub-optimal models.
It’s certain that ProtonMail is below perfection. At their beginning, they respected a genuine spirit, but as they grew and met success, they made concessions and it shows. It is a slippery slope. A and the PPH never updated. They’re lazy, careless, not up-to-date (sorry but I’m schematizing that they don’t know better than us)
Aside, we’re kept in the dark when assessing about the reasons why some connections of A were arrested, why police visits, why customs’ interceptions happen now and then. All kinds of hypothesis can circulate (and do), just never confirmed. Out of sorting the right from the wrong, it’s wiser to not minimise details about all the links of a chain.

I’ve contacted A before so he upgrades from Bitcoin to Monero. He seemed to show an interest, asked questions, but eventually didn’t pulled it down.
I’ve also suggested that he upgrades from ProtonMail to Tutanota (when I was not accurately knowing that Tutanota was also sub-optimal). I didn’t for CTemplar because he was unresponsive for Tutanota.

I’m just in the out to tell that it’s best to take our destinies in our hands, instead of stay passive. The people involved in the suicide business are sub-optimal themselves (too many examples to start listing, from gurus to dealers). It’s our duties to monitor evolutions and push for change. I wish that more members would request repeatedely that Monero be directly accepted for instance (that’s why I contacted C and learned, after insisting, that he was advertising on the White House dark market, while nobody knew. Initially, it puzzled him to admit it cause there’s an escrow system unlike his own site...)

To conclude, ProtonMail manipulated without appropriate consideration (which I believe most people did! because no hesitation is even talked about in sources like the PPH!), I’d judge sub-optimal imho.
Hence this guide, so everyone can make the experience much more tolerable regarding safety, then it becomes acceptable, and about equal to other solutions (CTemplar if you want)

ProtonMail does it bests to block stealth IPs (it is a new behavior and got tighter), up to potentially collecting / storing them (there’s a log, never told encrypted), has a data retention policy of 6 months after deletion, has a procedure to manually reset a 2FA w/o recovery codes if an intruder was interested to give it a chance. Yet, they call themselves a privacy-oriented email. That’s not right.
Why doesn’t Philip Nitschke tell that the subject lines of email should not talk about Nembutal, that could suffice to trigger a deeper investigation if caught, because he doesn’t know better / is far from an expert about internet security, barely a parrot that centrally collects feedback plus does minimal research to top it.
 
Last edited:
  • Like
Reactions: Mainlænder
enjolras

enjolras

Saw the angel shine through the jellyfish
Feb 13, 2020
975
1,476

C2D1B8FF-7836-47FD-B3ED-30271B1DFED6.jpeg


F4133EA1-F811-4FF8-8C88-63759F168A29.jpeg


Does it inspire confidence ? In the shoes of a professional dealer (criminal), would it sound like fun, to disregard ?
The point is, when corporates become too big, it’s less so they willingly sit on their early principles, rather they have the obligation to adapt with liabilities. Here the problem is larger, cause ProtonMail is subject to its setup with Switzerland. On the other hand, Iceland is know even more specially as a free speech haven & for its data privacy laws, has been vouched by Kim DotCom (MegaUpload) (& Snowden) in the past.


In the end, with whom does it get comfortable to partner with ? The elephant that doesn’t go unnoticed, or the mouse ? Imho the deliberate choice is going to fluctuate with time.


16322551-805A-423F-8453-3EF1FDD87875.jpeg


CF527FF8-A81E-453A-AA5D-5904D7DE3B51.jpeg


1A659F7B-01D5-48E9-8858-F4B56DCA8DFC.jpeg


(For comparisaon, RiseUp if I recall keeps them for 1 day, but has other drawbacks that cannot be fixed with competency)
At the end of the day, the same old truth applies with variations. It’s the user’s duty to take preventive measures, and that includes ProtonMail, then the difference of experience matters a lot less, a similar level of privacy can be obtained. Without careful behaviour, it’s another story.


E7659A94-F84B-41C5-A8F3-C2AD818E708B.jpeg


Here we clearly spot ambivalent claims (IP) ...
It only goes to show that the most precious gift / service you can offer yourself, is to invest time into your own fitter actions, no relying solely on the default solution used... there is NO alternative! All the services are imperfect.

———————-



When will the N visits look like this ? ^^ We’re lucky ...until now.
 
Last edited:
  • Wow
Reactions: Mainlænder
O

oopswronglife

Enlightened
Jun 27, 2019
871
2,654
I feel this thread generates unnecessary fear in people who may not know any better. I won't be debating, just stating my view. Protonmail is not the weak link and is not causing people to be raided. Neither is bitcoin. It's simple postal/shipping interceptions. People inspecting packages as part of routine checks and tracking them to their destination. Nobody is getting raided because Protonmail sent their emails to the authorities, or because their bitcoin wasn't tumbled etc. All of this is hard enough without people feeling nothing they do is safe enough. You simply cannot be entirely anonymous or private if the authorities want to find you. It's a matter of your resources vs theirs and what they will choose to spend time on. If you order things in this manner you have to hope bad luck doesn't strike and there isn't much else you can do since at the end of the day you have to give your name and address and receive something. All the "tricks" about remailing and fake names and whatnot doesn't work and adds more risks.

The raids that happened last year were clearly from good old fashioned detective work tracking packaging and relying on people being afraid and admitting things. It wasn't some high tech cyber sting. The minute Protonmail was detected serving malicious web interfaces etc, which is the only way they could have access to your encrypted message content as its done in browser...and someone WOULD discover it...their entire multi-million dollar business would collapse as people move off of them. They will serve up metadata if served Swiss warrants, but they cannot give anyone message contents without doing things they would get caught doing and would ruin their bottom line.
 
  • Like
Reactions: enjolras
enjolras

enjolras

Saw the angel shine through the jellyfish
Feb 13, 2020
975
1,476
I had missed your opinion, which I welcome but can’t agree on the conclusion to stay stubbornly inattentive.

I feel this thread generates unnecessary fear in people who may not know any better. I won't be debating, just stating my view. Protonmail is not the weak link and is not causing people to be raided. Neither is bitcoin.
Until when ? You seem to really underestimate the investigation competencies. I’d rather say we’re DAMN lucky to have had N canals stay alive for so long (like 8+ years). They could be shutdown any day without much hassle with coordinated efforts... I had the personal address of “A“ in the past, having sent cash by mail, I probably could get his IP in 3 days judging how I interacted with him. Would you want them to forward to LE ? Don’t you think a crackdown could be applied any day if just coordinating efforts with a serious will ?

It's simple postal/shipping interceptions.
PPH claimed it was Western Union records, so you’re going against ?
You may not be aware but apparently a collaborator of A has been arrested in the US with a list of clients, which supposedely led to the police visits. (Edit : seems you are ! Kudos)

People inspecting packages as part of routine checks and tracking them to their destination. Nobody is getting raided because Protonmail sent their emails to the authorities, or because their bitcoin wasn't tumbled etc.
Not yet (at least not that it filtered out).

Besides

All of this is hard enough without people feeling nothing they do is safe enough.
I agree that suicidal people are in bad places, somewhat with forces weakened, but keeping them in the dark, letting them take inappropriate actions leading to potential danger, is neglect and the real unfriendly disservice.

Sorry, but I cannot understand that members spend hours chitchatting at this forum, play random games, distract themselves, yet cannot take a couple of minutes of their precious time to alleviate their concerns ? Because they DO worry... you can find dedicated threads and posts if you search. Just some show a willingness to act, while others override the emotional state. That simple.

Moreover... unless you’re in a hospital bed with 2 arms broken in plaster, what’s the excuse ? At SS, we’re talking about mainly youngsters instead of 70+yo, intelligent adults that despite their struggles can be, at least for a good part of them, competent, if not already technology savyy. They know how to handle IT stuff more than telegraphs & fax, so it’s just a matter of filling the gap, complete the missing link, or give them envy : “Hey, did you know it was possible ? Want to take care of yourself further ?”. If/when nothing happens, it’s principally due to laziness and a tendency to immaturity (sorry but this is the truth, and I can attest that the elderlies comprehend this more, when I was at the PPH forum having written guidances)

Thank god, some understand / appreciate the necessity, with or without being taken by the hand. PM extracts I have received.

———

BFC46091-EF81-48C2-A7B4-9C68B1DDA5F0.jpeg


0E36A182-0C85-4B4B-90C3-9AA417811C1B.jpeg


0F98BC53-03F3-4F48-BB1F-AEE5A4247BFD.jpeg


C2631E58-D55C-4F7C-9F20-9D394CBEC7C9.jpeg


08FA9526-7E44-463D-A25C-1A0F321F434F.jpeg


6B2238F5-46F0-41D1-AF69-66ABE4AA8F08.jpeg

———-

At least, there are options giving empowerement, then peeps decide for themselves. Those who prefer to keep their head in the sand like an ostrich, up to them. Just don’t come crying next.

I should reassess that the members of this community pirate medias (i.e. PPeH sources) that should be locked down to closed circles, which increase the potentiality, coupled with reckless attitude, to fast spin the turnover of sources over time... you may accept the situation, I have a hard time with it, because I want not to have to jump out of the window or under a train 5 or 10 years from now on.
I see many topics treating “What will be the next big thing replacing N ?”. I anticipate with pity the day when the titles will read tearfully “No more N, boohoohoo” >> Did you have your head in the clouds when it happened ?

You simply cannot be entirely anonymous or private if the authorities want to find you. It's a matter of your resources vs theirs and what they will choose to spend time on.
If you order things in this manner you have to hope bad luck doesn't strike and there isn't much else you can do since at the end of the day you have to give your name and address and receive something. All the "tricks" about remailing and fake names and whatnot doesn't work and adds more risks.
No, I refuse to rely on hope or luck on my side.
Are you talking of reemailing or remailing ? Indeed, you don’t have to give your name and address, for conservation at the important fragile chain links, or ultimately to anyone. At the end of day, there can be solutions as long as you desire. It’s just a matter of knowledge and actions. Prove how it doesn’t work to browse and pay anonymously a forward reshipper under a fake identity, to receive a package at a fake mailbox ?
Of course, most won’t go as far... but there are segments to secure from unnecessary risk, putting down a huge chunk of possible failures. What’s the motivation to skip the steps ?

From Europol’s slide during a presentation at a conference

9E331C10-8953-4610-9BC6-73A3EA46467C.jpeg



This is just incorrect to imply that all actions are equal and worthless, that Bitcoin is the same than tumblers is the same than advanced cryptography (which Monero isn’t to the most extent).
I should not be invited to explain why obfuscating one’s IP when using email has value. Proton monitors this data and will release it under judicial demand... but please feel free to justify counter-arguments. Then readers will sort them out.

If my guides‘ goal would be mistaken : the intermediary steps are NOT the purpose but an extra (cost / hassle free) of a trajectory, in the case of email, in order to overcome the restrictions set by the services (the impossibility to register with Tor plus more & more VPNs, deanonymizing geolocation outside of other metadata) . I’m offering to provide alternative ways to open a ProtonMail or Tutanota account, because I’ve tested many and close to 10 email services before coming up with the instructions (others were either non-private, or paid exclusively, on invite only or even more complicated)

Anyway, I’m affirming again, if the authorities want to track someone down, possibly there’s no need to surrender early, but give them the hardest time of their life. If they want to persecute the sellers, which we don’t know anything about clearly how the operations are held, to indirectly come at you, that’s a whole different story that could go off-track. There’s little we can do about it, except by being proactive towards Exit / Exit’s connections to step up their education so we can all benefit...

The raids that happened last year were clearly from good old fashioned detective work tracking packaging and relying on people being afraid and admitting things. It wasn't some high tech cyber sting. The minute Protonmail was detected serving malicious web interfaces etc, which is the only way they could have access to your encrypted message content as its done in browser...and someone WOULD discover it...their entire multi-million dollar business would collapse as people move off of them. They will serve up metadata if served Swiss warrants, but they cannot give anyone message contents without doing things they would get caught doing and would ruin their bottom line.
We don’t disagree on the analysis, and you should not misunderstand my efforts to infuse fear but prevention. A state of affairs is never set in stone but bound to evolve, and it can at a fast pace. That’s the nature of security to move the pawns in advance on the chess field, otherwise too late, it doesn’t count.
 
Last edited:
  • Like
Reactions: Mainlænder
Thread starter Similar threads Forum Replies Date
Ghassane Suicide Discussion 8
Oblivion Suicide Discussion 4
IAmSam Suicide Discussion 2