Is Protonmail logging my email content?

100 points by ppcelery ↗ HN
evidences:

1. https://s3.laisky.com/uploads/2021/12/proton-1.jpg

2. https://s3.laisky.com/uploads/2021/12/proton-2.jpg

3. https://s3.laisky.com/uploads/2021/12/proton-3.jpg

52 comments

[ 3.3 ms ] story [ 120 ms ] thread
Recipient or sender using Proton VPN?
This is likely the spam filter scanning over the Links it finds in the E-Mail not actually something spitting the mail content into log4j (and I mean honestly, why would you even do that?)
How would that work with e2e encryption? What spam filter system would even follow ldap links?
Proton is not e2e for mails coming from outside Proton, if they aren't GPG encrypted. And in that case they apply very standard spam filters to your mail.
I assumed that the OP was sending from proton, to proton but looking at the screenshot again I guess that's not clear.
Protonmail also responded in this thread with a message stating that this is in fact their spam filter.
That should be quite easy to check, by changing the URI scheme and rerunning the experiment.
Unlikely, spammers tend to get creative to bypass spam filters, it would probably scan anything that looks like a URL or Domain just to see if the IP behind it is sus.
That’s the point. You’ll still get a hit. If it’s the RCE you won’t. Just went through this with an email security provider, would get 3-4 pings with log4j payloads, 2-3 with inert ones.
You're free to experiment, though the ProtonMail team has already responded upthread that this is in fact their SpamFilter.
This is always posted like some 'gotcha', despite it being right there in the transparency report.

In case you trust any company blindly: any company that wants to keep playing the money game will follow the laws forced upon them by the government they are beholden to.

interesting way to put it, "the money game".

did you see that somewhere?

I first heard that in the 1990s. And the TV show "The Wire" (c2004?) made frequent use of the phrase "the game" to describe the process of street-dealing drugs, and the money, and the police, etc. As in "it's all in the game" - ie: all's fair in love and war.
Isn't this what seasteading, and other jurisdiction avoidance schemes attempt to address? I wonder if anything like that has ever worked out.
I can't imagine seasteading is going to be able to avoid a nation's navy.
> I can't imagine seasteading is going to be able to avoid a nation's navy.

Seasteaders: "My Libertarian non-aggression principle trumps your cruise missiles!"

Navy: "No."

There seem to be two popular approaches to avoiding the need to trust institutions.

One is technical: e2ee, implementation transparency, and similar.

The other is social: have fewer institutions.

I have never understood people who think the latter is a good approach. Like, "I don't trust these people who use their real names and are registered in a jurisdiction that has strong privacy obligations, so I'm gonna trust some randos on an abandoned oil rig instead."

It looks like the old "Swiss secrecy" has been just marketing smoke...(see Crypto AG). I doubt any centralised entity(regardless of the country where it's hosted) can be trusted with your data. Cryptography is the only way to have some kind of assurance.
What would be useful would be for a Swiss attorney to explain the substantive and procedural law of the topic, and how the Swiss courts typically approach the issues.
S/swiss//

The problem capitalist consumers have is conflating product marketing features and corporate objective statements with their own prerogatives.

No corporation will ever at the users behest break a law that could impact a quarterly earnings statement.

If you need more security its time to succor the haggard burro we call PGP, and enchant it with holy Bernstein's ED25519. It is hard so you will not like it. Because it is hard HN will lambasted it, turn away from its glory and call it false, but verily it is the way. because it is hard it cannot be broken easily, even by state actors, even by the gods of the market itself.

Data that was handed over included IP addresses of access, timing of access, email subjects, email metadata, and total number of emails in the account.

I'm not sure what PGP or ED25519 would do for those? The emails themselves are already encrypted.

> No corporation will ever at the users behest break a law that could impact a quarterly earnings statement

I'm not sure if I entirely understand the point you're making, but this sentence confuses me: Isn't this explicitly not the fault of capitalism, but instead government interference?

Please be aware that we don't log email content (and we are also not vulnerable to Log4j). Our anti-spam systems do check for malicious links from third party email services so we can proactively warn users about phishing attempts.
If you are not vunerable to log4j, how did the screenshots come about?
I believe ProtonTeam's claim is that the spam filter visits the links in the email content. As a result, it's not the log4shell vulnerability making the connection, it's the spam filter.
I.e. try to send some e-mails without the log4j vuln syntax (just put your IP) and see if you still get hit. It's just the fact that there is the IP, not that it happens to use the jndi syntax.
Nobody believes you. Your track record is trash and I was happy to cancel all services and never pay you anymore money.
You can't attack others like that on HN, regardless of how right you are or you feel you are. Please review https://news.ycombinator.com/newsguidelines.html and don't post like this again.

You may not feel you owe your target better, but you owe this community much better if you're participating in it. The damage this sort of poison causes to the ecosystem greatly exceeds any benefits it may have.

Your contrast is visible. Your poison actually hurts people. You don't care who it impacts so long as people are polite/police.
This is definitely not precise. I confirmed that the lookup is also performed by Proton servers for mails sent to third party mail services, not just from third party mail services. Are they also scanned?

Source IP I got in my test: 185.70.43.80

```

# whois.ripe.net

inetnum: 185.70.40.0 - 185.70.43.255

netname: CH-PROTONMAIL-20140915

mnt-by: protonmail-mnt

org-name: Proton AG

```

From privacy policy https://protonmail.com/privacy-policy

> We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to ProtonMail are scanned for Spam and Viruses to pursue the legitimate interest of the protection of our users.

very disappointing.

Seems odd for PM to be vulnerable by the log4j CVE considering (from what I understand) they're mostly Go house. Maybe in the Android app, but otherwise I'd be surprised.

Unrelated: I've been getting quite frustrated with some of the functionality and limitations of PM especially for the price I pay (I have 2 catch-all domains, 1 user for each, which requires 2 times pro accounts), so recently I've been trying to migrate away to mailbox.org. Mailbox allows for automatic PGP encryption when the emails come in which is great. However, there is no way to move all my PM emails onto my mailbox.org account while keeping the encryption (not via the original key set up in Protonmail, nor via new key set up in mailbox.org). Has anyone ever run into such a scenario, and what can be done in this scenario?

You should expect mail to be public. There's no security at all in those protocols, by default.

Only encrypted e-mails are somewhat safe. So I just don't understand who's upvoting this. It's a silly post.

If I were you, I would not use any kind of non open source and non self-hosted email service pretending to be "secret", in the best (!) case it has some sort of silent metadata/access logging. While common shady services like Protonmail bluntly store plain text archives, and even if they claim they don't, there's no zero-knowledge proof on this highly sensitive topic.
Seems Proton scan the emails. Including domains in the body.
The screenshots are to show that that link is processed by log4j, because it exploits a log4j vulnerability and gets it to make a dns call, right?
It's good to be cautious, but this is sort of a silly test.

Protonmail doesn't have to "log" messages; they have them already. If I were Protonmail and I had to comply with lawful intercept requirements, I'd just:

a) make sure that message content isn't deleted from the mailbox when the user thinks it is

b) make sure I retain access to server-managed PGP keys (by logging key material and user-supplied passphrases)

But I sure as hell would not call some Java logger.trace() on every goddamn email! That's totally nonscalable and just silly.

This needs more detail, what is the body of the mail supposed to show?

Did you run an experiment? How was it run?

Is this between protonmail addresses?

Hate to be that guy, but evidence has no plural.

Similar words often wrongly used in plural: - advices - feedbacks - codes (when referring to source code) - moneys - datas - syntaxes

If you're going to be that guy at least be correct

https://dictionary.cambridge.org/dictionary/english/moneys

But I am correct. :)

I didn't say a plural form doesn't necessarily exist. I said they're words that are often used wrongly in the plural.

Moneys is used specifically when it denotes different sources of income. Similar to fruits meaning a variety of different kinds of fruit, but the ordinary plural of fruit is fruit, and fishes denoting a variety of different kinds of fish, but the ordinary plural of fish is fish. "How much moneys does this cost "is obviously as wrong as "how much fruits / fishes did you buy".

Same with codes, you can talk about "nuclear codes" but not "morse codes" or "source codes".