Tell HN: ProtonMail enabled setting to autoshow embedded/remote images
- the ProtonMail web app will automatically show you embedded and remote image content in HTML messages. (New behavior.)
- "Trackers" will be removed, and presumably not processed at all. (Existing behavior.)
- ProtonMail will proxy the remote content for you. (Existing behavior.)
The settings to do so are:
- Messages and Composing
-- Auto show embedded images (automatically enabled with this change)
- Email Privacy
-- Auto show remote images (automatically enabled with this change)
-- Block email tracking (I had this enabled already but they probably also automatically enabled it.)
These settings are present in the beta and regular channels for the web app. I somehow had beta channel enabled, so I'm not sure if these settings would have been automatically enabled for non-beta users.This is the (now incorrect) documentation for what these features did before this change:
https://proton.me/support/email-tracker-protection
As of this submission, the page looks pretty much identical to this snapshot:
https://web.archive.org/web/20221007230237/https://proton.me/support/email-tracker-protection
Here's a reddit thread about it as well:
https://old.reddit.com/r/ProtonMail/comments/yethwd/enhanced_tracking_protection_and_automatic_load/
Archived just now:
https://web.archive.org/web/20221028182222/https://old.reddit.com/r/ProtonMail/comments/yethwd/enhanced_tracking_protection_and_automatic_load/
Tracker removal and remote image proxying were apparently already happening if you had "Block email tracking" enabled AND you chose to load remote images. From comments in the reddit thread, it's possible that the proxies are only fetching the remote content when you open the message. This is both good and bad. Good because it might indicate that the content of the messages is not accessible until your client decrypts it. Bad because it tells the sender that you viewed the content, and when. The cached image is also not encrypted in ProtonMail's infrastructure.
Furthermore, ProtonMail's tracker identification mechanism is flawed. Some messages say that several trackers were removed, but I have several recent messages with blatantly obvious 1x1 tracking pixels in their source that their tracker warning does not pick up on.
And in what appears to be the worst problem here, the reddit thread shows that some people in the beta experience DID have their client IPs exposed to the message sender.
10 comments
[ 3.4 ms ] story [ 36.9 ms ] thread- No actual threading available, even though the Message ID and In-Reply-To headers are not encrypted!
- Visual overhaul in the last 1-2 years that changed label colors significantly
- proton.me domain migration email sent out encouraging you to click it to log in at the new domain. (Now an attacker just has to do this from a similar domain a year or so from now.)
- Increasingly awful mobile app
At one point on my macos, logging back in after sleep basically kill-switched the whole OS, such that I couldn't connect to the Web no matter what. Only a reboot of the Mac worked. It got so bad, I had to switch VPNs.
Unfortunately, as I had prepaid my Proton VPN, I was stuck with them. Thankfully after a few months when I tried it again, it was back to normal.
Now here is the kicker - I tried to cancel the subscription, so that it would not be automatically renewed. The issue is this - if you cancel your subscription, you will lose any remaining months.
So essentially, they scumbag you into just chugging along in hopes you forget about it at the next renewal.
Also no way to remove credit card details to prevent automatic resubscription...
Really a whole host of dark patterns from a supposedly ethical company.
Don’t use Proton at all anymore though.