Q&A ProtonMail includes Google Recaptcha for Login

Paul.R

Level 17
Verified
May 16, 2013
827
Description:

A recent change over the course of the last two weeks led to users being asked to re-visit and log in again. Recaptcha is now injected, compromising a machine's identity on every single login; especially so if cookies are deleted afterwards to preserve user privacy.

Steps to reproduce the behavior:

  • Use any adblocker of choice (e.g. uBlock Origin with Cookie Autodelete)
  • Go to Login - ProtonMail
  • Find out ProtonMail is using Google Recaptcha, compromising privacy of all its already registered users.

Expected behavior:

As a project/company that was founded as an immediate response to the Snowden Leaks, which revealed that the Google PREFs cookie is literally how the NSA tracks users across the planet, I find this very absurd to see.

I understand that there's intention to lower the rate of spammer accounts in the Registration process. But recurring users that have -TWO- passwords to identify themselves with should not need to re-identify themselves as a human. And especially not with an unethical service such as Google that seems to not respect any privacy laws that are applicable in the European Union.

To be honest, this issue is for me a reason to change services; and I feel betrayed in the sense that I as a crowdfunding campaign sponsoring user think that this is a serious breach of GDPR law. I'm a European citizen (from Germany) and I never agreed to share any information with Google.

I also understand that other Recaptcha-using services are necessary when ProtonMail would face lots of TOR traffic (which actually would also endanger journalists abroad btw). But this web traffic was received by ProtonMail without any Proxy in between, from my ISP's geo-ip-confirmable IP.

Currently, if ProtonMail continues to deanonymize its users by including Google's Recaptcha code, I cannot recommend ProtonMail as a service to anyone anymore.

  • OS is ArchLinux
  • Browser is Ungoogled Chromium (latest)
  • URL is mail.protonmail.com

PROTON MAIL RESPONSE: A few comments about this. A very small fraction of logins get the CAPTCHA chal... | Hacker News
 

The_King

Level 7
Aug 2, 2020
319

protonmail, 8 hours ago on Hacker News, on: ProtonMail includes Google Recaptcha for login
A few comments about this.

A very small fraction of logins get the CAPTCHA challenge. We, and other services, face unrelenting brute force attacks on our login endpoints. If you are seeing a CAPTCHA on login, chances are that something about your connection is suspicious to our system. It's far from perfect, and we continue to improve it, but at most a percent or two of users are seeing CAPTCHA at any time.

The CAPTCHA is run in an iframe on a separate domain to sandbox it from the Proton login flow and prevent it from compromising the webapp. Obviously Google still gets some information, but we do all we can to limit this.

CAPTCHAs are very hard to build, especially considering Google has a habit of clearing the field with its own captcha-breaking code. Most companies do not have the resources to build their own. We had an alternative CAPTCHA we were going to use as a replacement a few years ago and then the company behind it went bankrupt. We are currently looking to replace ReCAPTCHA with hcaptcha, which should alleviate some of these problems.
We have other strategies which we are also exploring to try to reduce the need for CAPTCHAs entirely, but these are also not trivial to build and integrate into all clients.

TL;DR It's a small fraction of users who are affected, it's necessary to protect our users from brute force login attacks, we don't like it either and are working hard on replacements.
 

Vitali Ortzi

Level 21
Verified
Dec 12, 2016
1,058
Doesn't mean you're "fine". Take a look at bottom left or right or open web console. Sites need to display a captcha symbol if they use this service.

If Google has enough data, no captcha request is displayed as it's solved in background with collected data.
Basically if Google is allowed to track you
You can pass the border without a hassle
Personally I hate captcha lol
 

Local Host

Level 24
Verified
Sep 26, 2017
1,319
Doesn't mean you're "fine". Take a look at bottom left or right or open web console. Sites need to display a captcha symbol if they use this service.

If Google has enough data, no captcha request is displayed as it's solved in background with collected data.
Don't have any tracking from either Google or captcha on that website.
 

plat1098

Level 25
Verified
Sep 13, 2018
1,423
Hopefully, no misunderstanding or anything but no captcha here on the ProtonMail login page. I opened uBlock Origin's matrix and no Google stuff. One connected domain, no third party scripts.

If anyone is running uMatrix (which sadly is being deprecated by the dev.), does this show anything differently? Using Edge browser as the example, same uBO reading in Firefox/Sandboxie. What other possibilities are there for why this is showing for some and not all? If the recaptcha was blocked by uBO, it would be shown in the logger. But all that's shown here is a good, clean webpage.

[Attachment: protonmailubo.PNG]

Edited to remove some text.
 
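One way to settle the "is reCAPTCHA actually loaded for me?" question without relying on an adblocker's logger, as an added example that is not from any poster in this thread: classify every script and iframe URL the page loads against the page origin and against the public hostnames the reCAPTCHA widget is served from. The sample URL list, the `SITEKEY_PLACEHOLDER`/`RELEASE_PLACEHOLDER` values and the `tag-vendor.invalid` host are constructed for the demo; `auditPage()` is a hypothetical helper for running the same check from a browser devtools console.

```javascript
// Added example (not from any post in this thread): classify the script and iframe
// URLs a page loads so you can see whether reCAPTCHA, or any other third party, is
// present. In Node it runs on the constructed sample list below; in a browser
// devtools console, call auditPage() to read the live document instead.

// Public hostnames the reCAPTCHA widget is served from: api.js and the api2/anchor
// iframe on google.com (or the recaptcha.net alternate), the release bundle on gstatic.
const RECAPTCHA_HOSTS = new Set(['www.google.com', 'www.recaptcha.net', 'www.gstatic.com']);

// Classify each URL relative to the page origin. Returns counts plus the flagged URLs.
function classifyResources(pageOrigin, urls) {
  const page = new URL(pageOrigin);
  const report = { firstParty: 0, recaptcha: 0, otherThirdParty: 0, flagged: [] };
  for (const raw of urls) {
    let u;
    try { u = new URL(raw, page); } catch (_) { continue; }   // unparseable src
    if (!/^https?:$/.test(u.protocol)) continue;               // about:blank, javascript:, data:
    if (u.origin === page.origin) { report.firstParty += 1; continue; }
    if (RECAPTCHA_HOSTS.has(u.hostname) && u.pathname.startsWith('/recaptcha/')) {
      report.recaptcha += 1;
    } else {
      report.otherThirdParty += 1;
    }
    report.flagged.push(`${u.hostname}${u.pathname}`);
  }
  return report;
}

// Browser only (hypothetical helper): gather script and iframe sources from the live page.
// Inline scripts have an empty src and are skipped.
function auditPage() {
  if (typeof document === 'undefined') throw new Error('auditPage() needs a browser');
  const srcs = [...document.scripts, ...document.querySelectorAll('iframe')]
    .map((el) => el.src).filter(Boolean);
  return classifyResources(location.origin, srcs);
}

// Constructed sample: what a login page at mail.protonmail.com might load if the
// reCAPTCHA widget were present, plus one unrelated third-party tag (placeholder names).
const SAMPLE_URLS = [
  'https://mail.protonmail.com/assets/app.js',
  '/assets/vendor.js',                                   // relative, resolves to the page origin
  'https://www.google.com/recaptcha/api.js',
  'https://www.google.com/recaptcha/api2/anchor?k=SITEKEY_PLACEHOLDER',
  'https://www.gstatic.com/recaptcha/releases/RELEASE_PLACEHOLDER/recaptcha__en.js',
  'https://cdn.tag-vendor.invalid/tag.js',
  'about:blank',
];

function sampleReport() {
  return classifyResources('https://mail.protonmail.com', SAMPLE_URLS);
}

if (typeof document === 'undefined') console.log(sampleReport());
```

Run it after the page has fully loaded, since api.js injects its iframe lazily. If the widget sits inside a cross-origin iframe (as the Proton reply describes), the top document can only see that outer iframe's src, not what loads inside it, so a clean report from the top frame is not proof that nothing third-party runs in the sandboxed frame.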