Whonix wiki and protonmail - protonmail doesn't allow registering via Tor without de-anonymization

I noticed that the Whonix wiki mentions protonmail.com as a suitable mail provider several times. This could be misunderstood as a recommendation.
And because it was mentioned in the Whonix wiki, I also tried to create an account at protonmail.com while using Tor.

But the problem is that it is not possible to create an account at protonmail.com by using Tor.
If you try to do so, protonmail asks the user for a phone number (to send an SMS) or money (which requires a credit card or similar).
Both options will de-anonymize the user and the email account he wants to use.
Thus this mail provider is not an option for usage via Tor.

It’s also not possible to just try to use some of these free SMS receive providers, because protonmail will bind the provided phone number to the mail account, and when it is already in use, which is typically the case for such free disposable phone numbers from these free SMS receive providers, protonmail refuses to accept the provided phone number. In consequence it’s not possible to create an account without de-anonymization by using Tor.

I would suggest removing all entries that mention protonmail from the wiki.

You can find a free VPN service provider to:

User -> Tor -> VPN -> Internet

It’s not ideal but you can register without SMS.


They do the same when VPNs are used.
I will rather search for another mail provider.
I don’t need access via onion addresses to the mail provider.

Two tips, man:

  1. 0brand’s suggestion will work with some VPN servers, not with others. Try to find less used servers and try again (hint: less popular locations than US / Europe).

  2. It is possible to get VoIP numbers that protonmail accepts. You need to search a bit harder and possibly pay a few dollars (in crypto).


I beg to differ. It’s possible to create an account with any service on the planet without de-anonymization. It just takes more work in some cases. It can be irritating at times, yes, but it’s just another habit you learn. I also found it irritating in the past to move from a continuously “logged in” state (browser remembers everything, keeps history, passwords etc.) to starting with a clean slate on every browser launch, but now it’s second nature.


Register with danwin1210 or Torbox (only for onion mails)… no need to use protonmail.

Also, where in the wiki is the usage of protonmail recommended?

There is nothing secure about Torbox apart from not going through an exit relay. The emails are stored unencrypted on the server that is owned by an anonymous entity.

Actually I don’t think Whonix recommends any email provider.

Whonix ™ stands neutral in this regard; objectively speaking no particular mail provider can be recommended.

I’d note that even if the emails are PGP encrypted, the provider still has all the metadata (who sent to who and when) or otherwise it can’t deliver the email. Trust is indeed important and PGP doesn’t solve everything.

By the way, I found it ironic that the reddit page mentioned in

This Reddit thread is actively curated and maintains a list of privacy-friendly (Tor-accessible) providers. In early-2019, the list of providers with onion services

is blocking Tor. Regardless of that fact, I suggest removing “privacy friendly” and sticking to “tor-accessible”, as that can be confusing.

I don’t know about now, but a few months ago a brute force approach clearly worked. If you kept trying enough, eventually you’d get the lucky option to only complete a recaptcha (may it get cancer too, because it is super hostile to non-Google browsers and Tor browser particularly) to sign up.

No, this isn’t entirely true. Protonmail does not like Tor but I have created many anonymous accounts with it.

Protonmail allows email verification to only some exit nodes; to get these, just create a new circuit until you get it. Many temporary emails are blocked except some of guerilla mail’s emails. Use guerilla mail for email verification. Not all work though.

Tested just now - works perfectly with Tor Browser. Probably just circuit rotation required.

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/E-Mail#Onion_Service_Providers

This Reddit thread is actively curated and maintains a list of privacy-friendly (Tor-accessible) providers.


Use PGP. If you say PGP can’t hide metadata, then not many email providers do that; maybe check lavabit. BUT still, sending emails from one provider to another provider can’t be encrypted except with PGP/GNUPG.

I meant, use “Tor-accessible” instead of “privacy-friendly (Tor-accessible)”.

Correct, any email provider must know to whom you’re sending your emails and when, from whom you receive them and when. My point is that PGP encryption of content can indeed be helpful but doesn’t completely address issues with the provider, if there are any. The trust issue is still relevant.