This, from a company that happily put Google's reCAPTCHA on their login form, further telling people on GitHub not to worry about it, without having ever heard of hCaptcha.
I have long since left Proton as I don't believe their actions match their supposed mission.
This comment is absolutely the wrong take on this.
For context, Proton Mail was first launched in 2014, and back then, hCaptcha didn't even exist and there were no other non-broken captcha solutions that worked at scale besides reCaptcha. It wasn't until 2020 that hCaptcha became better known, and until then it was really quite untested at scale. In any case, Proton switched over to hCaptcha soon after but even then, it was not without issues, and did not work for many prospective Proton users.
Whether it's reCaptcha or hCaptcha, Proton's implementation always sandboxed it within an iframe which mitigated the privacy concerns and it honestly could have been left like this.
But instead, Proton went out of their way, investing substantial resources to build, launch, and operate its own captcha service. That's actually pretty extreme commitment to the mission, and putting money and resources to prove it.
This is not true.
We moved a long time ago to use hCaptcha precisely to cut ties with Google reCAPTCHA.
And we switched today from hCaptcha to our own solution precisely for the reason described in the blog post.
The service is solid, but there are a lot of caveats and compromises they make to achieve their differentiating features. For one thing, the encryption means you can only use their frontend/app to access your email. Unfortunately the app doesn't get notifications reliably, search is utterly broken, and the app can't show the subject line in toasts for security reasons, so I never know if an email needs to be read now or whenever's convenient.
You also need to be on the paying tier for a usable product. I evaluated a number of options when I was trying to decide where to park my domain long term. Cue an incident at a border crossing where immigration wanted to see a hotel booking that search insisted didn't exist. Turns out the booking email was a few days outside the free tier search window, and that limitation wasn't obvious in the pressure of an immigration queue. Felt like I had been gaslit once I realized.
There isn't one unless you run it yourself. It simply doesn't exist. Email is never private unless you put your own encryption layer on it, which both sides must support, at which point you're probably better off using an E2E solution.
Those visual challenges look pathetically easy to automate. I can’t see that they would offer any security against bots that actually want to get in—only against completely casual bots, and you can go much lower-tech against those, e.g. an invisible honeypot field on form submissions is surprisingly effective.
Finding a compromise between usability/accessibility and security is difficult. We want to make it easy for humans to minimize errors whilst also making it harder for bots, so we're happy that you think the challenges look easy. One of the differentiators in ProtonCAPTCHA is that we've built this system with the expectation that someone will break it, either through automated mechanisms, or via third party solvers - however, there are defenses against these attacks in place which we will not divulge for obvious reasons.
As a Linux user, captchas deny me access to regular sites and services all the time. It doesn't matter how many fire hydrants I click, I'm as good as dead to them. We've come a long way with web accessibility, but we need to keep pushing.
I get them too but I guess this means that my locked down browser config (resistfingerprinting, strict ublock policy, privacy badger) is working. Behavioral security checks which are pretty common nowadays mean that either they can fingerprint you into a human they already know, or they will put you behind a captcha.
I feel you... even though I have a generic mac I currently live in a dorm with internet shared by 500+ people. I think I get captchas every single time that it's possible. Sometimes in the same minute. I actually turn on my vpn sometimes for fewer captchas
I don’t think this actually provides “defense-in-depth” as they claim. At the end of the day, whatever signals they determine mean “bot” or not are the actual critical defense. I’m assuming their PoW system doesn’t scale the work for human-classified requests, such that if there’s some unintended loop humans aren’t affected while bots would be. That again means that seeking a “human” designation is the important piece that bad actors will attack. The same goes for the UI challenge - these are becoming notoriously easy to ML your way to victory as a bad actor or to use actual humans to solve for cheaper than the value they get from beating the CAPTCHA.
An actual defense-in-depth strategy would be one that uses a tool like this for generic browser/device level signal interrogation AND domain/product-specific behavioral analysis. That would be 2 different layers — depth.
There has been a trend recently in computation proof of work only CAPTCHAs, e.g. mCAPTCHA, or Friendly CAPTCHA (https://proton.me/blog/captchas), but our own data shows that these are not sufficient to stop attackers due to compromises made to make PoW work for real users with slow devices. Adding the visual challenge has been essential in stopping these attackers. The combination of computational proof of work and human proof of work does in our experience provide defense in depth.
However it's not perfect.
One of the differentiators of ProtonCAPTCHA is that we've built this system with the expectation that someone will break it.
So, as you've alluded to, in the event that someone or some thing is able to navigate these challenges either through automated mechanisms, or via third party solvers, we have defenses against such attacks/automations. That is a third hidden level of defense -> however, you will understand that for obvious reasons we do not divulge how this is done.
This is ultimately why I left. I felt as though they kept releasing new features and services every month without a focus on improving their existing ones.
In what way would those visual challenges not get scripted within 24 hours? That's like my first AutoHotkey script level of "challenge". Look for dark pixels and then drag cursor to same level, or same place as dark pixels.
In countries with restricted internet (for example, Iran and Russia), there are issues with CAPTCHA availability affecting users of Proton services. Proton CAPTCHA helps bypass these issues.