proton-bridge VS mCaptcha

That isn't really fair. If you read the article, protonmail essentially supplied the FBI the recovery email of the account. This is metadata that protonmail must have that isn't encrypted by the user for obvious reasons.

Regarding the "MITM" for every email sent, this is related to their "bridge" software which allows regular IMAP/SMTP software to use Proton Mail. This software must edit the emails to encrypt them in their scheme.

This software is open source and can be inspected and/or built locally. https://github.com/ProtonMail/proton-bridge

> This appears to be related to a behaviour that ProtonMail has of dropping all plaintext email if any mime-encoded parts exist.

https://github.com/ProtonMail/proton-bridge/issues/26#issuec...

I'm actually more shocked knowing that they drop plain text if there is a mime-encoded part (e.g. HTML). Just verified that all mails imported from GMail and all newer mails I received in PM only have the HTML part now, while GMail shows both HTML and plain text parts in message source. Great, now if I want to use a text-only client to read those mails in the future, I won't be able to.

Now I honestly wonder, how did they think this is something okay to mess up? Is there just no usable email hosting service for someone that want their mails not touched and also stored securely? Like, this is not even going to save storage space for PM - I'm paying for my storage.

Repository here https://github.com/ProtonMail/proton-bridge

The privkey is never loaded out of the keychain. Rather, it acquires a handle to the privkey and relies on the keychain to carry out cryptographical operations. (https://github.com/ProtonMail/proton-bridge/blob/master/pkg/keychain/helper_darwin.go and https://github.com/ProtonMail/proton-bridge/blob/master/pkg/keychain/keychain_darwin.go)

Oh yes. The Bridge shouldn’t have been marketed as stable for the past years because of this issue (see issue #220 on Github, reported 2021-09-29). It’s fixed in Bridge 3.0.

What about proof of work based CAPTCHA like https://github.com/mCaptcha/mCaptcha ? Since CAPTCHAs can be solved by bots, at least make it more costly for them.

That should only be an issue if the server is under attack.

According to the docs (https://github.com/mCaptcha/mCaptcha/blob/master/docs/CONFIG...), you can set three difficulty levels:

MCAPTCHA_CAPTCHA_AVG_TRAFFIC_DIFFICULTY

MCAPTCHA_CAPTCHA_PEAK_TRAFFIC_DIFFICULTY

MCAPTCHA_CAPTCHA_BROKE_MY_SITE_TRAFFIC_DIFFICULTY

It isn't proprietary [0]. There is a matrix channel [1] for the project to ask questions.

[0] https://github.com/mCaptcha/mCaptcha

[1] https://matrix.to/#/@realaravinth:matrix.batsense.net