5

I like the look of ProtonMail. However, what has stopped me from signing up is that JavaScript seems to be used at various points in the site, and for someone to read your email they must click on a link to what I believe is a JavaScript page?

For people like me that use Tor Browser Bundle with NoScript: even if the site is usable, what about the end users that want to view the contents of your message while on Tor?

I am worried about something like what happened to Freedom Hosting. But even without an exploit, I've seen rather simple attacks using JavaScript to unmask someone.

This seems like a pretty stupid thing, but I am far from an expert. Am I wrong here, overreacting, or is this an actual huge vulnerability that for example the FBI (or whatever Switzerland has) could use to get an IP address?

EDIT: I found this article which is my worry.

techraf
  • 9,141
  • 11
  • 44
  • 62
k1308517
  • 1,272
  • 14
  • 27

1 Answer

4

Note: this question might have been better on the Tor community despite being on-topic here.

Thomas Roth demonstrated that ProtonMail was vulnerable to a cross-site scripting (XSS) attack.

The video (Vimeo) he made shows that at least the mail body was vulnerable to JavaScript injection. As soon as the receiver reads the mail, the code is executed. Unfortunately, this code can be malicious and can, among other things, deanonymize the user. The FBI showed that it was possible when they seized Freedom Hosting. (Although they exploited a 0-day in Firefox.)

Using the Tor browser with JavaScript enabled is risky. Disabling it will reduce the attack surface. The Tor developers are aware of this issue and address it in their FAQ:

Why is NoScript configured to allow JavaScript by default in Tor Browser? Isn't that unsafe?

We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if a website they want to use requires JavaScript, because they would not know how to allow a website to use JavaScript (or that enabling JavaScript might make a website work).

The Tor browser gives you the opportunity to disable JavaScript (with the NoScript plugin). However, as you may have noticed, ProtonMail relies heavily on JavaScript, and disabling it would prevent you from using their service:

Why do you need JavaScript, Session Storage, and Cookies?

ProtonMail does encryption and decryption of messages in your web browser.

This ensures that we do not have the ability to independently decrypt your messages and thus ensures the security and privacy of your data. In order to do encryption and decryption in your web browser, we need to use JavaScript for the encryption/decryption and SessionStorage for saving your private key(s) locally. ProtonMail also requires cookies to be enabled so that we can store your current session information and log you into your account.

(Last emphasis is mine.)

Therefore you have to make a choice: either you decide to trust ProtonMail to be secure (even though vulnerabilities have been found), or you walk away and find another solution.

Yuriko
  • 941
  • 1
  • 6
  • 21
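One way a webmail client can display an HTML mail body without letting injected script run in the reader's session, as an added example that is not part of the answer above and is not ProtonMail's code. The names `frameMailBody`, `escapeAttr`, `rawTagCount` and `MAIL_CSP` are hypothetical, and the sample bodies are constructed.

```javascript
'use strict';

// Policy for the framed message: nothing loads or runs except inline
// styles and data: images (assumed to be enough for displaying mail).
const MAIL_CSP = "default-src 'none'; style-src 'unsafe-inline'; img-src data:";

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Return markup that displays an untrusted HTML mail body in isolation.
// sandbox="" (no allow-* tokens) disables script execution and gives the
// frame an opaque origin, so it cannot read the parent's sessionStorage
// or cookies. The CSP <meta> is a second layer if the sandbox is loosened.
function frameMailBody(untrustedHtml) {
  const doc =
    '<!doctype html><meta charset="utf-8">' +
    `<meta http-equiv="Content-Security-Policy" content="${MAIL_CSP}">` +
    String(untrustedHtml);
  return `<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Count raw tag openers; after framing, only the wrapper's two remain.
function rawTagCount(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample bodies: inline script, an event handler, and an
// attempt to close the srcdoc attribute and escape the frame.
const SAMPLE_BODIES = [
  '<p>Hello</p><script>document.title = "ran"</script>',
  '<img src="x" onerror="document.title = \'ran\'">',
  '"></iframe><script>document.title = "escaped"</script>',
];

for (const body of SAMPLE_BODIES) {
  const framed = frameMailBody(body);
  console.log(rawTagCount(framed), framed.slice(0, 60) + '...');
}
```

The sandbox protects the page that hosts the frame; a browser-level exploit of the kind mentioned in the answer is outside what it can address.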