Note: This is an update of an article written 9/27/2023, parts of it may no longer be correct.
(Newsi8) As of today, many users are effectively locked out of Proton Mail accounts since Firefox can no longer log in. Users could log in yesterday with the same Firefox browser, but not now. What did Proton Mail change?
Users have reported receiving the “Unsupported Browser” message on various browsers, including Safari and Vivaldi. This seems to be a result of ProtonMail’s recent changes in browser support, which now exclude some lesser-known or outdated browsers from accessing its webmail service.
Proton Support told one person to try re-installing the browser. That didn’t help, so they also suggested trying other browsers.
Web browsers collect an obscene amount of user data without permission. Get a hardware firewall and run your computers and phones through that at home and you will see that your devices are going to all kinds of sites you do not know about in the background, sites that track you, analyze you, and god knows what else.
Users have found that some older web browsers could be hack-blocked in various ways from spying for Big Tech. A conspiracy theory says this is the main reason web browser updates are required.
But could there be some other completely logical explanation? Perhaps this is not even ProtonMail’s fault?
The login URL is https://account.proton.me/login
What does the source code for this error look like?
<div class="m-auto text-center max-w30e">
  <h1 class="text-bold text-4xl">Unsupported browser</h1>
  <p> You are using an unsupported browser. Please update it to the latest version or use a different browser. </p>
  <a class="primary-link bold" target="_blank" rel="noopener noreferrer" href="https://proton.me/support/recommended-browsers">More info</a>
  <div class="mt-8">
    <img src="data:image/svg+xml;base64,[base64 image data omitted]" alt="Unsupported browser">
  </div>
</div>
Nothing of interest there. The gobbledygook is just the definition for an image. What are the recommended browsers? ( https://proton.me/support/recommended-browsers ) Well, Firefox for one. We tried using the version Notarealperson reported having trouble with, and got the same error.
… we at Proton feel it’s important to explain to people which browsers they can use if they want to keep their online activity private. There are hundreds of browsers out there, so we could not examine them all. However, we were able to assemble a list of six open-source browsers that respect your privacy to varying degrees.
https://proton.me/blog/best-browser-for-privacy
Based on these recommendations, we decided to try Chromium, specifically, ungoogled Chromium because Google is one of those companies that used to be cool. This browser is under 100MB to download for one old operating system we used for testing, which is pretty amazing.
https://ungoogled-software.github.io/ungoogled-chromium-binaries/
Going to Proton.me, Chromium next wants to connect to res.cloudinary.com, in this case to some Akamai server (104.97.188.44) a104-97-188-44.deploy.static.akamaitechnologies.com but why? Proton should have their own servers, so what is this? It seems to be a large server farm in Australia.
Chromium via Chromium Helper
wants to connect to res.cloudinary.com on TCP port 443 (https)
Cloudinary is primarily an image and video management service that provides features such as media uploading, transformation, optimization, and delivery through a content delivery network (CDN). It is designed to help developers manage media assets efficiently and is known for its robust capabilities in image manipulation and storage. On the other hand, Cloudflare is a web infrastructure and security company that offers various services, including CDN, DDoS protection, and domain registration.
Cloudinary claims on their web site to have partnerships with Google and Amazon among others. So much for de-googled chromium!? Why does Chromium need to tell Cloudinary I am going to Proton.me? This would clearly be disturbing to Mr. Notarealperson, and what is even worse is that the spying is mandatory? If you block Cloudinary, Chromium refuses to connect to https://Proton.me.
The site is not down, the Internet is working. ProtonMail’s server IP is 185.70.42.12 at this time, 185-70-42-12.protonmail.ch, so I allowed only TCP port 80 (http). I also allowed the IP address, but still got https://proton.me/mail is unreachable. ERR_ADDRESS_UNREACHABLE.
The IP address is there:
> ping 185.70.42.12
PING 185.70.42.12 (185.70.42.12): 56 data bytes
64 bytes from 185.70.42.12: icmp_seq=0 ttl=47 time=4833.530 ms
64 bytes from 185.70.42.12: icmp_seq=1 ttl=47 time=672.080 ms
64 bytes from 185.70.42.12: icmp_seq=2 ttl=47 time=676.872 ms
64 bytes from 185.70.42.12: icmp_seq=3 ttl=47 time=664.257 ms
64 bytes from 185.70.42.12: icmp_seq=4 ttl=47 time=667.422 ms
Slow, but responding. So again, what the heck? Looking more into Cloudinary, could it just be that it is hosting some image on the Proton.me log in web page?
Cloudinary supports delivery of all images both through HTTP and HTTPS (SSL). Cloudinary delivers all images and transformed images through a fast CDN (Akamai, Fastly, and Amazon CloudFront). For HTTP delivery http://res.cloudinary.com is used, for HTTPS the base URL is https://res.cloudinary.com.
For example:
HTTP: http://res.cloudinary.com/demo/image/upload/sample.jpg
HTTPS: https://res.cloudinary.com/demo/image/upload/sample.jpg
It still makes no sense. Why is the entire Proton.me site giving me ERR_ADDRESS_UNREACHABLE on Chromium? Chromium can go to some web sites, but not Proton.me, which is strange. Flushing the DNS cache did not help.
MacOS Version | Command |
---|---|
macOS 12 (Monterey) | sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder |
macOS 11 (Big Sur) | sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder |
macOS 10.15 (Catalina) | sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder |
macOS 10.14 (Mojave) | sudo killall -HUP mDNSResponder |
macOS 10.13 (High Sierra) | sudo killall -HUP mDNSResponder |
macOS 10.12 (Sierra) | sudo killall -HUP mDNSResponder |
OS X 10.11 (El Capitan) | sudo killall -HUP mDNSResponder |
OS X 10.10 (Yosemite) | sudo discoveryutil udnsflushcaches |
OS X 10.9 (Mavericks) | sudo killall -HUP mDNSResponder |
OS X 10.8 (Mountain Lion) | sudo killall -HUP mDNSResponder |
Mac OS X 10.7 (Lion) | sudo killall -HUP mDNSResponder |
Mac OS X 10.6 (Snow Leopard) | sudo dscacheutil -flushcache |
Mac OS X 10.5 (Leopard) | sudo lookupd -flushcache |
Mac OS X 10.4 (Tiger) | lookupd -flushcache |
Is Google blocking Proton Mail? Microsoft Edge was once, according to one claim, falsely reporting ProtonMail as a malicious web site. That’s competition, fair and square, right?
That was over a year ago, but when you understand the history, could it be that Google is losing ground and money because it has _____ and ____ for years, therefore, we ask… Did Google perhaps have a hissy fit today, clamping down on all browsers it spawned around the world, to better feed its massive data collecting _____? Consider:
Not only did Microsoft make a point to tell users that it was stripping Google’s services from Chromium and replacing them with its own homegrown alternatives, but it could recreate those services it did not already have much easier than smaller browser makers. Several browsers are, like Edge, founded on Chromium and may have attracted the ire of Google, among them Brave, Opera, Epic and Vivaldi.
Did you know that Microsoft Edge and all these others listed came from Google? Let’s take a look behind the scenes at the handshake with proton.me to see if we can find any clues…
Looking at the details, here is what happens:
> curl --head "http://proton.me"
HTTP/1.1 301 Moved Permanently
content-length: 0
location: https://proton.me/
This is really just the proton.me server saying you have to use https, you can only connect securely.
> curl --head "https://proton.me"
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Well, for now, let’s bypass checking the certificate, because we just want to see what is going on. Namely, is Proton.me hosting an image or something on Akamai servers in Australia?
> curl -k --head "https://proton.me"
HTTP/2 200
date: Thu, 28 Sep 2023 05:37:23 GMT
last-modified: Wed, 27 Sep 2023 12:55:05 GMT
etag: "22c10-60656b3471c40"
accept-ranges: bytes
content-length: 142352
vary: Accept-Encoding
cache-control: public, max-age=1, s-maxage=5, must-revalidate
content-type: text/html; charset=utf-8
age: 1
content-security-policy-report-only: default-src 'self'; media-src https://static.zdassets.com; connect-src 'self' wss: https://protonmail.zendesk.com https://ekr.zdassets.com blob: https://account.proton.me https://reports.proton.me https://*.algolia.net https://*.algolianet.com https://go.getproton.me; script-src 'self' blob: 'unsafe-eval' 'unsafe-inline' https://static.zdassets.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; object-src 'self' data: blob:; frame-src 'self' data: blob: https://www.youtube-nocookie.com; child-src 'self' data: blob:; report-uri https://reports.proton.me/reports/csp; frame-ancestors 'self';
strict-transport-security: max-age=31536000; includeSubDomains; preload
expect-ct: max-age=2592000, enforce, report-uri="https://reports.proton.me/reports/tls"
public-key-pins-report-only: pin-sha256="CT56BhOTmj5ZIPgb/xD5mH8rY3BLo/MlhP7oPyJUEDo="; pin-sha256="35Dx28/uzN3LeltkCBQ8RHK0tlNSa2kCpCRGNp34Gxc="; report-uri="https://reports.proton.me/reports/tls"
x-frame-options: sameorigin
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
onion-location: https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/
Hmm. Outside of Proton.me I see several URLs mentioned, and ____ ___, Google via youtube-nocookie.com.
go.getproton.me
static.zdassets.com/
ekr.zdassets.com
protonmail.zendesk.com
http://www.youtube-nocookie.com (Google!)
*.algolia.net
*.algolianet.com
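To read that header systematically, here is an added example (not code from the original article or from Proton) that splits the content-security-policy-report-only value into directives and lists the hosts outside proton.me that each directive allows. Treating everything under proton.me as first-party is an assumption; keep in mind that a Report-Only policy only reports violations, and that a host named in a policy is permitted, not necessarily contacted.

```python
FIRST_PARTY = "proton.me"  # assumption: hosts under this domain count as first-party
NETWORK_SCHEMES = {"http:", "https:", "ws:", "wss:"}

# Value of the content-security-policy-report-only header from the curl output above.
CSP_REPORT_ONLY = (
    "default-src 'self'; media-src https://static.zdassets.com; "
    "connect-src 'self' wss: https://protonmail.zendesk.com https://ekr.zdassets.com "
    "blob: https://account.proton.me https://reports.proton.me https://*.algolia.net "
    "https://*.algolianet.com https://go.getproton.me; "
    "script-src 'self' blob: 'unsafe-eval' 'unsafe-inline' https://static.zdassets.com; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; "
    "object-src 'self' data: blob:; "
    "frame-src 'self' data: blob: https://www.youtube-nocookie.com; "
    "child-src 'self' data: blob:; report-uri https://reports.proton.me/reports/csp; "
    "frame-ancestors 'self';"
)

def parse_csp(value):
    """Return {directive: [source expressions]} for a CSP header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # If a directive is repeated, only its first occurrence is used.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def host_of(source):
    """Return the host of a host-source, or None for keywords and bare schemes."""
    if source.startswith("'") or (source.endswith(":") and "/" not in source):
        return None
    host = source.split("://", 1)[-1].split("/", 1)[0]
    return (host.rsplit(":", 1)[0] if ":" in host else host).lower()

def third_party(policy, first_party=FIRST_PARTY):
    """Map each *-src directive to the non-first-party hosts it allows."""
    result = {}
    for directive, sources in policy.items():
        if not directive.endswith("-src"):
            continue  # report-uri and frame-ancestors do not control what is loaded
        hosts = [h for h in map(host_of, sources)
                 if h and h != first_party and not h.endswith("." + first_party)]
        if hosts:
            result[directive] = hosts
    return result

def open_schemes(policy):
    """Directives that allow a whole network scheme, i.e. any host over it."""
    result = {}
    for directive, sources in policy.items():
        schemes = [s for s in sources if s in NETWORK_SCHEMES]
        if schemes:
            result[directive] = schemes
    return result

def directives_naming(policy, needle):
    """Directives in which any source expression contains the given text."""
    return [d for d, sources in policy.items() if any(needle in s for s in sources)]

if __name__ == "__main__":
    policy = parse_csp(CSP_REPORT_ONLY)
    for directive, hosts in third_party(policy).items():
        print(f"{directive:12} {', '.join(hosts)}")
    print("any host over scheme:", open_schemes(policy))
    print("algolia appears in:", directives_naming(policy, "algolia"))
```

The `img-src ... https:` entry permits images from any HTTPS host, which is why image CDNs need not be named in the policy, and the Algolia hosts appear only under `connect-src`, the directive for script-initiated connections such as fetch, XHR and WebSocket.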
So what the ___? Does Proton have Google video on their login page? The reason people pay Proton is to avoid Google! Time to look in a bit more detail at that page.
curl -k "https://proton.me" > ~/Desktop/proton.me.txt
Going through the code, I found that, yes, for some unknown reason, Proton is hosting a 919 byte svg image on res.cloudinary.com in Australia, one of the Five Eyes countries.
The Five Eyes (FVEY) is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States.[1] These countries are parties to the multilateral UK-USA Agreement, a treaty for joint cooperation in signals intelligence.[2][3][4] Informally, Five Eyes can also refer to the group of intelligence agencies of these countries.
Here’s the code:
<img
src="https://res.cloudinary.com/dbulfrlrz/image/upload/v1693233221/static/logos/proton-logo_z7innb.svg"
alt="Proton" height="175" width="690" loading="eager" decoding="async"
class="h-auto w-auto max-w-full max-h-full opacity-0 transition-opacity"/>
And many other svg images like this mail badge:
<img
src="https://res.cloudinary.com/dbulfrlrz/image/upload/v1693233226/static/logos/proton-mail-badge_puvcia.svg"
alt="" height="106" width="106" loading="lazy" decoding="async"
class="h-full w-auto opacity-0 transition-opacity"/>
There was also a login service:
https://simplelogin.io (176.119.200.11)
Who runs that?
There were several other URLs, but most were just part of definitions for categorizing the various apps and the ProtonXXXX business. Some examples of URLs in the code for the Proton Mail web site.
https://schema.org/
http://www.productontology.org/id/Technology_company
h t t p s : / / t w i t t e r .com/ProtonPrivacy [ This text link was contacting Twitter! ]
https://www.linkedin.com/company/protonprivacy/
https://www.facebook.com/Proton
https://www.instagram.com/protonprivacy/
https://www.wikidata.org/wiki/Q30537036
https://en.wikipedia.org/wiki/Proton_(Swiss_company)
https://www.google.com/search?kgmid=/g/11g8vthvmc
https://twitter.com/andyyen (Person”,”name”:”Andy Yen”,”jobTitle”:”Chief Executive Officer”)
https://www.linkedin.com/in/andy-yen-03a9676/
https://www.wikidata.org/wiki/Q23759707
http://www.productontology.org/id/Digital_calendar
https://www.wikidata.org/wiki/Q114414130
https://play.google.com/store/apps/details?id=me.proton.android.calendar
https://apps.apple.com/app/apple-store/id1514709943
http://www.productontology.org/id/File_hosting_service
http://www.productontology.org/id/Mobile_cloud_storage
https://www.wikidata.org/wiki/Q30537036
https://apps.apple.com/app/id1509667851
https://play.google.com/store/apps/details?id=me.proton.android.drive
http://www.productontology.org/id/Webmail
https://www.google.com/search?kgmid=/m/0113fkjd
https://en.wikipedia.org/wiki/ProtonMail
https://www.wikidata.org/wiki/Q17355735
https://apps.apple.com/app/apple-store/id979659905
https://play.google.com/store/apps/details?id=ch.protonmail.android
https://www.google.com/search?kgmid=/m/0113fkjd
https://apps.apple.com/us/app/proton-pass-password-manager/id6443490629
https://play.google.com/store/apps/details?id=proton.android.pass
https://addons.mozilla.org/en-US/firefox/addon/proton-pass/
https://chrome.google.com/webstore/detail/proton-pass-free-password/ghmbeldphafepmbegfdlkpapadhbakde
Near the bottom of the page, I found out why going to Proton.me causes my browser to go to prismic.io. This is because Proton is using prismic.io as their CDN for some images:
proton-me.cdn.prismic.io
<img
data-gatsby-image-ssr="" data-main-image="" style="object-fit:cover;opacity:0"
sizes="100vw" decoding="async" loading="lazy"
data-src="https://proton-me.cdn.prismic.io/proton-me/b2ea7dd4-2bad-4354-b21d-1ee303fb17e6_MAP%20HOME%20PAGE%20PROTON%20ME%20MOBILE.svg?ixlib=gatsbyFP&auto=compress%2Cformat&fit=max&w=3000&h=1510"
data-srcset="https://proton-me.cdn.prismic.io/proton-me/b2ea7dd4-2bad-4354-b21d-1ee303fb17e6_MAP%20HOME%20PAGE%20PROTON%20ME%20MOBILE.svg?ixlib=gatsbyFP&auto=compress%2Cformat&fit=max&w=100&h=50 100w,
https://proton-me.cdn.prismic.io/proton-me/b2ea7dd4-2bad-4354-b21d-1ee303fb17e6_MAP%20HOME%20PAGE%20PROTON%20ME%20MOBILE.svg?ixlib=gatsbyFP&auto=compress%2Cformat&fit=max&w=200&h=101 200w,
https://proton-me.cdn.prismic.io/proton-me/b2ea7dd4-2bad-4354-b21d-1ee303fb17e6_MAP%20HOME%20PAGE%20PROTON%20ME%20MOBILE.svg?ixlib=gatsbyFP&auto=compress%2Cformat&fit=max&w=400&h=201 400w,
https://proton-me.cdn.prismic.io/proton-me/b2ea7dd4-2bad-4354-b21d-1ee303fb17e6_MAP%20HOME%20PAGE%20PROTON%20ME%20MOBILE.svg?ixlib=gatsbyFP&auto=compress%2Cformat&fit=max&w=800&h=403 800w,
https://proton-me.cdn.prismic.io/proton-me/b2ea7dd4-2bad-4354-b21d-1ee303fb17e6_MAP%20HOME%20PAGE%20PROTON%20ME%20MOBILE.svg?ixlib=gatsbyFP&auto=compress%2Cformat&fit=max&w=1600&h=805 1600w,
https://proton-me.cdn.prismic.io/proton-me/b2ea7dd4-2bad-4354-b21d-1ee303fb17e6_MAP%20HOME%20PAGE%20PROTON%20ME%20MOBILE.svg?ixlib=gatsbyFP&auto=compress%2Cformat&fit=max&w=3000&h=1510 3000w"
alt=""/>
And now I see why I was also going to cloudfront.net when visiting Proton.Me:
> traceroute proton-me.cdn.prismic.io
traceroute: Warning: proton-me.cdn.prismic.io has multiple addresses; using 18.67.65.46
traceroute to d19pb1pr53hgp.cloudfront.net (18.67.65.46), 64 hops max, 52 byte packets
 1 * 10.1.0.1 (10.1.0.1) 334.822 ms 335.384 ms
...
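Instead of reading the saved page by eye, the same inventory can be produced with a short script. This is an added example, not code from the original article or from Proton: it lists the hosts outside proton.me that a page references and separates images the browser requests on its own from lazy `data-src`/`data-srcset` entries and plain links. The sample HTML is constructed from the tags quoted above, with the prismic file name and srcset shortened.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the <img> tags quoted above: the prismic file
# name and srcset are shortened, and the last two tags are made up for contrast.
SAMPLE_HTML = """
<img src="https://res.cloudinary.com/dbulfrlrz/image/upload/v1693233221/static/logos/proton-logo_z7innb.svg" alt="Proton" loading="eager"/>
<img data-src="https://proton-me.cdn.prismic.io/proton-me/map.svg?w=3000"
     data-srcset="https://proton-me.cdn.prismic.io/proton-me/map.svg?w=100 100w,https://proton-me.cdn.prismic.io/proton-me/map.svg?w=200 200w"
     loading="lazy" alt=""/>
<img src="/static/local-icon.svg" alt=""/>
<a href="https://www.facebook.com/Proton">Facebook</a>
"""

def parse_srcset(value):
    """Return the URLs in a srcset value (comma-separated 'URL descriptor' candidates)."""
    urls, pos, end = [], 0, len(value)
    while pos < end:
        while pos < end and (value[pos].isspace() or value[pos] == ","):
            pos += 1                      # skip separators between candidates
        start = pos
        while pos < end and not value[pos].isspace():
            pos += 1                      # a URL runs to the next whitespace
        url = value[start:pos]
        if url.endswith(","):
            url = url.rstrip(",")         # candidate without a descriptor
        else:
            while pos < end and value[pos] != ",":
                pos += 1                  # skip the descriptor (100w, 2x, ...)
        if url:
            urls.append(url)
    return urls

class ResourceCollector(HTMLParser):
    """Collect (attribute, url) pairs from src, srcset, href and their data-* twins."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in ("srcset", "data-srcset"):
                self.found += [(name, url) for url in parse_srcset(value)]
            elif name in ("src", "data-src", "href"):
                self.found.append((name, value.strip()))

def external_hosts(html, first_party="proton.me"):
    """Map each non-first-party host to how the page references it."""
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    hosts = defaultdict(set)
    for attr, url in collector.found:
        host = urlsplit(url).hostname
        if host is None or host == first_party or host.endswith("." + first_party):
            continue                      # relative or first-party URL
        if attr.startswith("data-"):
            kind = "lazy"                 # loaded only after a script copies it to src/srcset
        elif attr == "href":
            kind = "href"                 # a link; fetched only for some <link rel=...> types
        else:
            kind = "fetched"              # the browser requests it on its own
        hosts[host].add(kind)
    return {host: sorted(kinds) for host, kinds in hosts.items()}

if __name__ == "__main__":
    for host, kinds in sorted(external_hosts(SAMPLE_HTML).items()):
        print(f"{host:28} {', '.join(kinds)}")
```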
So, what web sites do you have to permit to use Proton Mail? I’m not blocking any of these. When I try to go to protonmail.com with Chromium browser, I get “This site can’t be reached https://proton.me/mail is unreachable. ERR_ADDRESS_UNREACHABLE” but that is a lie.
My computer can go to the site, it’s just the browser that thinks it can’t.
> curl -k --head "https://proton.me/mail"
HTTP/2 200
date: Thu, 28 Sep 2023 06:47:59 GMT
last-modified: Wed, 27 Sep 2023 12:55:06 GMT
etag: "2fba8-60656b3565e80"
accept-ranges: bytes
content-length: 195496
vary: Accept-Encoding
cache-control: public, max-age=1, s-maxage=5, must-revalidate
content-type: text/html; charset=utf-8
age: 1
content-security-policy-report-only: default-src 'self'; media-src https://static.zdassets.com; connect-src 'self' wss: https://protonmail.zendesk.com https://ekr.zdassets.com blob: https://account.proton.me https://reports.proton.me https://*.algolia.net https://*.algolianet.com https://go.getproton.me; script-src 'self' blob: 'unsafe-eval' 'unsafe-inline' https://static.zdassets.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; object-src 'self' data: blob:; frame-src 'self' data: blob: https://www.youtube-nocookie.com; child-src 'self' data: blob:; report-uri https://reports.proton.me/reports/csp; frame-ancestors 'self';
strict-transport-security: max-age=31536000; includeSubDomains; preload
expect-ct: max-age=2592000, enforce, report-uri="https://reports.proton.me/reports/tls"
public-key-pins-report-only: pin-sha256="CT56BhOTmj5ZIPgb/xD5mH8rY3BLo/MlhP7oPyJUEDo="; pin-sha256="35Dx28/uzN3LeltkCBQ8RHK0tlNSa2kCpCRGNp34Gxc="; report-uri="https://reports.proton.me/reports/tls"
x-frame-options: sameorigin
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
What is this algolianet thing? Looking at the site, it seems to be an AI search system.
So is a natural language AI system, algolianet, going through your email, images, everything on ProtonMail?
What does Algolia do?
Algolia consists of two parts: search implementation and search analytics. The implementation tools make it easier for your developers to create and maintain great search experiences for your users. The analytics tools enable your business teams to analyze the impact of those experiences and refine them, so they can directly address your evolving business objectives.
Modern AI in 2024 says this: “ProtonMail, known for its strong privacy and security features, does not allow any natural language AI system, such as Algolia, to access the content of your emails or images. With Algolia, ProtonMail can provide users with instant search results, making it easier for them to locate emails or documents quickly. This is particularly beneficial for business users who manage large volumes of communications.” Uh, what? So, Algolia is out and Proton Scribe is in?
While Algolia is known for providing robust search capabilities, it does require access to content for its functionality. In contrast, ProtonMail’s approach with Proton Scribe emphasizes that no email content is accessed by external AI systems, which aligns better with the privacy expectations of its user base.
If an organization runs a survey in 2024 on whether it should get into AI, then they’ve already bodged an LLM into the system and they’re seeing if they can get away with it.
Proton Mail is a privacy-focused email service. It’s the level of privacy service that privacy obsessives recommend to their friends. Proton Mail ran a user survey two months ago. They found some readers saying they were “interested in AI,” didn’t include a “hell no” option, and today, they’ve introduced Proton Scribe, claiming that “interested in AI” constituted user demand for this specific feature! [blog post; blog post] Proton Scribe is an AI writing assistant for Proton Mail’s enterprise customers — who give them vastly more money than their original base of privacy-focused users do. The enterprise users very much want to press a button to write those emails that they didn’t want to write and the recipient didn’t want to read. {source}
Does ProtonMail use Algolia?
If not, why is Algolia in the CSP header for ProtonMail’s login page?
“The presence of Algolia in the Content Security Policy (CSP) header for ProtonMail’s login page indicates that while Algolia may be included in the site’s policy for certain functionalities, it does not imply that ProtonMail uses Algolia for processing email content or user data. The CSP is designed to specify which sources are allowed to load resources on the site, and it can include various domains for legitimate purposes like analytics or support.”
Is Algolia still there in 2024? Yes
* About to connect() to proton.me port 443 (#0)
* Trying 185.70.42.45...
* Connected to proton.me (185.70.42.45) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=proton.me
* start date: Oct 26 13:17:44 2024 GMT
* expire date: Jan 24 13:17:43 2025 GMT
* common name: proton.me
* issuer: CN=R10,O=Let's Encrypt,C=US
> GET /mail HTTP/1.1
> User-Agent: Site24x7
> Host: proton.me
> Accept: */*
> Connection: close
>
< HTTP/1.1 200 OK
< date: Mon, 09 Dec 2024 21:15:15 GMT
< set-cookie: Session-Id=Z1dd41F3h7u0iAx7YYyFcgAAAIg; Domain=proton.me; Path=/; HttpOnly; SameSite=None; Secure; Max-Age=7776000
< set-cookie: Tag=default; Path=/; SameSite=None; Secure; Max-Age=7776000
< last-modified: Mon, 09 Dec 2024 12:52:49 GMT
< etag: "35776-628d5d7818a40"
< accept-ranges: bytes
< content-length: 218998
< vary: Accept-Encoding
< cache-control: public, max-age=1, s-maxage=5, must-revalidate
< content-type: text/html; charset=utf-8
< content-security-policy-report-only: default-src 'self'; media-src https://static.zdassets.com; connect-src 'self' wss: https://protonmail.zendesk.com https://ekr.zdassets.com blob: https://account.proton.me https://reports.proton.me https://*.algolia.net https://*.algolianet.com https://go.getproton.me; script-src 'self' blob: 'unsafe-eval' 'unsafe-inline' https://static.zdassets.com https://pmecdn.protonweb.com; style-src 'self' 'unsafe-inline' https://pmecdn.protonweb.com; font-src 'self' https://pmecdn.protonweb.com; img-src 'self' data: blob: https:; object-src 'self' data: blob:; frame-src 'self' data: blob: https://www.youtube-nocookie.com; child-src 'self' data: blob:; report-uri https://reports.proton.me/reports/csp; frame-ancestors 'self';
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< public-key-pins-report-only: pin-sha256="CT56BhOTmj5ZIPgb/xD5mH8rY3BLo/MlhP7oPyJUEDo="; pin-sha256="35Dx28/uzN3LeltkCBQ8RHK0tlNSa2kCpCRGNp34Gxc="; report-uri="https://reports.proton.me/reports/tls"
< x-frame-options: sameorigin
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: strict-origin-when-cross-origin
< x-permitted-cross-domain-policies: none
< connection: close
<
{ [data not shown]
* Closing connection 0
===== CURL Metrics Starts =====
status_code:200
proxy_status_code:000
redirectcount:0
redirect_url:
resolved_ip:185.70.42.45
remote_port:443
read_byte:218998
header_size:1731
dns_time:0.012
con_time:0.161
ssl_time:0.609
pre_transfer_time:0.609
fb_time:0.813
response_time:1.364
redirection_time:0.000
last_url:https://proton.me/mail
download_speed:160560.000
===== CURL Metrics Ends =====
I believe the deal is that you can choose in ProtonMail to have your email indexed or not. Once you do, you can search easily, but you are also giving all of your email to AI to chow upon. That includes all the private details in your private ProtonMail messages. We mostly always choose convenience, don’t we?
Update: A new version of Firefox 115.3.1 did work, while Firefox 76.0.1 still gives the unfriendly Unsupported Browser error at ( https://account.proton.me/login ). A forced web browser update to continue using an email service we pay for is not cool. They should have an old version for those who do not want to upgrade. ProtonMail tech support has declined to indicate what new features are required. If we find out, we will update this.