ProtonMail and Anonymity

Michał Górny mgorny at gentoo.org
Sun May 5 22:20:58 CEST 2019


On Sun, 2019-05-05 at 14:32 -0400, Jeff Allen wrote:
> On 5/5/19 1:36 PM, Stefan Claas wrote:
> > On Sun, 5 May 2019 11:22:56 -0400
> > Tony Lane <codeguro at gmail.com> wrote:
> > 
> > > Isn't it obvious?
> > 
> > I don't think so! Users new to privacy-related
> > services may think when visiting the ProtonMail
> > site that they are anonymous, when seeing their
> > main page:
> > 
> > https://protonmail.com/
> > 
> 
> I suppose like anything else it all comes down to whether you believe
> them or not.  I do.
> 
> Here is ProtonMail's explanation of what they do with the personally
> identifiable information collected during registration:
> 
> "If you are presented with Email or SMS verification, we only save a
> cryptographic hash of your email or phone number which is not
> permanently associated with the account that you create. Because hash
> functions are one way functions, it is impossible to derive your phone
> number or email from that hash. However, using the same phone number
> will result in obtaining the same cryptographic hash, so by comparing
> hashes, we can detect re-use of phone number or email addresses for
> human verification."
> 

Don't you think that brute-forcing a hash of a phone number would be
trivial?

-- 
Best regards,
Michał Górny
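
The question above, illustrated with an added example that is not part of the original message and is not ProtonMail's code: an unkeyed hash of a phone number can be matched by hashing every candidate number, while a keyed hash (HMAC under a server-side secret) still detects re-use but cannot be enumerated without the key. The hash function (SHA-256), the sample number, the 4-digit search window, the demo key and the hashing rate are all assumptions made for this sketch; the quoted text does not say which hash is used.

```python
import hashlib
import hmac

# Constructed sample: 202-555-01xx is a range reserved for fictional use.
PREFIX = "+1202555"
SAMPLE = "+12025550143"

def plain_digest(number: str) -> str:
    """Unkeyed hash of the identifier (SHA-256 is assumed for this example)."""
    return hashlib.sha256(number.encode()).hexdigest()

def keyed_digest(number: str, key: bytes) -> str:
    """HMAC-SHA-256 under a server-side secret; equal inputs still match."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()

def enumerate_preimage(target: str, prefix: str, digits: int, digest_fn):
    """Hash every number of the form prefix + `digits` digits; return the match."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hmac.compare_digest(digest_fn(candidate), target):
            return candidate
    return None

def keyspace_seconds(digits: int, hashes_per_second: float) -> float:
    """Time to cover the whole keyspace at an assumed hashing rate."""
    return 10 ** digits / hashes_per_second

if __name__ == "__main__":
    stored = plain_digest(SAMPLE)
    print("unkeyed digest reversed to:",
          enumerate_preimage(stored, PREFIX, 4, plain_digest))
    # 1e9 hashes/s is an assumed rate, used only to give a sense of scale.
    print("10-digit keyspace at 1e9 H/s:", keyspace_seconds(10, 1e9), "s")

    key = b"constructed-demo-key-not-a-real-secret"
    stored_keyed = keyed_digest(SAMPLE, key)
    # Duplicate detection still works for whoever holds the key...
    print("re-use detected:", keyed_digest(SAMPLE, key) == stored_keyed)
    # ...but enumerating the same window without the key finds nothing.
    print("enumeration without key:",
          enumerate_preimage(stored_keyed, PREFIX, 4, plain_digest))
```

The keyed variant only helps while the key is stored apart from the digests; anyone who obtains both can enumerate exactly as in the unkeyed case.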





More information about the Gnupg-users mailing list