I don’t see there customer support call as a recovery method. I‘d expect that for paid accounts you could theoretically verify your identity to CS via payment, but in that case you lose the data anyway.
Even if the attacker cant decrypt existing e-mail the concern is by hijacking the account they can intercept future e-mail received such as password resets.
Some searching finds this comment. [1] I would be interested if such a password reset were possible against someone who for instance had 2FA enabled, no recovery information and only accessed their account using the Tor onion-service. ;-)
Tor onion service relays are mostly on VPS. And those VPS are mostly American.
The number of tutorials I have seen about spinning up a tor relay on a VPS is crazy. These tutorials are probably written by three letter agencies - though I have no proof.
Regardless, protonmail doesn’t let people register when connecting with Tor unless you use phone number or card to make a payment. You will have to give up something which identifies you, and so it really doesn’t matter when you connect with Tor after you have already registered - there is a way to connect who you are.
Traffic of onion-services is encrypted. Traffic correlation to deanonymize the client can still be theoretically performed but ultimately you need to draw the line in the sand somewhere.
> Regardless, protonmail doesn’t let people register when connecting with Tor unless you use phone number or card to make a payment
Actually if you attempt enough times you will get the option to verify the registration with an e-mail. And they are rather liberal with which options they accept. So it is not exactly a circular dependency.
From there is it an exercise to the reader to create an account not linked to any other identity.
Valid point, however that happened at least 5 years ago. Proton was smaller. I don’t know if this is still the case for today: I would expect that they continuously improve security of user accounts as they grow.
Your link doesn't apply here. The attacker's recovery process is to just send an email to support@protonmail.zendesk.com and start flapping their gums.
It doesn't matter if you lose data. If you control an email address, you get all future email including forgot-my-password emails.
Here’s their recovery process: https://proton.me/support/set-account-recovery-methods
I don’t see there customer support call as a recovery method. I‘d expect that for paid accounts you could theoretically verify your identity to CS via payment, but in that case you lose the data anyway.