@enthusiast29
Can tracking onion exit node help to trace the culprit, is that easy?
That would... depend, but it's rarely ever easy. Whenever multiple countries/destinations come into play, it becomes really difficult. Even setting that aside, most 'consumers' using Onion wouldn't keep logs, which would make it even more difficult (not impossible by itself, 'technically').
That said, most 'dark web' users are caught when they have to come in physical contact with something else, not by being traced via their onion routes. It's basically a game of phishing over there, lol
As for email, I'd like to point towards what Migadu says, and I've to agree with them:
Email as we know it and encryption are incompatible. If someone is telling you otherwise, they are not to be trusted.
Email is built on top of plain text protocols and messages flow in plain text. If you encrypt, you cannot scan for spam or viruses, index messages for searching or recover messages when a password gets lost. Not to mention the usability issues of changing passwords / encryption keys.
This cannot be fixed, at least not any time soon without breaking the protocols on which email relies.
If we were to roll out encryption at rest, we would have to keep the encryption keys ourselves. That means we would be encrypting and decrypting messages on the fly using a key which is available on the same storage where your data is. That is not encryption but rather encoding, and we do not see the great benefit of it.
You may be thinking now, what if someone obtained the hard drives from the servers? Good one. We split data between disks and ensure individual disks are not sufficient to recover data. Our servers run in secure data centers that are internationally certified for their security and data privacy processes. In short, a Hollywood-like action would be needed to get physical access to the servers, and the data-center administrators do not just toss out faulty disks into the nearest garbage bin.
We know some email providers automatically encrypt messages as they arrive using users' public keys. That sounds exciting but in practice it does not really prevent the provider from accessing the mails. It only makes email less usable, less standard and more tied to that provider. What you gain in security you lose in portability and usability, and what we do not want for ourselves, we won't be offering others either.
If you are interested in real encryption and absolute security for your Santa letters, please use end-to-end encryption tools such as GPG with your correspondents or pull locally all your messages periodically (e.g. via POP3) and encrypt them yourself on your local device.
Link to their site:
https://www.migadu.com/procon/
While you can argue otherwise, I think if you want E2EE with every participant of yours and not just a select few and also want an open protocol (ProtonMail isn't that, you've to use their clients), you should be looking at something else entirely, not email.
Should India ban ProtonMail because of encryption issues? Definitely not, that's just unethical.
Should you depend on ProtonMail entirely? I'd say no.
The most 'future-proof' solution is either to use what everyone else loves, Gmail or Outlook, or have email at your own domain. For the latter, I suggest looking at Fastmail or Migadu, or other services that provide different things. Email is a pretty wide and amazing space. I've used both, and Migadu's offering is more in-line for me, and I love their alps webclient for self-hosting, but Fastmail is likely to be much more user-friendly. Worst case, you can self-host email yourself, too. It's not as bad as it was a few years ago, but you've to deal with a shit ton of things still. For that option, two things come to my mind: Maddy and Mailinabox, or look at jonathandion/awesome-emails on github.com (an awesome list of resources to build better emails).
NOTE: I'm not saying ProtonMail is bad or that you should stop using it, I'm just listing alternatives to it as long as you're okay with giving up on the 'email encryption' part of your email life. You can still have encryption using PGP, though. So it's not gone, but has become client-specific.
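The "pull your mail locally over POP3 and encrypt it yourself" option quoted from Migadu above, as an added example that is not the poster's or Migadu's code. It assumes a POP3-over-TLS mailbox and a local gpg binary with the recipient key already imported; the host, credentials and key id are placeholders, and the fetch loop is written against a minimal poplib-style interface so it can be exercised offline with a stub.

```python
"""Pull mail over POP3 and encrypt each message locally with GPG.

Added example (not Migadu's or the poster's code). Assumes a POP3-over-TLS
mailbox and a local `gpg` binary with the recipient key already imported;
the host, credentials and key id below are placeholders.
"""
import poplib
import subprocess
from pathlib import Path
from typing import Callable


def gpg_encrypt(plaintext: bytes, recipient: str) -> bytes:
    """Encrypt bytes to `recipient` with the local gpg binary (stdin -> stdout)."""
    result = subprocess.run(
        ["gpg", "--batch", "--yes", "--encrypt", "--recipient", recipient],
        input=plaintext, capture_output=True, check=True,
    )
    return result.stdout


def pull_and_encrypt(mailbox, out_dir: Path, encrypt: Callable[[bytes], bytes],
                     delete: bool = False) -> list:
    """Fetch every message from a poplib-style mailbox, encrypt it, write <n>.eml.gpg.

    `mailbox` only needs stat()/retr()/dele()/quit(), so a stub works offline.
    The plaintext is never written to disk; only the ciphertext is.
    """
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    count, _size = mailbox.stat()
    for n in range(1, count + 1):
        _status, lines, _octets = mailbox.retr(n)
        raw = b"\r\n".join(lines) + b"\r\n"       # reassemble the RFC 5322 message
        path = out_dir / f"{n:06d}.eml.gpg"
        path.write_bytes(encrypt(raw))
        written.append(path)
        if delete:
            mailbox.dele(n)                          # only after ciphertext is on disk
    mailbox.quit()                                   # QUIT commits any deletions
    return written


def main() -> None:
    box = poplib.POP3_SSL("pop.example.net")          # placeholder host
    box.user("you@example.net")                       # placeholder credentials
    box.pass_("app-password")
    pull_and_encrypt(box, Path("mail-archive"),
                     lambda m: gpg_encrypt(m, "YOUR-KEY-ID"))   # placeholder key id
```

Run `main()` on a schedule (cron, systemd timer) and the server-side copy can be deleted once the encrypted archive is on local disk.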