The popular encrypted email provider ProtonMail has launched the Tor Hidden Service to provide further protection to its users.

ProtonMail is the world’s largest encrypted email provider with over 2 million users worldwide. Its popularity exploded just after the US presidential election, its users include journalists, activists, businesses, and normal people that want to protect their security and privacy. The service is a free and open source, featuring strong end-to-end encryption and protected by Swiss privacy laws.

Implementing a Tor hidden service for ProtonMail Tor has numerous advantages for end-users, communications are protected by supplementary layers of encryption, user’ IP address is masqueraded by the anonymizing network, and such kind of service is able to bypass government censorship.

“There are several reasons why you might want to use ProtonMail over Tor. First, routing your traffic to ProtonMail through the Tor network makes it difficult for an adversary wiretapping your internet connection to know that you are using ProtonMail. Tor applies extra encryption layers on top of your connection, making it more difficult for an advanced attacker to perform a man-in-the-middle attack on your connection to us. Tor also makes your connections to ProtonMail anonymous as we will not be able to see the true IP address of your connection to ProtonMail.”  a onion site,” ProtonMail explained in a blog post.

“Tor can also help with ProtonMail accessibility. If ProtonMail becomes blocked in your country, it may be possible to reach ProtonMail by going to our onion site. Furthermore, onion sites are “hidden” services in the sense that an adversary cannot easily determine their physical location. Thus, while protonmail.com could be attacked by DDoS attacks, protonirockerxow.onion cannot be attacked in the same way because an attacker will not be able to find a public IP address.”

The onion address for the ProtonMail Tor service:

https://protonirockerxow.onion

Just for curiosity, the above address was generated by the company used spare CPU capacity to generate millions of encryption keys and then hashed them aiming to generate a more human readable hash. The address it can be easily remembered as:

proton i rocker xow

ProtonMail

ProtonMail published detailed instructions on how to setup Tor and how to access the service over Tor. For example, in order to use the ProtonMail hidden service is it necessary to enable Javascript.Tor Browser disables Javascript by default, but you will need it for our onion site. You can do this by clicking the “NoScript” button and selecting “Temporarily allow all this page”:

“Tor Browser disables Javascript by default, but you will need it for our onion site. You can do this by clicking the “NoScript” button and selecting “Temporarily allow all this page”” reads the ProtonMail page.

The ProtonMail hidden service only accepts HTTPS connections, it uses a digital certificate issued by Digicert, the same CA used by Facebook for its Tor hidden service.

The ProtonMail hidden service could be reached via a desktop web browser and both iOS and Android apps.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – ProtonMail, Tor)

The post ProtonMail announced that its Tor Hidden Service is online appeared first on Security Affairs.

Source: securityaffairs

According to Elcomsoft, iPhone and iPad automatically send call history to Apple when iCloud is enabled, the company stores the data for up to four months.

According to the digital forensics firm Elcomsoft, Apple mobile devices automatically send call history to the company when the iCloud is enabled, it also stores the data for up to four months.

The only way to prevent such activity is to completely disable the cloud synchronization feature.

“iCloud sync is everywhere. Your contacts and calendars, system backups and photos can be stored in the cloud on Apple servers. This time, we discovered that yet another piece of data is stored in the cloud for no apparent reason. Using an iPhone and have an active iCloud account? Your calls will sync with iCloud whether you want it or not. In fact, most users we’ve heard from don’t want this “feature”, yet Apple has no official way to turn off this behavior other than telling people “not using the same Apple ID on different devices”. What’s up with that? Let’s try to find out.” reads the analysis published by Elcomsoft.

Elcomsoft tools could allow determining what personal data is synchronized with Apple servers and how to prevent it.

When the iCloud feature is enabled, Apple mobile devices automatically collect and send back to the company private information such as call history, phone numbers, phone call metadata (i.e. Length of calls).

The iPhone also sends information collected from other third-party VoOP applications, including Facebook Messenger, Viber, WhatsApp, and Skype.

iCloud

Security experts highlighted the low level of protection of users’ data in Apple iCloud, that could be easily accessed by law enforcement.

“So far, we had no reasons to doubt this policy. However, we’ve seen Apple moving more and more data into the cloud. iCloud data (backups, call logs, contacts and so on) is very loosely protected, allowing Apple itself or any third party with access to proper credentials extracting this information. Information stored in Apple iCloud is of course available to law enforcement.” continues Elcomsoft .

Even logs are sent in real time to Apple when iCloud Drive is enabled. If users want to stop sharing their logs with Apple need to disable iCloud Drive completely, an operation that has an impact on many applications.

“Syncing call logs happens almost in real time, though sometimes only in a few hours,” says Elcomsoft CEO Vladimir Katalov. “But all you need to have is just iCloud Drive enabled, and there is no way to turn that syncing off, apart from just disabling iCloud Drive completely. In that case, many applications will stop working or lose iCloud-related features completely.”

Apple, of course, defends its iCloud Sync feature ensuring that customers’ data is encrypted and protected with a two-factor authentication mechanism.

“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices. Apple is deeply committed to safeguarding our customers’ data. That is why we give our customers the ability to keep their data private. Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.” is the official statement from the company.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – iPhone, mobile)

The post Are you an iPhone user? Your call history is uploaded on iCloud too appeared first on Security Affairs.

Source: securityaffairs