I have never used an onion address.

I was logging into protonmail and it said on top that it was pushing an
onion address which it said was available for logging in.

But I already have a normal address to log in, don't I?
https://mail.protonmail.com

And I'm already using a tor browser to log in.
So what's the advantage of an onion address to do the exact same thing?

Before I ask here I tried it by starting up a new Tor browser session and
logging into protonmail using the onion address they gave me.

Same thing.
As far as I could see.

It wasn't any different.
What's the advantage of an onion address in this situation?
--
J. B. Wood e-mail: arl_123234@hotmail.com

On 9/29/2021 12:55 AM, J.B. Wood wrote:
> I have never used an onion address.
>
> I was logging into protonmail and it said on top that it was pushing an
> onion address which it said was available for logging in.
> But I already have a normal address to log in, don't I?
> https://mail.protonmail.com
>
> And I'm already using a tor browser to log in.
> So what's the advantage of an onion address to do the exact same thing?
>
> Before I ask here I tried it by starting up a new Tor browser session and
> logging into protonmail using the onion address they gave me.
>
> Same thing.
> As far as I could see.
>
> It wasn't any different.
> What's the advantage of an onion address in this situation?

If I understand it correctly this answers your question.

What are Onion Services?
Onion services are services that can only be accessed over Tor. Running
an onion service gives your users all the security of HTTPS with the
added privacy benefits of Tor Browser.

https://community.torproject.org/onion-services/

This is interesting.

How Do Onion Services Work?
https://community.torproject.org/onion-services/overview/

On 9/29/2021 8:29 AM, Mike S wrote:
> Onion services are services that can only be accessed over Tor. Running
> an onion service gives your users all the security of HTTPS with the
> added privacy benefits of Tor Browser.

But my question is related to the realization I already had all of that.

Without the onion URI.

What did the onion URI gain me if that's all it does (which is nothing)?
--
J. B. Wood e-mail: arl_123234@hotmail.com

"J.B. Wood" <arl_123234@hotmail.com> wrote:

> I have never used an onion address.
>
> I was logging into protonmail and it said on top that it was pushing an
> onion address which it said was available for logging in.
>
> But I already have a normal address to log in, don't I?
> https://mail.protonmail.com
>
> And I'm already using a tor browser to log in.
> So what's the advantage of an onion address to do the exact same thing?
>
> Before I ask here I tried it by starting up a new Tor browser session and
> logging into protonmail using the onion address they gave me.
>
> Same thing.
> As far as I could see.
>
> It wasn't any different.
> What's the advantage of an onion address in this situation?

ProtonMail, under Swiss law, was forced by court order to comply with
divulging IP, usage, and other logged data to nab someone the court
didn't like (I forget the details, but an online search would find
them).

https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities/

This broke their promise that your use and content was secure from
anyone prying into who you are, where you are, and what you send or
receive. If PM operated in the USA, we would never know of this
penetration of security due to use of a National Security Letter which
legally mandates the operator cannot divulge any info regarding the NSL
action. The gov't could force PM to log all data (for a particular
account) even if they didn't before, and hand it over to the
authorities, and PM could never reveal getting an NSL letter, or what
they were forced to do, or release. PM is headquartered in Switzerland,
and must obey the laws there.

I suspect they added the Onion address to use with Tor to further
secrete identifying you. Tor will hide who and where you are; however,
some Tor nodes are operated by the FBI. After all, the US gov't, and
*anyone* can operate a Tor node. If a entry Tor node is coded to always
use a known set of exit Tor nodes, and the entry and exit Tor node
operators are the same or cooperate with each other, those operators
know where you came from and where you went. In fact, the entry Tor
node operator already knows who you are (since you connected to it) and
to where you want to connect (the destination in the packet). You're
hoping the Tor operator isn't the one watching you. Tor is not as
secure as many users would like to believe.

https://en.wikipedia.org/wiki/Tor_(network)#Weaknesses
https://www.addictivetips.com/vpn/vulnerable-using-tor/

but it does add another layer of some privacy. Some users will combine
Tor with a VPN, but again you are still relinquishing your privacy to a
3rd party and relying on their privacy claims. Any VPN that operates
within the USA is subject to an NSL. Some have dubious schemes where,
for example, the free accounts are used as parallized bandwidth nodes to
up the speed for paying customers. Some will fail testing, like
receiving IPv6 traffic, but converting to IPv4 traffic (i.e., they don't
handle IPv6) which can result in not reaching IPv6-only sites.

The whole HTTPS-VPN-Tor scheme is like putting more padlocks on a hasp
to add more security, but neglects a sawsall with a metal-cutting blade
can cut the hasp. You're hoping who operates the VPN and Tor nodes are
trustworthy, and your layering is more than someone else's effort to
undo all that.

"J.B. Wood" <arl_123234@hotmail.com> wrote:

> Mike S wrote:
>
>> Onion services are services that can only be accessed over Tor.
>> Running an onion service gives your users all the security of HTTPS
>> with the added privacy benefits of Tor Browser.
>
> But my question is related to the realization I already had all of
> that.
>
> Without the onion URI.
>
> What did the onion URI gain me if that's all it does (which is
> nothing)?

You have to learn about Tor and what are Onion addresses. See links in
my first reply, or go learn Tor and Onion networks through online
research.

I just logged into my PM account. There was no banner or other content
announcing availability of an Onion address to my account. Maybe that
feature is not available to free accounts.

What I did find were web pages at:

https://protonmail.com/tor
https://protonmail.com/support/knowledge-base/tor-setup/
https://protonmail.com/support/knowledge-base/firefox-onion-sites/

and their blog at:

https://protonmail.com/blog/tor-encrypted-email/

and a review article at:

https://techcrunch.com/2017/01/19/protonmail-adds-tor-onion-site-to-fight-risk-of-state-censorship/

In my first reply 10 minutes earlier, I noted how PM is still controlled
by Swiss law, and how PM was forced to divulge user information to the
authorities. Maybe that wouldn't have happened if the user used the Tor
access to PM's Onion access method assuming the authorities didn't also
invade the Tor network with their own monitoring entry Tor nodes.

On 9/29/2021 1:34 PM, VanguardLH wrote:
> Maybe that wouldn't have happened if the user used the Tor
> access to PM's Onion access method assuming the authorities didn't also
> invade the Tor network with their own monitoring entry Tor nodes.

Please look at this sentence: "I will continue to use public WiFi and the
TOR .onion connection to Proton to prevent an adversary from watching TOR
entrance/exit nodes."

Do you know what a "proton" is in that context?
"I suggest a simple code sent through Proton: email me the number of
packages you want at the next drop."

That's from a spy, who used what he called "Proton" to establish
communications with what he assumed was an agent of an unnamed country (in
actuality, an FBI agent).
[https://www.dailymail.co.uk/news/article-10078359/U-S-Navy-engineer-wife-charged-selling-submarine-secrets-smuggling-sandwich.html]

He keeps talking about a "Proton" as in: "My new Proton is actually an old
one I established quietly with a cash only burner phone while on vacation
several years ago. My original contact plan was to give the login details to
you, but I abandoned it as needlessly complicated. So it has been unused
ever since for any purpose except to sign up for a few innocent, randomly
chosen mailing lists to generate regular uninteresting traffic."

Obviously, if this is proton mail (further information in that news report
indicates it was) then they are using the onion for a reason that seemed
good to them.

But what?
What did the .onion address to proton mail gain this spy?
--
J. B. Wood e-mail: arl_123234@hotmail.com