non protonmail http connection attempts about electronmail HOT 26 CLOSED

offtopic: what firewall are you using?

It is Outpost Firewall. It is unfortunately dead, but still best if you on Win7 as me :)
More details here for example:
https://trackerninja.codeberg.page/post/agnitum-outpost-firewall-pro-advanced-protection-for-windows-7/

from electronmail.

Should be possible, but complicates the UX (explicit to user dictionaries downloading step vs in-background bootstrapping) and implementation/maintenance as each new app release will need to, depending on the feature state enabling, re-download all dictionaries in background from @electron release page since it might include some updates (they serve it as a single archive, so all locales at once). So I'd prefer to avoid this path.

from electronmail.

i used a different firewall which performed better DNS lookup. It turns out that these unencrypted connections are related indeed to certificates:

• electronmail connects (same as brave browser) to apps.identrust.com [port 80]
  = a1952.dscq.akamai.net = apps.identrust.com
  = 104.76.220.147 or 104.76.220.136
  =eg. a104-76-220-136.deploy.static.akamaitechnologies.com
  • identrust - this is a commercial public certificate authority
    REF: https://www.identrust.com/ca-certificate-compatibility - certificates can be retrieved on software (Browser based)
    The root certificates can be found on https://www.identrust.com/support/downloads (eg. http://apps.identrust.com/roots/IGC_Resiged_Human_Cert_Root_Chain.p7b, http://apps.identrust.com/roots/igcdeviceca2fullchain.p7b)

from electronmail.

Going to investigate what are the blocked requests, app itself interacts with https://mail.protonmail.com only, you can see that looking into the code. Most likely blocked requests are update check requests produced by electron-updater module, such requests are happening on app start and then every 30 minutes.

from electronmail.

Yes its on app start and then after some time period.
I've tried to look on DNS requests on program start and it wants to resolve those
github.com
mail.protonmail.com
ctldl.windowsupdate.com
ocsp.quovadisglobal.com
crl.quovadisglobal.com
ev.ocsp.quovadisglobal.com

So looks like mostly some certificate download requests, but why exactly?

from electronmail.

Can you try this version https://www.dropbox.com/s/fquubq186t9ldqn/protonmail-desktop-app-0.4.0-windows-nsis-installer.exe?dl=0? Having installed it, go to the "general" settings and disable Check for updates and notify on app start option there.

from electronmail.

Github connection on port 443 is gone with version 0.4.0 and disabled check for updates, but the rest attempts to port 80 for these is still there and still not sure why exactly
ctldl.windowsupdate.com
ocsp.quovadisglobal.com
crl.quovadisglobal.com
ev.ocsp.quovadisglobal.com

from electronmail.

still not sure why exactly

Have no idea so far about remaining requests, on Win 10 it's not reproducible (tried using Fiddler sniffer).

from electronmail.

Can you try to monitor the network activity using Fiddler or any other network sniffer having your firewall enabled and then disabled, to make sure that it's not a firewall somehow causes the issue, as there is no such side requests on clean Win 10 based on the Fiddler report. I'm not sure I will be able to play around this on Win 7 in the near future.

from electronmail.

I did just quick check for DNS request using DNS Query Sniffer and its still there firewall enabled or disabled. But ocsp parts are also in browser and looks like its this https://support.quovadisglobal.com/kb/a415/what-is-ocsp-stapling.aspx
Also protonmail cert is verified by this company. So should be probably ok.

from electronmail.

Ok closing then. The good part is that we got a new feature "disabling update check" because of this issue 😄

from electronmail.

on last update, i can see attempts to connect on port 80 as well, but doesn't look like ocsp. any idea what these could be?
a2-16-172-11.deploy.static.akamaitechnologies.com
a92-123-189-138.deploy.static.akamaitechnologies.com

from electronmail.

@fusionneur no idea. I'd recommend enabling Block non "API entry point"-based network requests to all email accounts. A red alert message will be displayed each time when the request gets blocked by the app. So might be annoying feature.

from electronmail.

on last update, i can see attempts to connect on port 80 as well

Try disabling the update check feature in the app's general settings block and restart the app then.

from electronmail.

i already have both already: "block non api entry point... " enabled, and updates disabled

from electronmail.

"block non api entry point... "

This only works for the webview the proton web clients loaded in, as enabled per account. But outer @electron itself might technically connect somewhere too. One option if such connection is downloading dictionaries for spellchecking feature, but this is a one time action per enabled language.

from electronmail.

putting my 2 cents here... i blocked port 80 on firewall since 1 march and seen no impact on the functionality. the requests are daily several times, each time with several attempts spamming my firewall's log.

could it be possible to add toggles to disable dictionaries/spellchecking periodic download?

from electronmail.

@fusionneur electron/electron#22995

from electronmail.

Consider disabling "update check" and "spellcheck" features in the app. Restart it and see if it helps.

from electronmail.

I already had "check spelling" and "check for update and notify" options disabled under settings>general.
are these the features you are referring to ?

from electronmail.

@fusionneur, those features, yes. I don't know what else to recommend, and would be interested to see if you are able to track down what triggers the unnecessary connection. I'm not sure that "check spelling" disabling works as expected, see electron/electron#22995.

PS Maybe try running the app for a while without the proton accounts added (no need to remove the accounts, disabling by toggle should be enough, so webview doesn't get created/loaded), so we know if it linked to the proton's web clients.

from electronmail.

• on android official proton mail app, there are no requests on port 80 only towards mail-api.proton.me and api.protonmail.ch, both on 443 (using netguard to monitor connections)
• on web browser, proton.me connects to its subdomains account.proton.me and mail.proton.me, both on HTTPS (using uMatrix extension to monitor connections)
• on windows, electronmail.exe tries to connect on port 80 on akamai's CND dynamic IPs (using simplewall to monitor and block connections).

One interesting thing is that on ElectronMail I have enabled 'Login delay range (seconds)' feature set on 10-30 seconds for each of my accounts. There is no connection attempt on port 80, until the first account actually connects to proton API and gets logged in.

I followed your idea, and disabled the accounts and after starting electronMail I did not see any connection attempt on port 80.
Enabling the accounts one by one, triggered 2 connections attempts for each account after being logged in (reproduceable each time):
a2-18-79-133.deploy.static.akamaitechnologies.com
a2-18-79-144.deploy.static.akamaitechnologies.com

Found 2 more opened issues that might be related:
electron/electron#32314
electron/electron#27403

Maybe the current electron check spelling flag only does the checking but it's not related to the actual download of the language packages. The download might be triggered upon electron handling text data such as after logging into proton mail, but most probably the request is not triggered by Proton API itself since on Android and on web browser there are no port 80 connections.

from electronmail.

I can confirm the connections attempts outside of Protonmail are there. I have enabled only Proton IPs and here is screenshot from my firewall log from last ~24 hours.

from electronmail.

offtopic: what firewall are you using?

from electronmail.

The option is to bundle the dictionaries into the app build (~32MB in archive, comes with each @electron release) and then serving it via the custom protocol from the app itself by using session.setSpellCheckerDictionaryDownloadURL.
Some points to consider:

• I didn't try this approach yet and so not sure if custom protocol will be usable for this case.
• It significantly increases app package size.

from electronmail.

could it be separated as an individual and optional language pack installer on top of electronMail?
..or add the possibility to download them from github (if possible to store the dictionaries here) on main installer or even post install

from electronmail.