deleted by author \ stacker news ~privacy

2073 sats \ 22 comments \ @Eobard 30 Dec 2023 privacy

deleted by author

661 sats \ 11 replies \ @ek 31 Dec 2023

I don't trust them.

Proton Mail only uses E2EE when you send mails between Proton users.

If you send mails to other mail providers, they simply allow you to encrypt your mail with a password:

Emails sent between Proton Mail users are automatically end-to-end encrypted.

If you want to send a secure, end-to-end encrypted email to someone who isn’t on Proton Mail, the easiest way is to use a Password-protected Email. You can also use PGP encryption if the person you’re writing to uses it.

If you use that, they literally mention that you have to send the password on another channel that is actually secure.

When you’re ready, click Send. Your intended recipient will need the password to read the message, so share it with them. Make sure you use another secure communication channel, like Signal, or just tell them in person.

So they basically admit that SMTP does not support E2EE.

So I would say in most cases, Proton Mail is useless when it comes to E2EE. If you rely on someone using the same mail provider as you, then you're not really using SMTP. You could just use any other centralized service. They probably don't even have to send a real SMTP message.

So I think they are mostly LARPing about privacy and security. To me, SMTP is unfixable when it comes to privacy. It's way too easy to leak a whole conversation on accident. One person not encrypting their reply is enough since usually, mails have the whole conversation attached. Boom, there go all your efforts to keep your mails secret, lol. Afaik, every mail server between you and the destination can now read the whole conversation.

At least they mention this problem at the end:

Note that, due to technical constraints with end-to-end encryption, if you respond to a message sent by the recipient of a Password-protected Email, your response is not end-to-end encrypted by default. The entire message history will be sent unencrypted to the recipient if you don’t password-protect your email again.

Source: https://proton.me/support/password-protected-emails

Btw, Mental Outlaw has a good video about them:

96 sats \ 3 replies \ @sudonaka 31 Dec 2023

Mental outlaw is a complete larp bro proton is fine for a google replacement.

If you are saying it should be secure enough to do full dark web activities with- well obviously fucking not. It’s a centralized service

21 sats \ 2 replies \ @Eobard OP 31 Dec 2023

deleted by author

0 sats \ 1 reply \ @cyberpunk02 3 Jan

yeah most people just need to get off google, apple and microsoft

0 sats \ 0 replies \ @ek 3 Jan

if it's just a replacement, is it really better?

60 sats \ 0 replies \ @ek 31 Dec 2023

Found even more admitting how what they are claiming to be isn't the case the moment you send a mail to someone outside of Proton:

TLS is the security mechanism used in the HTTPS communication protocol that prevents hackers and your ISP from seeing what information you submit to websites (like your credit card number or address) and is responsible for encrypting most of the internet, including your connection to our blog right now. However, TLS is only implemented between endpoints of an HTTP channel. For example, as you’re reading our blog, HTTPS is using TLS to encrypt your connection between your device and our server.

This works fine if you are connecting to a website, but it’s insufficient if you’re sending an email. When you use a standard email provider, such as Gmailor Hotmail, all traffic toward it, including emails sent to you, will be protected in transit by TLS. The same is true in reverse; Emails you send from a standard email provider are also encrypted using TLS and sent to your recipient’s email provider . However, all TLS-protected traffic is decrypted once it arrives at these companies’ servers, including your emails. Most companies will then re-encrypt your messages while they are stored on their servers – using keys they control. This means that the company can decrypt and access the content of your messages at any time.

Services that use end-to-end encryption eliminate this possibility because the service provider does not actually possess the private key required for decryption. With Proton Mail or any other E2EE service, your private key is only available on your device, making E2EE much more secure and private.

Source: https://proton.me/blog/what-is-end-to-end-encryption#e2ee-vs-tls

5 sats \ 5 replies \ @Eobard OP 31 Dec 2023

deleted by author

0 sats \ 0 replies \ @xz 31 Dec 2023

Thanks for posting this. My signing-up would hinge on this.

0 sats \ 3 replies \ @Eobard OP 31 Dec 2023

deleted by author

10 sats \ 0 replies \ @xz 31 Dec 2023

btw, I get the same results.

10 sats \ 1 reply \ @fishyness 31 Dec 2023

deleted by author

0 sats \ 0 replies \ @Eobard OP 31 Dec 2023

deleted by author

67 sats \ 0 replies \ @034b483ee7 31 Dec 2023

I had a paid Proton account for six plus years and then out of the blue my account was suspended. Their support totally sucks and I never did get a good answer as to why the account was suspended. It took about a week of emailing from a different account to unsuspected the account.

I'm no longer a paying customer for Proton and moving to tuta.com as my email provider.

110 sats \ 4 replies \ @xz 31 Dec 2023

My take is, like with many things, they start out with the best of intentions and then get told they have to divulge customer private information because x y z.

I doubt that means it's totally without merit. If I forget about the negligible benefit (intra-protonmail messaging) it's actually not very private, but quite secure and reliable email service.

Then you got to ask, is that worth paying for. I suppose that's why there's a free tier. Advantages are negligible, unless you despise other cloud services (more.)

50 sats \ 3 replies \ @Eobard OP 31 Dec 2023

deleted by author

10 sats \ 2 replies \ @xz 31 Dec 2023

Yep. I agree on all points.

Where's Darthcoin to tell me to get on it and run my own server and it's not that hard?

0 sats \ 1 reply \ @Eobard OP 31 Dec 2023

deleted by author

0 sats \ 0 replies \ @xz 31 Dec 2023

Yeah, sure, It's quite useful. But I just meant as in running your own SMTP email server. I see nextcloud handles IMAP/POP3 but then you'd still need a server?

40 sats \ 0 replies \ @BountifulB 2 Jan

I trust them more than trying to surf in the clearnet, remember my passwords and back up my data on a thumb drive that is constantly running out of space

Their Proton Pass email aliasing is easy and almost worth the price of admission for me.

50 sats \ 1 reply \ @WeAreAllSatoshi 31 Dec 2023

I suppose it depends on what you’re asking for? Like, do you trust it for what, exactly? I guess privacy, since that’s where you asked?

0 sats \ 0 replies \ @Eobard OP 31 Dec 2023

deleted by author

10 sats \ 0 replies \ @Entrep 31 Dec 2023

I use it but I trust it as far as I can throw it