Bitcoin and Protonmail, the calling cards of the cryptoshit techbro

@sir What’s a good alternative to ProtonMail? Multi-device, zero configuration end-to-end encryption that my mother could use? (Legitimately curious, not trolling)

@jish there is no such service, not even Protonmail qualifies for that

@sir I wasn’t making a fanciful feature request list. Those are the features that ProtonMail currently has. And I believe that’s why people use it. 🤔 Easy encryption.

@jish Protonmail is gaslighting you. They don't have end to end encryption. They can read all of your emails.

@sir oh, do you think they keep copies of the keys around? Do you have a source? (Again, legitimately curious, not trolling)

@jish @sir Easy way to verify this:
Send your mother an email from your ProtonMail account to her GMail account.
Can she read it?
If the answer is yes, the message was not end-to-end encrypted! It may have been encrypted in transit, which basically does nothing to really help anything (and which GMail does as well).

@kick @jish @sir lol, but what if they encrypted the emails you received with your public key, so only you could read them? I think that's how it works, but I'm not sure.

@ewaf @jish @sir Encrypting at-rest when receiving is pointless (because they can, in fact, read the mail). What they claim to do can not be automated over electronic mail as they advertise it.
In fact, they even flat out admit that their marketing copy is inaccurate, here (though they still claim that it's partially accurate):
https://protonmail.com/support/knowledge-base/what-is-encrypted/
Lies in the business they're in kill people, and if they can't be trusted on that, you shouldn't trust them on any claims they make, whatsoever.

@kick @jish @sir If I think about it, real e2ee is possible. You could for example generate yourself a keypair and then use the hash of the public key to receive emails (just like onion services do it), so if someone wanted to send you an email, they would have to get your public key from some database, then encrypt the content and send it to you. But maybe that's a bit too complicated and not very user friendly, so you could just use GPG.

@ewaf @jish @sir Real end to end encryption of mail is possible (literally the entire point of GPG), but it's not possible to automate. Look on keyservers and you'll find at least a dozen fake keys for Richard Stallman, for example.

@kick @jish @sir It is. Just use your public key as your local part (yeah, I just googled that.)

@jish protonmail does the encryption, not the sender, on their mail server. This is not end to end encryption. They could secretly store a copy of the plaintext and you'd never know.

@sir @jish that is not what they claim, and with my basic understanding of the web client, it seems that the browser does that in js.

Did you manage to test it and confirm that the client is sending info unencrypted to proton mail servers?

@cfenollosa @jish this is simply how email works. Hello, email expert here. They encrypt it on arrival, allegedly, but they don't have to and you would never know. They encrypt it at rest and decrypt it in your browser but they could also be storing a plaintext version that you don't know about.

@sir @cfenollosa @jish Isn't that true only for unencrypted emails you send or receive? My understanding was anything to other ProtonMail users or users for whom you have PGP/GPG keys is end to end encrypted, but sending or receiving unencrypted emails only gets encrypted by them for data at rest purposes.

@allie @cfenollosa @jish but this is also true for literally all other email providers.

@sir @allie @jish protonmail claim that “All emails are secured automatically with end-to-end encryption. This means even we cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties.”

Are you saying that this isn’t true? That they only use gpg for specific mails but they store plaintext emails in their servers?

@cfenollosa @allie @jish correct, this is not true. This statement is a lie, used to gaslight users into thinking that Protonmail provides privacy guarantees that it does not. They claim that they don't store plaintext mails, but they have no cryptographic guarantee that they are not storing plaintext emails. Privacy is built on math, not trust.

@sir @allie @jish

Thanks for the explanation.

At first sight it seems that they indeed do in browser encryption, in fact, they don't support standard IMAP as apparently the mbox is encrypted.

What kind of audit did you do and how did you discover that they're lying and they're not using e2e? That is a serious statement, I was considering switching to Protonmail but now I guess I have to do more research.

@cfenollosa @allie @jish I don't have to audit someone who says 2+2=5 to tell you that they're wrong

@cfenollosa @allie @jish to explain further:

1. I write a plaintext email to you@protonmail.com

2. My mail server connects to mail.protonmail.ch and writes the plaintext email to it

3. mail.protonmail.ch now has the plaintext email

Q.E.D.
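A check that makes the three steps above concrete, added here and not written by anyone in the thread: when a message is parsed on arrival, the only encryption the receiving server could not undo is what the sender applied before sending (RFC 3156 PGP/MIME or an inline armored PGP body); anything else was plaintext at step 3, whatever the provider encrypts afterwards. The sample messages are constructed, and the armored block is a placeholder, not a real ciphertext.

```python
import email
from email import policy

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"


def encryption_origin(raw: bytes) -> str:
    """Classify what the receiving server could read when this message arrived."""
    # STARTTLS between servers leaves no trace in the message itself, so only
    # content the sender encrypted (RFC 3156 PGP/MIME or inline PGP) counts.
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/encrypted":
        parts = list(msg.iter_parts())
        if (msg.get_param("protocol") == "application/pgp-encrypted"
                and len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and parts[1].get_content_type() == "application/octet-stream"):
            return "pgp/mime"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().lstrip().startswith(ARMOR_BEGIN):
        return "inline-pgp"
    return "server-readable"  # arrived as plaintext; any at-rest encryption came later


# Constructed sample messages (not real mail); the armored block is a placeholder.
PLAINTEXT_MAIL = b"""From: alice@example.org
Content-Type: text/plain; charset=utf-8

Meet at noon.
"""

PGP_MIME_MAIL = b"""From: alice@example.org
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDER-CIPHERTEXT
-----END PGP MESSAGE-----

--b1--
"""
```

Run `encryption_origin()` over a mailbox export and anything classified "server-readable" is mail the provider had in the clear on delivery, regardless of what its marketing says about storage.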

@sir @allie @cfenollosa @jish Their marketing copy is full of dissonance, as you can see on that page itself ("Everything is encrypted!" "We...don't actually encrypt 99% of mail on the internet.").

@sir @allie @jish now I get it! Thanks a lot for your patience in your explanations 😃

@cfenollosa @sir @allie @jish
>how did you discover that they're lying and they're not using e2e?

Just send an email to a non-protonmail address from a protonmail account, it will be in cleartext.
So at best they are using e2e between protonmail accounts and encrypted mailboxes.
At worst (which is what you expect when doing security): you're vendor-locked by cryptography for accessing your mailbox and you need to pay for access without a browser. Kinda sounds too much like ransomware to me.

@sir @cfenollosa @jish Yeah, I do think they explain it in other documentation, but you're right that the marketing on the front few pages is disingenuous.

@sir @jish Protonmail encrypts within the browser JavaScript engine, or via their IMAP bridge, when you send mail.

No email service will ever be secure when RECEIVING email unless the sender uses something like PGP first.

@jish @sir It's not whether or not they keep the keys. The issue is that they *can* keep the keys if they choose to. I use proton mail because until I get a home server set up the alternative is either A) use cloud hosting or B) use something like gmail.

@jish @sir Worth mentioning while we're on the discussion of good/bad secure services. https://www.tarsnap.com/

@petit @jish @sir I wish I could like tarsnap but it not being FOSS just rubs me the wrong way.

I understand there's a practical concern of modified client code causing issues, but there are better solutions to that, but I just don't like it

@sir @jish Weird, Migadu recommends ProtonMail. "If you are engaged in activities of dubious legality, espionage or simply are timid of Uncle Sam, please consider our neighbours ProtonMail."

@jish @sir Signal

Seriously, don’t use Signal, though.

@jish @sir Configurationless end-to-end encryption doesn't really make sense under the electronic mail paradigm, and would only work to make people who are unaware how it works really start to actively dislike encryption.

@jish @sir Mailfence supports what you ask, and their pricing is good too.
