Bitcoin and Protonmail, the calling cards of the cryptoshit techbro

@sir What’s a good alternative to ProtonMail? Multi-device, zero configuration end-to-end encryption that my mother could use? (Legitimately curious, not trolling)

@jish there is no such service, not even Protonmail qualifies for that

@sir I wasn’t making a fanciful feature request list. Those are the features that ProtonMail currently has. And I believe that’s why people use it. 🤔 Easy encryption.

@jish Protonmail is gaslighting you. They don't have end to end encryption. They can read all of your emails.

@sir oh, do you think they keep copies of the keys around? Do you have a source? (Again, legitimately curious, not trolling)

@jish protonmail does the encryption, not the sender, on their mail server. This is not end to end encryption. They could secretly store a copy of the plaintext and you'd never know.

@sir @jish that is not what they claim, and with my basic understanding of the web client, it seems that the browser does that in js.

Did you manage to test it and confirm that the client is sending info unencrypted to proton mail servers?

@cfenollosa @jish this is simply how email works. Hello, email expert here. They encrypt it on arrival, allegedly, but they don't have to and you would never know. They encrypt it at rest and decrypt it in your browser but they could also be storing a plaintext version that you don't know about.

@sir @cfenollosa @jish Isn't that true only for unencrypted emails you send or receive? My understanding was anything to other ProtonMail users or users for whom you have PGP/GPG keys is end to end encrypted, but sending or receiving unencrypted emails only gets encrypted by them for data at rest purposes.

@allie @cfenollosa @jish but this is also true for literally all other email providers.

@sir @allie @jish protonmail claim that “All emails are secured automatically with end-to-end encryption. This means even we cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties.”

Are you saying that this isn’t true? That they only use gpg for specific mails but they store plaintext emails in their servers?

@cfenollosa @allie @jish correct, this is not true. This statement is a lie, used to gaslight users into thinking that Protonmail provides privacy guarantees that it does not. They claim that they don't store plaintext mails, but they have no cryptographic guarantee that they are not storing plaintext emails. Privacy is built on math, not trust.

@sir @allie @jish

Thanks for the explanation.

At first sight it seems that they indeed do in browser encryption, in fact, they don't support standard IMAP as apparently the mbox is encrypted.

What kind of audit did you do and how did you discover that they're lying and they're not using e2e? That is a serious statement, I was considering switching to Protonmail but now I guess I have to do more research.

@cfenollosa @allie @jish I don't have to audit someone who says 2+2=5 to tell you that they're wrong


@cfenollosa @allie @jish to explain further:

1. I write a plaintext email to you@protonmail.com

2. My mail server connects to mail.protonmail.ch and writes the plaintext email to it

3. mail.protonmail.ch now has the plaintext email

Q.E.D.
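
The three delivery steps in the post above, run on localhost as an added example (not part of the thread or any participant's code): a minimal receiving server, standing in for mail.protonmail.ch, records exactly what an unencrypted SMTP delivery hands it before any at-rest encryption could run. The addresses, host names and message are constructed placeholders.

```python
import smtplib
import socketserver
import threading

# Constructed sample message; addresses and host names are placeholders.
MESSAGE = ("From: alice@sender.test\r\nTo: you@recipient.test\r\n"
           "Subject: lab results\r\n\r\nThe biopsy came back negative.\r\n")

class ReceivingMTA(socketserver.StreamRequestHandler):
    """Speaks just enough SMTP to accept one unencrypted delivery."""
    def handle(self):
        self.wfile.write(b"220 mx.recipient.test ESMTP\r\n")
        in_data, body = False, []
        for raw in self.rfile:
            line = raw.rstrip(b"\r\n")
            if in_data and line == b".":          # end of DATA section
                self.server.stored.append(b"\n".join(body))
                in_data, body = False, []
                self.wfile.write(b"250 OK queued\r\n")
            elif in_data:                          # undo SMTP dot-stuffing
                body.append(line[1:] if line.startswith(b".") else line)
            elif line[:4].upper() == b"DATA":
                in_data = True
                self.wfile.write(b"354 End data with <CR><LF>.<CR><LF>\r\n")
            elif line[:4].upper() == b"QUIT":
                self.wfile.write(b"221 Bye\r\n")
                break
            else:                                  # EHLO, MAIL FROM, RCPT TO
                self.server.envelope.append(line)
                self.wfile.write(b"250 OK\r\n")

def deliver(message):
    """Send `message` over SMTP and return what the receiving server holds."""
    with socketserver.TCPServer(("127.0.0.1", 0), ReceivingMTA) as server:
        server.stored, server.envelope = [], []
        worker = threading.Thread(target=server.handle_request)
        worker.start()
        host, port = server.server_address
        with smtplib.SMTP(host, port, local_hostname="mx.sender.test",
                          timeout=5) as client:
            client.sendmail("alice@sender.test", ["you@recipient.test"], message)
        worker.join(timeout=5)
        return server.envelope, server.stored[0]

if __name__ == "__main__":
    envelope, stored = deliver(MESSAGE)
    print(envelope)
    print(stored.decode())
```
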

@sir @allie @cfenollosa @jish Their marketing copy is full of dissonance, as you can see on that page itself ("Everything is encrypted!" "We...don't actually encrypt 99% of mail on the internet.").

@sir @allie @jish now I get it! Thanks a lot for your patience in your explanations 😃
