Proton is such a hassle and implements security in a completely illogical manner. I honestly can’t believe that people are content with such mediocrity.
it’s been just fine for me for years.
I’d be down to hear you out but you gotta first provide proof/evidence backing up that claim
Can you give an example? This is the first criticism of Proton I’ve heard
Removed by mod
You are right that Proton is currently self-funded by its paying customers, but to be accurate, they have actually taken VC money before.
Removed by mod
They answer to government orders quite frequently, so stop pretending that they are above the law first of all… all it takes is one change to their served JS mail client and voila now they have your private key too which is already saved server-side. God, some people want to be had.
Removed by mod
Go ahead but I’m sure I can explain in much more technical depth than you… there is a reason I’m guessing you can’t even figure out how to use GnuPG so you just rely on some hosted solution to claim they are keeping you safe.
You use Chromium, don’t act elitist
Lol he does ? And is bitching about proton being unsafe oh the irony is killing me .
So you think GrapheneOS is insecure? It uses Chromium for their browser engine, which was picked because it provided more security than Firefox.
Find me a company that’s going to deny a court order for $5 a month.
Proton promises privacy and security. Not collusion in whatever illegal shit you’re doing.
TIL that being privacy conscious and security aware means your involved in collusion and illegal shit. Maybe you should tell that to Proton VPN users who primarily use their service to seed copyrighted torrents in countries where it is illegal. Oh, but you don’t care about them… just some rando who hurt your fee fees for being honest.
BTW I never said they should deny court orders. I was responding to someone who claimed that they answer no one except their customers. I claimed that even if they answer a court order, then hijacking your account and private key shouldn’t be as simple as serving modified JS to their users.
The fuck you smoking
Yeah well, they’re still bad. I remember the days they used to store the user’s private key on their servers for some reason: https://web.archive.org/web/20190718043517/https://protonmail.com/support/knowledge-base/how-is-the-private-key-stored/ and also: https://eprint.iacr.org/2018/1121.pdf
When using TOR or a VPN, they also force you to verify your account with SMS.
They’re not bad, you’re just misinformed at a fundamental level.
Proton Mail is like Bitwarden, it encrypts data client side and stores the encrypted blob server side, which is exactly what they’re doing with your private key. Otherwise, you’d have to carry it around on a USB or do some other voodoo to be able to read your emails.
That paper is god awful bad. They’re basically saying things like “it can’t be secure because they rely on the client code to be delivered by TLS and you could have a MITM that results in different client code being sent!” and "proton allows you to set passwords that are weak, thereby not looking out for your best interest!
Their conclusion can be summarized as “Proton can’t provide a secure web mail application, because nobody can.” Their suggested remedy is also actually a thing now because there is a Proton Mail desktop application.
The whole thing is pretty ridiculous in any case because someone would have to have control over your DNS server, you’d have to go to a phishing instance of proton instead of the real one, you’d be logged out because the cookies wouldn’t be decryptable by their server, so you’d then finally have to login handing over your password.
If you use Proton VPN (or some other trustworthy DNS) that situation can happen. For most people it’s an extremely unlikely situation. It’s not a Proton problem though, it’s a web technology problem.
For most people this situation will never happen (but it would be nice if someone would solve the problem).
When using TOR or a VPN, they also force you to verify your account with SMS.
People are going to abuse services that allow anonymous signups… Proton does not claim to be an anonymous email service, merely a private email service.
You mean that they store your private key “encrypted” and that it is encrypted by using served JS to the user? Do you know how many users would actually be technically capable of detecting an obfuscated modified JS that they randomly send should they become a target?
What are some better options?
Have you considered self hosting?
/s
After reading the adventures of https://io.mwl.io/@mwl trying to roll his own mail server, I’ll probably avoid that option.
What did you read? Can you share a link?
His #ryoms hashtag on Mastdon covers it. He plans to publish a whole book about it at some point.
Thanks!
Utilizing a good mail client with GnuPG/PGP support.
