• Dark ArcA
    link
    fedilink
    English
    arrow-up
    3
    ·
    8 months ago

    They’re not bad, you’re just misinformed at a fundamental level.

    Proton Mail is like Bitwarden, it encrypts data client side and stores the encrypted blob server side, which is exactly what they’re doing with your private key. Otherwise, you’d have to carry it around on a USB or do some other voodoo to be able to read your emails.

    That paper is god awful bad. They’re basically saying things like “it can’t be secure because they rely on the client code to be delivered by TLS and you could have a MITM that results in different client code being sent!” and "proton allows you to set passwords that are weak, thereby not looking out for your best interest!

    Their conclusion can be summarized as “Proton can’t provide a secure web mail application, because nobody can.” Their suggested remedy is also actually a thing now because there is a Proton Mail desktop application.

    The whole thing is pretty ridiculous in any case because someone would have to have control over your DNS server, you’d have to go to a phishing instance of proton instead of the real one, you’d be logged out because the cookies wouldn’t be decryptable by their server, so you’d then finally have to login handing over your password.

    If you use Proton VPN (or some other trustworthy DNS) that situation can happen. For most people it’s an extremely unlikely situation. It’s not a Proton problem though, it’s a web technology problem.

    For most people this situation will never happen (but it would be nice if someone would solve the problem).

    When using TOR or a VPN, they also force you to verify your account with SMS.

    People are going to abuse services that allow anonymous signups… Proton does not claim to be an anonymous email service, merely a private email service.