 First of all, Protonmail is creating their private key on their end and then giving it to you.  And the purpose of this encryption is to protect you from them.  So that’s a conflict of interest.  And what does end-to-end encryption even mean if it’s not on your device?

You can audit the code served in the browser yeah (which can change at every page refresh), but you have no real way to audit their cloud backend or database to know if they even use this key in the ways they claim.  Proton’s mobile app is far better than a web browser, but if they are so secure, then what are they handing over to the 3000 government data inquiries a year that’s growing? 
 "Protonmail is creating their private key on their end and then giving it to you."
Do you have a source for this?
 
 If you're looking for a fancy academic whitepaper, here is one example:

An Analysis of the ProtonMail Cryptographic Architecture
Nadim Kobeissi
September 6, 2021
https://eprint.iacr.org/2018/1121.pdf

and the part me & you are talking about is:
Pg 7 of 14.
Section 4.1.1

If you're looking for me to say it to you in raw shit, here it is:

When you use Nostr you have the private key on your device, browser extension or client.

When you use Protonmail, their web app is unlocking/signing/or generating for you the private key stored via encryption on their server.  So there are many ways they can screw with you.  Including SOME:

a) serving you bogus code to phish the password
b) telling you the other proton guy's public PGP key is something else
c) brute forcing you, they have unlimited attempts with no time lock.  And your password is weaker than a PGP Key.
d) messing with you during registration to begin with 
 Thank you. 

The paper focuses on the fact that when using webmail the Proton server could serve you a malicious client-side code and steal or misuse your key. But all web apps have that problem. 

Since Proton has implemented their "one-password" login, the PGP key is on the server, encrypted using your password salted+hashed. That means Proton could try to brute-force it. But it also means man-in-the-middle attacks are avoided.

I would call them tradeoffs, but I wouldn't say their implementation is fundamentally flawed or insecure.  
 Yes, all web apps have the problem, and so it's not end-to-end.
No, it does NOT avoid middle attacks, since they can serve you phishing info.  Also there's some analysis by Proton of your password at account creation to make sure you're not a bot.  So if you have 90 random characters, it's more likely to reject you as a spam bot, and not let you make an account.  But if you have basic WORDS that aren't random like "carrot" it will.  This means they are seeing the password, connected to the backend spam filter.  That's not private at all.  And the source on this is me.  We may release an official paper on it, but for now I'm just making the statement.

It's your subjective opinion if the trade-off is good, but it's far less secure than self-hosting.  And a self-host VPS costs the same as a Proton Pro subscription. 
 Many of the things you state are difficult to verify, therefore difficult to discuss.
I hope you'll be able to publish some of your own research. The privacy community would benefit a lot.
 
 well anyone can create an account on proton and see 
 Aye reverse trust scam 😲