 Thank you. 

The paper focuses on the fact that when using webmail the Proton server could serve you a malicious client-side code and steal or misuse your key. But all web apps have that problem. 

Since Proton has implemented their "one-password" login, the PGP key is on the server, encrypted using your password salted+hashed. That means Proton could try to brute-force it. But it also means man-in-the-middle attacks are avoided.

I would call them tradeoffs, but I wouldn't say their implementation is fundamentally flawed or insecure.  
 Yes, all web apps have the problem, and so it's not end-to-end.
No, it does NOT avoid middle attacks, since they can serve you phishing info. Also there's some analysis by Proton of your password at account creation to make sure you're not a bot. So if you have 90 random characters, it's more likely to reject you as a spam bot, and not let you make an account. But if you have basic WORDS that aren't random like "carrot" it will. This means they are seeing the password, connected to the backend spam filter. That's not private at all. And the source on this is me. We may release an official paper on it, but for now I'm just making the statement.

It's your subjective opinion if the trade-off is good, but it's far less secure than self-hosting. And a self-hosted VPS costs the same as a Proton Pro subscription.
 Many of the things you state are difficult to verify, therefore difficult to discuss.
I hope you'll be able to publish some of your own research. The privacy community would benefit a lot.
 
 Well, anyone can create an account on Proton and see.