Oddbean

"your private key in their web app, that's cloud to cloud" Not necessarily true. The fact it's a web app doesn't mean private key leaves your device. Code is open source for you to see. You don't trust they run that? You can always inspect what happens client-side. I'm not saying I did. I say strong claims need strong evidences.

First of all, Protonmail is creating their private key on their end and then giving it to you. And the purpose of this encryption is to protect you from them. So that’s a conflict of interest. And what does end-to-end encryption even mean if it’s not on your device? You can audit the code served in the browser yeah (which can change at every page refresh), but you have no real way to audit their cloud backend or database to know if they even use this key in the ways they claim. Proton’s mobile app is far better than a web browser, but if they are so secure, then what are they handing over to the 3000 government data inquiries a year that’s growing?

If you're looking for a fancy academic whitepaper, here is one example: An Analysis of the ProtonMail Cryptographic Architecture Nadim Kobeissi September 6, 2021 https://eprint.iacr.org/2018/1121.pdf and the part me & you are talking about is: Pg 7 of 14. Section 4.1.1 If you're looking for me to say it to you in raw shit, here it is: When you use Nostr you have the private key on your device, browser extension or client. When you use Protonmail, their web app is unlocking/signing/or generating for you the private key stored via encryption on their server. So there are many ways they can screw with you. Including SOME: a) serving you bogus code to phish the password b) telling you the other proton guy's public PGP key is something else c) brute forcing you, they have unlimited attempts with no time lock. And your password is weaker than a PGP Key. d) messing with you during registration to begin with

Thank you. The paper focuses on the fact that when using webmail the Proton server could serve you a malicious client-side code and steal or misuse your key. But all web apps have that problem. Since Proton has implemented their "one-password" login, the PGP key is on the server, encrypted using your password salted+hashed. That means Proton could try to bruteforce it. But it also means man in the middle attacks are avoided. I would call them tradeoffs, but I wouldn't say their implementation is fundamentally flawed or insecure.

Yes, all web apps have the problem, and so it's not end-to-end. No, It does NOT avoid middle attacks, since they can serve you phising info. Also there's some analysis of proton of your password at account creation to make sure you're not a bot. So if you have 90 random characters, its more likely to reject you as a spam bot, and not let you make an account. But if you have basic WORDS that aren't random like "carrot" it will. This means they are seeing the password, connected to the backend spam filter. That's not private at all. And the source on this is me. We may release an official paper on it, but for now I'm just making the statement. It's your subjective opinion if the trade off is good, but it's far less secure than self-hosting. And a self-host VPS costs the same as a Proton Pro subscription.