You're right, if ProtonMail alters JavaScript in the webclient, they could intercept your password and decrypt the contents of your email. However, with that logic no service is safe. Hence, ProtonMail state that if you're the next Snowden, you shouldn't be using ProtonMail. Frankly, if you are that concerned you shouldn't use email. ProtonMail is recommended because they fit our criteria.
Disclosure: I'm also a team member.
@freddy "However, with that logic no service is safe."
Imagine being so deep in webshit that you forget that anything other than web browsers exist
Except that you do recommend legitimate mail clients, only for Protonmail you have to pay extra for the privilege of privacy and freedom
Frankly, your criteria fucking sucks
@freddy your "criteria" is designed to keep ProtonMail on the list because you buy into their marketing and aren't a good privacy roleplayer if they aren't there
> @dngray @freddy encryption at rest is no substitute for end to end encryption and you had damn well better explain that to users
You're right and it was never advertised as such hence why it is under the "Data Security" heading and not the "Email Encryption" one.
The "Data Security" section specifically talks about *at rest*, i.e. after the email has been received.
@freddy @sir
> if ProtonMail alters JavaScript in the webclient, they could intercept your password and decrypt the contents of your email.
But with clients or those IMAP proxies you can't. Or at least, the changes might be visible. So it can be safer. Why not promote them more?
Also, eh, it would be nice if there was a federated system where people can just use the service and encryption is the default. Keeping it as a selling point for ProtonMail is less than ideal?
@sir
For those looking, here is where ProtonMail made their statement:
https://protonmail.com/blog/protonmail-threat-model/
And here is a link to a video that covers the JavaScript claims.
https://yewtu.be/watch?v=AhdJzjC7Leo