Protonmail
@silmathoron @ashwinvis I believe the risk with #Hydroxide is that it requires you to login via Firefox. That means you must trust on-the-fly javascript from #Protonmail to not leak your password. It's not likely a mass surveillance threat but if you were targeted by Protonmail you would be defenseless against that b/c they could push malicious js to your IP upon connection. /cc @jasper
Protonmail
@resist1984 @ashwinvis @silmathoron hydroxide uses the protonmail API so in regular use it gets around the javascript issue.
Oh you mean this https://social.privacytools.io/@resist1984/106659512174713582 where an issue popped up about that...
And could add afaik hydroxide doesn't provide for dealing with payments or changing passwords..
Suppose there is still their own bridge...
Embarrassed to say i dunno what extent protonmail really receives/sends (un)encrypted stuff especially when going outside of protonmail..
Protonmail
@resist1984 @ashwinvis @silmathoron and there is the issue that they use Israeli services a bit.
At least one against DDOS attacks, and one that helps them (but they say causes no insecurity) with https certificates i think...
Feel a bit out of my depth, and not like researching this more.. Blep }:
Protonmail
@jasper @resist1984 @ashwinvis thanks for your answers I did not know hydroxide required an initial connection via the browser...
I used it for some time because the default protonmail bridge was not working well with git-sendemail but it tends to break when proton updates stuff, which seems to happen every now and then unfortunately :s
Protonmail
@silmathoron i can connect without it!
It's this bug regarding protonmail spam/ddos protection https://github.com/emersion/hydroxide/issues/179 (which i happen to not come across now)
Another is that you still need to login for other account stuff like payment? Seems like they could provide a workaround for this. (like a separate login)
Protonmail
@jasper @silmathoron indeed bug 179 explains the situation. To clarify & correct what I said, #Hydroxide does not officially depend on Firefox. If #Protonmail sends a #CAPTCHA then Hydroxide is dead in the water.. it just falls over with an error 9001. Developer "dvalter" created a hack whereby you can login using Firefox, harvest your session cookie, & pass the cookie to Hydroxide to use.
Protonmail
@silmathoron @jasper I wonder if #Hydroxide is the reason #Protonmail is pushing more #CAPTCHA puzzles. PM sees Hydroxide as a threat to their in-house non-gratis bridge. By pushing an #hCAPTCHA, it enables Protonmail to profit from the CAPTCHA solving.
Protonmail
@jasper @silmathoron My PM emails are trapped by a CAPTCHA & it's very unlikely that someone is attacking my acct. PM wants users to think they are protecting them but really they are just protecting the bottom line. The problem is, it compromises security because you can't trust the on-the-fly #javascript that comes from hCAPTCHA.
Protonmail
@jasper @ashwinvis @silmathoron It's safer to use #Electronmail because the javascript is static, potentially reviewed, and you can obtain it anonymously. So if Protonmail were to serve malicious js targeted to you, you would never execute it. But note that Electronmail is broken in #Debian #Bullseye.