#Protonmail is not a #privacy silver bullet.
https://tilde.town/~kzimmermann/articles/protonmail_is_not_silver_bullet.html
Nobody should be surprised when such services share data with law enforcement. After all, they must comply with the jurisdiction they operate in if they want to stay in business. So why do so many people still think they can outsource their #encryption and never think about it again?
Post 25 in my #100DaysToOffload challenge
@dianoetic @kzimmermann #Protonmail has the same vulnerability to subpoena power that #Hushmail has: the server can push malicious javascript that grabs whatever the server admin wants, including but not limited to the private key. There is a defense that's possibly in reach for normies-- running #ElectronMail over Tor, which uses static (potentially reviewed) javascript that's anonymously downloadable.
@kzimmermann @dianoetic We could really use a #Hydroxide for #Tutanota.
@kzimmermann which is the #1 reason to never ever read mail (or anything else that's potentially sensitive) through a web interface. @resist1984 @dianoetic
@kzimmermann @dianoetic And for expert users there is #Hydroxide which is leaner & also benefits from static js (as #Electronmail does)... right up until #Protonmail pushes a CAPTCHA, at which point Hydroxide falls over & (bloated) #Electronmail becomes essential. The use case for hydroxide is that sometimes experts need to talk to normies & doing a key exchange is enough to alienate normies.
@dianoetic @kzimmermann #Hushmail solved the key exchange problem... it's a shame #Protonmail is a regression in that regard, so novice users are tasked with handling pubkeys of their expert correspondents.
@resist1984
> the server can push malicious javascript that grabs whatever the server admin wants, including but not limited to the private key
IIRC that's how #tutanota backdoored its subpoenaed user in 2020.
@dianoetic