Post 9oppCCiQvbIdLFn1d2 by jish@mastodon.technology
 (DIR) Post #9on0st1frX4RLgTTiC by sir@cmpwn.com
       2019-11-09T15:27:38Z
       
       2 likes, 1 repeats
       
       Bitcoin and Protonmail, the calling cards of the cryptoshit techbro
       
 (DIR) Post #9oppCCiQvbIdLFn1d2 by jish@mastodon.technology
       2019-11-10T22:27:52Z
       
       0 likes, 0 repeats
       
       @sir What’s a good alternative to ProtonMail? Multi-device, zero configuration end-to-end encryption that my mother could use? (Legitimately curious, not trolling)
       
 (DIR) Post #9oppCDm0zll6ceTOqm by sir@cmpwn.com
       2019-11-10T22:28:08Z
       
       0 likes, 0 repeats
       
       @jish there is no such service, not even Protonmail qualifies for that
       
 (DIR) Post #9oq5KYr65ycJaeqhwe by jish@mastodon.technology
       2019-11-11T03:01:25Z
       
       0 likes, 0 repeats
       
       @sir I wasn’t making a fanciful feature request list. Those are the features that ProtonMail currently has. And I believe that’s why people use it. 🤔 Easy encryption.
       
 (DIR) Post #9oq8w8F7munfv5h7Hk by sir@cmpwn.com
       2019-11-11T03:41:51Z
       
       0 likes, 0 repeats
       
       @jish Protonmail is gaslighting you. They don't have end to end encryption. They can read all of your emails.
       
 (DIR) Post #9oqFaypIIqQaJRTQHI by jish@mastodon.technology
       2019-11-11T04:56:27Z
       
       0 likes, 0 repeats
       
       @sir oh, do you think they keep copies of the keys around? Do you have a source? (Again, legitimately curious, not trolling)
       
 (DIR) Post #9oqIZ4tB5hX8On4gzY by kick@blob.cat
       2019-11-11T05:30:34.188595Z
       
       1 likes, 0 repeats
       
       @jish @sir Easy way to verify this: Send your mother an email from your ProtonMail account to her GMail account. Can she read it? If the answer is yes, the message was not end-to-end encrypted! It may have been encrypted in transit, which basically does nothing to really help anything (and which GMail does as well).
       
 (DIR) Post #9oqJel3BrYjSYw1w9I by dielel8@zetsubou.xn--q9jyb4c
       2019-11-11T05:42:47.800269Z
       
       0 likes, 0 repeats
       
       @jish No but ur IPs are being logged by Israel when u connect to protonmail https://protonmail.com/support/knowledge-base/protonmail-israel-radware/ Also they disclose ur data if need be see: https://protonmail.com/blog/transparency-report/ @sir
       
 (DIR) Post #9oqxNnluUKvQFJPv2O by sir@cmpwn.com
       2019-11-11T13:07:07Z
       
       1 likes, 1 repeats
       
       @jish protonmail does the encryption, not the sender, on their mail server. This is not end to end encryption. They could secretly store a copy of the plaintext and you'd never know.
       
 (DIR) Post #9orF6Q9E21PUfADpGy by petit@social.ufeff.club
       2019-11-11T16:26:29.118286Z
       
       0 likes, 0 repeats
       
       @jish @sir It's not whether or not they keep the keys. The issue is that they *can* keep the keys if they choose to. I use proton mail because until I get a home server set up the alternative is either A) use cloud hosting or B) use something like gmail.
       
 (DIR) Post #9orFD3mRajzTJojRxo by petit@social.ufeff.club
       2019-11-11T16:27:40.448508Z
       
       0 likes, 0 repeats
       
       @jish @sir Worth mentioning while we're on the discussion of good/bad secure services. https://www.tarsnap.com/
       
 (DIR) Post #9orGXefQG0BNSzpeUa by sir@cmpwn.com
       2019-11-11T16:41:15Z
       
       0 likes, 0 repeats
       
       @petit @jish I recommend migadu
       
 (DIR) Post #9orGtPg6fNHXLlWkLY by pea@fuckonthefirst.date
       2019-11-11T16:46:27.608396Z
       
       1 likes, 0 repeats
       
       @petit @jish @sir I wish I could like tarsnap but it not being FOSS just rubs me the wrong way. I understand there's a practical concern of modified client code causing issues, but there are better solutions to that, but I just don't like it
       
 (DIR) Post #9orL1HBoVhA59lMYbY by petit@social.ufeff.club
       2019-11-11T17:32:46.177738Z
       
       0 likes, 0 repeats
       
       @pea @jish @sir Wow, I did not know about that.
       
 (DIR) Post #9orL6ovkUQi5FYUaK8 by petit@social.ufeff.club
       2019-11-11T17:33:46.753870Z
       
       0 likes, 0 repeats
       
       @sir @jish Weird, Migadu recommends ProtonMail. "If you are engaged in activities of dubious legality, espionage or simply are timid of Uncle Sam, please consider our neighbours ProtonMail."
       
 (DIR) Post #9orNvIyuFGjLqK6rSK by cfenollosa@mastodon.sdf.org
       2019-11-11T17:51:36Z
       
       0 likes, 0 repeats
       
       @sir @jish that is not what they claim, and with my basic understanding of the web client, it seems that the browser does that in js. Did you manage to test it and confirm that the client is sending info unencrypted to proton mail servers?
       
 (DIR) Post #9orNvKClhDPfdbbRhY by sir@cmpwn.com
       2019-11-11T17:52:36Z
       
       0 likes, 0 repeats
       
       @cfenollosa @jish this is simply how email works. Hello, email expert here. They encrypt it on arrival, allegedly, but they don't have to and you would never know. They encrypt it at rest and decrypt it in your browser but they could also be storing a plaintext version that you don't know about.
       
 (DIR) Post #9orOmXEfmT3XKNrcci by allie@mbl.social
       2019-11-11T18:07:01.988410Z
       
       0 likes, 0 repeats
       
       @sir @cfenollosa @jish Isn't that true only for unencrypted emails you send or receive? My understanding was anything to other ProtonMail users or users for whom you have PGP/GPG keys is end to end encrypted, but sending or receiving unencrypted emails only gets encrypted by them for data at rest purposes.
       
 (DIR) Post #9orOmYIbpJnacsiHOi by sir@cmpwn.com
       2019-11-11T18:13:50Z
       
       0 likes, 0 repeats
       
       @allie @cfenollosa @jish but this is also true for literally all other email providers.
       
 (DIR) Post #9orStUGB8Jt8yTi1R2 by matt@linuxrocks.online
       2019-11-11T18:58:21Z
       
       0 likes, 0 repeats
       
       @sir @jish Protonmail encrypts within the browser JavaScript engine, or via their IMAP bridge, when you send mail. No email service will ever be secure when RECEIVING email unless the sender uses something like PGP first.
       
 (DIR) Post #9orZ1shz2mV4OWPSaW by cfenollosa@mastodon.sdf.org
       2019-11-11T20:08:50Z
       
       0 likes, 0 repeats
       
       @sir @allie @jish protonmail claim that “All emails are secured automatically with end-to-end encryption. This means even we cannot decrypt and read your emails. As a result, your encrypted emails cannot be shared with third parties.” Are you saying that this isn’t true? That they only use gpg for specific mails but they store plaintext emails in their servers?
       
 (DIR) Post #9orZpIfRJl2Z5umh0q by sir@cmpwn.com
       2019-11-11T20:17:48Z
       
       0 likes, 1 repeats
       
       @cfenollosa @allie @jish correct, this is not true. This statement is a lie, used to gaslight users into thinking that Protonmail provides privacy guarantees that it does not. They claim that they don't store plaintext mails, but they have no cryptographic guarantee that they are not storing plaintext emails. Privacy is built on math, not trust.
       
 (DIR) Post #9orcc8MUcd91EKKsEa by ewaf@ewaf.club
       2019-11-11T20:29:03.578194Z
       
       1 likes, 0 repeats
       
       @kick @jish @sir lol, but what if they encrypted the emails you received with your public key, so only you could read them? I think that's how it works, but I'm not sure.
       
 (DIR) Post #9orcc9blzIxf60Uagq by kick@blob.cat
       2019-11-11T20:49:55.025225Z
       
       0 likes, 0 repeats
       
       @ewaf @jish @sir Encrypting at-rest when receiving is pointless (because they can, in fact, read the mail). What they claim to do can not be automated over electronic mail as they advertise it. In fact, they even flat out admit that their marketing copy is inaccurate, here (though they still claim that it's partially accurate): https://protonmail.com/support/knowledge-base/what-is-encrypted/ Lies in the business they're in kill people, and if they can't be trusted on that, you shouldn't trust them on any claims they make, whatsoever.
       
 (DIR) Post #9orda0ornFRjDG9woa by ewaf@ewaf.club
       2019-11-11T20:58:55.206020Z
       
       0 likes, 0 repeats
       
       @kick @jish @sir If I think about it, real e2ee is possible. You could for example generate yourself a keypair and then use the hash of the public key to receive emails (just like onion services do it), so if someone wanted to send you an email, they would have to get your public key from some database, then encrypt the content and send it to you. But maybe that's a bit too complicated and not very user friendly, so you could just use GPG.
       
 (DIR) Post #9orda20FOQ8ysqUYC0 by kick@blob.cat
       2019-11-11T21:00:44.102995Z
       
       0 likes, 0 repeats
       
       @ewaf @jish @sir Real end to end encryption of mail is possible (literally the entire point of GPG), but it's not possible to automate. Look on keyservers and you'll find at least a dozen fake keys for Richard Stallman, for example.
       
 (DIR) Post #9orgyuZ2UGJeulJwY4 by cfenollosa@mastodon.sdf.org
       2019-11-11T21:38:02Z
       
       0 likes, 0 repeats
       
       @sir @allie @jish Thanks for the explanation. At first sight it seems that they indeed do in browser encryption, in fact, they don't support standard IMAP as apparently the mbox is encrypted. What kind of audit did you do and how did you discover that they're lying and they're not using e2e? That is a serious statement, I was considering switching to Protonmail but now I guess I have to do more research.
       
 (DIR) Post #9ori7SHv5PZnmIx280 by sir@cmpwn.com
       2019-11-11T21:50:07Z
       
       1 likes, 0 repeats
       
       @cfenollosa @allie @jish I don't have to audit someone who says 2+2=5 to tell you that they're wrong
       
 (DIR) Post #9orihcoNRBhEqDNbzE by sir@cmpwn.com
       2019-11-11T21:57:26Z
       
       1 likes, 0 repeats
       
       @cfenollosa @allie @jish to explain further:
       1. I write a plaintext email to you@protonmail.com
       2. My mail server connects to mail.protonmail.ch and writes the plaintext email to it
       3. mail.protonmail.ch now has the plaintext email
       Q.E.D.
       
 (DIR) Post #9oripyTilSxaM9hQhs by kick@blob.cat
       2019-11-11T21:59:40.137877Z
       
       0 likes, 0 repeats
       
       @sir @cfenollosa @allie @jish To back Drew's point up, they openly admit to this! https://protonmail.com/support/knowledge-base/what-is-encrypted/
       
 (DIR) Post #9orj41cLtEOg99R7aK by kick@blob.cat
       2019-11-11T22:02:12.411453Z
       
       1 likes, 0 repeats
       
       @sir @allie @cfenollosa @jish Their marketing copy is full of dissonance, as you can see on that page itself ("Everything is encrypted!" "We...don't actually encrypt 99% of mail on the internet.").
       
 (DIR) Post #9orj6jZfQm4X3TTLiy by lanodan@queer.hacktivis.me
       2019-11-11T22:02:40.863648Z
       
       1 likes, 0 repeats
       
       @cfenollosa @sir @allie @jish
       >how did you discover that they're lying and they're not using e2e?
       Just send an email to a non-protonmail address from a protonmail account, it will be in cleartext.
       So at best they are using e2e between protonmail accounts and encrypted mailboxes.
       At worst (which is what you expect when doing security): you're vendor-locked by cryptography for accessing your mailbox and you need to pay for access without a browser. Kinda sounds too much like ransomware to me.
       
 (DIR) Post #9orlFXQq93VfuWfZ8C by cfenollosa@mastodon.sdf.org
       2019-11-11T22:25:04Z
       
       0 likes, 0 repeats
       
       @sir @allie @jish now I get it! Thanks a lot for your patience in your explanations 😃
       
 (DIR) Post #9orlMDSanWu3zqfoLA by dielel8@zetsubou.xn--q9jyb4c
       2019-11-11T22:27:53.939117Z
       
       0 likes, 0 repeats
       
       @cfenollosa Use https://safe-mail.com @jish @allie @sir