Post Az43Fs2SQRBUEz3Jyq by aria@infosec.exchange
(DIR) Post #Az3tu1iarCQyIrGpuK by aria@infosec.exchange
2025-10-10T09:23:17Z
0 likes, 0 repeats
Thinking of making the switch from #GoogleWorkspace to #ProtonMail for my personal/newer .dev domain — what do all of you think? #mail #dev #development #privacy
(DIR) Post #Az3tu2gVGSM9IfIgHw by alrs@lsngl.us
2025-10-10T09:31:07Z
0 likes, 0 repeats
@aria It's cool that Proton exists, and it's weird that they talk about "encryption" so much when all of the email is sitting behind passwords. No IMAP without some weird desktop bridge, even though they have endless #openvpn endpoints to run it over if TLS is somehow not enough. No way to use an open-source mail client on Android.
(DIR) Post #Az3uCL2hkRuzRuPQKe by aria@infosec.exchange
2025-10-10T09:34:27Z
0 likes, 0 repeats
@alrs I just prefer the look and feel of Proton, and realise it's WAYYY cheaper considering I already pay for ProtonVPN, a password manager, and a Google mail service. So it makes sense to go for the Proton business package that's all of that for cheaper.
(DIR) Post #Az3uYdWxgtHV9xC6Ma by alrs@lsngl.us
2025-10-10T09:38:34Z
0 likes, 0 repeats
@aria ProtonVPN is free, no matter where you're hosting email.
(DIR) Post #Az3ubkJquKTL5BXrE0 by aria@infosec.exchange
2025-10-10T09:39:05Z
0 likes, 0 repeats
@alrs yeah, I'm aware the free plan exists, but for my use-cases, I need the paid plan
(DIR) Post #Az3ulPNRcmGF1mpgUC by alrs@lsngl.us
2025-10-10T09:40:54Z
0 likes, 0 repeats
@aria I'm not advocating for googs. tuta.com, maybe?
(DIR) Post #Az3v30AO5z4O3E7A6S by aria@infosec.exchange
2025-10-10T09:43:51Z
0 likes, 0 repeats
@alrs I think I'm gonna go with Proton, unless you know anything bad with it? It's mainly just personal preference.
(DIR) Post #Az3vTc8JYjoRKbpnwu by alrs@lsngl.us
2025-10-10T09:48:44Z
0 likes, 0 repeats
@aria If you're OK with encryption promises that don't make sense and an inability to use open protocols on mobile, then you're good. They run a reliable service.
(DIR) Post #Az3viHfjulf4DVSpkW by aria@infosec.exchange
2025-10-10T09:51:31Z
0 likes, 0 repeats
@alrs mind explaining what open protocols means?
(DIR) Post #Az3w5kFpoSTXWVXBsO by alrs@lsngl.us
2025-10-10T09:55:44Z
0 likes, 0 repeats
@aria Say you want to run Thunderbird on a de-googled or even stock Android phone: you can't, as ProtonMail doesn't speak IMAP. You're stuck with the ProtonMail client out of the Play Store.
(DIR) Post #Az3wIwjYj4IFzZjTm4 by aria@infosec.exchange
2025-10-10T09:58:10Z
0 likes, 0 repeats
@alrs ah, so, it's not something I'd really be bothered about since I just really wanna send emails, have a good VPN, password manager, etc just for daily use
(DIR) Post #Az3wMSHlsDb6iWPMjA by alrs@lsngl.us
2025-10-10T09:58:49Z
0 likes, 0 repeats
@aria you're the boss
(DIR) Post #Az3wRM3QT8koq42CZc by aria@infosec.exchange
2025-10-10T09:59:41Z
0 likes, 0 repeats
@alrs I'm tempted to register a .dev domain. But aria.dev is taken. I might go with ariarees.dev but idk, I like having something clean.
(DIR) Post #Az3wyd34J1Gb6MjXvs by alrs@lsngl.us
2025-10-10T10:05:40Z
0 likes, 0 repeats
@aria anything 4-letter and common is going to be brutal.
(DIR) Post #Az3x66SbLrnULdEyVk by aria@infosec.exchange
2025-10-10T10:07:01Z
0 likes, 0 repeats
@alrs do I just end up going with [firstlast].dev? And then what do I do for the email? hi@? me@?
(DIR) Post #Az3xYLjq8r03q9lxyq by alrs@lsngl.us
2025-10-10T10:12:08Z
0 likes, 0 repeats
@aria dunno, but dot@dot.at was the greatest email address I ever saw.
(DIR) Post #Az3xcrsMb6Bmffuj8i by aria@infosec.exchange
2025-10-10T10:12:53Z
0 likes, 0 repeats
@alrs amazing lmao. I'll just go with firstlast.dev. Do you think hi@firstlast or me@firstlast is best?
(DIR) Post #Az3yrFUhgJJNvlGhma by alrs@lsngl.us
2025-10-10T10:26:42Z
0 likes, 0 repeats
@aria aria@sharia.dev
(DIR) Post #Az3z33Ug7mEWBet1N2 by alrs@lsngl.us
2025-10-10T10:28:55Z
0 likes, 0 repeats
@aria aria@wistaria.dev. aria@solaria.dev. aria@sanitaria.dev. aria@terraria.dev
(DIR) Post #Az43Fs2SQRBUEz3Jyq by aria@infosec.exchange
2025-10-10T11:15:58Z
0 likes, 0 repeats
@alrs it appears they added it, unless I'm mistaken.
(DIR) Post #Az4L3DzZI3i3jpowt6 by hcf@infosec.exchange
2025-10-10T14:35:22Z
0 likes, 0 repeats
@alrs @aria The idea of Proton is encrypted storage of your email messages. From a user perspective it's simply a password, but what is happening under the hood is pretty clever. All decryption is done on the user's device. So nobody, not even Proton, can read your messages. That's why IMAP cannot be used directly. IMAP is too basic and a very old protocol; it was designed to access plain-text mailboxes on remote servers. It can't be used if the remote data is encrypted and you want to decrypt it on the device locally (privately).
(DIR) Post #Az4Pfbg052MU0zE2XQ by alrs@lsngl.us
2025-10-10T15:27:09Z
0 likes, 0 repeats
@hcf @aria except you can log into a webapp and read your mail with a password, so what about it is clever?
(DIR) Post #Az4QkgSJq1cgEvoL7w by hcf@infosec.exchange
2025-10-10T15:39:11Z
0 likes, 0 repeats
@alrs @aria The web app is running locally in the web browser on the device too.
(DIR) Post #Az4Rgtrc95GGcUP06q by alrs@lsngl.us
2025-10-10T15:49:50Z
0 likes, 0 repeats
@hcf @aria I just created a new Mozilla profile and logged in; there is no key retained on the user side.
(DIR) Post #Az4Vi9Aj7BS4ChBxoW by hcf@infosec.exchange
2025-10-10T16:34:46Z
0 likes, 0 repeats
@alrs @aria If curious you might want to find and read respectable papers rather than taking it from a rando on the internets (me). But in short, in cryptography there's a way to prove that you know your password without the other side knowing the same password. It's called Zero-Knowledge Password Proofs, or ZKPP for short.
(DIR) Post #Az4hM2jfZ0EFJwlLbk by alrs@lsngl.us
2025-10-10T18:45:14Z
0 likes, 0 repeats
@hcf @aria That is cool. How does it keep stored email "unreadable" to Proton? why is it that I can access stored email via password over web but not IMAP?
(DIR) Post #Az4lsdkZsYwrCdzDpg by hcf@infosec.exchange
2025-10-10T19:35:53Z
0 likes, 0 repeats
@alrs @aria "How does it keep stored email 'unreadable' to Proton?"

When you prove that you own your password, effectively authenticate yourself, the server lets you (your web app) download an encrypted blob that contains your keys, which you decrypt locally with your password. Then in the same way you can download encrypted blobs with emails and decrypt them locally with the keys you just obtained. Proton still doesn't, and doesn't have to, know your password.

"Why is it that I can access stored email via password over web but not IMAP?"

IMAP is an outdated protocol. It wasn't intended to manipulate encrypted data or do key exchanges. The most you can do with it is encapsulate it in TLS. But even in that case IMAP needs an agent on the other end that can manipulate messages in mbox format. But mbox is a plain-text file, which is not acceptable in this zero-knowledge model.
(DIR) Post #Az4ne9MwEsXQpb9Dfs by alrs@lsngl.us
2025-10-10T19:55:49Z
0 likes, 0 repeats
@hcf @aria Makes sense. I don't trust that at all. If they get the tap on the shoulder to provide my mail to a government all they need to do is change the logic on their end to have the password go over the wire, and everything can be decrypted. Kinda like what they did last time with their promise not to log VPN users. They can't, until they flip a switch and then they can. https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/
(DIR) Post #Az4odyxf2CPkVSoAZE by hcf@infosec.exchange
2025-10-10T20:06:56Z
0 likes, 0 repeats
@alrs @aria The user didn't use VPN therefore got their IP exposed. But this horse has been dead for quite a few years already. I'm not getting into this discussion.
(DIR) Post #Az4p56YIv3XvrtsfZ2 by alrs@lsngl.us
2025-10-10T20:11:47Z
0 likes, 0 repeats
@hcf @aria Sounds good. Like I said elsewhere, I like Proton, I'm glad they're around, I think they run a very reliable service. I don't like their position on open clients. I don't trust them not to fold on their guarantees. I'm a little grossed out by their advice to upload private PGP keys to their servers. If the goal is to starve Google AI of your mail as training data, I think Proton is great.
(DIR) Post #AzLcH1gGrT5kWAHQxs by mgeisler@ohai.social
2025-10-18T22:38:17Z
0 likes, 0 repeats
@alrs @aria I work at Proton, though not on Mail. I agree it's a shame that there isn't an IMAP service which could give you access to the encrypted mails. From talking to our crypto team, I believe we're sending/receiving completely normal #OpenPGP encrypted emails. Are there alternative Android email clients which can decrypt such emails?
(DIR) Post #AzNJb3Yi4wxXJyV876 by alrs@lsngl.us
2025-10-19T18:18:40Z
0 likes, 0 repeats
@mgeisler @aria I'm dubious that they're #openpgp encrypted when they arrive on my machine when I don't have a key on my side and I'm able to login to the website with a password.
(DIR) Post #AzNPLMEJUZjIJtrGoy by mgeisler@ohai.social
2025-10-19T19:22:55Z
0 likes, 0 repeats
@alrs @aria The #PGP private key is encrypted with your (hashed) password: https://proton.me/support/how-is-the-private-key-stored before being uploaded to Proton's server. This is how you bootstrap on a new machine! You can export (https://proton.me/support/download-public-private-key) or import (https://proton.me/support/importing-openpgp-private-key) the keypair as you like. #Proton is "just" doing what people have been doing for decades with things like #Enigmail. I used #Gnus for #Emacs some 20 years ago for the same thing 😄 The achievement of Proton is to make this seem easy!
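A runnable model of the key hierarchy described in hcf's post (an encrypted key blob downloaded after authentication and unwrapped locally) and in mgeisler's post (the private key encrypted with a password-derived key before upload), added here as an editor's example; it is not Proton's code and simplifies in ways the lead-in must flag. The symmetric cipher is an HMAC-SHA256 keystream with an HMAC tag, a stand-in for AES/OpenPGP so the script needs only the standard library; the mailbox key is a symmetric key standing in for the OpenPGP private key; `auth_proof` is a one-way value standing in for the SRP/ZKPP exchange, kept only so the server never sees the password; `Provider` is a dict; the message is constructed. The names `enrol`, `read_from_new_device` and `provider_can_read` are this example's own.

```python
"""Password-derived key wrapping, as a model of client-side mailbox decryption.

Assumed layout (illustration only, not Proton's implementation):
  password --scrypt(salt)--> KEK        never leaves the device
  KEK wraps the mailbox key             wrapped blob stored by the provider
  mailbox key decrypts each message     messages stored by the provider encrypted
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


# --- symmetric stand-in: HMAC-SHA256 CTR keystream + HMAC tag (not AES/OpenPGP) ---

def _subkeys(key):
    # Domain-separate one 32-byte key into an encryption key and a MAC key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- client side: the password is only ever an input to a KDF on the device ---

def derive_kek(password, salt):
    # Memory-hard KDF; the result wraps the mailbox key and nothing else.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def auth_proof(kek):
    # Stand-in for SRP/ZKPP (assumption): a one-way value the server can compare
    # against a stored verifier but cannot turn back into the KEK or the password.
    return hmac.new(kek, b"auth", hashlib.sha256).digest()


class Provider:
    """What the operator stores: salt, auth verifier, wrapped key, encrypted mail."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, verifier, wrapped_key):
        self.accounts[user] = {"salt": salt, "verifier": verifier,
                               "wrapped_key": wrapped_key, "mail": []}

    def salt_for(self, user):
        return self.accounts[user]["salt"]  # salts are public, as in SRP

    def _check(self, user, proof):
        if not hmac.compare_digest(self.accounts[user]["verifier"], proof):
            raise PermissionError("authentication failed")

    def fetch_wrapped_key(self, user, proof):
        self._check(user, proof)
        return self.accounts[user]["wrapped_key"]

    def deliver(self, user, encrypted_message):
        self.accounts[user]["mail"].append(encrypted_message)  # inbound, already encrypted

    def fetch_mail(self, user, proof):
        self._check(user, proof)
        return list(self.accounts[user]["mail"])


def enrol(server, user, password):
    """First device: create the mailbox key, wrap it under the KEK, upload the blob."""
    salt = secrets.token_bytes(16)
    mailbox_key = secrets.token_bytes(32)  # stand-in for the OpenPGP private key
    kek = derive_kek(password, salt)
    server.register(user, salt, auth_proof(kek), seal(kek, mailbox_key))
    return mailbox_key


def read_from_new_device(server, user, password):
    """Fresh browser profile with no local state: the password alone bootstraps."""
    kek = derive_kek(password, server.salt_for(user))
    proof = auth_proof(kek)
    mailbox_key = unseal(kek, server.fetch_wrapped_key(user, proof))
    return [unseal(mailbox_key, blob) for blob in server.fetch_mail(user, proof)]


def provider_can_read(server, user, password=None):
    """Can the operator decrypt the mailbox from what it holds, with or without the password?"""
    acct = server.accounts[user]
    try:
        # Without the password the only 32-byte secret on file is the verifier.
        kek = derive_kek(password, acct["salt"]) if password is not None else acct["verifier"]
        mailbox_key = unseal(kek, acct["wrapped_key"])
        for blob in acct["mail"]:
            unseal(mailbox_key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    server = Provider()
    pw = "correct horse battery staple"
    key = enrol(server, "aria", pw)
    # Constructed sample message; with OpenPGP the sender would use the public key.
    server.deliver("aria", seal(key, b"Subject: hi\n\nconstructed sample message"))
    print(read_from_new_device(server, "aria", pw))
    print("operator with stored data only:", provider_can_read(server, "aria"))
    print("operator handed the password:  ", provider_can_read(server, "aria", pw))
```

The two `provider_can_read` calls are the two sides of the exchange above: with only what it stores, the operator cannot unwrap the key or read a message, and a fresh device recovers everything from the password alone; hand the operator the password (or have the client send it, which is alrs's concern) and the same stored data decrypts. The guarantee therefore lives in the client code that keeps the password and KEK local, not in the server's storage format.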