• asudox
    3 months ago

    You upload your private key to the cloud. Encrypted or not, this is a bad idea. No thanks. I can do the signing locally and then I’ll do the decryption with my own private key locally without them storing it as well.

    Edit: mixed public keys with private keys

    • @[email protected]
      3 months ago

      > You upload your private key to the cloud. Encrypted or not, this is a bad idea.

      An encrypted key is a useless blob. What matters is the decryption key for that key, which is your password (or a key derived from it, I assume), which is client side.

      > They can do the signing and encryption with my public key

      They can’t sign with your public key. Signing is done using your private one, otherwise nobody can verify the signature.

      Either way:

      > and then I’ll do the decryption with my own private key locally without them storing it.

      You can do it using the bridge, exactly like you would with any client-side tooling.
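
As an added example (not part of the thread and not Proton's code): a sketch of the model described in the comment above, where the server stores only an encrypted private key and the wrapping key is derived from the passphrase on the client. scrypt, AES-256-GCM and every function name here are assumptions chosen for the illustration.

```javascript
// Added illustration. scrypt + AES-256-GCM are stand-ins chosen for this sketch,
// not a description of Proton's real key format. All values are constructed.
const nodeCrypto = require('node:crypto');

// Client side: stretch the passphrase into a 256-bit wrapping key (scrypt defaults).
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Client side: encrypt the private key. Only this blob is uploaded.
function wrapKey(privateKeyDer, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  const ct = Buffer.concat([cipher.update(privateKeyDer), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() };
}

// Returns the private key bytes, or null when the passphrase is wrong
// (GCM tag verification fails) or the blob was modified.
function unwrapKey(blob, passphrase) {
  const key = deriveKey(passphrase, blob.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.nonce);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
  } catch {
    return null;
  }
}

// Walk through the flow: generate, wrap, "store", unwrap, sign, verify.
function demo(passphrase, guess) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  const stored = wrapKey(der, passphrase);            // what the server holds
  const recovered = unwrapKey(stored, guess);
  if (recovered === null) return { unlocked: false, verified: false };
  const key = nodeCrypto.createPrivateKey({ key: recovered, format: 'der', type: 'pkcs8' });
  const msg = Buffer.from('constructed test message');
  const sig = nodeCrypto.sign(null, msg, key);        // signing needs the private key
  return { unlocked: true, verified: nodeCrypto.verify(null, msg, publicKey, sig) };
}

console.log(demo('correct horse battery staple', 'correct horse battery staple'));
console.log(demo('correct horse battery staple', 'wrong guess'));
```

In this sketch the stored blob is exactly as strong as the passphrase and the integrity of the code that handles it, which is the point the rest of the thread argues over.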

      • @[email protected]
        3 months ago

        It’s still insecure. The decryption process is still in the Proton company’s hands and they could add some client-specific code to log the password on the fly. Proton is obliged to follow Swiss law and I can imagine a situation where the police ask Proton (+ gag order) to log certain data for specific clients, like passwords and IPs. Still, private keys are better stored separately. You can sync them easily if you wish with either rsync or rclone.

        • @[email protected]
          3 months ago

          It’s not “insecure”, it’s simply a supply chain risk. You have the same exact problem with any client software that you might use. There are still jurisdictions, there are still supply chain attacks. The posture is different simply by a small tradeoff: business incentive and size for proton as pluses vs quicker updates (via JS code) and slower updates vs worse security and dependency on a handful of individuals in case of other tools.

          Any software that makes the crypto operations can do stuff with the keys if compromised or coerced by law enforcement to do so.

          In any case, if this tradeoff doesn’t suit you, the bridge allows you to use your preferred tool, so this is kind of a moot point.

          The main argument for me is that if you rely on mail and gpg not to get caught by those who can coerce proton, you are already failing.

          • @[email protected]
            3 months ago

            I used the bridge for many years. It was totally unusable: 1) you cannot delete emails with it (deleted emails were coming back), 2) synchronization issues. So it made me move to another “plain and simple” email provider offering POP3 and IMAP and also GPG integration (but without that e2e hype talk).

            • @[email protected]
              3 months ago

              I can’t comment on this, since I haven’t used the bridge for a while. But it’s just an IMAP/SMTP server, so I’m not sure why certain features wouldn’t work. What service did you end up using which has GPG integration?

              • @[email protected]
                3 months ago

                I used ProtonMail for 3 years - bridge issues have been ignored by ProtonMail support, in my opinion. “Clean cache and try again”. I stopped using ProtonMail and switched to mailbox.org. So far so good.

                • @[email protected]
                  3 months ago

                  From what I read though, the GPG security model for mailbox.org is the same as it is for Proton webmail (except for the browser plugin, where the difference is not really there). I like mailbox.org, to be clear, but I don’t get how it is an alternative to the bridge.

                  • @[email protected]
                    3 months ago

                    I don’t use the mailbox GPG service, simple as that. I use mailbox’s perfect IMAP (K-9) / POP3 (desktop) integration and use GPG natively in case that person uses GPG: Thunderbird (desktop), K-9 with OpenKeychain on Android. I don’t say Proton is bad. It’s quite good if you never want to export mails outside our webmail. I do want it, so ProtonMail is not for me. Most of my ProtonMail issues were with their bridge, which they, until the moment I migrated to mailbox, had not resolved.

        • asudox
          3 months ago

          Exactly. There’s no justification for them storing the private key online for “convenience”. And key generation happens in the browser with JS. Which means it is possible to send backdoored JS to easily copy the private key.

          • @[email protected]
            3 months ago

            There is a reason: simplicity. Either you do all the key management yourself, which in practice means 98% of the people won’t do it at all, or you implement a solution like they did and increase the risk of a small % (see my other comment) but you cover every customer.

            • asudox
              3 months ago

              That simplicity introduces security and privacy issues.

              • @[email protected]
                3 months ago

                Introduces some risks in terms of security. Privacy concerns are extremely minimal, because in any case you don’t control the setup of your other interlocutor(s).

                Considering that the realistic alternative is not using anything at all and the fact that you have both options with Proton, it’s a win-win scenario.

                • asudox
                  3 months ago

                  One of the biggest risks is when someone knows your password. Your PGP encrypted emails that you want no one to see will be available to the attacker. Whereas if no such thing happened, the attacker wouldn’t be able to decrypt the PGP encrypted emails even if the attacker gained access to your account. Manually encrypting your stuff is better than having some random on the internet do it for you. It’s really just a tradeoff. Convenience or security? It’s not even hard to manually encrypt emails.

                  • @[email protected]
                    3 months ago

                    > One of the biggest risks is when someone knows your password.

                    Just a curiosity. How do you think every password for every online service works? The service “has” your password. It is hashed, but if this doesn’t matter (similarly for encryption) to you, then you should be panicking about basically everything.

                    In the case of Proton an attacker has basically these options:

                    • Option 1: Attack you, try to compromise your device. If this is the case, your local keys are going to be taken, one way or another, even if you have them locally and encrypted. The only way you might save yourself in this scenario is if you store them on a hardware device (like a YubiKey).
                    • Option 2: Attack Proton. Once the infrastructure is compromised, the JS code that does the crypto operation needs to be backdoored, you need to use the service while the JS is compromised, and the attacker will obtain the keys and the messages.
                    • Option 3: Compromise the sender/recipient for the emails (this is in cleartext in any case).

                    In the case of a manual solution:

                    • Option 1 is identical.
                    • Option 2: Attack the software you use (let’s say, mutt). Once you gain access to the repository, push a backdoored update and wait for you to install the new version. Incidentally, compromising this tool also allows the attacker to compromise your whole machine (unlike what happens with JS code, which runs at least in the browser sandbox).
                    • Option 3 is identical.

                    So the tradeoff is really that:

                    • With Proton an update is going to be pushed quicker and without your explicit interaction, but
                    • compromising Proton is going to be much, much harder than compromising the laptop/repository for the handful of maintainers that generally have the keys to push updates for the software you are most likely going to use. We are talking about a company with a security department + SOC vs maintainers with whatever security practice and no funding.

                    > It’s not even hard to manually encrypt emails.

                    Yeah, and this is why 99.9% of the people have never and will never touch GPG with a 10-foot pole. The tradeoff is a complete no-brainer for the vast majority of people, because the reality is that for most, either someone else does the key discovery, management, signing, encryption, decryption, or nobody does. We can sit here and pretend that it’s easy, but it’s not. Managing keys is hard, it is painful, especially on multiple devices, etc…

                    EDIT:

                    The entire threat model for proton is also documented BTW: https://proton.me/blog/protonmail-threat-model

          • @[email protected]
            3 months ago

            endof

            Especially with the fact that: 1) deminification of the JavaScript code is not simple 2) you cannot “freeze” the code version you use. Still, your computer does allow it (minus Windows, which follows the Microsoft way of thinking; kidding about Windows updates).

      • asudox
        3 months ago

        Yeah mb. Mixed private keys with public keys. Edited original comment.