this post was submitted on 25 Apr 2024
[–] sugar_in_your_tea@sh.itjust.works 1 points 6 months ago* (last edited 6 months ago)

Yes, agreeing in general, just with some clarifications. I think clarifications are important when talking about a product focused on privacy and security.

I was responding to this part:

> IDK if the other “easy encrypted” providers just use standard PGP.

Proton uses standard PGP AFAIK (and yes, PGP vs GPG is irrelevant), so your subject line and attachment names are not end-to-end encrypted:

> All Proton Mail data at rest and in transit is encrypted. However, subject lines in Proton Mail are not end-to-end encrypted, which means if served with a valid Swiss court order, we do have the ability to turn over the subjects of your messages. Your message content and attachments are end-to-end encrypted.

Depending on your threat model, this may or may not be an issue.

At least one other provider (Tuta in my example) doesn't use PGP internally because using SMTP internally w/ PGP for the body leaks the subject line and other metadata. Neither has released the source to their backend, and I haven't read the client code, so I don't know if there are any other concerns.

That said, I think Proton is absolutely fantastic, and I used it for a few years with absolutely no issue. I do think it's important to be accurate, though, since others may not like the tradeoffs. Proton has a bunch of other benefits as well over alternatives, such as:

  • IMAP bridge - you can use whatever email client you want and back up emails yourself - this does decrypt your email though, so you'd need to account for that
  • automatic forwarding - seems to just work as expected
  • other bundled services - I've used their VPN, and they have a few other things other providers don't (e.g. encrypted storage)

> Proton... standard protocol

Yeah, any email provider will use standard SMTP, otherwise it's not email. The differences are whatever happens after it reaches Proton's servers.
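
An added illustration of the point made in the comment above (not part of the original comment, and not Proton's or Tuta's code): a constructed message whose body and attachment are PGP-armored, parsed with Python's standard `email` library to list what a server or anyone else without the private key can still read. The addresses, subject, filename and message layout are assumptions made up for the example, not any provider's actual storage format.

```python
from email import message_from_bytes
from email.policy import default

# Constructed sample: body and attachment are each PGP-armored, but the
# RFC 5322 headers and MIME part parameters travel in the clear.
SAMPLE = b"""\
From: alice@example.org
To: bob@example.net
Subject: Re: contract renewal terms
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----
PLACEHOLDER (constructed, not real ciphertext)
-----END PGP MESSAGE-----
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="contract-draft.pdf.pgp"

-----BEGIN PGP MESSAGE-----
PLACEHOLDER (constructed, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

ARMOR = "-----BEGIN PGP MESSAGE-----"

def visible_without_key(raw: bytes) -> dict:
    """Return what a party holding no private key can read from the message."""
    msg = message_from_bytes(raw, policy=default)
    report = {
        "headers": {h: str(msg[h]) for h in ("From", "To", "Subject") if msg[h]},
        "attachment_names": [],   # filenames live in cleartext MIME headers
        "readable_parts": [],     # leaf parts whose payload is not armored
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            report["attachment_names"].append(part.get_filename())
        payload = part.get_payload(decode=True).decode("ascii", "replace")
        if not payload.lstrip().startswith(ARMOR):
            report["readable_parts"].append(part.get_content_type())
    return report

if __name__ == "__main__":
    print(visible_without_key(SAMPLE))
```
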