Comment

Comment on Proton’s Lumo AI chatbot: not end-to-end encrypted, not open source

DeathByBigSad@sh.itjust.works ⁨1⁩ ⁨day⁩ ago

Incoming Emails that aren’t from proton, or PGP encrypted (which are like 99% of emails), arrives at Proton Servers via TLS which they decrypt and then have the full plaintext. This is not some conspiracy, this is just how email works.

Now, Proton and various other “encrypted email” services then take that plaintext and encypt it with your public key, then they’re supposed to discard the plaintext, so that in case of a future court order, they wouldn’t have the plaintext anymore.

But you can’t be certain if they are lying, since they do necessarily have to have access to the plaintext for email to function. So “we can’t read your emails” comes with a huge asterisk, it onlu applies to those sent between Proton accounts or other PGP encrypted emails, your average bank statement and tax forms are all accessible by Proton (you’re only relying on their promise to not read it).

source

Sort:hotnew top

EncryptKeeper@lemmy.world ⁨1⁩ ⁨day⁩ ago
Ok yeah thats a far cry from Proton actually “Having your unencrypted emails on their servers”

There’s the standard layer of trust you need to have in a third party when you’re not self hosting. Proton has proven so far that they do in fact encrypt your emails and haven’t given any up to authorities when ordered to so I’m not sure where the issue is.

source
- Vinstaal0@feddit.nl ⁨17⁩ ⁨hours⁩ ago
  We need to call for an audit on Protons policy and see if they actually do what they say, that way we can know for almost certain that everything is good as they say
  
  source
  - EncryptKeeper@lemmy.world ⁨16⁩ ⁨hours⁩ ago
    I mean we know from documented events that Proton doesn’t store you emails in plain text because there have been Swiss orders to turn over information which they have to comply with and they’ve never turned in emails, because they can’t.
    
    source
    Vinstaal0@feddit.nl ⁨15⁩ ⁨hours⁩ ago
    Do you have a source for that? I know they handed over an IP address, but I haven’t heard about them handing over an email.
    
    source
    -> View More Comments
- cley_faye@lemmy.world ⁨1⁩ ⁨day⁩ ago
  
  Ok yeah thats a far cry from Proton actually “Having your unencrypted emails on their servers” as if they’re not encrypted at rest.
  
  See my other reply. There is no way to retrieve your mail using IMAP on a regular client if they’re encrypted on the server. And Gmail can retrieve your mails from proton using IMAP. It’s even in their own (proton’s) documentation.
  
  source
  - nymnympseudonym@lemmy.world ⁨7⁩ ⁨hours⁩ ago
    Agreed.
    
    Really, if someone wants to use an LLM, the right place to run it is in a sandbox locally on your own computer
    
    Anything else is just a stupid architecture. You don’t run your Second Brain on Someone Else’s Computer
    
    source
  - EncryptKeeper@lemmy.world ⁨1⁩ ⁨day⁩ ago
    
    There is no way to retrieve your mail using IMAP on a regular client if they’re encrypted on the server.
    
    That is probably why you can’t retrieve your emails using IMAP from a regular client.
    
    And Gmail can retrieve your mails from proton using IMAP. It’s even in their own (proton’s) documentation.
    
    I don’t think it can. Where in the documentation did you find that?
    
    source
    cley_faye@lemmy.world ⁨19⁩ ⁨hours⁩ ago
    
    And Gmail can retrieve your mails from proton using IMAP. It’s even in their own (proton’s) documentation.
    
    I don’t think it can. Where in the documentation did you find that?
    
    An online search brought me here : getmailbird.com/…/access-protonmail-com-via-imap-… which did looks like a documentation page about how to do exactly that. Obviously, it has nothing to do with them, and the actual details makes no sense the lower you get in the page. I’ve been had :)
    
    source
    -> View More Comments
cley_faye@lemmy.world ⁨1⁩ ⁨day⁩ ago

Now, Proton and various other “encrypted email” services then take that plaintext and encypt it with your public key, then store the ciphertext on their servers, and then they’re supposed to discard the plaintext, so that in case of a future court order, they wouldn’t have the plaintext anymore.

You would not be able to retrieve your mails using IMAP from a regular mail client if they were doing that. You can even retrieve them from Gmail, which is unlikely to support any kind of “bring your own private key to decrypt mails from IMAP”.

source