Comment on E-Mail with own domain
activistPnk@slrpnk.net 4 days agoside note: downside is, your data there is more snoopable, less so with something like proton.
Can you elaborate? AFAIK, Protonmail only gives e2ee in 2 rare situations:
- Both parties use PM
- The non-PM user has a PGP key and the PM user is competent enough to add the key to their PM address book. (This is where Hushmail is superior to PM, but HM is not gratis)
In all other scenarios (no e2ee), PM traffic and data-at-rest is just as exposed as conventional non-PM.
berber@feddit.org 2 days ago
actually, i was talking out of my ass a little. i am not sure itself how things work, i was under the impression that proton can’t access your clear text mails, once they are stored (of course, they can build backdoors that snoop when receiving mails, but we shall not assume this), similar to how mailbox.org allows you to have all incoming mails be immediately encrypted via your chosen pgp key, effectively having e2ee. i was under the impression proton did this automatically and stuff, i mean why else do you need to use their own apps for everything and to even use basic stuff like imap? but yeah i don’t know their setup exactly.
activistPnk@slrpnk.net 2 days ago
PM’s apps perform the encryption on your own device because it’s your device that runs the apps. That is e2ee, but still only in the two scenarios I mention and even then it’s also vulnerable to targeted attack. PM could ship malcious j/s if it wanted (the likely case being to comply with a court order). It’s better if your own non-j/s FOSS MUA handles the crypto, which is actually easier if you don’t use PM.
If mailbox.org works the way anonaddy works, then that’s not e2ee. The msg payload is seen by the server that does the encryption, in the very least. The sender’s ESP would have already seen the msg.
berber@feddit.org 1 day ago
so in both cases, proton and mailbox, you have “less” snoopability, in the sense that they wouldn’t be able to snoop your stored mail retroactively. i am (in some sense naively) assuming “good” conditions here, such as that they don’t keep copies somewhere.
of course without actual e2ee there is always a way for a provider to snoop any incoming email if they wanted to.