Comment on Proton Mail Discloses User Data Leading to Arrest in Spain

<- View Parent
barsquid@lemmy.world ⁨6⁩ ⁨months⁩ ago

I disagree it would be the same as a password. They do use only the hash to validate the entry, that is the same. But then they send recovery to the email instead of proceeding in place. An attacker would have to both know the email and be able to access its inbox. (Or, less likely, generate a hash collision with an address they do control.)

I think they could do verification if they kept the plaintext address just long enough to send something out.

The UX of only being able to show hashes would be pretty unfortunate, sure. Maybe that’s a potential compromise if they kept just a first letter, likex***@example.com? Same number of stars in the interface regardless of the real length of email, to attempt to leak less info.

source
Sort:hotnewtop