Comment on Proton is transitioning towards a non-profit structure | Proton
Asudox@lemmy.world 4 months ago
This is old news. Why are you posting this just now? I mean I don’t really care much. I transitioned to Posteo as soon as I learned that they stored the private key. They don’t even let you use your own GPG key, useless honeypot. Their recent Bitcoin wallet supports this. If they cared about privacy, they wouldn’t go with Bitcoin. They have been ignoring requests for Monero for years.
This is old
“I know this. Why doesn’t everyone else know this? They should be me, I’m the smartest man alive.”
I really don’t care much
proceeds to type an entire paragraph as to why you don’t care
sudneo@lemm.ee 4 months ago
You can use your own GPG key (proton.me/support/importing-openpgp-private-key or using the bridge), whatever tool does the signing needs the key (duh) so I am not sure what you mean by “they store your private key” (they stored it encrypted as per documentation proton.me/support/how-is-the-private-key-stored), their AI was specifically designed as local, exactly to be privacy friendly, plus it is a feature that can be disabled (when it will reach general subscriptions).
I don’t care about cryptocurrencies, but I suppose they started with the most popular, nothing to do with privacy as they just let you store your currencies.
Anyway, use what you like the most, of course, but yours don’t look like very solid motivations, quite a lot of incorrect information, I hope you didn’t take your decision based on it.
Asudox@lemmy.world 4 months ago
You upload your private key to the cloud. Encrypted or not, this is a bad idea. No thanks. They can do the signing with my public key and then I’ll do the decryption with my own private key locally without them storing it.
sudneo@lemm.ee 4 months ago
An encrypted key is a useless blob. What matters is the decryption key for that key, which is your password (or a key derived from it, I assume), which is client side.
They can’t sign with your public key. Signing is done using your private one, otherwise nobody can verify the signature.
Either way:
You can do it using the bridge, exactly like you would with any client-side tooling.
endofline@lemmy.ca 4 months ago
It’s still insecure. The decryption process is still in the Proton company’s hands and they could add some client-specific code to log the password on the fly. Proton is obliged to follow the Swiss law and I can imagine a situation in which the police ask Proton (+ gag order) to log certain data for specific clients, like passwords and IPs. Still, private keys are better stored separately. You can sync them easily if you wish with either rsync or rclone.
Asudox@lemmy.world 4 months ago
Yeah mb. Mixed private keys with public keys. Edited original comment.